Authority checking for all packages in a collection

You can perform authority checking on a collection of packages instead of performing authority checking on each package individually.

The naming convention for Db2 package objects is:
subsystem-name.collection-ID.package-ID.privilege-name

When a Db2 user tries to perform an operation on all packages in a collection, Db2 can pass an asterisk (*) to the RACF access control module in place of package-ID. To ensure consistent results between the RACF access control module and the RACF command processors (SEARCH and RLIST), the asterisk (*) in the resource name should match the asterisk (*) in the profile name.

For example, in Db2 you can BIND a plan using all of the packages from a given collection. When that plan is later executed, Db2 checks the user's authority to execute all packages in the collection by passing an asterisk (*) in place of the package name. Suppose the following Db2 commands are issued for subsystem DSN:
BIND PACKAGE(DSNTEP2) MEMBER(DSNTEP2) ACT(REP) ISO(CS)
BIND PLAN(DSNTEP42) PKLIST(DSNTEP2.*) ACT(REP) ISO(CS)
RUN  PROGRAM(DSNTEP2) PLAN(DSNTEP42) -

When Db2 gets to the execution step, it calls the RACF access control module to check the user's authority to EXECUTE package DSNTEP2.*, where the asterisk (*) means all packages in the collection.

The RACF access control module checks the user's authority to resource:
DSN.DSNTEP2.*.EXECUTE     (in class MDSNPK)

The RACF profile name protecting this resource should contain a single asterisk (*) to match the asterisk (*) in the resource name.
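
The profile described above could be defined and verified with RACF commands such as the following. This is an added example, not part of the original documentation. USER1 is a placeholder user ID, ACCESS(READ) is assumed to be the level the access control module requires, and the SETROPTS commands assume that the class still needs generic profile checking enabled and is RACLISTed at this installation.

```tso
  /* Activate the class and enable generic profiles in it      */
  /* (assumption: not already done at this installation)       */
SETROPTS CLASSACT(MDSNPK) GENERIC(MDSNPK)

  /* The profile name carries a single * in the package-ID     */
  /* position, matching the resource name Db2 passes:          */
  /* DSN.DSNTEP2.*.EXECUTE                                     */
RDEFINE MDSNPK DSN.DSNTEP2.*.EXECUTE UACC(NONE)

  /* USER1 is a placeholder; READ is the assumed access level  */
PERMIT DSN.DSNTEP2.*.EXECUTE CLASS(MDSNPK) ID(USER1) ACCESS(READ)

  /* Pick up the change in storage (assumes a RACLISTed class) */
SETROPTS RACLIST(MDSNPK) REFRESH

  /* Check with the command processors named above that they   */
  /* resolve the same profile the access control module uses   */
RLIST MDSNPK DSN.DSNTEP2.*.EXECUTE AUTHUSER
SEARCH CLASS(MDSNPK) FILTER(DSN.DSNTEP2.*.EXECUTE)
```

UACC(NONE) keeps the collection-wide EXECUTE check closed to everyone who is not explicitly permitted, so the access list shown by RLIST is the complete set of users who can run a plan bound with PKLIST(DSNTEP2.*).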