Identity used for authorization checks

The RACF access control module receives user identification information in the XAPL (DSNDXAPL) parameter list that is passed by Db2.

In the XAPL, the RACF access control module receives:

• A pointer to the input ACEE that represents the identity of the requester (XAPLUPRM).
• The 1–8-character user ID of the requester (XAPLUPRM).
  Note: The XAPLUPRM value is used for all RACF authorization checking, although RACF actually checks the input ACEE itself to determine this identity. The identity represented by the ACEE is the same as the user ID passed in XAPLUPRM.
• The 1–128-character authorization ID (XAPLUCHK) that Db2 uses for the authorization check. The XAPLUCHK can contain a value that is not a RACF user ID or group, and it can differ from the XAPLUPRM.

While the RACF access control module uses the XAPLUCHK and XAPLUPRM values to perform ownership checks, it performs all access authorization checks using only XAPLUPRM.

It is possible for the XAPLUCHK value to be different from the user ID (XAPLUPRM) represented in the ACEE pointed to by XAPLACEE. For example, this can occur when a BIND request is issued and the binder is not the owner of the plan or package. The RACF access control module is invoked to determine whether the binder is authorized to do the BIND. If this check is successful, it is then invoked to check the binder's authorization to access each Db2 resource accessed in the plan or package. For the BIND check, XAPLUPRM and XAPLUCHK have the authorization ID of the binder. However, for the subsequent checks on the Db2 resources accessed in the plan or package, XAPLUPRM still has the authorization ID of the binder, but XAPLUCHK now has the authorization ID of the plan or package owner. For the BIND to succeed, the binder must have authorization to bind this plan or package, and be authorized to access all Db2 resources accessed in it. Db2 authorization performs the subsequent checks on the owner of the plan/package and not the binder.