Defining class names for Db2 objects in single-subsystem scope

When you select this model, the RACF access control module inserts the Db2 subsystem name, or group attachment name, when it constructs RACF class names.

The classes that you define must follow this format:

ayyyyxxz

where:

a: is M for member class or G for grouping class
yyyy: is the Db2 subsystem name or, if data sharing, the Db2 group attachment name (from XAPLGPAT)
xx: is the type of Db2 object
z: is the &CHAROPT value (The default is 1.)

In single-subsystem scope, the class names of the Db2 object classes contain the Db2 subsystem name or Db2 group attachment name but the profile names of resources in those classes do not. Therefore, in single-subsystem scope, you must define a separate class name for each subsystem that uses the RACF access control module.

Begin figure description. This figure is described in the surrounding text. End figure description. — Figure 1. Single-subsystem scope classes

When you use the single-subsystem scope, you cannot use the classes provided in the supplied class descriptor table (ICHRRCDX) unless you are using the default Db2 subsystem name DSN and have altered the &CHAROPT variable in the RACF access control module to be a blank character (''). However, in single-subsystem scope, you must still define a separate class name for every other subsystem that shares the RACF access control module.

When you define your own classes, you can define two classes for each object type if you want both member and grouping classes. If only one class is defined for each object type, the class name must begin with M (not G).