Example 3: Denying access
The RACF access control module can deny access to Db2 objects.
This example shows how the RACF access control module denies access to a Db2 object (a table). Auditing is activated for all access attempts.
In this example, user ID MIKEJ is trying to alter a table called BDA0828.EMP in database JBW2000.
Setup
- Classification model (&CLASSOPT): 2
- Class name root (&CLASSNMT): DSN
- Class name suffix (&CHAROPT): 1 (this is the default value, but it is not used with the supplied classes)
- Db2 subsystem name: VHH1
- Profile defined in the MDSNTB class:
  VHH1.BDA0828.EMP.ALTER AUDIT(ALL(READ)) UACC(NONE) ID(MIKEJ) ACCESS(NONE)
Profile checking
RACF checks the following resources, in this order. The first three checks are made without logging, which is why the denial on the table profile produces no failure message and no audit record even though AUDIT(ALL(READ)) is set on it. Because neither the table profile nor the administrative authorities (DBADM on the database, then SYSADM) grant access, the table profile is checked a final time with logging enabled, so the failure is reported and audited exactly once.
- VHH1.BDA0828.EMP.ALTER in class MDSNTB
  Results:
  - Access is denied (return code 8).
  - No failure message (ICH408I) is issued.
  - No audit records are created.
- VHH1.JBW2000.DBADM in class DSNADM
  Results:
  - No profile is found (return code 4).
  - No failure message (ICH408I) is issued.
  - No audit records are created.
- VHH1.SYSADM in class DSNADM
  Results:
  - No profile is found (return code 4).
  - No failure message (ICH408I) is issued.
  - No audit records are created.
- VHH1.BDA0828.EMP.ALTER in class MDSNTB
  Results:
  - Access is denied (return code 8).
  - Failure message (ICH408I) is issued.
  - An audit record is created, which includes the following log string data:
    - The VHH1.BDA0828.EMP.ALTER profile name
    - Input parameters identifying the request from Db2.
Final result
The RACF access control module sends a return code of 8 to Db2.
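The check sequence above, replayed as an added example that is not IBM's RACF access control module code and not part of the original page. It is a constructed Python model of the four checks the example lists (table privilege, DBADM on the database, SYSADM, then the logged re-check of the table privilege) against an in-memory profile table, so a reader can see which check produces which return code, when ICH408I and an audit record appear, and what changes when a profile grants access. The profile table, the user and resource names from the example, and the treatment of the allow path (repeating the granting check with logging) are assumptions of this model; only discrete profiles are modelled, not generic profiles or owner checks.

```python
"""Model of the access-check sequence shown in the RACF-denial example.

Constructed model, not IBM's RACF access control module (DSNX@XAC): it
replays the order of checks the example lists (object privilege, DBADM on
the database, SYSADM, then the object privilege again with logging) against
an in-memory profile table, so the return codes and audit behaviour can be
followed for other users and profiles.
"""
from dataclasses import dataclass, field
from typing import Optional

RC_ALLOWED, RC_NO_PROFILE, RC_DENIED = 0, 4, 8
ACCESS_LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class Profile:
    """A discrete RACF profile: UACC, access list, and AUDIT(ALL(level))."""
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)   # user ID -> access level (PERMIT)
    audit_all: Optional[str] = None           # "READ" models AUDIT(ALL(READ))


@dataclass
class CheckResult:
    klass: str
    resource: str
    rc: int
    ich408i: bool   # failure message issued
    audited: bool   # audit (SMF) record written


def racf_auth(profiles, klass, resource, user, required="READ", log=True):
    """Model one RACROUTE REQUEST=AUTH for `user` against class/resource.

    log=False models a check made without logging: the decision is still
    made, but no ICH408I and no audit record are produced even when the
    profile carries AUDIT(ALL(...)).  Only discrete (exact-name) profiles
    are modelled; generic profiles and owner checks are out of scope.
    """
    prof = profiles.get((klass, resource))
    if prof is None:
        return CheckResult(klass, resource, RC_NO_PROFILE, False, False)
    granted = prof.acl.get(user, prof.uacc)        # access list first, then UACC
    allowed = ACCESS_LEVELS[granted] >= ACCESS_LEVELS[required]
    rc = RC_ALLOWED if allowed else RC_DENIED
    audit_on = prof.audit_all is not None and \
        ACCESS_LEVELS[required] >= ACCESS_LEVELS[prof.audit_all]
    return CheckResult(klass, resource, rc,
                       ich408i=log and not allowed, audited=log and audit_on)


def check_table_privilege(profiles, subsystem, database, table, privilege,
                          user, classnmt="DSN"):
    """Replay the example's sequence; return (final rc, list of checks).

    Class names follow &CLASSOPT=2 with root &CLASSNMT: table privileges in
    M<root>TB, administrative authorities in <root>ADM.
    """
    table_class = f"M{classnmt}TB"
    admin_class = f"{classnmt}ADM"
    object_resource = f"{subsystem}.{table}.{privilege}"
    probes = [
        (table_class, object_resource),
        (admin_class, f"{subsystem}.{database}.DBADM"),
        (admin_class, f"{subsystem}.SYSADM"),
    ]
    trail = []
    for klass, resource in probes:
        result = racf_auth(profiles, klass, resource, user, log=False)
        trail.append(result)
        if result.rc == RC_ALLOWED:
            # Assumption of this model: the granting check is repeated with
            # logging so that AUDIT(ALL) profiles record the success.
            trail.append(racf_auth(profiles, klass, resource, user, log=True))
            return RC_ALLOWED, trail
    # Nothing granted access: repeat the object check with logging so that
    # exactly one ICH408I and one audit record describe the failure.
    final = racf_auth(profiles, table_class, object_resource, user, log=True)
    trail.append(final)
    return final.rc, trail


# Constructed profile table for the example: MDSNTB profile with UACC(NONE),
# AUDIT(ALL(READ)) and MIKEJ permitted with ACCESS(NONE).
EXAMPLE_PROFILES = {
    ("MDSNTB", "VHH1.BDA0828.EMP.ALTER"):
        Profile(uacc="NONE", acl={"MIKEJ": "NONE"}, audit_all="READ"),
}

if __name__ == "__main__":
    rc, trail = check_table_privilege(EXAMPLE_PROFILES, "VHH1", "JBW2000",
                                      "BDA0828.EMP", "ALTER", "MIKEJ")
    for r in trail:
        print(f"{r.klass:7} {r.resource:28} rc={r.rc} "
              f"ICH408I={r.ich408i} audited={r.audited}")
    print("return code to Db2:", rc)
```

Running the model on the example's profile table yields the trail from the page: return codes 8, 4, 4, 8, with the failure message and the audit record appearing only on the final check. Adding a DSNADM profile for VHH1.JBW2000.DBADM that permits MIKEJ, or permitting MIKEJ READ on the table profile, turns the result into return code 0 at the corresponding step, which is the quickest way to see how an administrative authority overrides a denying object profile.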