Example 4: Deferring to Db2 (unprotected table)

The RACF access control module can defer to native Db2 authorization checking for an unprotected table.

This example shows how the RACF access control module defers to native Db2 authorization checking because the Db2 object (a table) is not protected by RACF.

In this example, user ID MIKEJ is trying to alter a table called BDA0828.EMP in database JBW2000.

Setup

  • Classification model (&CLASSOPT): 2
  • Class name root (&CLASSNMT): DSN
  • Class name suffix (&CHAROPT): 1

    This is the default value, but it is not used with supplied classes.

  • Db2 subsystem name: VHH1
  • Profiles:
    • Defined in the MDSNTB class:

      VHH1.BDASCH1.EMP.ALTER

    • Defined in the DSNADM class:

      VHH1.SYSOPR

      • AUDIT(ALL(READ))
  • User ID MIKEJ has SYSOPR authority.

Profile checking

RACF checks the following resources:

  1. VHH1.BDA0828.EMP.ALTER in class MDSNTB

    Results:

    • No profile is found (return code 4).
    • No failure message (ICH408I) is issued.
    • No audit records are created.
  2. VHH1.JBW2000.DBADM in class DSNADM

    Results:

    • No profile is found (return code 4).
    • No failure message (ICH408I) is issued.
    • No audit records are created.
  3. VHH1.SYSADM in class DSNADM

    Results:

    • No profile is found (return code 4).
    • No failure message (ICH408I) is issued.
    • No audit records are created.

Final result

The RACF access control module sends a return code of 4 to Db2, and Db2 performs its native authorization checking for the request.
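A simplified model of the profile checking walked through above, added here as an illustration; it is not IBM's code or the access control module's own logic. The profile and resource names come from this example; the function names, the `permitted` set, exact-name matching, and the handling of return codes 0 and 8 are assumptions.

```python
# Simplified model of the profile checking in this example (illustration only).
# Assumptions: exact-name matching (no generic profiles), the `permitted` set
# standing in for access lists, and the handling of return codes 0 and 8.

# Profiles from the Setup section: class -> defined profile names.
PROFILES = {
    "MDSNTB": {"VHH1.BDASCH1.EMP.ALTER"},
    "DSNADM": {"VHH1.SYSOPR"},
}

def resources_for_table_alter(subsystem, database, schema, table):
    """Resources checked for ALTER on a table, in the order the page lists."""
    return [
        ("MDSNTB", f"{subsystem}.{schema}.{table}.ALTER"),
        ("DSNADM", f"{subsystem}.{database}.DBADM"),
        ("DSNADM", f"{subsystem}.SYSADM"),
    ]

def check(profiles, permitted, user, cls, resource):
    """4 = no profile found; 0 = permitted; 8 = profile found, not permitted."""
    if resource not in profiles.get(cls, set()):
        return 4
    return 0 if (user, cls, resource) in permitted else 8

def decide(profiles, permitted, user, resources):
    """Return (final return code, [(class, resource, rc), ...])."""
    results = []
    for cls, resource in resources:
        rc = check(profiles, permitted, user, cls, resource)
        results.append((cls, resource, rc))
        if rc == 0:  # assumption: first permit ends the sequence
            return 0, results
    # Assumption: any denial gives 8; only "no profile" everywhere gives 4.
    final = 8 if any(rc == 8 for _, _, rc in results) else 4
    return final, results

if __name__ == "__main__":
    # MIKEJ alters BDA0828.EMP in database JBW2000 on subsystem VHH1.
    wanted = resources_for_table_alter("VHH1", "JBW2000", "BDA0828", "EMP")
    final, steps = decide(PROFILES, set(), "MIKEJ", wanted)
    for cls, resource, rc in steps:
        print(f"{resource} in class {cls}: rc={rc}")
    print("final return code to Db2:", final)
```

Neither defined profile (VHH1.BDASCH1.EMP.ALTER or VHH1.SYSOPR) matches any of the three checked resource names, which is why every check returns 4 and the decision falls to Db2.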