Example 7: Allowing access (single-subsystem scope)

The RACF access control module can grant access to Db2 objects based on a Db2 administrative authority profile.

This example shows how the RACF access control module allows access to a Db2 object (a table) based on a Db2 administrative authority profile. The installation has defined classes MVHH1TB1 and VHH1ADM1. Auditing is activated for all access attempts.

In this example, user ID MIKEJ is trying to alter a table called BDA0828.EMP in database JBW2000.

Setup

Classification model (&CLASSOPT): 1
Class name root (&CLASSNMT): DSN
This is the default value, but it is not used in single-subsystem scope.
Class name suffix (&CHAROPT): 1
Db2 subsystem name: VHH1
Profiles:
- Defined in the MVHH1TB1 class:
  VHH1.BDA0828.EMP.ALTER
  - AUDIT(ALL(READ))
  - UACC(NONE)
- Defined in the VHH1ADM1 class:
  SYSADM
  - AUDIT(ALL(READ))
  - UACC(NONE)
  - ID(MIKEJ) ACCESS(READ)
User ID MIKEJ has SYSADM authority.

Profile checking

RACF checks the following resources:

BDA0828.EMP.ALTER in class MVHH1TB1
Results:
- Access is denied (return code 8).
- No failure message (ICH408I) is issued.
- No audit records are created.
JBW2000.DBADM in class VHH1ADM1
Results:
- No profile is found (return code 4).
- No failure message (ICH408I) is issued.
- No audit records are created.
SYSADM in class VHH1ADM1
Results:
- Access is granted (return code 0).
- No failure message (ICH408I) is issued.
- An audit record is created, which includes the following log string data:
  - The VHH1.BDA0828.EMP.ALTER profile name
  - Input parameters identifying the request from Db2.

Final result

The RACF access control module sends a return code of 0 to Db2.