Authorization and ownership checking with roles
You can use the RACF access control module to perform ownership checking with roles.
The tables below show the ownership and authorization checks that the RACF access control module performs. The ownership checks are performed first, then the authorization checks. You can use these tables with trace data to diagnose problems.
The following table expands on the information in Checks for implicit privileges of ownership.
| XAPLONRT (type of ID that owns object) | XAPLOWNR (owner of object) | XAPLCHKS (bit 8 in XAPLFLG1) | XAPLUCKT (type of ID being checked by Db2) | XAPLUCHK (authorization ID or role being checked by Db2) | XAPLROLE (role associated with requester) | XAPLUPRM (requester - always an authorization ID) | Action |
|---|---|---|---|---|---|---|---|
| Blank (indicates authorization ID) | Authorization ID | Not applicable | Blank (indicates authorization ID) | Authorization ID | Role | User ID | Does XAPLOWNR = XAPLUPRM? Does XAPLOWNR = XAPLUCHK? If either matches, the ownership check passes. RACF does not check for XAPLOWNR = XAPLUCHK if XAPLACAC='1'B and XAPLONRT is a blank and XAPLUCKT is a blank. |
| Blank (indicates authorization ID) | Authorization ID | Not applicable | L (indicates a role) | Role | Role | User ID | Compare XAPLOWNR to XAPLUPRM. If equal, the ownership check passes. |
| L (indicates a role) | Role | Not applicable | Blank (indicates authorization ID) | Authorization ID | None | User ID | The ownership check fails because the owner is a role and nothing else is a role. |
| L (indicates a role) | Role | Bit = ON | Blank (indicates authorization ID) | Authorization ID | Role | User ID | Compare XAPLOWNR to XAPLROLE. If equal, the ownership check passes. |
| L (indicates a role) | Role | Bit = ON | L (indicates a role) | Role | Role | User ID | Does XAPLOWNR = XAPLROLE? Does XAPLOWNR = XAPLUCHK? If either matches, the ownership check passes. |
| L (indicates a role) | Role | Bit = OFF | L (indicates a role) | Role | Role | User ID | Does XAPLOWNR = XAPLUCHK? If equal, the ownership check passes. |
The following table shows the authorization checks that the RACF access control module performs after the ownership checks.

| Type of privilege | XAPLUCKT (type of ID being checked by Db2) | XAPLCHKS (bit 8 in XAPLFLG1) | XAPLROLE (role associated with requester) | XAPLUCHK (authorization ID or role being checked by Db2) | ACEE (requester - always an authorization ID equal to XAPLUPRM) | Action |
|---|---|---|---|---|---|---|
| All | Blank (indicates authorization ID) | Not applicable | Blank | Ignored | Authorization ID | Perform FASTAUTH check with AUTHCHKS=ALL. |
| All | Blank (indicates authorization ID) | Not applicable | Role | Ignored | Authorization ID | Perform FASTAUTH check with AUTHCHKS=ALL. The check includes the role, from XAPLROLE. |
| All except those that occur during a create or bind | L (indicates a role) | Bit = ON | Role | Ignored | Authorization ID | Perform FASTAUTH check with AUTHCHKS=ALL. The check includes the role, from XAPLROLE. |
| All that occur during a create or bind | L (indicates a role) | Bit = OFF | Role (ignored) | Role | Authorization ID | Perform FASTAUTH check with AUTHCHKS=CRITONLY. Check only the role, from XAPLUCHK. |
Note: XAPLUCHK can contain a role.
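When you are reading trace data, it helps to have the two decision tables in executable form so you can feed in the XAPL field values from a trace and see which row applies. The following Python model is an added example written for this page; it is not the RACF access control module's own code. The `Xapl` dataclass, the boolean representation of XAPLCHKS and XAPLACAC, the `during_create_or_bind` flag, and the handling of field combinations that neither table lists (fail closed for ownership, raise an error for authorization) are all assumptions of this model.

```python
"""Model of the ownership and authorization decision tables for the RACF
access control module. Constructed illustration; not the module's own code."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Xapl:
    """XAPL fields the two tables consult (constructed model, not the real control block)."""
    onrt: str                    # XAPLONRT: ' ' = owner is an authorization ID, 'L' = owner is a role
    ownr: str                    # XAPLOWNR: owner of the object
    chks: bool                   # XAPLCHKS (bit 8 in XAPLFLG1): True = bit ON (assumed representation)
    uckt: str                    # XAPLUCKT: ' ' = authorization ID being checked, 'L' = role being checked
    uchk: str                    # XAPLUCHK: authorization ID or role being checked by Db2
    uprm: str                    # XAPLUPRM: requester, always an authorization ID
    role: Optional[str] = None   # XAPLROLE: role associated with the requester, None if there is none
    acac: bool = False           # XAPLACAC = '1'B (assumed boolean representation)


def ownership_check(x: Xapl) -> bool:
    """Return True when one of the ownership comparisons in the first table matches."""
    owner_is_role = x.onrt == "L"
    checked_is_role = x.uckt == "L"

    if not owner_is_role:
        if not checked_is_role:
            # Row 1: XAPLOWNR = XAPLUPRM or XAPLOWNR = XAPLUCHK. The second
            # comparison is skipped when XAPLACAC='1'B and both type fields are blank.
            if x.ownr == x.uprm:
                return True
            return (not x.acac) and x.ownr == x.uchk
        # Row 2: owner is an authorization ID, the ID being checked is a role
        return x.ownr == x.uprm

    # Owner is a role
    if not checked_is_role:
        if x.role is None:
            # Row 3: the owner is a role and nothing else is a role
            return False
        if x.chks:
            # Row 4: compare the owning role with the requester's role
            return x.ownr == x.role
        # Combination not listed in the table: fail closed (assumption of this model)
        return False
    if x.chks:
        # Row 5: either the requester's role or the role being checked may match
        return x.ownr == x.role or x.ownr == x.uchk
    # Row 6: only the role being checked is compared
    return x.ownr == x.uchk


def authorization_check(x: Xapl, during_create_or_bind: bool) -> Tuple[str, Optional[str]]:
    """Return (AUTHCHKS value, role included in the FASTAUTH check) per the second table.

    The ACEE (requester) is always part of the check; the second element is the
    role name that is added to it, or None when no role is included.
    """
    if x.uckt != "L":
        # Rows 1 and 2: XAPLUCHK is ignored; the role from XAPLROLE is included when present
        return ("ALL", x.role)
    if x.chks and not during_create_or_bind:
        # Row 3: role being checked, bit ON, not a create or bind
        return ("ALL", x.role)
    if not x.chks and during_create_or_bind:
        # Row 4: create or bind, bit OFF, only the role from XAPLUCHK is checked
        return ("CRITONLY", x.uchk)
    # Combination not listed in the table (assumption of this model)
    raise ValueError("XAPL field combination not covered by the authorization table")


if __name__ == "__main__":
    # Constructed trace values: owner role ROLEB, requester USR1 holding ROLEA, Db2 checking ROLEB
    sample = Xapl(onrt="L", ownr="ROLEB", chks=True, uckt="L", uchk="ROLEB", uprm="USR1", role="ROLEA")
    print("ownership passes:", ownership_check(sample))          # True via XAPLOWNR = XAPLUCHK
    print("authorization:", authorization_check(sample, False))  # ('ALL', 'ROLEA')
```

To use it with trace data, build an `Xapl` from the field values in the trace record and call both functions; the comments name the table row that decided the result, which is the row to examine when a check passes or fails unexpectedly.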