Example of resource checking

RACF resources are checked when a user issues the SELECT statement.

The following example shows the series of RACF resources that are checked when a user issues the SELECT statement.

When RACF checks authorization, the requester must own the object or have at least READ access to one of the following profiles, which are checked in the order listed:

Profile name                                   Class    Note
subsystem.table-qualifier.table-name.SELECT    MDSNTB   Gives access to the table
subsystem.database-name.DBADM                  DSNADM   Gives access to the database that holds the table
subsystem.SYSCTRL                              DSNADM   Bypassed for user tables
subsystem.SYSADM                               DSNADM

RACF produces an SMF record for a failure only after it has checked the entire list of profiles and the requester has failed to meet every one of the requirements. RACF does not produce an audit record if:

  • The requester meets any of the requirements and access is granted, or
  • The RACF access control module returns the authority checking responsibility to Db2.
If Db2 objects are defined to RACF using the WARNING option, you receive ICH408I messages that identify the profiles that would have failed the request, and the requested access is allowed.
Note: For Db2 releases before Db2 V8, the ICH408I messages were suppressed.

If the WARNING option is added to a resource that is requested by a user who holds a Db2 administrative authority (such as SYSADM, DBADM or, in some cases, SYSCTRL) that normally allows the user to access the object, the user can ignore the WARNING message: the access would have been granted by the administrative authority profile anyway.

When the request fails, an audit record is produced for only one resource: the first resource in the list whose covering profile has auditing indicated and for which RACF returned a return code of 8.

RACF produces an SMF record for a successful access only when the requester indicates that one must be produced.
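As an added illustration (not code from this page or from IBM), the following Python model walks the profile list above for a SELECT request and applies the audit rules just described: access is granted on the first profile that allows READ, a failure SMF record is cut only after every profile has failed and only for the first audited profile that returned 8, no record is cut when responsibility returns to Db2, and a profile in WARNING mode is reported as one that would fail while the access is still allowed. The subsystem DB2P, the database DBPAYR, the table PAYROLL.EMP, the user IDs and the audit settings are constructed for the example, and the return-code and WARNING handling is a simplification of what RACF and the access control module actually do.

```python
from dataclasses import dataclass, field

# RACF access levels in ascending order; SELECT needs READ on one covering profile.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class Profile:
    klass: str                    # RACF class: MDSNTB or DSNADM
    name: str                     # profile name, e.g. DB2P.PAYROLL.EMP.SELECT (constructed)
    acl: dict                     # access list: user ID -> access level
    uacc: str = "NONE"            # universal access
    warning: bool = False         # WARNING option on the profile
    audit_failures: bool = True   # models AUDIT(FAILURES(READ))
    audit_success: bool = False   # models AUDIT(SUCCESS(READ))


@dataclass
class Decision:
    outcome: str                                   # GRANT, DENY, or DEFER (back to Db2)
    checked: list = field(default_factory=list)    # profiles consulted, in order
    warnings: list = field(default_factory=list)   # profiles that would fail (ICH408I)
    audit: list = field(default_factory=list)      # profiles for which an SMF record is cut


class RacfModel:
    """The defined profiles; check() stands in for one authorization call (simplified)."""

    def __init__(self, profiles):
        self.profiles = {(p.klass, p.name): p for p in profiles}

    def check(self, user, klass, name, need="READ"):
        prof = self.profiles.get((klass, name))
        if prof is None:
            return None, None          # no profile covers the resource
        have = prof.acl.get(user, prof.uacc)
        rc = 0 if ACCESS_RANK[have] >= ACCESS_RANK[need] else 8
        return rc, prof                # RC 0 allowed; RC 8 denied (or "would fail" under WARNING)


def select_authorization(racf, user, subsystem, qualifier, table, database,
                         owner, user_table=True):
    """Walk the profile list the page gives for SELECT and apply its audit rules."""
    d = Decision("DENY")
    if user == owner:                  # the owner needs no profile at all
        d.outcome = "GRANT"
        return d
    sequence = [
        ("MDSNTB", f"{subsystem}.{qualifier}.{table}.SELECT", True),
        ("DSNADM", f"{subsystem}.{database}.DBADM", True),
        ("DSNADM", f"{subsystem}.SYSCTRL", not user_table),   # bypassed for user tables
        ("DSNADM", f"{subsystem}.SYSADM", True),
    ]
    first_audited_failure = None
    covered = False
    for klass, name, applies in sequence:
        if not applies:
            continue
        rc, prof = racf.check(user, klass, name)
        if prof is None:
            continue
        covered = True
        d.checked.append(name)
        if rc == 0:
            d.outcome = "GRANT"
            if prof.audit_success:     # success record only when it was asked for
                d.audit.append(name)
            return d                   # granted: never a failure record
        if prof.warning:               # WARNING: report the profile, allow the access
            d.warnings.append(name)
            d.outcome = "GRANT"
            return d
        if first_audited_failure is None and prof.audit_failures:
            first_audited_failure = name
    if not covered:
        d.outcome = "DEFER"            # responsibility returns to Db2: no record
        return d
    if first_audited_failure is not None:   # all failed: one record, first audited RC 8
        d.audit.append(first_audited_failure)
    return d


# Constructed profiles for a hypothetical subsystem DB2P; user IDs are made up.
PROFILES = [
    Profile("MDSNTB", "DB2P.PAYROLL.EMP.SELECT", {"ALICE": "READ"}, audit_failures=False),
    Profile("DSNADM", "DB2P.DBPAYR.DBADM", {"BOB": "READ"}),
    Profile("DSNADM", "DB2P.SYSCTRL", {"CAROL": "READ"}),
    Profile("DSNADM", "DB2P.SYSADM", {"DAVE": "READ"}, audit_success=True),
]
RACF = RacfModel(PROFILES)


def decide(user, user_table=True, racf=RACF):
    """SELECT on user table PAYROLL.EMP in database DBPAYR, owned by PAYROLL."""
    return select_authorization(racf, user, "DB2P", "PAYROLL", "EMP", "DBPAYR",
                                owner="PAYROLL", user_table=user_table)


if __name__ == "__main__":
    for u in ("ALICE", "BOB", "CAROL", "DAVE", "EVE", "PAYROLL"):
        print(u, decide(u))
```

Running the block shows the two points that are easy to get wrong when tuning RACF auditing for Db2: a user such as EVE who holds nothing produces exactly one failure record, for the DBADM profile rather than the table profile, because the table profile in this constructed setup is not audited; and a SYSCTRL holder such as CAROL is denied on a user table but granted on a catalog table, because the SYSCTRL check is bypassed for user tables.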

For a list of the RACF classes, see Supplied RACF resource classes for Db2. For a full list of each RACF resource checked for each privilege, see RACF authorization checking reference.