Protecting Db2 objects

The resources that apply to a particular invocation of the RACF access control module depend on the input object type and the privilege being checked.

The object types and the names of their associated privileges are shown in RACF authorization checking reference. See the Db2 macro DSNXAPRV in prefix.SDSNMACS to find the numeric XAPLPRIV values (used by the RACF access control module) that correspond to the privilege names.

The RACF access control module constructs general resource class and profile names for Db2 objects based on the options you specified using the assembler SET symbols:
SET symbol    Default value    Description
&CLASSOPT     2                Specifies the classification model
&CLASSNMT     DSN              Specifies the class name root
&CHAROPT      1                Specifies the class name suffix

The &CLASSOPT, &CLASSNMT, and &CHAROPT options specify the format of the class names and resource profile names used by the RACF access control module. These options are global for each Db2 subsystem, and must be the same for all classes. Each instance of the RACF access control module can be set up to process only one classification model, not both. See Choosing the RACF access control module customization options for more information.

If your installation is using the default values for these options, you can use the classes in the supplied class descriptor table (ICHRRCDX). Additional classes do not need to be defined.

Security administrators must define the RACF resources to protect Db2 objects using names that correspond to the format required by the options set in the RACF access control module. The formats for the resource profile names are described in Defining resource names for Db2 objects.