Choosing the class scope
The system programmer can select the scope for the Db2 classes that protect Db2 objects and privileges.
The system programmer can alter the &CLASSOPT field of the modifiable assembler source statement in the RACF access control module to select the scope for the Db2 classes that will protect Db2 objects and privileges.
| &CLASSOPT value | Scope | Classification model |
|---|---|---|
| 1 | Single-subsystem scope | 1 |
| 2 | Multiple-subsystem scope (Note: This is the default.) | 2 |
When you select single-subsystem scope, you are choosing to define a separate set of classes for each Db2 subsystem that uses the RACF access control module. In general, you cannot use the classes in the supplied class descriptor table (ICHRRCDX) in single-subsystem scope.
When you select multiple-subsystem scope, you are choosing to share one set of classes across all Db2 subsystems that use the RACF access control module, rather than defining a separate set for each. In multiple-subsystem scope, you can use the classes in the supplied class descriptor table (ICHRRCDX). This scope generally requires less administrative effort to set up and is the scope that most installations choose.
One general resource class is associated with each Db2 object type. You can define up to two classes for each object type and set them up as associated members or grouping classes. The list of supported Db2 objects and class abbreviations is defined in Db2 object types. If only one class is used for an object, it must be defined with the member prefix. An additional class is used to support Db2 administrative authorities. The format of the class names of Db2 objects depends on the classification model you use.