Choosing the RACF access control module customization options

When you modify the customization options from their default values, you can define classes in the installation-supplied class descriptor table.

Using the default values allows the RACF access control module to use the classes in the class descriptor table (CDT) supplied by IBM®. (See Supplied RACF resource classes for Db2.)

The RACF access control module uses the values &CLASSOPT, &CLASSNMT, and &CHAROPT to determine the format of the class names and resource names it constructs to protect the Db2 objects. Make sure that you understand the consequences of changing or keeping these defaults before you complete Installing the RACF access control module.

Restriction: Each option that you specify in the RACF access control module applies to the entire Db2 subsystem using the module. This means that the &CLASSOPT, &CLASSNMT, and &CHAROPT values you select apply to all classes used by that Db2 subsystem. If you have multiple Db2 subsystems and must apply different values across subsystems, install the RACF access control module separately on each subsystem, each with its own set of processing options.

Table 1. Set symbols and values
| Set symbol | Description | Default value | See… |
|---|---|---|---|
| &CLASSOPT | Specifies the class scope option. Valid values: 1 (single-subsystem scope), 2 (multiple-subsystem scope). | 2 | Choosing the class scope |
| &CLASSNMT | Specifies the class name root, which is characters 2–5 of the class name, and is used only when you also specify &CLASSOPT 2. (When you specify &CLASSOPT 1, the Db2 subsystem name or, if data sharing, the Db2 group attachment name, is used as the class name root.) Rule: This value must be 1–4 characters long. | DSN | Choosing the class name root and suffix |
| &CHAROPT | Specifies the class name suffix, which is the last character of the class name for installation-defined classes. Valid values: 0–9, #, @, $, or a blank character (' '). | 1 | Choosing the class name root and suffix |
| &ERROROPT | Specifies the action to take in the event of an initialization or authorization error. Valid values: 1 (native Db2 authorization is used; this is the default), 2 (the Db2 subsystem is requested to stop). | 1 | Choosing the error option |
| &PCELLCT | Specifies the number of primary work area cells. | 50 | Customizing the number of exit work area cells |
| &SCELLCT | Specifies the number of secondary work area cells. | 50 | Customizing the number of exit work area cells |
| &SERVICELEVEL | For IBM use only | | |

The default values for all customization options as shipped with the RACF access control module are shown in the following figure.

Figure 1. Default values for installation options
            GBLC  &CLASSNMT,&CHAROPT,&CLASSOPT                                  
            GBLA  &PCELLCT,&SCELLCT                                             
     &CLASSOPT     SETC  '2'     1 - Use Single Subsystem Class Scope           
     *                               Classification Model I                     
     *                               (One set of classes for EACH subsys)       
     *                           2 - Use Multi-Subsystem Class Scope            
     *                               Classification Model II                    
     *                               (One set of classes for ALL subsys)        
     &CLASSNMT     SETC  'DSN'   DB2 Subsystem Name (Up to 4 chars)        
     &CHAROPT      SETC  '1'     One character suffix (0-9, #, @ or $)     
     &ERROROPT     SETC  '1'     1 - Use Native DB2 authorization          
     *                           2 - Stop the DB2 subsystem                
     &PCELLCT      SETA  50      Primary Cell Count                        
     &SCELLCT      SETA  50      Secondary Cell Count
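
The following is an added example, not IBM-supplied code: a Python check that reads SETC/SETA lines in the format of Figure 1, validates them against the valid values in Table 1, and reports the error action and class name root that result. The sample source is constructed, and the function names and the subsystem name used with them are this example's own assumptions.

```python
import re

# Constructed sample in the format of Figure 1; &CLASSNMT is deliberately
# too long so that the check below reports a finding.
SAMPLE = """\
&CLASSOPT     SETC  '2'     1 - Use Single Subsystem Class Scope
*                           2 - Use Multi-Subsystem Class Scope
&CLASSNMT     SETC  'DSNDB'   DB2 Subsystem Name (Up to 4 chars)
&CHAROPT      SETC  ' '     One character suffix (0-9, #, @ or $)
&ERROROPT     SETC  '2'     1 - Use Native DB2 authorization
&PCELLCT      SETA  50      Primary Cell Count
"""

# Defaults from Table 1, used for any symbol the source does not set.
DEFAULTS = {"CLASSOPT": "2", "CLASSNMT": "DSN", "CHAROPT": "1",
            "ERROROPT": "1", "PCELLCT": "50", "SCELLCT": "50"}

SET_LINE = re.compile(r"^\s*&(\w+)\s+(SETC\s+'([^']*)'|SETA\s+(\d+))")

def parse_options(source):
    """Return the option values set in the source, on top of the defaults."""
    opts = dict(DEFAULTS)
    for line in source.splitlines():
        m = SET_LINE.match(line)          # comment lines ('*') never match
        if m and m.group(1) in DEFAULTS:
            opts[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return opts

def check_options(opts):
    """Return a list of findings; an empty list means every value is valid."""
    findings = []
    if opts["CLASSOPT"] not in ("1", "2"):
        findings.append("&CLASSOPT must be 1 or 2")
    if not 1 <= len(opts["CLASSNMT"]) <= 4:
        findings.append("&CLASSNMT must be 1-4 characters long")
    if not re.fullmatch(r"[0-9#@$ ]", opts["CHAROPT"]):
        findings.append("&CHAROPT must be 0-9, #, @, $ or a blank")
    if opts["ERROROPT"] not in ("1", "2"):
        findings.append("&ERROROPT must be 1 or 2")
    return findings

def error_action(opts):
    """What happens on an initialization or authorization error (Table 1)."""
    return {"1": "native Db2 authorization is used",
            "2": "the Db2 subsystem is requested to stop"}.get(opts["ERROROPT"], "invalid")

def class_name_root(opts, subsystem_name):
    """&CLASSNMT under &CLASSOPT 2; otherwise the subsystem or group attachment name."""
    return opts["CLASSNMT"] if opts["CLASSOPT"] == "2" else subsystem_name
```

Because each option applies to the entire Db2 subsystem, run the check once per subsystem's copy of the module source.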