When the RACF access control module is bypassed

The RACF access control module is not always called to check authorization.

In the following situations, the RACF access control module is not called to check authorization:

  • The user has installation SYSOPR (when sufficient for the privilege being checked) or installation SYSADM authority. This authorization check is made strictly within Db2.
    The RACF access control module is called for any additional authorization checks that are done as part of a process, if those checks are done on behalf of another user or role that does not have installation SYSADM or installation SYSOPR authority. Examples of the processes for which the RACF access control module is called are:
    • A package is bound or rebound with an owner that is different from the primary authorization ID. The primary authorization ID is checked for all access by the RACF access control module. In this situation, if installation SYSADM authority is held by the primary authorization ID and not by the package owner, the primary authorization ID is checked for static SQL authorization in RACF.
    • Dependent privileges are revoked.
  • Db2 security has been disabled (NO was specified in the USE PROTECTION field of installation panel DSNTIPP).
  • Db2 cached the authorization information from a prior check.
  • From a prior invocation of the RACF access control module, the routine had indicated that it should not be called again.
  • Db2 GRANT statements are issued to control authorization by granting privileges in Db2.
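To make the list above concrete for someone auditing whether RACF is actually the deciding component for a given request, here is a small Python model of the dispatch decision. It is an added illustration, not Db2's own code or the DSNX@XAC exit: the installation-authority table, the set of privileges for which installation SYSOPR is treated as sufficient, the order in which the bypass conditions are tested, and the per-request flag for GRANT-managed privileges are all assumptions of this example. The one nuance it preserves from the text is the bind-with-different-owner case: when the additional check is done on behalf of an owner who lacks installation authority, the exit is called and the primary authorization ID is what RACF is asked about.

```python
"""Model (not Db2 code) of when Db2 bypasses the RACF access control module.

Every decision returned with called=False was made inside Db2, so RACF never
saw it and cannot have logged it; an auditor has to look at Db2's own trail.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed installation-authority table (assumption for this example).
INSTALL_AUTHORITY = {
    "SYSADM1": {"INSTALL_SYSADM"},
    "OPER1": {"INSTALL_SYSOPR"},
}

# Privileges for which installation SYSOPR is taken as sufficient.
# The real set is defined by Db2; this subset is constructed for the example.
SYSOPR_SUFFICIENT = {"DISPLAY", "START", "STOP"}


@dataclass
class Db2State:
    use_protection: bool = True        # USE PROTECTION field of panel DSNTIPP
    exit_declined: bool = False        # exit said "do not call me again"
    auth_cache: Set[Tuple[str, str, str]] = field(default_factory=set)


@dataclass
class AuthRequest:
    primary_authid: str
    privilege: str
    obj: str
    on_behalf_of: Optional[str] = None   # e.g. package owner on BIND/REBIND
    granted_in_db2: bool = False         # privilege controlled by Db2 GRANT


def has_install_authority(authid: str, privilege: str) -> bool:
    """Installation SYSADM covers everything; SYSOPR only listed privileges."""
    auths = INSTALL_AUTHORITY.get(authid, set())
    if "INSTALL_SYSADM" in auths:
        return True
    return "INSTALL_SYSOPR" in auths and privilege in SYSOPR_SUFFICIENT


def racf_exit_called(state: Db2State, req: AuthRequest):
    """Return (called, reason, authid RACF is asked about or None).

    The order of the checks below is an assumption of this model; the
    documentation lists the situations without specifying precedence.
    """
    if not state.use_protection:
        return False, "Db2 security disabled (USE PROTECTION=NO)", None
    if state.exit_declined:
        return False, "exit previously asked not to be called again", None
    if req.granted_in_db2:
        return False, "authorization controlled by Db2 GRANT", None
    if (req.primary_authid, req.privilege, req.obj) in state.auth_cache:
        return False, "Db2 reused a cached authorization result", None
    # Installation authority is checked strictly within Db2, but only for the
    # ID the check is actually being made for (the owner on a BIND).
    subject = req.on_behalf_of or req.primary_authid
    if has_install_authority(subject, req.privilege):
        return False, f"{subject} holds installation authority; decided in Db2", None
    # Otherwise the exit runs and the primary authorization ID is checked.
    return True, "RACF access control module invoked", req.primary_authid


def decided_without_racf(state: Db2State, requests):
    """Defender view: which requests never reached RACF, and why."""
    return [(r.primary_authid, r.privilege, r.obj, reason)
            for r in requests
            for called, reason, _ in [racf_exit_called(state, r)]
            if not called]


if __name__ == "__main__":
    st = Db2State(auth_cache={("USER7", "SELECT", "T1")})
    sample = [
        AuthRequest("SYSADM1", "SELECT", "T1"),
        AuthRequest("SYSADM1", "BIND", "PKG1", on_behalf_of="OWNER1"),
        AuthRequest("OPER1", "DISPLAY", "DB1"),
        AuthRequest("OPER1", "SELECT", "T1"),
        AuthRequest("USER7", "SELECT", "T1"),
    ]
    for row in decided_without_racf(st, sample):
        print(row)
```

Run as a script, the model lists the three sample requests that were settled inside Db2 (installation SYSADM on a plain SELECT, installation SYSOPR on DISPLAY, and the cached USER7 check); the bind on behalf of OWNER1 and OPER1's SELECT both go to the exit with the primary authorization ID as the checked identity.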