Matching schema names
If the user identity matches the schema name, the privileges that are associated with schema objects can be given to the user.
Certain privileges associated with schema objects (such as user-defined functions, user-defined distinct types, and stored procedures) can be given if the user identity matches the schema name. The schema name is a short SQL identifier that is used as a qualifier in the name of schema objects and creates a logical grouping of these objects. It is often, but not always, a Db2 authorization ID. For applicable privileges, the RACF access control module looks for a match on schema name before checking RACF profiles.
For authorization checking of the CREATEIN schema privilege, the RACF access control module first checks whether the user identity in either of the fields XAPLUCHK or XAPLUPRM matches the schema name in XAPLOBJN. If either of these fields matches XAPLOBJN and XAPLUCHK is not a role, the RACF access control module allows the access. For all other schema privileges, the RACF access control module first checks whether the user identity in XAPLUCHK matches the schema name in XAPLOWNQ. If those two fields are equal and XAPLUCHK is not a role, the RACF access control module allows the access. In each case, when the RACF access control module allows access, it returns return code 0 in EXPLRC1 and reason code 14 in EXPLRC2, and no further checking occurs. If the RACF access control module does not allow the access, profile checking occurs. See RACF authorization checking reference for details.
If these checks fail, for some privileges the RACF access control module checks whether implicit privileges of ownership from other objects are sufficient.
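The following Python model of the schema-name pre-check is an added example for review and audit purposes; it is not code from the RACF access control module. The Xapl tuple, the uchk_is_role flag, the use of exact string equality, and the sample requests are assumptions made for the sketch.

```python
from typing import NamedTuple, Optional, Tuple

class Xapl(NamedTuple):
    """Constructed subset of the fields named above; not the real XAPL layout."""
    privilege: str      # "CREATEIN" or any other schema privilege, e.g. "ALTERIN"
    xapluchk: str       # identity being checked
    xapluprm: str       # second identity field, consulted for CREATEIN only
    xaplobjn: str       # schema name compared for CREATEIN
    xaplownq: str       # schema name compared for all other schema privileges
    uchk_is_role: bool  # hypothetical flag: True when XAPLUCHK holds a role

ALLOWED = (0, 14)  # EXPLRC1 = 0, EXPLRC2 = 14

def schema_name_precheck(x: Xapl) -> Optional[Tuple[int, int]]:
    """Return (EXPLRC1, EXPLRC2) when the name match allows access,
    or None when the decision falls through to profile checking."""
    if x.uchk_is_role:
        return None  # a role in XAPLUCHK never qualifies for the name match
    if x.privilege == "CREATEIN":
        if x.xaplobjn in (x.xapluchk, x.xapluprm):
            return ALLOWED
    elif x.xapluchk == x.xaplownq:
        return ALLOWED
    return None

def decided_without_profiles(requests):
    """Indexes of requests that are allowed before any RACF profile is consulted."""
    return [i for i, r in enumerate(requests) if schema_name_precheck(r) == ALLOWED]

# Constructed sample requests (not taken from a real system).
SAMPLE = [
    Xapl("CREATEIN", "USRA", "PAYROLL", "PAYROLL", "", False),        # XAPLUPRM matches
    Xapl("ALTERIN", "USRA", "PAYROLL", "PAYROLL", "PAYROLL", False),  # XAPLUPRM is ignored
    Xapl("ALTERIN", "PAYROLL", "USRA", "PAYROLL", "PAYROLL", False),  # XAPLUCHK matches
    Xapl("CREATEIN", "PAYROLL", "USRA", "PAYROLL", "", True),         # XAPLUCHK is a role
]

if __name__ == "__main__":
    for i, req in enumerate(SAMPLE):
        result = schema_name_precheck(req)
        print(i, req.privilege, result if result else "profile checking")
```

Requests listed by decided_without_profiles are the ones that no RACF profile can restrict, which is the set to keep in mind when schema names coincide with user IDs.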