Granting RACF access for payroll management to a RACF group

During implementation of RACF security for the Spiffy database, RACF profiles for access to the PAYMGR view must be created, and access to those profiles must be granted to the PAYMGRS RACF group.

About this task

The security administrator associates the payroll managers' IDs with the PAYMGRS group. Next, privileges on the PAYMGR view, the compensation application, and the payroll update application are granted to PAYMGRS. The payroll update application must have the appropriate privileges on the update table.

Example

Suppose that ID SYSADM created the PAYMGR view in subsystem DB2A. To define the RACF profiles for the SELECT, INSERT, UPDATE, and DELETE privileges on the PAYMGR view in subsystem DB2A, and grant access to the PAYMGRS group, use statements like these:

RDEFINE MDSNTB DB2A.SYSADM.PAYMGR.SELECT UACC(NONE)
RDEFINE MDSNTB DB2A.SYSADM.PAYMGR.INSERT UACC(NONE)
RDEFINE MDSNTB DB2A.SYSADM.PAYMGR.UPDATE UACC(NONE)
RDEFINE MDSNTB DB2A.SYSADM.PAYMGR.DELETE UACC(NONE)
PERMIT DB2A.SYSADM.PAYMGR.SELECT CLASS(MDSNTB) ID(PAYMGRS) ACC(READ)
PERMIT DB2A.SYSADM.PAYMGR.INSERT CLASS(MDSNTB) ID(PAYMGRS) ACC(READ)
PERMIT DB2A.SYSADM.PAYMGR.UPDATE CLASS(MDSNTB) ID(PAYMGRS) ACC(READ)
PERMIT DB2A.SYSADM.PAYMGR.DELETE CLASS(MDSNTB) ID(PAYMGRS) ACC(READ)
SETROPTS RACLIST(MDSNTB) REFRESH

Suppose that the application plan name for the compensation application is COMPENS. To define a RACF profile for the EXECUTE privilege on the compensation application, and grant access to the PAYMGRS group, use statements like these:

RDEFINE MDSNPN DB2A.COMPENS.EXECUTE UACC(NONE)
PERMIT DB2A.COMPENS.EXECUTE CLASS(MDSNPN) ID(PAYMGRS) ACC(READ)
SETROPTS RACLIST(MDSNPN) REFRESH
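
As an added example (not part of the original documentation), the following Python check reviews a batch of RACF commands like the ones above before it is submitted. It reports profiles defined without UACC(NONE), profiles that never receive a PERMIT, and classes changed without a later SETROPTS RACLIST REFRESH. It assumes one fully spelled-out command per line and one profile per RDEFINE; the helper name `lint_batch` and the sample batch are constructed for illustration.

```python
import re

# Constructed sample batch: the plan statements from this page, followed by a
# view profile with an open UACC, no PERMIT, and no refresh of its class.
SAMPLE_BATCH = """\
RDEFINE MDSNPN DB2A.COMPENS.EXECUTE UACC(NONE)
PERMIT DB2A.COMPENS.EXECUTE CLASS(MDSNPN) ID(PAYMGRS) ACC(READ)
SETROPTS RACLIST(MDSNPN) REFRESH
RDEFINE MDSNTB DB2A.SYSADM.PAYMGR.DELETE UACC(READ)
"""

RDEFINE = re.compile(r"RDEFINE\s+(\S+)\s+(\S+)(.*)")
PERMIT = re.compile(r"PERMIT\s+(\S+)\s+.*CLASS\(([^)]+)\)")
REFRESH = re.compile(r"SETROPTS\s+RACLIST\(([^)]+)\)\s+REFRESH")

def lint_batch(text):
    """Return review findings for a batch of RACF commands (hypothetical helper)."""
    findings = []
    defined = {}       # (class, profile) -> line where it was defined
    permitted = set()  # (class, profile) pairs that received a PERMIT
    unrefreshed = {}   # class -> line of the last change not yet refreshed
    for num, raw in enumerate(text.upper().splitlines(), 1):
        line = raw.strip()
        if m := RDEFINE.match(line):
            cls, profile, options = m.groups()
            defined[(cls, profile)] = num
            unrefreshed[cls] = num
            if "UACC(NONE)" not in options:
                findings.append(f"line {num}: {profile} lacks UACC(NONE)")
        elif m := PERMIT.match(line):
            profile, cls = m.groups()
            permitted.add((cls, profile))
            unrefreshed[cls] = num
        elif m := REFRESH.match(line):
            unrefreshed.pop(m.group(1), None)
    for (cls, profile), num in defined.items():
        if (cls, profile) not in permitted:
            findings.append(f"line {num}: {profile} has no PERMIT in {cls}")
    for cls, num in unrefreshed.items():
        findings.append(f"line {num}: {cls} changed without a later RACLIST REFRESH")
    return findings

if __name__ == "__main__":
    for finding in lint_batch(SAMPLE_BATCH):
        print(finding)
```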