Authorization checking (XAPLFUNC = 2)
The RACF access control module requires an input ACEE to perform authority checking.
When an input ACEE (XAPLACEE) is not provided to the RACF access control module, it defers to Db2 for authority checking (EXPLRC1 set to 4). For the requests for which the input ACEE (XAPLACEE) is set to zero, see "When Db2 cannot provide an ACEE". For these requests, authority checking must be implemented using the Db2 GRANT and REVOKE statements. RACF profiles defined for these requests are not used.
The RACF access control module performs FASTAUTH checks during authorization according to the rules described in "RACF authorization checking reference". In Db2, there is no concept of negative access level. RACF access control module processing ends when FASTAUTH returns a return code of 0 or the list of checks for the request has been exhausted. Failure audit records are only created for the first failing resource. All audit records associated with the same invocation of the RACF access control module contain the same LOGSTR data.
Authorization return and reason codes
The following return and reason codes are shown in decimal notation.
- Return code 0: Access permitted
  - Reason code 0: Access permitted by FASTAUTH checking.
  - Reason code 13: Access permitted by implicit privilege of ownership.
  - Reason code 14: Access permitted because current SQL ID matches schema name.
  - Reason code 16: Access permitted because the role associated with the request owns the object.
  - Reason code 17: Access permitted because the authorization ID associated with the request owns the implicit object.
  - Reason code 18: Access permitted because the role associated with the request owns the implicit object.
- Return code 4: Unable to determine; perform Db2 authorization checking
  - Reason code 0: Input class (XAPLTYPE) not active.
  - Reason code 11: Input ACEE (XAPLACEE) not provided.
  - Reason code 14: The ALET could not be created for cross memory ACEE.
  - Reason code 15: Input privilege code (XAPLPRIV) or input class (XAPLTYPE) not defined to the RACF access control module.
  - Reason code 16: Input privilege code (XAPLPRIV) does not contain any rules.
  - Reason code 18: Issued when running on z/OS® 1.7 and trying to create an object in a trusted context with the role as object owner clause.
- Return code 8: Access denied
  - Reason code 0: Access denied.
  - Reason code 17: Autobind indicator (XAPLAUTO) is not zero, indicating an autobind was requested. Manual REBIND is required.
  - Reason code 18: DSNXRXAC was assembled with z/OS 1.7 or earlier macros and an authorization check is being made where only a role can allow access.
  - Reason code 100: Role information was passed, but ignored because the RACF access control module was assembled with z/OS 1.7 macros.
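The check-list processing and three of the deferral cases above, modelled in Python as an added example (not IBM's DSNXRXAC code). The resource names, user IDs, the `stub_fastauth` helper, the order of the deferral tests, and writing the failure record only on overall denial are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Decision:
    rc: int        # return code (EXPLRC1)
    reason: int    # reason code, decimal, as in the list above
    audit: list = field(default_factory=list)

def authorize(acee, class_active, checks, fastauth, logstr):
    """Model one authorization request (XAPLFUNC = 2).

    checks:   ordered resource names to test for this request
    fastauth: callable(acee, resource) returning 0 when access is permitted
    """
    if acee is None:
        return Decision(4, 11)   # no XAPLACEE: Db2 GRANT/REVOKE decides
    if not class_active:
        return Decision(4, 0)    # XAPLTYPE class inactive: defer to Db2
    if not checks:
        return Decision(4, 16)   # privilege code has no rules: defer to Db2
    first_failure = None
    for resource in checks:
        if fastauth(acee, resource) == 0:
            # Processing ends at the first return code 0; earlier
            # failed checks do not veto a later permit.
            return Decision(0, 0)
        if first_failure is None:
            first_failure = resource
    # List exhausted: deny. One failure record, for the first failing
    # resource only (assumption: written only on overall denial).
    return Decision(8, 0, [("FAILURE", first_failure, logstr)])

# Constructed sample data: hypothetical resource names and permits.
PERMITS = {("USER1", "DSN.SYSADM")}
CHECKS = ["DSN.PAYROLL.EMP.SELECT", "DSN.PAYROLL.DBADM", "DSN.SYSADM"]

def stub_fastauth(acee, resource):
    """Hypothetical stand-in for FASTAUTH: 0 = permitted, 8 = not."""
    return 0 if (acee, resource) in PERMITS else 8

def demo():
    log = "constructed LOGSTR"
    users = ("USER1", "USER2", None)   # None models a missing ACEE
    return [authorize(u, True, CHECKS, stub_fastauth, log) for u in users]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Requests that come back with return code 4 are the ones to review against Db2 GRANT and REVOKE, since RACF profiles play no part in their outcome.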