Db2 object classes that include privileges in RACF resource class MDSNSM

Some RACF security scenarios include profiles in the MDSNSM resource class for object-level privileges.

If the MDSNSM resource class profile is defined, it might impact the RACF exit return code for object-level profile checks.

For example, suppose that the following conditions exist:

A profile is defined for SQLADM in the MDSNSM resource class with a universal access authority of NONE:
```
RDEF MDSNSM DB2A.SQLADM UACC(NONE)
```
No object level profiles are defined for SELECT access on table SYSIBM.SYSTABLES in the MDSNTB class.
The MDSNTB class has been activated.
The DSNADM class allows access to certain users, but not USER01.

Now suppose that user USER01 issues the following SELECT statement:

SELECT * FROM SYSIBM.SYSTABLES WHERE NAME='CUSTOMER';

The RACF exit return code is 8 because the MDSNSM resource class profile is considered to be at the same level as the object profile. If the SQLADM profile were not defined, the RACF exit return code would be 4.

The following table lists the Db2 object-level privileges for which the RACF exit return code can change when privileges are included in RACF resource class MDSNSM.

Table 1. Db2 object-level privileges that include privileges in the MDSNSM resource class
Db2 object type (XAPLTYPE)	Authority or privilege needed in the MDSNSM resource class (XAPLPRIV)
Database (D)	DISPLAYDB (DSPDBAUTD) Run REPAIR utility (DIAGAUTD) STATS (STATSAUTD)
Package (K)	BIND (BINDAUTK) COPY (COPYAUTK) EXECUTE (CHKEXECK) for system-defined routine packages
Plan (P)	BIND (BINDAUTP)
Stored procedure (O)	EXECUTE (CHKEXECO) on system-defined routines
User-defined function (F)	EXECUTE (CHKEXECF) on system-defined routines
Table (T)	SELECT (SELCTAUTT), INSERT (INSRTAUTT), UPDATE (UPDTEAUTT), DELETE (DELETAUTT), UNLOAD (ULOADAUTT) on catalog and directory tables Any of the table privileges (ANYTBAUTT), for DESCRIBE TABLE
View (V)	Any of the table privileges (ANYTBAUTV), for DESCRIBE TABLE on a view