Db2 subsystem access control
You can control whether a process can gain access to a specific Db2 subsystem from outside of Db2. A common approach is to grant access through RACF® or a similar security system.
A RACF system provides several advantages. For example, you can use RACF for the following objectives:
- Identify and verify the identifier that is associated with a process
- Connect those identifiers to RACF group names
- Log and report unauthorized attempts to access protected resources
Profiles for access to Db2 from various environments and Db2 address spaces are defined as resources to RACF. Each request to access Db2 is associated with an ID. RACF determines whether the ID is authorized for Db2 resources. If the ID is authorized, RACF permits access to Db2.
You can also consider using the security capabilities of IMS or CICS® to manage access to Db2:
- IMS terminal security lets you limit the entry of a transaction code to a particular logical terminal (LTERM) or group of LTERMs in the system. To protect a particular program, you can authorize its transaction code to be entered only from terminals on a list of LTERMs. Alternatively, you can associate each LTERM with a list of the transaction codes that a user can enter from that LTERM. IMS then passes the validated LTERM name to Db2 as the initial primary authorization ID.
- CICS transaction code security works with RACF to control the transactions and programs that can access Db2. Within Db2, you can use the ENABLE and DISABLE options of the bind operation to limit access to specific CICS subsystems.
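The following TSO commands are an added example, not part of this page, of how the RACF profiles described above and the ENABLE/DISABLE bind option fit together. They assume a Db2 subsystem named DSN (so the DSNR profiles are DSN.environment), a RACF group DB2USERS, a CICS connection CICSA, and a plan CICSPLAN; all of these names are placeholders chosen for the example.

```tso
/* Activate the DSNR class, which holds the Db2 connection profiles.      */
SETROPTS CLASSACT(DSNR)

/* One profile per connection environment. UACC(NONE) denies every ID    */
/* that is not explicitly permitted; AUDIT(FAILURES(READ)) logs each      */
/* rejected attempt so that it can be reported (the "log and report"      */
/* objective above).                                                      */
RDEFINE DSNR (DSN.BATCH) UACC(NONE) AUDIT(FAILURES(READ))  /* TSO, batch, CAF */
RDEFINE DSNR (DSN.MASS)  UACC(NONE) AUDIT(FAILURES(READ))  /* IMS             */
RDEFINE DSNR (DSN.SASS)  UACC(NONE) AUDIT(FAILURES(READ))  /* CICS            */
RDEFINE DSNR (DSN.DIST)  UACC(NONE) AUDIT(FAILURES(READ))  /* DDF             */
RDEFINE DSNR (DSN.RRSAF) UACC(NONE) AUDIT(FAILURES(READ))  /* RRSAF           */

/* Grant access by RACF group, not by individual user ID. READ is the     */
/* level Db2 checks for a connection request. Only the environments the  */
/* group actually needs are permitted; the rest stay denied.              */
PERMIT DSN.BATCH CLASS(DSNR) ID(DB2USERS) ACCESS(READ)
PERMIT DSN.SASS  CLASS(DSNR) ID(DB2USERS) ACCESS(READ)

/* Refresh the in-storage copy so the new profiles take effect.           */
SETROPTS RACLIST(DSNR) REFRESH

/* Inside Db2, restrict the plan to the CICS subsystem CICSA only, so     */
/* that even a permitted ID cannot run it from batch or another CICS.    */
DSN SYSTEM(DSN)
BIND PLAN(CICSPLAN) ENABLE(CICS) CICS(CICSA)
END
```

A connection attempt from an environment without a matching PERMIT (for example, DDF against DSN.DIST here) is rejected by RACF before Db2 authorization is consulted, and the failure is recorded in the RACF audit trail.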