Tailoring Authorization Switching

Authorization Switching is a facility within Db2 Admin Tool that is used to execute DDL and DCL under the authority of another user. This other user is called the auth-switch ID, and the ID that submits the job is called the submitter. The facility covers only DDL and DCL; it does not cover other statement types, such as Db2 utility commands and DSN subcommands (for example, FREE PACKAGE and BIND PLAN).

About this task

Deprecation notice: Authorization switching is deprecated in Db2 Admin Tool. For more information, see Deprecated functions and functions that are no longer supported in Db2 Admin Tool 12.1.

Alter Tablespace ALT, Alter Table ALT, WSLs, Change Management, Change Management batch, and IBM® Db2 Object Comparison Tool for z/OS® make use of authorization switching. These functions allow table spaces and tables to be redefined, which requires that they, and any dependent objects, be dropped and re-created. However, the submitter might not have the authority to rebuild all of the objects and authorizations. Authorization switching allows the submitter to run the DDL under an ID that does have that authority.

Before Db2 Admin Tool Authorization Switching can be used, some additional installation steps must be performed to enable and protect it.

To complete the installation of Db2 Admin Tool Authorization Switching:

Procedure

Create RACF® profiles, or the equivalent in your external security manager, to protect the facility.
Tip: When Db2 Admin Tool Authorization Switching is enabled for a Db2 subsystem, create a RACF profile to protect the facility from unauthorized use. When DDL that uses Authorization Switching is run, Db2 Admin Tool makes a RACF access check against a resource that represents the use of a given auth-switch ID on that Db2 subsystem. The resource is in the IBM-supplied RACF FACILITY class and has the following form:
ADBAUTHS.ssid.auth-switch-id

Example

If the Db2 subsystem is DSN and the desired authorization ID to use is SYSADMZ1, the RACF resource name that Db2 Admin Tool generates is:
FACILITY ADBAUTHS.DSN.SYSADMZ1

For Db2 Admin Tool Authorization Switching to proceed, the submitter requires READ authority to the profile that protects this resource. The standard RACF profile rules apply: when more than one profile could cover the resource, the most specific matching profile governs the access check. Because READ access lets the submitter run DDL and DCL with the privileges of the auth-switch ID, grant it only to the submitters that need it. An installation can use broad or more granular profiles, as shown in the following table.

Table 1. Controlling the granularity of profiles

Granularity                                                        Example
-----------------------------------------------------------------  ----------------------------------
A single profile that protects all subsystem/auth-switch-ID pairs  FACILITY ADBAUTHS.*
A profile that protects all auth-switch IDs on one subsystem       FACILITY ADBAUTHS.DSN.*
The finest degree of control: one auth-switch ID on one subsystem  FACILITY ADBAUTHS.DSN.SYSADMZ1

If the FACILITY class is RACLISTed (its profiles are held in storage), the in-storage profiles must be refreshed after each change by using the RACF command SETROPTS RACLIST(FACILITY) REFRESH; until then, new or changed profiles do not take effect.
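The following batch job is an added example of the procedure above; it is not part of the Db2 Admin Tool documentation or product. It defines a generic backstop profile that denies every subsystem/auth-switch-ID combination, then the most specific profile for auth-switch ID SYSADMZ1 on subsystem DSN, permits a single submitter, refreshes the RACLISTed FACILITY class, and lists the result so the access list can be verified. The job name, accounting information, and the submitter user ID JSMITH are assumed values; the profile names come from the example in this section.

```jcl
//ADBRACF  JOB (ACCT),'ADB AUTH SWITCH',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Example only: protect Db2 Admin Tool Authorization Switching.
//* JSMITH is an assumed submitter user ID; ACCT is an assumed account.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Generic profiles must be enabled for the class before a  */
  /* generic name such as ADBAUTHS.* can be defined.           */
  SETROPTS GENERIC(FACILITY)
  /* Backstop: deny every ssid/auth-switch-id pair by default, */
  /* and log every successful and failed access attempt.       */
  RDEFINE FACILITY ADBAUTHS.* UACC(NONE) AUDIT(ALL(READ))
  /* Most specific profile: the one RACF will select for the   */
  /* resource ADBAUTHS.DSN.SYSADMZ1. Still UACC(NONE); access   */
  /* comes only from the explicit access list.                 */
  RDEFINE FACILITY ADBAUTHS.DSN.SYSADMZ1 UACC(NONE) AUDIT(ALL(READ))
  /* READ is all the submitter needs for the switch to proceed. */
  PERMIT ADBAUTHS.DSN.SYSADMZ1 CLASS(FACILITY) ID(JSMITH) +
     ACCESS(READ)
  /* FACILITY is normally RACLISTed: refresh the in-storage    */
  /* profiles or the new definitions are not used.             */
  SETROPTS RACLIST(FACILITY) REFRESH
  /* Verify: AUTHUSER shows the access list of each profile.   */
  RLIST FACILITY ADBAUTHS.DSN.SYSADMZ1 AUTHUSER
  RLIST FACILITY ADBAUTHS.* AUTHUSER
/*
```

Run RLIST before RDEFINE if you are unsure whether a profile already exists: RDEFINE fails for a name that is already defined, and an existing broader profile with a permissive UACC would otherwise go unnoticed. Use SETROPTS LIST to confirm that FACILITY is RACLISTed before relying on the REFRESH step.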

Restriction: Db2 Admin Tool Authorization Switching requires that the RRS Attach Facility (RRSAF) of Db2 for z/OS is available.