Tailoring Authorization Switching
About this task
Alter Tablespace ALT, Alter Table ALT, WSLs, Change Management, Change Management batch, and IBM® Db2 Object Comparison Tool for z/OS® make use of authorization switching. These functions allow table spaces and tables to be redefined, which requires that they, and any dependent objects, be dropped and re-created. However, the job submitter might not have the necessary authority to rebuild all the objects and authorizations. Authorization switching allows the job submitter to use an ID that does have the authority to run the DDL to rebuild the objects.
Before Db2 Admin Tool Authorization Switching can be used, some additional installation steps must be performed to enable and protect it.
To complete the installation of Db2 Admin Tool Authorization Switching:
Procedure
ADBAUTHS.ssid.auth-switch-id
Example
FACILITY ADBAUTHS.DSN.SYSADMZ1
For Db2 Admin Tool Authorization Switching to proceed, the job submitter requires READ authority to the profile that protects this resource. The standard RACF profile rules apply for this resource. An installation can use general or more granular profile controls, as listed in the following table.
Granularity | Example |
---|---|
A single profile that protects all subsystem/user ID combinations | FACILITY ADBAUTHS.* |
A more granular profile | FACILITY ADBAUTHS.DSN.* |
The finest degree of control | FACILITY ADBAUTHS.DSN.SYSADMZ1 |
If the FACILITY class is a RACLIST profile, the profiles must be refreshed after each change using the RACF SETROPTS command.