Example 6: Allowing access (multiple-subsystem scope)

The RACF access control module can grant access to Db2 objects based on a Db2 administrative authority profile.

This example shows how the RACF access control module allows access to a Db2 object (a table) based on a Db2 administrative authority profile. The installation has defined classes MSLH1TB1 and SLH1ADM1. Auditing is activated for all access attempts.

In this example, user ID MIKEJ is trying to alter a table called BDA0828.EMP in database JBW2000.

Setup

  • Classification model (&CLASSOPT): 2
  • Class name root (&CLASSNMT): SLH1
  • Class name suffix (&CHAROPT): 1
  • Db2 subsystem name: VHH1
  • Profiles:
    • Defined in the MSLH1TB1 class:

      VHH1.BDA0828.EMP.ALTER

      • AUDIT(ALL(READ))
      • UACC(NONE)
    • Defined in the SLH1ADM1 class:

      VHH1.SYSADM

      • AUDIT(ALL(READ))
      • UACC(NONE)
      • ID(MIKEJ) ACCESS(READ)
  • User ID MIKEJ has SYSADM authority.

Profile checking

RACF checks the following resources:

  1. VHH1.BDA0828.EMP.ALTER in class MSLH1TB1

    Results:

    • Access is denied (return code 8).
    • No failure message (ICH408I) is issued.
    • No audit records are created.
  2. VHH1.JBW2000.DBADM in class SLH1ADM1

    Results:

    • No profile is found (return code 4).
    • No failure message (ICH408I) is issued.
    • No audit records are created.
  3. VHH1.SYSADM in class SLH1ADM1

    Results:

    • Access is granted (return code 0).
    • No failure message (ICH408I) is issued.
    • An audit record is created, which includes the following log string data:
      • The VHH1.BDA0828.EMP.ALTER profile name
      • Input parameters identifying the request from Db2

Final result

The RACF access control module sends a return code of 0 to Db2.
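The check sequence above, as an added model (not IBM's DSNXRXAC code): class names are derived from the &CLASSOPT, &CLASSNMT and &CHAROPT values in the setup, and the profiles are a constructed stand-in for the RACF database. The denied path for a user with no authority is an assumption that extends the example; the page only shows the granted case.

```python
"""Model of the RACF access control module check order from this example.
Constructed model, not IBM's code; class and profile names follow
&CLASSOPT=2, &CLASSNMT=SLH1, &CHAROPT=1 and subsystem VHH1 from the page."""

CLASSNMT = "SLH1"
CHAROPT = "1"
TABLE_CLASS = f"M{CLASSNMT}TB{CHAROPT}"   # MSLH1TB1 (table object class)
ADMIN_CLASS = f"{CLASSNMT}ADM{CHAROPT}"   # SLH1ADM1 (administrative authority class)

# Constructed stand-in for the RACF database: (class, profile) -> UACC and access list
PROFILES = {
    (TABLE_CLASS, "VHH1.BDA0828.EMP.ALTER"): {"uacc": "NONE", "acl": {}},
    (ADMIN_CLASS, "VHH1.SYSADM"): {"uacc": "NONE", "acl": {"MIKEJ": "READ"}},
}

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

def racf_check(cls, profile, user, needed="READ"):
    """Return 0 (granted), 4 (no profile), or 8 (denied) for one resource check."""
    p = PROFILES.get((cls, profile))
    if p is None:
        return 4
    level = p["acl"].get(user, p["uacc"])      # fall back to UACC when not on the list
    return 0 if LEVELS.index(level) >= LEVELS.index(needed) else 8

def authorize_alter_table(user, subsystem, database, owner, table):
    """Walk the object, DBADM and SYSADM checks in the page's order.
    Only the decisive check produces an audit record, and its log string
    names the object profile, not the administrative profile that granted it."""
    checks = [
        (TABLE_CLASS, f"{subsystem}.{owner}.{table}.ALTER"),
        (ADMIN_CLASS, f"{subsystem}.{database}.DBADM"),
        (ADMIN_CLASS, f"{subsystem}.SYSADM"),
    ]
    results, audit = [], []
    for cls, profile in checks:
        rc = racf_check(cls, profile, user)
        results.append((cls, profile, rc))
        if rc == 0:
            audit.append({"profile": checks[0][1], "user": user, "rc": 0})
            return 0, results, audit
    # Assumed: when every check fails, the final RC 8 is audited against the object profile
    audit.append({"profile": checks[0][1], "user": user, "rc": 8})
    return 8, results, audit
```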