Authorizing users to access resources in Db2
Once a user has accessed the Db2® address space from a CICS® transaction, they might also need permission to issue Db2 commands or to execute a plan.
About this task
Security checking in the Db2 address space can be performed by:
- Db2 internal security.
- RACF®, or an equivalent external security manager.
- Partly Db2, and partly RACF.
For more information about setting up RACF to perform security checking in the Db2 address space, see Securing Db2 in Db2 for z/OS product documentation.
If you are using RACF for some or all of the security checking in your Db2 address space, remember that CICS transactions that sign on to Db2 must provide an authorization ID. For more information, see Providing authorization IDs to Db2 for CICS transactions. CICS must also be using RACF (SEC=YES must be specified in the SIT). This is because, when RACF is used for security checking in the Db2 address space, CICS needs to pass a RACF access control environment element (ACEE) to Db2. CICS can produce an ACEE only if RACF is active, and only threads defined with the GROUP, SIGN, or USERID option can pass the ACEE to Db2.
When the ACEE is passed to Db2, it is used by the Db2 exit DSNX@XAC, which determines whether RACF, an equivalent non-IBM® external security manager, or Db2 internal security is used for security checking. DSNX@XAC is driven when a transaction whose thread has signed on to Db2 issues API requests. You can modify DSNX@XAC. For more information, see Securing Db2 in Db2 for z/OS product documentation.
Db2, or the external security manager, performs security checking using the authorization IDs that the CICS transaction provided to Db2 when the thread that it was using signed on to Db2. The authorization IDs could be related to the individual CICS user (for example, the CICS user's user ID and the RACF groups to which the user is connected), or they could be related to the transaction (for example, the terminal ID or transaction ID), or they could be related to the whole CICS region. For more information, see Providing authorization IDs to Db2 for the CICS region and for CICS transactions.
Db2, or the external security manager, checks that the authorization IDs have been given permission to perform the relevant actions in Db2. You give the authorization IDs this permission by using GRANT statements in Db2. For information about how to grant and revoke Db2 permissions for authorization IDs, see Securing Db2 in Db2 for z/OS product documentation.
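The following Db2 SQL is an added example, not part of the IBM documentation, showing how the permissions described above are typically granted so that a CICS transaction's thread can execute a plan. The plan name CICSPLN1, the RACF group CICSGRP1, the user ID CICSUSR1, and the table PAYROLL.EMP are hypothetical. It assumes the thread is defined with the GROUP option, so that DSNX@XAC sees the user's RACF group as a secondary authorization ID and the grant can be made to the group rather than to each user.

```sql
-- Added example (hypothetical names); not from the IBM page.
-- Grant EXECUTE on the specific plan to the RACF group that a GROUP thread
-- presents as a secondary authorization ID. This keeps privileges scoped to
-- one plan instead of granting a system authority such as SYSADM.
GRANT EXECUTE ON PLAN CICSPLN1 TO CICSGRP1;

-- If the plan issues dynamic SQL, the authorization ID also needs the table
-- privileges the SQL requires (static SQL uses the plan owner's privileges).
GRANT SELECT ON PAYROLL.EMP TO CICSGRP1;

-- Remove a direct grant made to an individual user so that access is governed
-- solely by RACF group membership, which is what an auditor can review centrally.
REVOKE EXECUTE ON PLAN CICSPLN1 FROM CICSUSR1;

-- Verify who can execute the plan by reading the Db2 catalog.
SELECT GRANTEE, EXECUTEAUTH
  FROM SYSIBM.SYSPLANAUTH
 WHERE NAME = 'CICSPLN1';
```

The catalog query is the check to run after any change: every GRANTEE listed for the plan should be an authorization ID that a CICS thread can actually present (a user ID, a RACF group, or the region or transaction ID, depending on the AUTHTYPE in use), and nothing else.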