[z/OS]

RACF protection for DB2

You can use the Resource Access Control Facility (RACF®) DSNR resource class to protect DB2® resources. This helps you centralize security management. This section gives you pointers to general information about setting up RACF protection for DB2 and specific information about the resources, groups, user IDs, and permissions used by WebSphere® Application Server for z/OS®.

There are three functional areas in RACF to consider regarding protection for DB2:
  • RACF DSNR class

    The RACF DSNR class controls access to the DB2 subsystems. If the DSNR class is active, then WebSphere Application Server for z/OS controllers and servants need access to the db2_ssn. RRSAF profiles, where db2_ssn is your DB2 subsystem name. If a controller or servant does not have access, then that region will not initialize.

  • Secondary authorization IDs

    DB2 identification and signon exits (DSN3@ATH and DSN3@SGN) are used to assign authorization IDs. If you want to use secondary authorization IDs (RACF group names), then you must replace the default exits with these two sample routines. For details on how to install these sample routines, see DB2 Administration Guide.

  • Grant statements

    WebSphere Application Server for z/OS does not support the protection of DB2 objects through the DSNX@XAC exit. To protect DB2 objects, you must use GRANT statements.

For more information on using RACF with DB2, see the documentation in the DB2 Information Centers.


Icon that indicates the type of topic Concept topic



Timestamp icon Last updated: March 5, 2017 17:24
File name: csec_settingracf.html