(ZOS) RACF protection for DB2
Use the Resource Access Control Facility (RACF) DSNR resource class to protect DB2 resources. This helps you centralize security management. This section gives pointers to general information about setting up RACF protection for DB2 and specific information about the resources, groups, user IDs, and permissions used by WebSphere Application Server for z/OS.
There are three functional areas in RACF to consider regarding protection for DB2:
- RACF DSNR class
The RACF DSNR class controls access to the DB2 subsystems. If the DSNR class is active, then WAS for z/OS controllers and servants need access to the db2_ssn.RRSAF profiles, where db2_ssn is your DB2 subsystem name. If a controller or servant does not have access, then that region will not initialize.
- Secondary authorization IDs
The DB2 identification and signon exits (DSN3@ATH and DSN3@SGN) are used to assign authorization IDs. To use secondary authorization IDs (RACF group names), we must replace the default exits with the two sample routines. For details on how to install these sample routines, see the DB2 Administration Guide.
- Grant statements
WAS for z/OS does not support the protection of DB2 objects through the DSNX@XAC exit. To protect DB2 objects, we must use GRANT statements.
For more information on using RACF with DB2, see the documentation in the DB2 Information Centers.
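The DSNR setup described above can be scripted as a small REXX exec that issues the RACF commands from TSO. This is an added example, not taken from the original page or from IBM's samples: the subsystem name `DB2A`, the controller and servant user IDs `WSCRU1` and `WSSRU1`, and the choice of READ access are assumptions to replace with your own values.

```rexx
/* REXX - added example, not from the original page.                 */
/* Assumed (hypothetical) names: DB2 subsystem DB2A, controller      */
/* user ID WSCRU1, servant user ID WSSRU1. Run from TSO under an     */
/* ID that is allowed to administer the DSNR class.                  */
ssn     = 'DB2A'
regions = 'WSCRU1 WSSRU1'
profile = ssn'.RRSAF'            /* db2_ssn.RRSAF */

/* Activate the class; no effect if it is already active */
call run "SETROPTS CLASSACT(DSNR)"

/* Define the RRSAF profile with no default access, so only   */
/* explicitly permitted IDs can connect through RRSAF         */
call run "RDEFINE DSNR ("profile") UACC(NONE)"

/* Permit each controller and servant ID; without this the    */
/* region will not initialize once DSNR is active             */
do i = 1 to words(regions)
  call run "PERMIT" profile "CLASS(DSNR) ID("word(regions,i)") ACCESS(READ)"
end

/* Refresh the in-storage profiles if DSNR is RACLISTed */
call run "SETROPTS RACLIST(DSNR) REFRESH"

/* List the resulting access list so it can be reviewed */
call run "RLIST DSNR" profile "AUTHUSER"
exit 0

/* Issue one TSO command, echo it, and report a non-zero return code */
run: procedure
  parse arg cmd
  say cmd
  address TSO cmd
  if rc <> 0 then say '  RC='rc 'from:' cmd
  return rc
```

A non-zero return code from RDEFINE usually means the profile already exists; check the RLIST output for any ID on the access list that is not a WAS for z/OS region.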
Related:
- WAS security for z/OS
- Use CBIND to control access to clusters