DB2/RACF stored proc access query

Jerry Long

Hi Listers,

I'm in the process of converting security for our stored procedures from native DB2 to RACF, using the DB2/RACF exit
and RACF class MDSNSP. All looks OK except for a funny which I'm not sure about.

When a package containing a stored proc call is bound, a row is added to SYSROUTINEAUTH with GRANTEE='callingpgm' and
GRANTEETYPE='P'.

However, when the new RACF profile for the stored proc has been created, it is not possible to give a permission to the calling program
as it is not a recognised RACF resource. So, the DB2 auth cannot be recreated in RACF.

Does anyone know whether DB2 will reject a call for the stored proc because the calling program is not authorised in RACF, or whether
it will ignore the exit and satisfy the call authorisation from SYSROUTINEAUTH? So far, our testing has proved inconclusive.

T.I.A.
Jerry

Jerry Long
MBL DBA

Roger Miller

Re: DB2/RACF stored proc access query
(in response to Jerry Long)
I think that's the internal grant, which is not needed for external
security. What I hear most often is a situation where the user does not
have an ACEE, since there are so many options for task structure and so
many products involved. I hope you have a good formatter for the IFCID
0314 records.

Roger Miller