RACF security MDSNTB

John Kliewe


We are about to create a new Db2 subsystem and will be using the RACF exit [login to unmask email] for RACF-controlled access. I understand there are two options for setting this up:

Multi-system: there is one RACF class named MDSNTB which covers all Db2 subsystems that share the RACF database. In a multi-system setup, the RACF class is named MDSNTB and your profile name will begin with the Db2 subsystem name; for example, DB2A.Q.STAFF.SELECT will give you SELECT access to q.staff in subsystem DB2A.

Single-system: a separate RACF class for tables is created for each subsystem. To get SELECT access to Q.staff in subsystem DB2B, you will need access in RACF class MDB2BTB, and the profile is named Q.STAFF.SELECT.

Anyone have experience working with both? Are there pros/cons? My instinct is to go with single-system, so that the people who administer RACF for subsystem DB2A can be separated from those for DB2B if necessary.
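The two profile layouts described above in RACF command form, as an added example rather than commands from the original post. User ID DBAUSR1, groups DB2AADM and DB2BADM, and POSIT number 500 are placeholders, and the access level READ is assumed to be what the Db2 access control module checks for table privileges; confirm that against the exit's documentation.

```tso
/* Multi-system layout: one shared class, subsystem name prefixes the profile */
/* Placeholder values: DBAUSR1 (user), DB2AADM (owning group)                 */
RDEFINE MDSNTB DB2A.Q.STAFF.SELECT UACC(NONE) OWNER(DB2AADM)
PERMIT DB2A.Q.STAFF.SELECT CLASS(MDSNTB) ID(DBAUSR1) ACCESS(READ)
SETROPTS CLASSACT(MDSNTB) RACLIST(MDSNTB)
/* A change for any subsystem refreshes the whole shared class */
SETROPTS RACLIST(MDSNTB) REFRESH

/* Single-system layout: a class per subsystem, which must exist in the     */
/* class descriptor table before Db2 starts. Defined here in the dynamic    */
/* CDT; POSIT 500 is a placeholder and must be unique among your classes.   */
RDEFINE CDT MDB2BTB UACC(NONE) -
  CDTINFO(DEFAULTUACC(NONE) FIRST(ALPHA) -
          OTHER(ALPHA NUMERIC NATIONAL SPECIAL) -
          MAXLENGTH(246) POSIT(500) RACLIST(REQUIRED))
SETROPTS RACLIST(CDT) REFRESH
/* Profile carries no subsystem prefix; the class identifies the subsystem   */
RDEFINE MDB2BTB Q.STAFF.SELECT UACC(NONE) OWNER(DB2BADM)
PERMIT Q.STAFF.SELECT CLASS(MDB2BTB) ID(DBAUSR1) ACCESS(READ)
SETROPTS CLASSACT(MDB2BTB) RACLIST(MDB2BTB)
/* Refresh touches only DB2B's class; DB2A's profiles are untouched */
SETROPTS RACLIST(MDB2BTB) REFRESH
```

Ownership by a per-subsystem group such as DB2BADM is what lets a separate administrator team manage DB2B's profiles without authority over DB2A's.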

Colin Raybould

RE: RACF security MDSNTB
(in response to John Kliewe)

Hi John,

I would follow your organisational structure: if you have a centralised IT Security team, start with multi-system classes; however, if you have devolved IT Security teams, start with single-system classes.

As for the pros and cons:

Multi-system classes:

Pro:

IBM provides a set of classes for upper case systems

Con:

Classes can get large
Refresh can take a long time for large classes
Class definition of upper/mixed case is shared

Single-system classes:

Pro:

Smaller class size
Refresh less disruptive
Upper/Mixed case definition can be different

Con:

Two classes are always multi-system
Large number of classes (up to 32 per set)
A missed class definition in RACF requires a DB2 restart before it can be used
Can run out of POSIT numbers for classes in RACF

Regards,

Colin Raybould.

Russell Peters

RE: RACF security MDSNTB
(in response to John Kliewe)

We use racf exclusively for all db2 authorizations and use the multi-system. I really can't say which is best, just that this is how we do it.

Bill Gallagher

RE: RACF security MDSNTB
(in response to Russell Peters)

In the shop I worked at previously where I helped set up RACF security for DB2, we also used multi-system. We had a smaller DB2 installation with a centralized team of RACF security administrators.

Bill Gallagher | Senior Systems Engineer, DBA
