DB2 GRANT statements do not support masking, and GRANT statements can be generated only for individual users. Therefore, when a resource rule contains a UID(*) or equivalent value, a GRANT statement is generated for each user and each fully‑qualified resource being synchronized. The resulting number of grants might be large enough to fill up the DB2 catalog.
The synchronization utility issues external resource validation calls to determine resource authorizations. The only time a GRANT statement can apply to multiple users is through the special DB2 authorization ID called PUBLIC. The synchronization utility grants resource privileges to PUBLIC based on a user‑supplied GRANT TO PUBLIC file.
When the synchronization utility processes a privilege for an included resource that is in the GRANT TO PUBLIC file, the utility does not perform the normal resource validation calls to correlate this privilege with each user. Instead, a single GRANT TO PUBLIC statement is generated for the resource privilege. A specific grant for this privilege is still generated for the owner of the resource in CA ACF2 Option for DB2. The owner of a resource is the ID that the $LIDOWNER or $UIDOWNER keyword in the resource rule identified.
Once you use the GRANT TO PUBLIC file, always include that same file, or an updated version of it, in every subsequent synchronization. If the file is omitted, the utility might generate REVOKE statements that remove the privileges previously granted to the authorization ID PUBLIC for the included resources.
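The following is an added illustration, not code from CA ACF2 Option for DB2 or the synchronization utility: a small Python model of the three situations the text describes (a UID(*) rule without the file, the same rule listed in the GRANT TO PUBLIC file, and a later run that drops the file). The rule, user IDs, table name and owner ID are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ResourceRule:
    """One resource-rule entry (constructed model, not the utility's real record layout)."""
    resource: str   # fully-qualified DB2 resource, e.g. "TABLE PAYROLL.EMP"
    privilege: str  # e.g. "SELECT"
    uid: str        # "*" stands for UID(*): every synchronized user matches
    owner: str      # ID named by $LIDOWNER / $UIDOWNER in the rule

def generate_grants(rules, users, public_file):
    """Set of (privilege, resource, grantee) tuples a sync pass would emit.
    public_file holds the (privilege, resource) pairs from the GRANT TO PUBLIC file."""
    grants = set()
    for r in rules:
        if (r.privilege, r.resource) in public_file:
            # Listed in the file: no per-user validation calls, one grant to
            # PUBLIC, plus the specific grant the resource owner still receives.
            grants.add((r.privilege, r.resource, "PUBLIC"))
            grants.add((r.privilege, r.resource, r.owner))
        else:
            # Not listed: DB2 GRANT cannot mask, so one grant per matching user.
            matched = users if r.uid == "*" else [u for u in users if u == r.uid]
            grants.update((r.privilege, r.resource, u) for u in matched)
    return grants

def to_sql(grants):
    return sorted(f"GRANT {p} ON {res} TO {g};" for p, res, g in grants)

def reconcile(previous, current):
    """REVOKE statements for grants present at the last sync but not generated now."""
    return sorted(f"REVOKE {p} ON {res} FROM {g};" for p, res, g in previous - current)

# Constructed sample: 199 ordinary users plus the resource owner PAYADM.
USERS = [f"USR{i:03d}" for i in range(199)] + ["PAYADM"]
RULES = [ResourceRule("TABLE PAYROLL.EMP", "SELECT", "*", "PAYADM")]
PUBLIC_FILE = {("SELECT", "TABLE PAYROLL.EMP")}

def compare_sync_runs():
    """Grant counts without / with the file, and the REVOKEs a run that drops it produces."""
    without_file = generate_grants(RULES, USERS, set())
    with_file = generate_grants(RULES, USERS, PUBLIC_FILE)
    revokes = reconcile(previous=with_file, current=without_file)
    return len(without_file), len(with_file), revokes

if __name__ == "__main__":
    n_plain, n_public, revokes = compare_sync_runs()
    print(f"UID(*) without file: {n_plain} GRANTs; with GRANT TO PUBLIC file: {n_public}")
    print("\n".join(to_sql(generate_grants(RULES, USERS, PUBLIC_FILE)) + revokes))
```

The 200-versus-2 difference is the catalog growth the first paragraph warns about, and the single REVOKE for PUBLIC is the consequence of omitting the file on a later run.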
Copyright © 2011 CA Technologies.
All rights reserved.