Remember that revoking a privilege from a user in DB2 can also revoke that privilege (or privileges granted because of that privilege, such as a SELECT granted because of a SYSADM privilege) from other users. Cascade revokes can occur during the synchronization process and can leave the DB2 catalog in an unsynchronized state with respect to CA ACF2 Option for DB2. This happens because the Catalog Synchronization Utility uses standard GRANT and REVOKE statements to update the catalog. Just as when you used the authorization in the DB2 catalog for securing DB2, the potential for this problem is greatest when many different users grant the privileges in the catalog. The problem does not occur if the privileges were granted by the current install SYSADM, or by a special ID set up for granting privileges that has the same privilege in both the DB2 catalog and CA ACF2 Option for DB2 (such as the ID used by the Catalog Synchronization Utility).
To resolve the problem, you can run a subsequent synchronization that includes the users and resources that were affected by the cascade revokes.
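
The cascade described above can be modeled to work out which users and resources the follow-up synchronization has to cover. The following Python model is an added example, not CA or IBM code. The `Grant` record, the IDs, the table names and the rule that a grant survives only while its grantor still holds an earlier supporting grant are simplifying assumptions for illustration.

```python
from collections import namedtuple

# Simplified authorization record (constructed; not the real catalog layout).
Grant = namedtuple("Grant", "grantor grantee resource privilege time")

def cascade_revoke(grants, revoked, root="SYSADM1"):
    """Return every grant removed when `revoked` is revoked.

    Assumption: a grant made by U survives only if U is the root ID (standing
    in for the install SYSADM) or U still holds the same privilege on the same
    resource through a remaining grant made earlier than the dependent grant.
    """
    remaining = [g for g in grants if g != revoked]
    removed = [revoked]
    changed = True
    while changed:  # repeat until no further dependent grant falls away
        changed = False
        for g in list(remaining):
            if g.grantor == root:
                continue
            supported = any(
                s.grantee == g.grantor and s.resource == g.resource
                and s.privilege == g.privilege and s.time < g.time
                for s in remaining)
            if not supported:
                remaining.remove(g)
                removed.append(g)
                changed = True
    return removed

def resync_scope(removed):
    """Users and resources to include in the subsequent synchronization."""
    return sorted({(g.grantee, g.resource) for g in removed})

# Constructed sample: privileges granted by several different users.
GRANTS = [
    Grant("SYSADM1", "USERA", "PAYROLL.EMP", "SELECT", 1),
    Grant("USERA", "USERB", "PAYROLL.EMP", "SELECT", 2),
    Grant("USERB", "USERC", "PAYROLL.EMP", "SELECT", 3),
    Grant("SYSADM1", "USERD", "PAYROLL.EMP", "SELECT", 4),
    Grant("SYSADM1", "USERB", "PAYROLL.DEPT", "SELECT", 5),
]

if __name__ == "__main__":
    lost = cascade_revoke(GRANTS, GRANTS[0])
    for user, resource in resync_scope(lost):
        print(f"re-synchronize {user} on {resource}")
```

In the sample, revoking the single grant to USERA also removes the grants to USERB and USERC on the same table, while the grants made directly by the root ID are untouched.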
Copyright © 2011 CA Technologies. All rights reserved.