

DB2 Security vs. CA Top Secret Option for DB2

The following table compares native DB2 security and CA Top Secret Option for DB2.

Native DB2: Connection to DB2

CA Top Secret Option for DB2: Connection to DB2

Access to a specific DB2 subsystem is controlled outside of DB2. SAF routes security information between DB2 and CA Top Secret.

When you connect to DB2, it uses a primary authorization ID to identify you. You can also choose to become associated with a secondary authorization ID that provides additional privileges that you can use within DB2.

You can connect to DB2 through any of the following environments:

  • TSO
  • Batch
  • CICS
  • IMS
  • Call Attachment Facility (CAF)
  • Distributed Data Facility (DDF)

The defined CA Top Secret resource DB2 will still allow you to connect to native DB2 through TSO, Batch, CICS, and IMS.

Any program that uses SAF automatically interfaces with CA Top Secret because it is a SAF-compatible product.

Because DB2 is a subsystem of MVS and is made up of data sets, it is possible to gain access to its data without going through the DB2 subsystem at all. You can use CA Top Secret for z/OS to protect these data sets, which include the DB2 catalog and directory.

DB2 identifies the user to CA Top Secret Option for DB2 based on the connection type and process.