Hi Terri,

Temporarily add the UAUDIT attribute to the ID to generate SMF records for everything it touches, and use this information to help remediate its authority. For DB2-related activity, look in the LOGSTR field of the SMF record as this will often tell you what resource it was originally trying to use for which it needed a high-level authority to access. Permitting the ID access to the resources it is using could eliminate the need for high-level authorities and for the DBA group connection.

BTW, you might get more responses to questions like this by posting them on RACF-L.

Regards, Bob

Robert S. Hansel
2024 IBM Champion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Wed, 3 Apr 2024 12:22:15 +0000
From: "Shaffer, Terri" <terri.shaf...@aciworldwide.com>
Subject: RACF/DB2 Search Question?

Hi,

Was wondering if the RACF experts could answer something?

We are in the process of upgrading our DB2 from V8 to V13.1, which is actually working great, but they have a PC application that uses JDBC drivers to talk to DB2. Everything works, except a create tablespace command.

So in looking at things I found, I made sure the userid being passed has access to XXXX.sysadm rule, which is all it had before, but still failed with SQL -551. Anyhow, what I did to fix it was add the DBA group to that userid and everything started to work.

However, because that is more authority than I would like to give out, is there a way thru a RACF search or some other command I can find all the rules that have this specific GROUP specified? So maybe I can narrow down what Rule or MDSNxx or DSNADM Class that group has access to, so I can narrow down that userid access to just what it needs?

We are a development shop, and it's developers' DB2, but I still don't like giving more access than what's actually required.

Thanks.

Ms Terri E Shaffer
Senior Systems Engineer, z/OS Support
ACIWorldwide – Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com
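
Added example, not part of either message: one way to approach the question of which DB2-related profiles name a given group on their access list is to scan a RACF database unload (IRRDBU00) for type 0505 general resource access records. The column offsets are assumed from the documented record layout, and the subsystem name DB2T, the ID APPUSR1 and every sample record are constructed.

```python
from collections import defaultdict

# Column ranges (1-based, inclusive) of the IRRDBU00 general resource access
# record (type 0505). Assumed from the documented layout; verify them against
# the record format reference for your z/OS release.
FIELDS = {"profile": (6, 251), "rclass": (253, 260),
          "auth_id": (262, 269), "access": (271, 278)}

def parse_0505(line):
    """Return the access-list fields of a 0505 record, or None otherwise."""
    if not line.startswith("0505"):
        return None
    return {name: line[start - 1:end].strip()
            for name, (start, end) in FIELDS.items()}

def is_db2_class(rclass):
    # DSNADM and MDSNxx are the classes named in the thread; GDSNxx is the
    # grouping-class counterpart of MDSNxx.
    return rclass == "DSNADM" or rclass[:4] in ("MDSN", "GDSN")

def group_permits(lines, group):
    """Map class -> [(profile, access)] for entries that name `group`."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_0505(line.rstrip("\n"))
        if rec and rec["auth_id"] == group.upper() and is_db2_class(rec["rclass"]):
            hits[rec["rclass"]].append((rec["profile"], rec["access"]))
    return dict(hits)

def make_0505(profile, rclass, auth_id, access):
    """Build a constructed fixed-column 0505 record for the sample below."""
    return f"0505 {profile:<246} {rclass:<8} {auth_id:<8} {access:<8} 00000"

# Constructed sample records; subsystem DB2T and all profile names are made up.
SAMPLE = [
    make_0505("DB2T.SYSADM", "DSNADM", "DBA", "READ"),
    make_0505("DB2T.DEVDB.CREATETS", "MDSNDB", "DBA", "READ"),
    make_0505("DB2T.SYSADM", "DSNADM", "APPUSR1", "READ"),
    make_0505("PAYROLL.REPORTS", "FACILITY", "DBA", "UPDATE"),
    "0100 DBA      SYS1",  # group basic data record, skipped
]

if __name__ == "__main__":
    for rclass, entries in sorted(group_permits(SAMPLE, "DBA").items()):
        for profile, access in entries:
            print(f"{rclass:<8} {access:<8} {profile}")
```

This covers standard access-list entries only; universal access and conditional access-list entries are held in other record types and are not examined here.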