ACF0456 DTBL not authorized message after DB2 V12 upgrade but unload works fine

Document ID : KB000115375
Last Modified Date : 19/09/2018
Show Technical Document Details
Issue:
We upgraded DB2 to V12 on an z/OS 2.2 LPAR running ACF2 DB2 V1.3 (high ptf RO98993). Our DB2 is at function level 100. The setting in our DB2 zparm is AUTH_COMPATIBILITY=( SELECT_FOR_UNLOAD). We are aware of the new UNLOAD security. Our DBAs thought with the above settings it would continue to use SELECT authority. However, after implementation jobs were getting, for example, ACF4056 ACCESS To RESOURCE PRODXXXXXXX DTBL BY BTCHID NOT AUTHORIZED. Interesting thing is the UNLOAD ran fine, it was noticed because the messages were coming out. To be clear, we weren't planning on using the new UNLOAD option and wanted to continue to use SELECT for now. We aren't surprised the UNLOADs are still working, just not sure why the ACF4056 message is coming out. Our security group looked at ACF2 report and saw it was because did not have UNLOAD access (but they do have Select). Our DBAs are opening ticket with IBM. They are wondering if should leave AUTH_COMPATIBILITY blank until go to function level 500 or above. Also, we do not run the optional link edit of CADB2XAC to put in DB2 SDSNEXIT library.
 
Environment:
z/OS CCS390 14.1 S1401
Cause:
Review of the dump shows that the problem occurs because DB2 includes the MOD as part of the internal release definition, I.E. 1215(mod 5). The ENF/DB2 code did not take that into account. 
Resolution:
ST05186.has been attached the fix to this case for download via SUPPORT.CA.COM . To implement: Deploy updated CAW0LOAD, refresh LLA if necessary and issue command: ENF REFRESH(CASR230)