To address the violation an ACF2 DB2 resource rule for TYPE(PRC) stored procedure can be written.
The only SERVICE keywords that can be specified on the rule entry for a Stored Procedure rule is EXECUTE.
The following violation message is received for a DB2 stored procedure.
ACF04056 ACCESS TO RESOURCE DSNTSYSIBM.SQLTABLES TYPE DPRC BY USER0002 NOT AUTHORIZED
The violation in the ACFRPTRV report shows the following.
REQUESTED RESOURCE REC LOOKUP KEY
UID SOURCE CPU MODULE DISP DSP-MOD KEY-MOD SERV
DATE TIME JNAME LID NAME PRE RMC INT PST FIN
DPRC-DSNTSYSIBM.SQLTABLES *VIO DPRC-DSNTSYSIBM
USER0002 TCPIP SYSA NO-REC - - EXEC
09.289 10/16 15.54 DSNTDIST USER0002 ASW DATA 0 8 0 0 16
Even though the service "SERV" in the ACFRPTRV report shows "EXEC", the SERVICE keyword in the ACF2 DB2 rule should be "EXECUTE"; "EXEC" is not allowed. The sample rule for the above violation follows.
$KEY(SYSIBM.SQLTABLES) TYPE(PRC) SYSID(DSNT)
UID(*) SERVICE(EXECUTE) ALLOW
Details on the possible keywords that can be specified for each of the DB2 resource types can be found in the CA-ACF2 Security Option for DB2 Administrator Guide, Chapter 7: Writing Rules, section "How Do You Specify eTrust CA-ACF2 for DB2 Rules?", sub-section "SERVICE(keyword1,keyword2,...,keywordn)".