I am getting an ACF04056 resource violation for a DB2 stored procedure. What SERVICE can be coded on a DB2 stored procedure TYPE(PRC) rule?

Document ID : KB000052465
Last Modified Date : 14/02/2018

Description

To address the violation, an ACF2 DB2 resource rule of TYPE(PRC) can be written for the stored procedure.

The only SERVICE keyword that can be specified on the rule entry for a stored procedure rule is EXECUTE.

Solution

The following violation message is received for a DB2 stored procedure.

  ACF04056 ACCESS TO RESOURCE DSNTSYSIBM.SQLTABLES TYPE DPRC BY USER0002 NOT AUTHORIZED

The violation in the ACFRPTRV report shows the following.

  REQUESTED RESOURCE                               REC  LOOKUP KEY                
  UID                      SOURCE   CPU  MODULE   DISP     DSP-MOD  KEY-MOD  SERV 
      DATE     TIME        JNAME    LID      NAME              PRE RMC INT PST FIN
 
  DPRC-DSNTSYSIBM.SQLTABLES                       *VIO  DPRC-DSNTSYSIBM    
  USER0002                 TCPIP    SYSA          NO-REC      -        -     EXEC                    
  09.289 10/16 15.54       DSNTDIST USER0002 ASW DATA           0   8   0   0   16

Even though the service "SERV" in the ACFRPTRV report shows "EXEC", the SERVICE keyword in the ACF2 DB2 rule should be "EXECUTE"; "EXEC" is not allowed. The sample rule for the above violation follows.

  $KEY(SYSIBM.SQLTABLES) TYPE(PRC) SYSID(DSNT) 
  UID(*) SERVICE(EXECUTE) ALLOW

Details on the possible keywords that can be specified for each of the DB2 resource types can be found in the CA-ACF2 Security Option for DB2 Administrator Guide, Chapter 7: Writing Rules, section "How Do You Specify eTrust CA-ACF2 for DB2 Rules?", sub-section "SERVICE(keyword1,keyword2,...,keywordn)".
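
The mapping from the violation above to the sample rule can be scripted when reviewing many ACF04056 messages. The following is an added example, not part of the original document or of CA ACF2: the function names are hypothetical, and the layout it assumes (type is "D" plus the rule TYPE, resource name is the SYSID followed by the $KEY) is inferred only from the single violation and rule shown on this page.

```python
import re

# ACF04056 text in the form shown on this page.
VIOLATION = re.compile(
    r"ACF04056 ACCESS TO RESOURCE (?P<resource>\S+) TYPE (?P<rtype>\S+) "
    r"BY (?P<user>\S+) NOT AUTHORIZED"
)

# ACFRPTRV SERV value -> rule SERVICE keyword, per resource type.
# Only the PRC/EXEC pair is documented on this page; extend from the guide.
SERVICE_KEYWORDS = {("PRC", "EXEC"): "EXECUTE"}

# Constructed sample: the message quoted on this page.
SAMPLE = ("ACF04056 ACCESS TO RESOURCE DSNTSYSIBM.SQLTABLES TYPE DPRC "
          "BY USER0002 NOT AUTHORIZED")


def parse_violation(message, sysid):
    """Split the message into the fields a rule needs."""
    m = VIOLATION.search(message)
    if m is None:
        raise ValueError("not an ACF04056 message")
    resource, rtype = m["resource"], m["rtype"]
    # Assumption from the page's single example: type is "D" + rule TYPE,
    # and the resource name is the DB2 SYSID followed by the rule $KEY.
    if not rtype.startswith("D") or len(rtype) < 2:
        raise ValueError(f"unexpected resource type {rtype!r}")
    if not resource.startswith(sysid) or len(resource) == len(sysid):
        raise ValueError(f"resource {resource!r} does not start with SYSID {sysid!r}")
    return {"key": resource[len(sysid):], "type": rtype[1:],
            "sysid": sysid, "user": m["user"]}


def rule_skeleton(message, sysid, report_serv, uid_mask):
    """Return rule text for review; uid_mask is the reviewer's choice."""
    v = parse_violation(message, sysid)
    service = SERVICE_KEYWORDS.get((v["type"], report_serv))
    if service is None:
        raise ValueError(f"no SERVICE keyword known for {v['type']}/{report_serv}")
    return (f"$KEY({v['key']}) TYPE({v['type']}) SYSID({v['sysid']})\n"
            f"UID({uid_mask}) SERVICE({service}) ALLOW")


if __name__ == "__main__":
    print(rule_skeleton(SAMPLE, "DSNT", "EXEC", "*"))
```

The SYSID is passed in rather than guessed from the message, and an unmapped type/service pair raises an error instead of emitting a keyword the rule compiler would reject.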