I am running the ACFRPTRV report for DB2 accesses and see Service of OWN and ADM. What do these services indicate?

Document ID : KB000018437
Last Modified Date : 14/02/2018

Description:

Because the CA ACF2 Option for DB2 journals events in the same SMF records as CA ACF2, standard CA ACF2 reports show both CA ACF2 and CA ACF2 Option for DB2 information. The SERV (Service) report field shows the type of service requested for a particular DB2 resource.

Solution:

The SERVICE values 'OWN' and 'ADM' are unique DB2 services for the ACFRPTRV report and do not correspond to the SERVICE parameter of the rule. The 'OWN' SERVICE corresponds to the $LIDOWNER and $UIDOWNER rule control statements. The 'ADM' SERVICE corresponds to the %CHANGE, %RCHANGE, SECURITY, or scoped SECURITY privileges. Details follow.

The entry in the RV report with SERVICE(OWN) is a request for OWNERSHIP. Ownership is not a SERVICE, and cannot be specified in the SERVICE parameter of a rule. Ownership in a rule is established either via the $LIDOWNER control statement, giving ownership to a certain unique logonid, or via the $UIDOWNER control statement, giving ownership to one or more individual logonids that match the UID mask.

During view creation, CA-ACF2/DB2 checks whether the view creator can change the view rule set through %CHANGE, %RCHANGE, SECURITY, or scoped SECURITY privileges. If any of these privileges are granted on the view but not on the base tables or views, CA-ACF2/DB2 generates a SERVICE(ADM) violation against the table and prevents the view's creation. This validation ensures that a user who creates a view of a table does not have more authority over the view than he has over the table.

Details on the ACFRPTRV report 'ADM' SERVICE are documented in the CA ACF2 Option for DB2 Administration Guide, Chapter 9: Using Reports, section 'Understanding the ACFRPTRV Report'.