Protecting use of DB2 command prefixes

Document ID : KB000077349
Last Modified Date : 12/04/2018
Question:
OPCMD Resources such as '-DC11' can be used to protect use of DB2 command prefixes, for example to authorise
the corresponding DB2 STC ACID. It's stated in the TSS Command Functions Guide, Chapter 4, in the section on
the OPCMD Resource Class, that '..the OPERCMDS Resource Class may be used instead.' Can OPERCMDS also be
used to protect DB2 command prefixes and if so, what syntax should be used?
Answer:
Neither OPCMD nor OPERCMDS will provide this security. The only DB2 command for which these calls occur is
the '-DC11 START DB2' command. In that case you would see the following calls for each Class:
========================================================
ACID            CLASS       ENTITY NAME

Issuing user    OPCMD       START
Issuing user    OPERCMDS    MVS.START.STC.DB1BMSTR

DB2 STC         OPCMD       START
DB2 STC         OPERCMDS    MVS.START.STC.BRLMPROC

DB2 STC         OPCMD       START
DB2 STC         OPERCMDS    MVS.START.STC.DB1BDBM1
========================================================

Neither OPCMD nor OPERCMDS is checked for other DB2 commands such as DISPLAY or STOP. In those cases
the only external security command checking is performed by either TSS/DB2 (if used) or the DB2 external
security authorization exit (DSNX@XAC). Without these security features/products no external security checks
will occur for DB2 commands.