There is a distributed app that is getting access to a package but does not hit the DB2PKG rule. (A Top Secret DB2 trace and facility trace of the DB2 facility do not show any DB2PKG checks for xxxx.yyyy.) The xxxx.yyyy package is being accessed from DB2 Connect. Why isn't there a check for DB2PKG(xxxx.yyyy) ?

Top Secret DB2 typically does not make the security checks. It is responding to calls from the IBM security exit DSNX@XAC. If there is no call (for DB2PKG xxxx.yyyy), then it is most likely a question for IBM to answer. Our understanding is that executing stored procedures does not require access to any underlying package, only to execute the procedure itself. The only exception to this that we know of is if the procedure accesses a user-defined function. So it is expected that the answer is that this is normal operation for stored procedures.