
ACF2 information stored in the address space when DB2 starts up


Article ID: 241249


Products

ACF2 - z/OS

Issue/Introduction

The DB2 ASID is IPL'd 3 times a year. What information is captured from ACF2 when DB2 starts that will not be refreshed until DB2 starts up again? What ACF2 security information is maintained in the DB2 ASID? How can this security information be refreshed, or is a restart of DB2 required? Consider the following types of resources, all related to dataset encryption:

PROF(CSFKEYS) DIV(ICSF)  also (F ACF2,OMVS(CSFKEYS)) 
PROF(DATASET) DIV(DFP)
PROF(DATASET) DIV(PROFILE) 
TYPE(CSF) CLASS(CSFKEYS)

Would it be better to have rules specify a ROLE that DB2 is in rather than just USER(DB2) in a rule line?

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

Once DB2 is up and running, any rules or profile records that are resident in storage would need to be refreshed with the appropriate modify ACF2 commands. For example:

Changes to PROF(CSFKEYS) DIV(ICSF) records:  
F ACF2,REBUILD(CSFKEYS),CLASS(P)
F ACF2,OMVS(CSFKEYS)

Changes to PROF(DATASET) DIV(DFP) records:
F ACF2,REBUILD(DSN),CLASS(P)

Changes to PROF(DATASET) DIV(PROFILE) records:
F ACF2,REBUILD(DSN),CLASS(P) 

Changes to TYPE(CSF) CLASS(CSFKEYS) records:
F ACF2,REBUILD(CSF)

Changes to STGADMIN resources records:
F ACF2,REBUILD(FAC)

Changes to ROLEs for DB2 related ROLESET rules:
F ACF2,NEWXREF,TYPE(ROL)

As for 'Would it be better to have rules specify a ROLE that DB2 is in rather than just USER(DB2) in a rule line?': as noted above, it is the DB2 related ROLESET rules that use 'ROLE' in the rule entry for which the F ACF2,NEWXREF,TYPE(ROL) command needs to be issued; if the DB2 related rules use 'USER' in the rule entry, no NEWXREF needs to be done. Depending on the number of logonids included in a ROLE, using 'ROLE' in a rule entry rather than 'USER' might make rules easier to manage.

When ACF2 starts up or when an F ACF2,NEWXREF,TYPE(ROL) command is issued, it builds a structure of all the X(ROL) records in storage, based on the SYSID at startup or as specified on the NEWXREF command. When a user signs on, ACF2 builds their list of roles based on this structure.

When a site changes anything in a rule, profile, or XREF record, the change is picked up immediately by a long-running address space as long as the proper modify ACF2 command is issued. For changed logonid fields to be picked up, the user would need to log off and log on again, or, for long-running tasks, the task would need to be stopped and restarted.

For rules that are not globally resident, such as WRITER, the F ACF2,SETNORUL(jobname|ALL) command can be issued to reset and clear the locally resident rule chain in the user's address space.
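As an added example (not part of this article or the product), the small planner below turns a list of changed ACF2 record kinds into the deduplicated sequence of modify commands listed above, scans rule text for ROLE entries to decide whether F ACF2,NEWXREF,TYPE(ROL) is also required, and flags logonid changes that no modify command can refresh. The record labels, the helper names and the sample rule text are constructed for the example; the rule syntax is only an approximation.

```python
import re

# Record kind -> modify command(s) from the article. The keys are constructed
# labels for this example; the commands are the ones the article lists.
REFRESH_COMMANDS = {
    "PROF(CSFKEYS) DIV(ICSF)": ["F ACF2,REBUILD(CSFKEYS),CLASS(P)",
                                "F ACF2,OMVS(CSFKEYS)"],
    "PROF(DATASET) DIV(DFP)": ["F ACF2,REBUILD(DSN),CLASS(P)"],
    "PROF(DATASET) DIV(PROFILE)": ["F ACF2,REBUILD(DSN),CLASS(P)"],
    "TYPE(CSF)": ["F ACF2,REBUILD(CSF)"],
    "STGADMIN (TYPE FAC)": ["F ACF2,REBUILD(FAC)"],
}
NEWXREF_ROL = "F ACF2,NEWXREF,TYPE(ROL)"
ROLE_ENTRY = re.compile(r"\bROLE\(", re.IGNORECASE)

# Constructed sample: a ROLESET resource rule granting DB2 access via a ROLE.
SAMPLE_ROLE_RULE = """$KEY(DB2KEY1) TYPE(CSF)
$ROLESET
 - ROLE(DB2ROLE) SERVICE(READ) ALLOW
"""
# Constructed sample: the same access granted to the logonid directly.
SAMPLE_USER_RULE = "$KEY(DB2KEY1) TYPE(CSF)\n - USER(DB2) SERVICE(READ) ALLOW\n"


def rule_uses_roles(rule_text: str) -> bool:
    """True if any entry in the rule grants access with ROLE(...)."""
    return ROLE_ENTRY.search(rule_text) is not None


def plan_refresh(changed, rule_texts=(), logonid_changed=False):
    """Return (commands, notes): ordered, deduplicated modify commands plus
    caveats for changes that no modify command can pick up."""
    commands, notes = [], []
    for kind in changed:
        if kind not in REFRESH_COMMANDS:
            notes.append(f"{kind}: not covered here; check the product documentation")
            continue
        for cmd in REFRESH_COMMANDS[kind]:
            if cmd not in commands:          # DFP and PROFILE share REBUILD(DSN)
                commands.append(cmd)
    # ROLE entries are resolved from the in-storage X(ROL) structure, so a
    # NEWXREF is needed; USER entries need no NEWXREF.
    if any(rule_uses_roles(text) for text in rule_texts):
        commands.append(NEWXREF_ROL)
    if logonid_changed:
        notes.append("logonid field changes need logoff/logon or a stop/restart of the task")
    return commands, notes
```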