Db2 table access still allowed after changing ACF2 rule to not allow access

Article ID: 269046

Updated On:

Products

ACF2 - DB2 Option

Issue/Introduction

After removing Db2 table access for a user in ACF2 for Db2, the user is still able to access the table using RC/Query. However, if the user tries to access another table that was authorized by the same rule but that they have never accessed before, they appropriately receive a violation.

How is this access being cached and can this caching option be turned off?

Resolution

When the ZPARM option 'CACHEDYN=YES' is active, Db2 caches the allowed access from a dynamic SQL request. This caching is controlled by Db2, not by ACF2 for Db2. If ACF2 allows access to the Db2 table for a dynamic SQL request, Db2 caches that result, and the security calls to ACF2 won't happen again until the cache is cleared. This is why the access the user already had keeps working after the rule change.

The way to clear the cache is to either stop and restart Db2, or invalidate the cache by running the utility RUNSTATS.

The CACHEDYN subsystem parameter and the RUNSTATS utility are documented on IBM’s website at the following links:

CACHE DYNAMIC SQL field (CACHEDYN subsystem parameter)
Sample RUNSTATS control statements (cf. 'Example 17')