To address the violation an ACF2 DB2 resource rule for TYPE(PRC) stored procedure can be written.
The only SERVICE keywords that can be specified on the rule entry for a Stored Procedure rule is EXECUTE.
The following violation message is received for a DB2 stored procedure.
ACF04056 ACCESS TO RESOURCE DSNSYSIBM.SQLTABLES TYPE DPRC BY USER0002 NOT AUTHORIZED
The violation in the ACFRPTRV report shows the following.
REQUESTED RESOURCE REC LOOKUP KEY UID SOURCE CPU MODULE DISP DSP-MOD KEY-MOD SERV DATE TIME JNAME LID NAME PRE RMC INT PST FIN DPRC-DSNSYSIBM.SQLTABLES *VIO DPRC-DSNSYSIBM USER0002 TCPIP SYSX NO-REC - - EXEC 09.289 10/16 15.54 DSNTDIST USER0002 ASW DATA 0 8 0 0 16
Even though the service "SERV" in the ACFRPTRV report shows "EXEC", the SERVICE keyword in the ACF2 DB2 rule should be "EXECUTE"; "EXEC" is not allowed. The sample rule for the above violation follows.
$KEY(SYSIBM.SQLTABLES) TYPE(PRC) SYSID(DSNX) UID(*) SERVICE(EXECUTE) ALLOW
Details on the possible keywords that can be specified for each of the DB2 resource types can be found in the CA-ACF2 Security Option for DB2 Administrator Guide, section Writing Rules, section "How Do You Specify CA-ACF2 for DB2 Rules?", sub-section "SERVICE(keyword1,keyword2,...,keywordn)".