A useful tip for all you DB2 z/OS types

By James Gill

When you use stored procedures that have a USS component or function embedded, you have to start using the RACF PROGRAM class to ensure that module access is controlled and the environment is allowed to run. The problem with this is that the class references the dataset that the module is loaded from, and if you create a new dataset with each new maintenance level of DB2 (and access these through aliases), then you need to update the PROGRAM entities with each maintenance rollout.

There is an alternative approach, which is to bypass the module access checking from USS for non-USS datasets (regular load libraries). Whilst this approach reduces the security for these modules, access to the profile that allows this is controlled. It can be implemented like this:

RDEFINE FACILITY BPX.DAEMON.HFSCTL UACC(NONE) OWNER(IBMUSER) 

PERMIT BPX.DAEMON.HFSCTL CLASS(FACILITY) ID(someid) ACCESS(READ)

Where someid is the userid used to run the WLM managed stored procedure address spaces.