IBM Z Software



Status: Submitted
Workspace: zSecure
Categories: zSecure Admin
Created by: Guest
Created on: Apr 2, 2026

zSecure - Correlation of Db2 Authorization Flows in zSecure Access Monitor

Background
We recently migrated from Db2 internal authorization to RACF-based Db2 security using RACF profiles. While the functional behavior is correct, we have identified a significant limitation in audit transparency when analyzing Db2 authorization flows using zSecure Access Monitor.

In Db2 authorization processing, multiple RACF checks can occur within a single logical access attempt. For example:

  • Access attempt to DBD0.IDAA_MGMT.SELECT → RACF RC=8 (denied)
  • Fallback check to DBD0.SYSADM → RACF RC=0 (granted via administrative authority)

Both checks are visible in Access Monitor; however, they are recorded as independent events with no correlation.

This results in:

  • Apparent denial of access to a protected resource
  • No transparent indication that access was subsequently granted via administrative privilege
  • Lack of traceability for effective data access, especially for privileged users

Clarification from Db2 Development
Db2 development has confirmed that correlation-relevant context is already available and propagated via the RACROUTE interface:

  • The Db2 RACF exit populates LOGSTR_DATA in RACROUTE REQUEST=FASTAUTH
  • LOGSTR_TIME (STCK value) and additional fields (object type, name, schema, etc.) are consistent across all authorization checks within the same logical access flow
  • This information is intended specifically to support correlation of authorization decisions

Enhancement Request
We request that zSecure Access Monitor be enhanced to:

  1. Capture and expose LOGSTR_DATA fields from RACROUTE calls issued by Db2 (especially LOGSTR_TIME)
  2. Introduce a correlation mechanism that groups RACF events belonging to the same Db2 authorization flow, based on LOGSTR_DATA
  3. Provide reporting capabilities that:
    • Link denied and granted checks within the same flow
    • Clearly indicate the effective access decision
    • Highlight when access is granted via administrative authorities (e.g., SYSADM)
  4. Ensure that this correlation is available in:
    • Access Monitor recorded event data
    • zSecure reporting (CARLa / UI)

Business Value

  • Accurate and complete audit trail of Db2 access decisions
  • Visibility of privileged data access
  • Closure of audit gaps in regulated environments
  • Improved compliance and forensic analysis capabilities
Idea priority: High
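
The correlation requested above, as an added example (not part of the original idea and not zSecure or Db2 code): it groups RACF checks by user and LOGSTR_TIME and derives the effective decision per flow. The event field names, the constructed sample values, the admin-authority list and the rule that the first recorded check in a flow is the requested resource are all assumptions.

```python
from collections import defaultdict

# Constructed sample events; field names are hypothetical, not a zSecure or SMF layout.
# logstr_time stands in for the STCK value carried in LOGSTR_DATA.
EVENTS = [
    {"user": "USERA", "logstr_time": "E1A2B3C4D5E6F708", "profile": "DBD0.IDAA_MGMT.SELECT", "rc": 8},
    {"user": "USERA", "logstr_time": "E1A2B3C4D5E6F708", "profile": "DBD0.SYSADM", "rc": 0},
    {"user": "USERB", "logstr_time": "E1A2B3C4D5E70011", "profile": "DBD0.IDAA_MGMT.SELECT", "rc": 8},
    {"user": "USERC", "logstr_time": "E1A2B3C4D5E70322", "profile": "DBD0.IDAA_MGMT.SELECT", "rc": 0},
]

# Assumption: authorities treated as administrative; only SYSADM is named on the page.
ADMIN_AUTHORITIES = {"SYSADM"}


def correlate(events):
    """Group checks into flows and report the effective decision for each flow."""
    flows = defaultdict(list)
    for ev in events:
        # Assumption: user is added to the key so equal timestamps from
        # different users are never merged into one flow.
        flows[(ev["user"], ev["logstr_time"])].append(ev)

    report = []
    for (user, stamp), checks in flows.items():
        # Assumption: events arrive in recorded order, so the first check
        # names the resource the user actually asked for.
        granting = next((c for c in checks if c["rc"] == 0), None)
        granted_by = granting["profile"] if granting else None
        via_admin = bool(granted_by) and granted_by.rsplit(".", 1)[-1] in ADMIN_AUTHORITIES
        report.append({
            "user": user,
            "logstr_time": stamp,
            "requested": checks[0]["profile"],
            "effective": "GRANTED" if granting else "DENIED",
            "granted_by": granted_by,
            "via_admin": via_admin,
            "denied_checks": [c["profile"] for c in checks if c["rc"] != 0],
        })
    return report


if __name__ == "__main__":
    for flow in correlate(EVENTS):
        note = " (via administrative authority)" if flow["via_admin"] else ""
        print(f'{flow["user"]} {flow["requested"]}: {flow["effective"]}{note}')
```

A flow with `via_admin` set and a non-empty `denied_checks` list is the case described in the Background section: an apparent denial that was in fact granted through SYSADM.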