#1, 10-01-09, 14:54
AD29
RACF Security Question as related to DB2 Security

Hi, our RACF Security folks have identified many DB2 internal IDs that have certain grants associated with them, but there are no external RACF IDs for them. They want to remove the grant access within DB2. The question I have is that can an ID be used within dynamic SQL but there be no RACF ID, and if this is true, I would be concerned about them removing the DB2 internal grants. Or must there always be a RACF ID for any DB2 internal user?
#2, 10-06-09, 14:05
AD29
Ok, since nobody seems to know the answer to this question, I have used BMC to display the IDs in question. There are no plans that come up. Only table access. So I thought that maybe I could tell the security folks they could revoke access, but then I started thinking that even though there is no plan associated with these IDs (meaning static users identified), there still might be dynamic SQL where the ID is used. So is there any way to check to see the last time an ID did anything against the DB2 subsystem? If so, I can tell if there has been any recent dynamic access to DB2, and if there isn't any, I can tell them to revoke the privileges.
#3, 10-26-09, 23:52
LD_Bronstein
RACF was probably cleaned up of old IDs but DB2 was not. DB2 grants can be done to nonexistent user or group IDs. So, if a user or started task cannot be authenticated in RACF, DB2 security will never become an issue. Therefore, feel free to clean up grants.
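
One way to build the list of table grants whose grantee has no RACF definition, the cleanup this thread discusses (an added example, not code from any poster). The rows use SYSIBM.SYSTABAUTH column names, and the rows and the RACF ID list are constructed sample data. It assumes the RACF list includes group names, since secondary authorization IDs are commonly RACF groups, and it skips PUBLIC and plan/package grantees because those are never RACF IDs.

```python
# Added example; every row and ID below is constructed sample data.
# Row keys follow SYSIBM.SYSTABAUTH column names. Privilege flags:
# blank = not held, 'Y' = held, 'G' = held with the GRANT option.
PRIV_COLS = ("SELECTAUTH", "INSERTAUTH", "UPDATEAUTH", "DELETEAUTH")


def row(grantee, gtype, creator, table, **privs):
    """Build one catalog-style row; unspecified privileges are blank."""
    r = {"GRANTEE": grantee, "GRANTEETYPE": gtype,
         "TCREATOR": creator, "TTNAME": table}
    r.update({col: privs.get(col, " ") for col in PRIV_COLS})
    return r


SAMPLE_TABAUTH = [
    row("PAYUSR1", " ", "PAY", "EMP", SELECTAUTH="Y"),
    row("OLDUSR7 ", " ", "PAY", "EMP", SELECTAUTH="Y", UPDATEAUTH="G"),
    row("OLDUSR7", " ", "PAY", "DEPT", DELETEAUTH="Y"),
    row("PUBLIC", " ", "PAY", "CODES", SELECTAUTH="Y"),
    row("PAYPLAN", "P", "PAY", "EMP", SELECTAUTH="Y"),
    row("DBAGRP", " ", "PAY", "DEPT", SELECTAUTH="G", DELETEAUTH="G"),
]
# Users and groups RACF still defines (assumed export from the RACF team).
SAMPLE_RACF_IDS = ["PAYUSR1", "DBAGRP", "SYSADM1"]


def orphaned_grants(tabauth_rows, racf_ids):
    """Return {grantee: [(table, [privileges])]} for grantees RACF lacks."""
    known = {i.strip().upper() for i in racf_ids}
    found = {}
    for r in tabauth_rows:
        grantee = r["GRANTEE"].strip().upper()
        if r["GRANTEETYPE"].strip():   # non-blank, e.g. 'P': plan or package
            continue
        if grantee == "PUBLIC" or grantee in known:
            continue
        privs = [c[:-4] for c in PRIV_COLS if r[c].strip()]
        if privs:
            found.setdefault(grantee, []).append(
                (f'{r["TCREATOR"]}.{r["TTNAME"]}', privs))
    return {g: sorted(v) for g, v in sorted(found.items())}


if __name__ == "__main__":
    report = orphaned_grants(SAMPLE_TABAUTH, SAMPLE_RACF_IDS)
    for grantee, grants in report.items():
        for table, privs in grants:
            print(f"{grantee}: {', '.join(privs)} on {table}")
```

The same comparison would need repeating for the other authorization catalog tables before treating an ID as fully cleaned up; this block covers table privileges only.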