Setting UNLOAD PLUS authorizations
UNLOAD PLUS does not run as part of the Db2 subsystem. Therefore, users must have system authorizations and, for DIRECT YES, data set authorizations that are equivalent to the authorizations that Db2 requires. Use the following procedures to set the necessary authorizations.
Note
To set Db2 authorizations
- For all unload jobs, set the following authorizations:
Sufficient Db2 authority to execute the UNLOAD PLUS plan and all packages that the UNLOAD PLUS plan uses
Authorization equivalent to the authorization that the IBM Db2 UNLOAD utility requires
When DIRECT NO is invoked, UNLOAD authority is not used, you must have the necessary SELECT authority
Note
UNLOAD PLUS enforces row- and column-level security only when DIRECT NO is in effect.
- To enable the use of the FORCE option to cancel Db2 threads that might prevent a successful drain during an unload job, grant the following authorizations:
DISPLAY privileges
One of the following authorities:
SYSADM
SYSOPR
SYSCTRL
Note
These authorizations might be implicit in the authority that the users have.
- To enable zIIP processing and SHRLEVEL CHANGE CONSISTENT YES, ensure that you have the appropriate authorizations for XBM or SUF.
For information about security levels and authorizations for XBM, see the EXTENDED BUFFER MANAGER for DB2 documentation .
To enable data set access using the Db2 RACF ID
Specify OPNDB2ID=YES in your installation options.
This option tells UNLOAD PLUS to use the Db2 RACF ID for data set access.
To enable data set access when not using the Db2 RACF ID
When using DIRECT NO, UNLOAD PLUS uses Db2 to access data sets. In this case, users do not need the authorization described in this procedure.
- Specify OPNDB2ID=NO in your installation options.
This option tells UNLOAD PLUS not to use the Db2 RACF ID for data set access.
- If using RACF or a similar system security package to protect underlying data sets and the Integrated Catalog Facility (ICF) catalog of a table or index space, grant READ privileges for the following sources:
Db2 VSAM data sets
Db2 image copy data sets
DSN1COPY data sets
Inline copy data sets
Instant Snapshot copy data sets
Online consistent copy data sets
Cabinet copy data sets
VSAM FlashCopy data sets
VSAM linear data sets
Encrypted copy data sets that are created by COPY PLUS
Key data sets for encrypted copies
Tip
For sites that use a system security package other than RACF, the following steps illustrate one method for granting these data set authorizations:
- Associate users with a security group.
- Grant EXECUTE privileges on the UNLOAD PLUS product program (ADUUMAIN) to the security group.
- Grant the data set authorizations to ADUUMAIN.
Comments
Log in or register to comment.