Authorization needed to use Log Master

You need authorization within Db2 and through your system security package, such as the IBM product Resource Access Control Facility (RACF).

The authorization must be sufficient to access Db2 resources and perform the tasks accomplished during processing.

The following topics provide more information about the required authorizations:

Authorization verification mechanisms

If the Db2 DSNX@XAC authorization exit is available for your system, Log Master uses this exit to verify authorization for external access.

The exit is available from the following sources:

  • IBM provides a sample exit with Db2 for the IBM Resource Access Control Facility (RACF) component.

  • CA Technologies provides the DSNX@XAC exit with CA-ACF2 Security for Db2 and CA-Top Secret Security for Db2.

BMC recommends this mechanism for implementing external security. The access control authorization exit must be available in the STEPLIB, JOBLIB, linklist, or in the SYS3.DSN exit.

If the DSNX@XAC exit is not available, Log Master uses the standard Db2 method to check security.

Db2 authority

You must have the following Db2 authorizations:

  • EXECUTE privilege on the Log Master batch and online plans

  • DISPLAY system privilege

  • Authority to perform quiesce at log mark

    Before a Log Master job can use this feature of the product, the user ID of the job must also have one of the following Db2 authorities or privileges:

    • DBADM, DBCTL, or DBMAINT authority for the databases

    • SYSCTRL or SYSADM authority

    • IMAGECOPY privilege for the databases

  • Authorizations to execute SQL

    Log Master uses the High-speed Apply Engine to execute generated SQL statements. The required authorizations are listed in this section. For more information about controlling access, see the installation section in the High-speed Apply Engine documentation.

    Before a Log Master job can execute SQL, the user ID of the job (or the user ID specified in either the EXECSQL statement or the BINDOWN installation option) must have the following Db2 privileges:

    • EXECUTE privilege for the plan that the High-speed Apply Engine uses to access its own restart tables and the catalog (normally provided during installation)

    • EXECUTE privilege for the High-speed Apply restart package (normally provided during installation)

    • INSERT, UPDATE and DELETE privileges on the target tables

    • Appropriate privileges to bind or administer plans, packages, and collections

    The High-speed Apply Engine provides several ways to grant these privileges. Some techniques avoid granting bind privileges to the user ID that runs Log Master. For more information, see the High-speed Apply Engine documentation.
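    The GRANT statements below are an added example, not part of the Log Master documentation, showing how the Db2 privileges listed in this section can be granted as a least-privilege set to a single secondary authorization ID (a RACF group) instead of to each job's user ID. The plan, package, database, table and authorization ID names (LMPLAN, LMONLN, HSACOLL.HSARST, LMDB01, APP.ORDERS, LOGMSTR) are placeholders.

```sql
-- Db2 for z/OS. Placeholder names: LOGMSTR is a secondary authid
-- (RACF group) that every Log Master batch job runs under.

-- Plans used by Log Master itself (batch and online).
GRANT EXECUTE ON PLAN LMPLAN TO LOGMSTR;
GRANT EXECUTE ON PLAN LMONLN TO LOGMSTR;

-- DISPLAY is a system privilege; it needs no object.
GRANT DISPLAY TO LOGMSTR;

-- Quiesce at log mark: IMAGECOPY on the affected databases is the
-- narrowest of the listed alternatives (no DBADM, SYSCTRL or SYSADM).
GRANT IMAGECOPY ON DATABASE LMDB01 TO LOGMSTR;

-- SQL execution through the High-speed Apply Engine:
-- the restart package and the target tables only.
GRANT EXECUTE ON PACKAGE HSACOLL.HSARST TO LOGMSTR;
GRANT INSERT, UPDATE, DELETE ON TABLE APP.ORDERS TO LOGMSTR;

-- Verification: the grants should appear in the catalog with
-- GRANTEE = 'LOGMSTR' and nothing wider than requested.
SELECT NAME, GRANTEE, EXECUTEAUTH
  FROM SYSIBM.SYSPLANAUTH
 WHERE GRANTEE = 'LOGMSTR';

SELECT TCREATOR, TTNAME, INSERTAUTH, UPDATEAUTH, DELETEAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE GRANTEE = 'LOGMSTR';
```

    Bind privileges on the plans and packages are deliberately absent; grant them only to the installer ID, as the note above about avoiding bind privileges for the runtime user ID suggests.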

RACF authority

Log Master does not run as part of the Db2 subsystem. To use the product, you must have system authority similar to that of Db2.

Log Master reads data from certain underlying Db2 data sets such as table spaces, active and archive logs, or the bootstrap data set (BSDS). If the underlying data sets are protected by RACF or a similar system security package, the user ID of the Log Master batch job must have authority to access all of the underlying data sets that the job requires.

To avoid granting authority for each required data set to the user ID of each Log Master batch job, use the OPNDB2ID installation option. This option works when all of the following conditions exist:

  • Your environment uses RACF.

    The OPNDB2ID installation option does not operate in other security environments.

  • You install the product with the OPNDB2ID installation option set to YES.

    When OPNDB2ID is set to YES, Log Master uses the RACF ID of Db2 to open the Db2 data sets.

  • You explicitly associate a user ID with the Db2 address space.

    • For OPNDB2ID to work correctly, you must explicitly associate a user ID with Db2 regardless of whether you specify Db2 as a privileged or trusted task in the RACF started procedures table (ICHRIN03).

    • To ensure that OPNDB2ID works correctly in a data sharing environment, the RACF IDs of the DBM1 address spaces within all Db2 subsystems within the data sharing group must be the same. The authorizations for the bootstrap and log data sets must also be the same.

APF authorizations

The following topics provide information about the required APF authorizations:

APF authorization for batch programs

Log Master batch programs use operating system services that require APF authorization.

Accordingly, Log Master must reside in APF-authorized libraries. Any libraries that you reference in the STEPLIB DD statements must also be APF authorized.

APF authorization for the online interface

You can run the Log Master online interface with or without APF authorization. The APFONLIN installation option determines whether Log Master expects to have proper APF authorization.

For more information, see APFONLIN=YES.

  • Without authorization, an online user must enter the name and location of the BSDS on the Product Options panel. The online interface does not run as an authorized TSO program.

  • With proper authorization, Log Master can obtain the name of the BSDS dynamically from Db2. The online interface runs as an authorized TSO program.

    The TSO program name for the product is SCCAUTH. You must place this name in the operating system’s SYS1.PARMLIB data set in the authorized command table. The command table is a member of SYS1.PARMLIB named IKJTSOxx. The suffix xx is assigned during installation. The TSO command table contains several different lists. Place SCCAUTH in the authorized program list (which is specified as AUTHPGM NAMES).

    Important

    Perform this procedure on all operating system images where you expect the product to run as an authorized TSO program.
