
Authorization

Using NGT Recover requires that you have authorization within DB2 and (in some cases) through your system security package (such as RACF) that is sufficient to access DB2 resources and perform the tasks accomplished during NGT Recover processing.

Authorization verification mechanisms

If the DB2 DSNX@XAC authorization exit is available for your system, NGT Recover uses this exit to verify authorization for external access. The exit is available from the following sources:

  • IBM provides a sample exit with DB2 for the IBM Resource Access Control Facility (RACF) component.

  • CA Technologies provides the DSNX@XAC exit with CA-ACF2 Security for DB2 and CA-Top Secret Security for DB2.

BMC recommends this mechanism for implementing external security. The access control authorization exit must be available in the STEPLIB, JOBLIB, linklist, or in the SYS3.DSN exit.

If the DSNX@XAC exit is not available, NGT Recover uses the standard DB2 method to check security.

DB2 authority

To run NGT Recover, you must have one of the following authorizations:

  • Installation SYSADM or SYSADM authority

  • Sufficient authority to run the NGT Recover application plan, and one of the following authorizations:

    • SYSCTRL or system DBADM

    • DBADM or DBCTRL authority for the databases containing the named table spaces

    • RECOVERDB, DISPLAYDB, STARTDB, and STOPDB authority for the databases containing the named table spaces and index spaces

    • DATAACCESS, DISPLAYDB, STARTDB, and STOPDB authority for the databases containing the named table spaces and index spaces

    • IMAGCOPY and DISPLAYDB authority to execute OUTCOPY only

Because NGT Recover uses the BMC dynamic bind technology, the OWNER of the plan must be authorized to EXECUTE each package in the plan at the time dynamic bind is performed. If you do not modify the OWNER of the NGT Recover plan specified during installation, you should not need to be concerned with this requirement.
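The following added example (not part of the BMC documentation) grants the narrowest database-level option from the list above and then audits the DB2 catalog to confirm that the ID holds only that set. The names MYDB, RCVRID, and RCVPLAN are placeholders; substitute your own database, authorization ID, and the plan name chosen at installation.

```sql
-- Added example. MYDB, RCVRID and RCVPLAN are placeholders, not values
-- taken from the product documentation.

-- 1. Grant the database-level recovery privileges only, rather than
--    DBADM/DBCTRL or a system-level authority.
GRANT RECOVERDB, DISPLAYDB, STARTDB, STOPDB
  ON DATABASE MYDB
  TO RCVRID;

-- 2. Grant authority to run the application plan.
GRANT EXECUTE ON PLAN RCVPLAN TO RCVRID;

-- 3. Audit: database privileges held by the ID. In these catalog columns
--    blank = not held, 'Y' = held, 'G' = held with the GRANT option.
--    Expect 'Y' in the first four columns and blanks in the rest.
SELECT GRANTEE, NAME AS DBNAME,
       RECOVERDBAUTH, DISPLAYDBAUTH, STARTDBAUTH, STOPDBAUTH,
       DBADMAUTH, DBCTRLAUTH, IMAGCOPYAUTH
  FROM SYSIBM.SYSDBAUTH
 WHERE GRANTEE = 'RCVRID'
   AND NAME    = 'MYDB';

-- 4. Audit: confirm the ID does not also hold broad system authority.
SELECT GRANTEE, SYSADMAUTH, SYSCTRLAUTH
  FROM SYSIBM.SYSUSERAUTH
 WHERE GRANTEE = 'RCVRID';

-- 5. Audit: who can execute the plan.
SELECT GRANTEE, EXECUTEAUTH
  FROM SYSIBM.SYSPLANAUTH
 WHERE NAME = 'RCVPLAN';
```

These catalog queries reflect native DB2 grants only. When the DSNX@XAC exit handles authorization, the effective permissions are defined in the external security product and must be reviewed there.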

System authority

Because NGT Recover does not run as part of the DB2 subsystem, you must have system authority similar to that of DB2 to use NGT Recover.

If the underlying data sets of a table space or index space are RACF or similarly protected, you must have sufficient authority to access and modify the data set. If a table or index space is STOGROUP-defined and the corresponding ICF catalog is RACF or similarly protected, you must also have sufficient authority to access and update the operating system catalog. The minimum levels of authority shown in the table are required when you use the following settings:

  • The installation option OPNDB2ID is set to NO.

  • OPNDB2ID is set to YES and a security system other than RACF is used.

| Table or index space definition | Minimum levels of authority required to access and update data sets | Minimum levels of authority required to access and update the operating system catalog |
|---|---|---|
| VCAT | Control | None required |
| STOGROUP | ALTER or Control | UPDATE (if data set authority is ALTER) or ALTER (if data set authority is Control) |

If active logs will be read and OPNDB2ID = NO, the ID running the job needs ALTER authority.

If OPNDB2ID is set to YES and RACF is used, these authorities are not required; in this case, the RACF ID for DB2 is used when opening the DB2 data sets or catalog. For more information about the OPNDB2ID installation option, see OPNDB2ID=YES.

If DB2 is specified in the RACF started procedures table (ICHRIN03) as a privileged or trusted task and no user ID is associated with the DB2 address space, you cannot use OPNDB2ID to allow NGT Recover to access the DB2 data sets. In this case, the user running NGT Recover must have RACF authority to access the data sets needed for recovery.

The NGT Recover option OPNDB2ID works under data sharing only if all RACF IDs for the members of a group are the same. Authorizations for the bootstrap and log data sets must also be the same.

In addition to the traditional DB2 DSNDBC and DSNDBD data sets, NGT Recover requires the following access:

  • SIMDBC for simulated recovery

  • SIMDBD for simulated rebuild

  • BMCDB for INDEP OUTSPACE recovery

  • BMCDBD for INDEP OUTSPACE rebuild

  • REBUILD with SHRLEVEL CHANGE

If OPNDB2ID=YES, this access must be granted to DB2's RACF ID. If OPNDB2ID=NO, this access must be granted to the user running NGT Recover.

APF authority

NGT Recover uses system services that require APF authorization. Accordingly, NGT Recover must reside in an APF-authorized library.

All load modules loaded by NGT Recover must be authorized and must reside in APF-authorized libraries, as follows:

  • IDCAMS

  • DSNUTILB

  • Data Facility Product (DFP) module IGWASYS (which generally resides in SYS1.CSSLIB)

    For DFP Version 3.2 or earlier, this module is called IGWAQSMS.

