Authorization verification mechanisms
If the DB2 DSNX@XAC authorization exit is available for your system, NGT Recover uses this exit to verify authorization for external access. The exit is available from the following sources:
- IBM provides a sample exit with DB2 for the IBM Resource Access Control Facility (RACF) component.
- CA Technologies provides the DSNX@XAC exit with CA-ACF2 Security for DB2 and CA-Top Secret Security for DB2.
BMC recommends this mechanism for implementing external security. The access control authorization exit must be available in the STEPLIB, JOBLIB, linklist, or in the SYS3.DSN exit.
If the DSNX@XAC exit is not available, NGT Recover uses the standard DB2 method to check security.
To run NGT Recover, you must have one of the following authorizations:
- Installation SYSADM or SYSADM authority
- Sufficient authority to run the NGT Recover application plan, and one of the following authorizations:
  - SYSCTRL or system DBADM
  - DBADM or DBCTRL authority for the databases containing the named table spaces
  - RECOVERDB, DISPLAYDB, STARTDB, and STOPDB authority for the databases containing the named table spaces and index spaces
  - DATAACCESS, DISPLAYDB, STARTDB, and STOPDB authority for the databases containing the named table spaces and index spaces
  - IMAGCOPY and DISPLAYDB authority to execute OUTCOPY only
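The nesting of the authorization list above, written out as a check that can be run against the grants held by one authorization ID. This is an added example, not BMC or DB2 code; the function name, argument layout, and sample database names are assumptions.

```python
# Added example (not BMC code). Function name, argument layout and the
# database names in the sample call are assumptions for illustration.
SYSTEM_ALONE = {"INSTALLATION SYSADM", "SYSADM"}   # sufficient by themselves
SYSTEM_PLUS_PLAN = {"SYSCTRL", "SYSTEM DBADM"}     # also need plan authority
# Per-database alternatives; one whole set must be held on every database.
DB_ALTERNATIVES = [
    {"DBADM"},
    {"DBCTRL"},
    {"RECOVERDB", "DISPLAYDB", "STARTDB", "STOPDB"},
    {"DATAACCESS", "DISPLAYDB", "STARTDB", "STOPDB"},
]
OUTCOPY_ONLY = {"IMAGCOPY", "DISPLAYDB"}           # valid for OUTCOPY-only jobs


def can_run(system_auths, plan_authority, db_auths, databases, outcopy_only=False):
    """Return (allowed, reason) for one authorization ID.

    system_auths   -- system-level authorities held by the ID
    plan_authority -- True if the ID may run the NGT Recover application plan
    db_auths       -- {database: authorities held on that database}
    databases      -- databases containing the named table and index spaces
    """
    system = {a.upper() for a in system_auths}
    if system & SYSTEM_ALONE:
        return True, "SYSADM"
    if not plan_authority:
        return False, "no authority to run the application plan"
    if system & SYSTEM_PLUS_PLAN:
        return True, "plan authority plus SYSCTRL or system DBADM"
    if not databases:
        return False, "no databases named"
    alternatives = DB_ALTERNATIVES + ([OUTCOPY_ONLY] if outcopy_only else [])
    for db in databases:
        # System-level authorities count toward each database's check.
        held = system | {a.upper() for a in db_auths.get(db, ())}
        if not any(alt <= held for alt in alternatives):
            return False, f"insufficient authority on database {db}"
    return True, "plan authority plus database authority"


if __name__ == "__main__":
    recover_set = {"RECOVERDB", "DISPLAYDB", "STARTDB", "STOPDB"}
    grants = {"DBPAY": recover_set, "DBHR": recover_set - {"STOPDB"}}  # constructed
    print(can_run(set(), True, grants, ["DBPAY"]))          # allowed
    print(can_run(set(), True, grants, ["DBPAY", "DBHR"]))  # DBHR lacks STOPDB
```

The check fails an ID that holds a complete authority set on one database but an incomplete set on another, which is the case most often missed when grants are reviewed one database at a time.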
Because NGT Recover uses the BMC dynamic bind technology, the OWNER of the plan must be authorized to EXECUTE each package in the plan at the time dynamic bind is performed. If you do not modify the OWNER of the NGT Recover plan specified during installation, you should not need to be concerned with this requirement.
Because NGT Recover does not run as part of the DB2 subsystem, you must have system authority similar to that of DB2 to use NGT Recover.
If the underlying data sets of a table space or index space are RACF or similarly protected, you must have sufficient authority to access and modify the data set. If a table or index space is STOGROUP-defined and the corresponding ICF catalog is RACF or similarly protected, you must also have sufficient authority to access and update the operating system catalog. The minimum levels of authority shown in the table are required when you use the following settings:
- The installation option OPNDB2ID is set to NO.
- OPNDB2ID is set to YES and a security system other than RACF is used.

| Table or index space definition | Minimum levels of authority required to access and update data sets | Minimum levels of authority required to access and update the operating system catalog |
| --- | --- | --- |
|  | ALTER or Control | UPDATE (if data set authority is ALTER) or ALTER (if data set authority is Control) |

If active logs will be read and OPNDB2ID = NO, the ID running the job needs ALTER authority.
If OPNDB2ID is set to YES and RACF is used, these authorities are not required; in this case, the RACF ID for DB2 is used when opening the DB2 data sets or catalog. For more information about the OPNDB2ID installation option, see OPNDB2ID=YES.
If DB2 is specified in the RACF started procedures table (ICHRIN03) as a privileged or trusted task and no user ID is associated with the DB2 address space, you cannot use OPNDB2ID to allow NGT Recover to access the DB2 data sets. In this case, the user running NGT Recover must have RACF authority to access the data sets needed for recovery.
The NGT Recover option OPNDB2ID works under data sharing only if all RACF IDs for the members of a group are the same. Authorizations for the bootstrap and log data sets must also be the same.
In addition to the traditional DB2 DSNDBC and DSNDBD data sets, NGT Recover requires the following access:
- SIMDBC for simulated recovery
- SIMDBD for simulated rebuild
- BMCDB for INDEP OUTSPACE recovery
- BMCDBD for INDEP OUTSPACE rebuild
- REBUILD with SHRLEVEL CHANGE
If OPNDB2ID=YES, this access must be granted to DB2's RACF ID. If OPNDB2ID=NO, this access must be granted to the user running NGT Recover.
NGT Recover uses system services that require APF authorization. Accordingly, NGT Recover must reside in an APF-authorized library.
All load modules loaded by NGT Recover must be authorized and must reside in APF-authorized libraries, as follows:
- Data Facility Product (DFP) module IGWASYS (which generally resides in SYS1.CSSLIB)
  For DFP Version 3.2 or earlier, this module is called IGWAQSMS.