×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')
BMC AMI Recover for Db2 12.1 ... Getting started Key concepts Operational issues and concepts

Authorization

Using BMC AMI Recover requires that you have authorization within Db2 and (in some cases) through your system security package (such as RACF) that is sufficient to access Db2 resources and perform the tasks accomplished during BMC AMI Recover processing.

Authorization verification mechanisms

If the Db2 DSNX@XAC authorization exit is available for your system, BMC AMI Recover uses this exit to verify authorization for external access. The exit is available from the following sources:

  • IBM provides a sample exit with Db2 for the IBM Resource Access Control Facility (RACF) component.

  • CA Technologies provides the DSNX@XAC exit with CA-ACF2 Security for Db2 and CA-Top Secret Security for Db2.

We recommend this mechanism for implementing external security. The access control authorization exit must be available in the STEPLIB, JOBLIB, linklist, or in the SYS3.DSN exit.

If the DSNX@XAC exit is not available, BMC AMI Recover uses the standard Db2 method to check security.

Db2 authority

To run BMC AMI Recover, you must have one of the following authorizations:

  • Installation SYSADM or SYSADM authority

  • Sufficient authority to run the BMC AMI Recover application plan, and one of the following authorizations:

    • SYSCTRL or system DBADM

    • DBADM or DBCTRL authority for the databases containing the named table spaces

    • RECOVERDB, DISPLAYDB, STARTDB, and STOPDB authority for the databases containing the named table spaces and index spaces

    • DATAACCESS, DISPLAYDB, STARTDB, and STOPDB authority for the databases containing the named tables spaces and index spaces

    • IMAGCOPY and DISPLAYDB authority to execute OUTCOPY only

Because BMC AMI Recover uses the BMC dynamic bind technology, the OWNER of the plan must be authorized to EXECUTE each package in the plan at the time dynamic bind is performed. If you do not modify the OWNER of the BMC AMI Recover plan specified during installation, you should not need to be concerned with this requirement.

System authority

Because BMC AMI Recover does not run as part of the Db2 subsystem, you must have system authority similar to that of Db2 to use BMC AMI Recover.

If the underlying data sets of a table space or index space are RACF or similarly protected, you must have sufficient authority to access and modify the data set. If a table or index space is STOGROUP-defined and the corresponding ICF catalog is RACF or similarly protected, you must also have sufficient authority to access and update the operating system catalog. The minimum levels of authority shown in the table are required when you use the following settings:

  • The installation option OPNDB2ID is set to NO.

  • OPNDB2ID is set to YES and a security system other than RACF is used.

Table or index space definition

Minimum levels of authority required to access and update data sets

Minimum levels of authority required to access and update the operating system catalog

VCAT

Control

None required

STOGROUP

ALTER or Control

UPDATE (if data set authority is ALTER) or ALTER (if data set authority is Control)

If active logs will be read and OPNDB2ID = NO, the ID running the job needs ALTER authority.

If OPNDB2ID is set to YES and RACF is used, these authorities are not required; in this case, the RACF ID for Db2 is used when opening the Db2 data sets or catalog. For more information about the OPNDB2ID installation option, see OPNDB2ID=YES.

If Db2 is specified in the RACF started procedures table (ICHRIN03) as a privileged or trusted task and no user ID is associated with the Db2 address space, you cannot use OPNDB2ID to allow BMC AMI Recover to access the Db2 data sets. In this case, the user running BMC AMI Recover must have RACF authority to access the data sets needed for recovery.

The BMC AMI Recover option OPNDB2ID works under data sharing only if all RACF IDs for the members of a group are the same. Authorizations for the bootstrap and log data sets must also be the same.

In addition to the traditional Db2 DSNDBC and DSNDBD data sets, BMC AMI Recover requires the following access:

  • SIMDBC and SIMDBD for simulated recovery and rebuild

  • BMCDBC and BMCDBD for  recovery or rebuild with INDEP OUTSPACE, recovery with OUTCOPY ONLY from inline or snap copies, or REBUILD with SHRLEVEL CHANGE

  • OLDDBC and OLDDBD for REBUILD with SHRLEVEL CHANGE

If OPNDB2ID=YES, this access must be granted to Db2's RACF ID. If OPNDB2ID=NO, this access must be granted to the user running BMC AMI Recover.

APF authority

BMC AMI Recover uses system services that require APF authorization. Accordingly, BMC AMI Recover must reside in an APF-authorized library.

All load modules loaded by BMC AMI Recover must be authorized and must reside in APF-authorized libraries, as follows:

  • IDCAMS

  • DSNUTILB

  • Data Facility Product (DFP) module IGWASYS (which generally resides in SYS1.CSSLIB)

    For DFP Version 3.2 or earlier, this module is called IGWAQSMS.

Related topics

Operational issues and concepts

STEPLIB DD or JOBLIB statements


Was this page helpful? Yes No Submitting... Thank you
Last modified by Anagha Evans on Oct 25, 2021
getting_started

Comments

Log in or register to comment.

Operating environment
Table space and index space status
© Copyright 1994-2024 BMC Software, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.