Required authorizations for user IDs
Multiple user IDs are associated with installing, configuring, and using the common components with BMC products. This section describes the permissions and security settings for these IDs:
Installation user ID
The user ID of the installer must have the following permissions and security settings:
- ALTER authority for the following data sets:
  - BMC Installation System installation data sets
  - SMP/E global, target, and distribution data sets
  - Runtime data sets
  - User data sets
- READ authority for the IBM Resource Access Control Facility (RACF) FACILITY class for the following resources:
  - BMC.DBC.*
  - BMC.DPR.*
  - BMC.LGC.* (if LGC is installed)
  - BMC.NGL.* (if NGL is installed)
- USS SUPERUSER access
DBC started task user ID
The started task for the DBC must have the following permissions and security settings. For more information about DBC, see Working-with-DB2-Component-Services-DBC.
- DBC must meet the following UNIX requirements:
  - Write and execute access to the /tmp directory.
  - Update access to the FSACCESS (UNIX file system access check) resource class.
- DBC must be authorized to create an Extended MCS Console.
- READ authority for the RACF FACILITY class for the following resources:
  - BMC.DBC.*
  - BMC.DPR.*
  - BMC.LGC.* (if LGC is installed)
  - BMC.NGL.* (if NGL is installed)
- ALTER authority for the user data sets (that is, DBCREPOS and LOGSET files)
- READ and WRITE authority for the:
  - LGC private registry data set (if LGC is installed)
  - NGL private registry data set (if NGL is installed)
- An OMVS segment defined in the IBM RACF (normal user) security product or an equivalent security product
- When using APPTUNE object data collection, READ authority for:
  - DB2 Version 9 subsystems data sets:
    - db2cat.DSNDBD.DSNDB06.SYSDBASE.I0001.A001
    - db2cat.DSNDBD.DSNDB06.SYSUSER.I0001.A001
  - DB2 Version 10 and later subsystems data sets:
    - db2cat.DSNDBD.DSNDB06.SYSTSTAB.I0001.A001
    - db2cat.DSNDBD.DSNDB06.SYSTSIXS.I0001.A001
    - db2cat.DSNDBD.DSNDB06.SYSUSER.I0001.A001
- When using Pool Advisor, READ authority for DB2 Version 10 and later subsystems data sets:
  - db2cat.DSNDBD.DSNDB06.SYSTSDBA.I0001.A001
  - db2cat.DSNDBD.DSNDB06.SYSTSTAB.I0001.A001
  - db2cat.DSNDBD.DSNDB06.SYSTSTSP.I0001.A001
  - db2cat.DSNDBD.DSNDB06.SYSTSIXS.I0001.A001
- READ authority for System Authorization Facility (SAF) class DSNR for:
  - db2ssid.BATCH
  - db2ssid.RRSAF
NGLARCH started task user ID
The started task for the NGL must have the following permissions and security settings:
- ALTER authority for the HLQ for the user data sets (that is, LOGSET files)
- READ and WRITE authority for the NGL private registry data set (if NGL is installed)
- An OMVS segment defined in IBM RACF (normal user) or the equivalent in your security system
User ID
To use interface components of the products, the user ID must have:
- READ authority for the runtime data sets
- READ authority for the RACF FACILITY class for the following resources:
  - hlq.DBC.*
  - hlq.DPR.*
- An OMVS segment defined in the RACF (normal user) security product or an equivalent security product
- Execute access to the /tmp directory
Any user ID that issues operator commands to the DBC must have READ authority for the RACF FACILITY class for the following resource: hlq.lpar.dbcgroup.prodCode.command.PF
The variables are defined as follows:
- hlq is the high-level qualifier of the resource name. The HLQ node defaults to BMC, but you can customize the value by using the <HLQ> option in the DBC SAF startup options.
- lpar is the MVS system name where DBC executes.
- dbcgroup is the name of the DBC. This name is specified either in the execution parms for the DBC started task or in the DBCPARMS input DD statement. This name is also the XCF group name for the DBC.
- prodCode is the BMC product code of the product for which the resource is defined. This three-character code is specified in the INITPROD command used in product initialization.
- command is the name of the command.
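
The RACF commands below are an added example, not part of the BMC documentation, showing one way to grant the FACILITY and DSNR authorizations listed above for the DBC started task and for operator commands without opening the resources to everyone. The IDs DBCSTC and DBCOPER, the system name SYSA, the DBC group DBCGRP1 and the DB2 subsystem DB2P are constructed placeholders, and the example assumes the default BMC high-level qualifier, existing DSNR profiles for DB2P, and that the FACILITY and DSNR classes are active and RACLISTed.

```racf
/* Added example: every ID, system name and subsystem ID is a placeholder */

/* Define the profiles with UACC(NONE) so that READ is granted only   */
/* through the access list, never by default.                         */
RDEFINE FACILITY BMC.DBC.* UACC(NONE)
RDEFINE FACILITY BMC.DPR.* UACC(NONE)

/* DBC started task user ID (placeholder DBCSTC): READ, nothing higher */
PERMIT BMC.DBC.* CLASS(FACILITY) ID(DBCSTC) ACCESS(READ)
PERMIT BMC.DPR.* CLASS(FACILITY) ID(DBCSTC) ACCESS(READ)

/* DSNR connection types for the placeholder subsystem DB2P.          */
/* Assumes the DB2P.BATCH and DB2P.RRSAF profiles already exist.      */
PERMIT DB2P.BATCH CLASS(DSNR) ID(DBCSTC) ACCESS(READ)
PERMIT DB2P.RRSAF CLASS(DSNR) ID(DBCSTC) ACCESS(READ)

/* Operator commands: hlq.lpar.dbcgroup.prodCode.command.PF           */
/* One generic profile per LPAR and DBC group covers every product    */
/* code and command for that DBC; define narrower profiles where      */
/* individual commands need separate access lists.                    */
RDEFINE FACILITY BMC.SYSA.DBCGRP1.** UACC(NONE)
PERMIT BMC.SYSA.DBCGRP1.** CLASS(FACILITY) ID(DBCOPER) ACCESS(READ)

/* Make the changes effective for the RACLISTed classes */
SETROPTS RACLIST(FACILITY DSNR) REFRESH

/* Review the resulting access lists */
RLIST FACILITY BMC.DBC.* AUTHUSER
RLIST FACILITY BMC.SYSA.DBCGRP1.** AUTHUSER
```

Granting the operator-command profile to a group rather than to individual user IDs keeps the access list short and makes periodic review of RLIST output easier.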