Required authorizations
To use the Snapshot Copy feature or XBM Utility Monitor, you must have the appropriate authorizations. For more detailed information, see the SNAPSHOT UPGRADE FEATURE for DB2 documentation.
To use the COMPRESS option, you must have the appropriate authorizations to use PACLOG for DB2. For details on the PACLOG authorizations needed, see the PACLOG for DB2 documentation.
Authorization verification mechanisms
If the Db2 DSNX@XAC authorization exit is available for your system, BMC AMI Copy uses this exit to verify authorization for external access.
The exit is available from the following sources:
- IBM provides a sample exit with Db2 for the IBM Resource Access Control Facility (RACF) component.
- CA Technologies provides the DSNX@XAC exit with CA-ACF2 Security for Db2 and CA-Top Secret Security for Db2.
We recommend this mechanism for implementing external security. The access control authorization exit must be available in the STEPLIB, JOBLIB, linklist, or in the SYS3.DSN exit.
If the DSNX@XAC exit is not available, BMC AMI Copy uses the standard Db2 method to check security.
Db2 authority
To run BMC AMI Copy, you must have EXECUTE authority on the BMC AMI Copy plan, and the plan owner must have EXECUTE authority to collection-id.* for the collections referenced by the plan.
For BMC AMI Copy to be able to process database objects, your primary or secondary authorization IDs must have one of the following authorities or privileges:
- Installation SYSADM, SYSADM, or SYSCTRL authority
- System DBADM, DBADM, DBCTRL, DBMAINT, or IMAGCOPY authority for the database containing the named space
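To review which IDs currently satisfy these requirements, the Db2 catalog authorization tables can be queried. The following is an added example, not part of the BMC documentation. The plan name `COPYPLAN`, collection `COPYCOLL`, and database `PAYROLL` are placeholders to replace with your site's values.

```sql
-- Placeholders (assumptions, not from the product documentation):
--   'COPYPLAN' = name of the BMC AMI Copy plan at your site
--   'COPYCOLL' = a collection referenced by that plan
--   'PAYROLL'  = database containing the space to be copied
-- In the *AUTH columns, 'Y' = held, 'G' = held with GRANT option, blank = not held.

-- 1. IDs with EXECUTE on the plan (a GRANTEE of PUBLIC means every ID can run it)
SELECT GRANTEE, GRANTOR, EXECUTEAUTH
  FROM SYSIBM.SYSPLANAUTH
 WHERE NAME = 'COPYPLAN'
   AND EXECUTEAUTH IN ('Y', 'G');

-- 2. IDs with EXECUTE on collection-id.* (the plan owner should appear here)
SELECT GRANTEE, GRANTOR, COLLID, NAME, EXECUTEAUTH
  FROM SYSIBM.SYSPACKAUTH
 WHERE COLLID = 'COPYCOLL'
   AND NAME = '*'
   AND EXECUTEAUTH IN ('Y', 'G');

-- 3. IDs with a qualifying database-level authority or privilege
SELECT GRANTEE, GRANTOR,
       DBADMAUTH, DBCTRLAUTH, DBMAINTAUTH, IMAGCOPYAUTH
  FROM SYSIBM.SYSDBAUTH
 WHERE NAME = 'PAYROLL'
   AND (DBADMAUTH    IN ('Y', 'G')
     OR DBCTRLAUTH   IN ('Y', 'G')
     OR DBMAINTAUTH  IN ('Y', 'G')
     OR IMAGCOPYAUTH IN ('Y', 'G'));

-- 4. IDs with a qualifying system-level authority
--    (installation SYSADM is set in subsystem parameters and is not listed here)
SELECT GRANTEE, GRANTOR, SYSADMAUTH, SYSCTRLAUTH, SDBADMAUTH
  FROM SYSIBM.SYSUSERAUTH
 WHERE SYSADMAUTH  IN ('Y', 'G')
    OR SYSCTRLAUTH IN ('Y', 'G')
    OR SDBADMAUTH  IN ('Y', 'G');
```

These queries reflect only grants recorded in the Db2 catalog. When the DSNX@XAC exit is active, access decisions made by the external security product are not visible here and must be reviewed in that product.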
System authority
Because BMC AMI Copy does not run as part of the Db2 subsystem, you must have authorization equivalent to that required by Db2 to use BMC AMI Copy.
When the BMC AMI Copy installation option OPNDB2ID is set to NO, and when the underlying data set of a table space is protected by the IBM Resource Access Control Facility (RACF) component of the z/OS Security Server or a similar security system, you must have sufficient authority to access and modify the data set. For index spaces, you must have read access to the index data set(s).
When the BMC AMI Copy installation option OPNDB2ID is set to YES, the Db2 RACF ID is used to allow Db2 data sets to be opened. For security systems other than RACF, the installation option OPNDB2ID must be set to NO.
If your Db2 is specified in the RACF started procedures table (ICHRIN03) as a privileged or trusted task and no user ID is associated with the Db2 address space, you cannot use OPNDB2ID to allow BMC AMI Copy to access the Db2 data sets. In this case, if you are running BMC AMI Copy, you must have RACF authority to access the data sets needed for copying.
If you are using SHRLEVEL CHANGE with data sharing, BMC AMI Copy and COPY IMAGECOPY read the BSDS. Therefore, you need READ authorization for the BSDS for BMC AMI Copy and COPY IMAGECOPY commands. BMC AMI Copy reads the group buffer pool checkpoint records from the BSDSs for the group if it detects that the space being copied is group buffer pool dependent.
APF authority
BMC AMI Copy uses MVS system services that require APF authorization. BMC AMI Copy must reside in an APF-authorized library.
All load modules loaded by BMC AMI Copy must be authorized and must reside in APF-authorized libraries.