Authorization


Using BMC AMI Recover requires that you have authorization within Db2 and (in some cases) through your system security package (such as RACF) that is sufficient to access Db2 resources and perform the tasks accomplished during BMC AMI Recover processing.

Authorization verification mechanisms

If the Db2 DSNX@XAC authorization exit is available for your system, BMC AMI Recover uses this exit to verify authorization for external access. The exit is available from the following sources:

  • IBM provides a sample exit with Db2 for the IBM Resource Access Control Facility (RACF) component.
  • CA Technologies provides the DSNX@XAC exit with CA-ACF2 Security for Db2 and CA-Top Secret Security for Db2.

We recommend this mechanism for implementing external security. The access control authorization exit must be available in the STEPLIB, JOBLIB, linklist, or in the SYS3.DSN exit.

If the DSNX@XAC exit is not available, BMC AMI Recover uses the standard Db2 method to check security.

Db2 authority

To run BMC AMI Recover, you must have sufficient authority to execute the BMC AMI Recover application plan, and one of the following authorizations:

  • RECOVERDB privilege for the database. For IMPORT of XML spaces, ALTER privilege for the database is also required.
  • DBADM or DBCTRL authority for the database.
  • System DBADM authority
  • DATAACCESS authority
  • SYSCTRL or SYSADM authority
  • IMAGCOPY authority to execute OUTCOPY only

Because BMC AMI Recover uses the BMC dynamic bind technology, the OWNER of the plan must be authorized to EXECUTE each package in the plan at the time dynamic bind is performed. If you do not modify the OWNER of the BMC AMI Recover plan specified during installation, you should not need to be concerned with this requirement.

System authority

Because BMC AMI Recover does not run as part of the Db2 subsystem, you must have system authority similar to that of Db2 to use BMC AMI Recover.

If the underlying data sets of a table space or index space are RACF or similarly protected, you must have sufficient authority to access and modify the data set. If a table or index space is STOGROUP-defined and the corresponding ICF catalog is RACF or similarly protected, you must also have sufficient authority to access and update the operating system catalog. The minimum levels of authority shown in the table are required when you use the following settings:

  • The installation option OPNDB2ID is set to NO.
  • OPNDB2ID is set to YES and a security system other than RACF is used.

Table or index space definition: VCAT
  Minimum level of authority required to access and update data sets: Control
  Minimum level of authority required to access and update the operating system catalog: None required

Table or index space definition: STOGROUP
  Minimum level of authority required to access and update data sets: ALTER or Control
  Minimum level of authority required to access and update the operating system catalog: UPDATE (if data set authority is ALTER) or ALTER (if data set authority is Control)

If active logs will be read and OPNDB2ID is set to NO, the ID running the job needs ALTER authority to any active log data set that is defined with SHROPTIONS(1,n).

If OPNDB2ID is set to YES and RACF is used, these authorities are not required; in this case, the RACF ID for Db2 is used when opening the Db2 data sets or catalog. For more information about the OPNDB2ID installation option, see OPNDB2ID-YES.

If Db2 is specified in the RACF started procedures table (ICHRIN03) as a privileged or trusted task and no user ID is associated with the Db2 address space, you cannot use OPNDB2ID to allow BMC AMI Recover to access the Db2 data sets. In this case, the user running BMC AMI Recover must have RACF authority to access the data sets needed for recovery.

The BMC AMI Recover option OPNDB2ID works under data sharing only if all RACF IDs for the members of a group are the same. Authorizations for the bootstrap and log data sets must also be the same.

In addition to the traditional Db2 DSNDBC and DSNDBD data sets, BMC AMI Recover requires the following access:

  • SIMDBC and SIMDBD for simulated recovery and rebuild
  • BMCDBC and BMCDBD for recovery or rebuild with INDEP OUTSPACE, recovery with OUTCOPY ONLY from inline or snap copies, or REBUILD with SHRLEVEL CHANGE
  • OLDDBC and OLDDBD for REBUILD with SHRLEVEL CHANGE

If OPNDB2ID=YES, this access must be granted to Db2's RACF ID. If OPNDB2ID=NO, this access must be granted to the user running BMC AMI Recover.

APF authority

BMC AMI Recover uses system services that require APF authorization. Accordingly, BMC AMI Recover must reside in an APF-authorized library.

All load modules loaded by BMC AMI Recover must be authorized and must reside in APF-authorized libraries, as follows:

  • IDCAMS
  • DSNUTILB
  • Data Facility Product (DFP) module IGWASYS (which generally resides in SYS1.CSSLIB)

    For DFP Version 3.2 or earlier, this module is called IGWAQSMS.


BMC AMI Recover for Db2 13.1