Limited support: BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Recovery Manager for Db2 13.1.

Authorizations


This topic describes the authorizations required to access BMC AMI Recovery Manager, work with application object sets, and execute backup or recovery JCL.

Tip

If you use the CA ACF2 security system and your shop is restricting TSO commands, add ARMUMAN, ARMUSEL, ARMOPTM, and DSNJU004 to the list of commands in the TSOCMDS module. If your site restricts the use of TSO commands through an option of the system security package (such as the IBM RACF component of the z/OS Security Server or ACF2) or an add-on product such as PCF, be sure the ARMUMAN, ARMUSEL, ARMOPTM, and DSNJU004 command names are added to the appropriate command table. Otherwise, the message IKJ56500I command COMMAND NOT FOUND is issued when attempting to invoke the BMC AMI Recovery Manager CLIST or when using the logging environment modeling tool.

General authorization

You must have READ authority for BSDS data sets to run BMC AMI Recovery Manager.

RACF authorization

This section summarizes the authorization requirements to use the IBM Resource Access Control Facility (RACF) program with BMC AMI Recovery Manager.

Running BMC AMI Recovery Manager with RACF authorization for Db2

The ARCHIVE and DISPLAY GROUP commands belong to the Db2 object type System. Both commands use RACF class MDSNSM. When using BMC AMI Recovery Manager in a RACF environment, you need the following privileges or authorities to execute ARCHIVE and DISPLAY GROUP:

Command

Authorization requirement

ARCHIVE

You need one of the following privileges or authorities:

  • ARCHIVE privilege
  • Installation SYSOPR authority
  • SYSCTRL authority
  • SYSADM authority

Example

The following sample code defines the ARCHIVE privilege:

RDEFINE MDSNSM DEGD.ARCHIVE OWNER(DBAXYZ1) UACC(NONE)
PERMIT DEGD.ARCHIVE CLASS(MDSNSM) ID(DBAXYZ2) ACCESS(READ)
SETR GENERIC(MDSNSM) REFRESH
SETR RACLIST(MDSNSM) REFRESH

DISPLAY GROUP

You need one of the following privileges or authorities:

  • DISPLAY privilege
  • System DBADM authority
  • SYSOPR authority
  • SYSCTRL authority
  • SYSADM authority

APF authorization

The BMC AMI Recovery Manager load library must be APF authorized. In addition, you must add SCCAUTH to the AUTHPGM NAMES section of member IKJTSOxx in SYS1.PARMLIB. 

Important

SCCAUTH is a common authorization module used by multiple BMC products, including the components of the BMC Recovery Management for Db2 solution.
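
One way to check a saved copy of the IKJTSOxx member for this requirement (an added example, not BMC code; the sample member text and the function names are constructed for illustration). The check reads only the AUTHPGM NAMES list, so a mention of SCCAUTH in a comment or in the AUTHCMD list does not count as satisfying it:

```python
import re

# Constructed sample of an IKJTSOxx member (not taken from a real system).
# SCCAUTH appears twice, but never inside the AUTHPGM NAMES list.
SAMPLE_IKJTSO = """\
AUTHCMD NAMES(            /* AUTHORIZED COMMANDS      */ +
   RECEIVE  TRANSMIT      /* TSO/E                    */ +
   SCCAUTH)               /* wrong list for a program */
AUTHPGM NAMES(            /* AUTHORIZED PROGRAMS      */ +
   IEBCOPY                /* SCCAUTH to be added      */ +
   ICHUT100)
"""


def parmlib_names(member_text, statement):
    """Return the NAMES(...) entries of one IKJTSOxx statement."""
    # Drop /* ... */ comments so names mentioned in them are ignored.
    text = re.sub(r"/\*.*?\*/", " ", member_text, flags=re.S)
    # A trailing + or - continues the statement on the next line.
    text = re.sub(r"[+-]\s*\n", " ", text)
    match = re.search(rf"\b{statement}\s+NAMES\s*\(([^)]*)\)", text, flags=re.I)
    return match.group(1).upper().split() if match else []


def sccauth_authorized(member_text):
    """True only if SCCAUTH is listed under AUTHPGM NAMES."""
    return "SCCAUTH" in parmlib_names(member_text, "AUTHPGM")


if __name__ == "__main__":
    print("AUTHPGM:", parmlib_names(SAMPLE_IKJTSO, "AUTHPGM"))
    print("SCCAUTH authorized:", sccauth_authorized(SAMPLE_IKJTSO))
```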

Db2 plan authorization

If the ssid.PUBLICPLAN configuration option is set to YES in the option set, BMC AMI Recovery Manager grants EXECUTE authority to PUBLIC the first time the product is run and then dynamically binds the plan. If the PUBLICPLAN option is set to NO, you must grant EXECUTE authority to users as needed. 

Object set authorization

Each BMC AMI Recovery Manager application object set has an owner (creator) who can give authority for that object set to any number of users.

In addition to the creator, only authorized users can maintain and save object sets. Any user who has SYSADM or system DBADM authority (or whose secondary IDs have SYSADM or system DBADM authority) is considered an authorized user for all object sets in the subsystem. All users can display a list of object set names, but only the creator and authorized users can update or delete an object set.

Important

External security, such as ACF2 and RACF, is supported for opening and saving object sets.

Naming a new object set

Each object set name includes the authorization ID of its creator.

When you create a new object set, BMC AMI Recovery Manager identifies it (until you save it under another name) as sqlID.UNNAMED_OBJECTSET, where the variable sqlID is the creator part of the name and is your current SQL ID (which defaults to your primary logon user ID).

Important

You can change your SQL ID to one of your secondary user IDs on the Main Menu before proceeding to create the new object set.

If you save the object set to the repository, the object set is saved as sqlID.name, where the variable name is a long ID string of your choice.

If you modify your SQL ID on the Main Menu, the change is saved and is shown the next time you access BMC AMI Recovery Manager.

When you save a new object set or save an existing object set under a different name, you can change the object set name to one that uses one of your secondary user IDs. Users who have SYSADM or system DBADM authority (or whose secondary IDs have SYSADM or system DBADM authority) can specify any AUTHID as the creator of the object set.

Adding or revoking authorized users

You can add or revoke authorized users of an object set through the Object Set Edit Authorization panel. Although BMC AMI Recovery Manager tracks the ID of the grantor of another user’s authorization, there is no cascading when revoking authorization.
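
Because revokes do not cascade, an authorization granted by a user whose own authorization is later revoked stays in effect. The following added sketch (not BMC code; the Grant record layout, the user IDs, and the function names are assumptions made for illustration) models that behavior and lists the surviving grants whose grantor chain no longer reaches the creator or an administrator, which are the entries to review after a revoke:

```python
# Added example: a hypothetical model, not the product's repository format.
from collections import namedtuple

# One row per authorization on an object set: who holds it, who granted it.
Grant = namedtuple("Grant", "grantee grantor")

# Constructed sample: OWNER1 is the creator; all IDs are made up.
SAMPLE_GRANTS = [
    Grant("USERA", "OWNER1"),
    Grant("USERB", "USERA"),
    Grant("USERC", "USERB"),
    Grant("USERD", "OWNER1"),
]


def revoke(grants, grantee):
    """Non-cascading revoke: remove only the rows that name this grantee.

    Authorizations the revoked user granted to others stay in place.
    """
    return [g for g in grants if g.grantee != grantee]


def rooted_users(roots, grants):
    """IDs whose authority traces back to a root through current grants.

    roots: the creator plus any ID with SYSADM or system DBADM authority.
    """
    rooted = set(roots)
    changed = True
    while changed:
        changed = False
        for g in grants:
            if g.grantor in rooted and g.grantee not in rooted:
                rooted.add(g.grantee)
                changed = True
    return rooted


def orphaned_grants(roots, grants):
    """Grants still in effect whose grantor no longer holds authority."""
    rooted = rooted_users(roots, grants)
    return sorted(g for g in grants if g.grantor not in rooted)
```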

Some authorization scenarios

The following examples show how authorizations can be implemented to satisfy different requirements:

  • An object set that is used and maintained by an individual could use that user’s primary ID as the creator part of the name and selectively provide access to other users as needed.
  • An object set that is used and maintained by a group of people could use a secondary ID that represents that group of people. This is the most flexible scenario, because it gives access to all members with the secondary ID and can avoid duplicate security administration among BMC AMI Recovery Manager, Db2, and the security package.
  • TYPE O authorization is provided to a user who generates backup or recovery JCL. The user is allowed to make changes to the 'working' object set but is not allowed to save it to the repository. 

System resource authorization

BMC AMI Recovery Manager does not verify your authority to execute the following BMC, Db2, and operating system utilities which might be called in the generated JCL:

  • BMC AMI Copy
  • CHECK PLUS
  • BMC AMI Recover
  • Db2 Print Log Map (DSNJU004)
  • Db2 Change Log Inventory (DSNJU003)
  • Recovery Log Extractor (DSN1LOGP)
  • IBM Db2 RECOVER (DSNUTILB)
  • IBM Db2 COPY (DSNUTILB)
  • IBM Db2 CHECK (DSNUTILB)
  • IEBGENER
  • IDCAMS

Refer to the appropriate utility reference documentation for information about the authorizations required to use the listed utilities.

Disaster recovery authorizations

When you make disaster recovery preparations at the local site, you must have additional authorizations for the following activities:

To run the system resource recovery JCL at the recovery site, you need authority (at the recovery site) to execute the Db2 and operating system utilities that are listed in System resource authorization. You also need the following authorizations:

  • ALTER authority on the BSDS and active log data sets
  • Db2 installation SYSADM or installation SYSOPR authority
  • ALTER authority on the archive log data sets when you are performing subsystem recovery  

Authorization to modify subsystem backup and recovery options

If you have authority to access BMC AMI Recovery Manager, you can also display, change, and add to any subsystem default backup and recovery options that are not already defined. However, to save any changes that you make to these options, you must have one of the following Db2 authorizations:

  • Installation SYSADM
  • SYSADM or system DBADM
  • DBADM for the repository database

Authorization to use delete and redefine recovery options

To use the Delete STOGROUP objects and Redefine VCAT objects options on the Recovery Type Selection panel, you must have authority to issue Db2 STOP and DISPLAY commands on the objects that are being recovered.

You also need control authority on the physical data sets. See General recovery options for information about the Delete and Redefine options.
