Managing security with CA-ACF2, CA-Top Secret, or RACF security
If you use CA-ACF2, CA-Top Secret, or RACF to control access to Db2, the following considerations apply.
CA-ACF2
If you are using CA-ACF2 to control user access to Db2, you must assign a unique logon ID to the DBC. The logon ID definition must specify the STC option, indicating that the ID is for use by a started task. You must also enable SAF so that CA-ACF2 can recognize the RACROUTE calls that the product issues.
CA-ACF2 can use a TSO command-limiting function to restrict an individual user or an entire site. This function applies to TSO commands that you issue from the READY prompt or from ISPF.
If command limiting is active, you must specify the commands shown in the following table:
Command | Description |
---|---|
BBM9TC21 | Hyperlink to the BMC AMI Ops Monitor for Db2 |
DOMDMAIN | Access the System and SQL Performance products for Db2 Report Manager for viewing product reports |
DMDAIEZ2 | Invoke ISPF Edit to allow editing of BMC AMI Pool Advisor for Db2 ZPARM keywords (BMC AMI Pool Advisor and System Performance) |
DMDRJCL1 | Invoke ISPF Edit to allow editing of the JCL member created in the Configuration Advisor analysis process (BMC AMI Pool Advisor and System Performance) |
LGCOMAIN | Invoke the ISPF interface for the Db2 Product Configuration (LGC) component to allow editing of option sets |
PSSCATI | Invoke Common Explain functionality from BMC AMI Catalog Manager for Db2 |
PSSDCL | Create a DCLGEN in the product (SQL Explorer and SQL Performance) |
PSSSQLX | Execute an Explain or a single SQL statement from the product (SQL Explorer, Apptune, SQL Performance, and BMC AMI Ops Monitor for Db2) |
Command limiting is activated in the following ways:
- For an individual, with the TSOCMDS field of the logon ID record. TSOCMDS specifies the name of a module that contains a list of valid commands for that user. For a sample list, see the ACF$CMDS member of CAI.CAIMAC.
- For an entire site, with the CMDLIST field of the GSO record named TSO.
The ALLCMDS field indicates whether a user is permitted to bypass command limiting. To bypass it, prefix the command name with the character that is specified in the BYPASS field of the GSO TSO record.
CA-Top Secret
If you are using CA-Top Secret to control user access to Db2, you must update the Facilities Matrix table to identify the program name. If the program name is not in the table, CA-Top Secret does not allow a program to issue RACROUTE calls. You can specify the first three characters of the program name in the Facilities Matrix table. For the System and SQL Performance products, the first three characters are DOM. These characters then act as a wildcard (DOM*, for example), allowing any program beginning with the characters DOM to issue RACROUTE calls.
CA-ACF2, CA-Top Secret, and RACF
The names in the following list of grants reflect the default names that are used during installation. If you used different names during installation, replace these default names with your own names.
- vr indicates the version and release levels of the product.
- The storageGroup in line 11 is the STOGROUP referenced in the DDL for the BMCPERF database.
- The bufferpool in line 13 is the BUFFERPOOL referenced in the DDL for the BMCPERF database.
- The bufferpool in line 15 is the INDEXBP referenced in the DDL for the BMCPERF database.
TO PUBLIC;
GRANT USE OF TABLESPACE BMCPERF.BMCUPLAN
TO PUBLIC;
GRANT ALL ON TABLE BMCDAA<vr>.SQLX_BASE
TO PUBLIC;
GRANT ALL ON TABLE BMCDAA<vr>.SQLX_STATS
TO PUBLIC;
GRANT ALL ON TABLE BMCDAA<vr>.SQLX_SQLTXT
TO PUBLIC;
GRANT USE OF STOGROUP <storageGroup>
TO PUBLIC;
GRANT USE OF BUFFERPOOL <bufferpool>
TO PUBLIC;
GRANT USE OF BUFFERPOOL <bufferpool>
TO PUBLIC;
Define the grants as follows:
- If you use CA-ACF2 security, define the grants to CA-ACF2.
- If you use RACF or CA-Top Secret, define the grants to Db2.
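When the grants are defined to Db2 (the RACF and CA-Top Secret case), the Db2 catalog records what PUBLIC actually holds. The following query is an added verification example, not part of the BMC documentation; it reads the standard SYSIBM.SYSTABAUTH and SYSIBM.SYSRESAUTH catalog tables and uses the same <vr>, <storageGroup> and <bufferpool> placeholders as the grant list above, which must be replaced with the installation's real names before running it.

```sql
-- Added verification query (not part of the BMC documentation): lists the
-- PUBLIC privileges that the grant list above should have produced, so that
-- an administrator can confirm the installation grants are present and that
-- PUBLIC holds nothing broader than intended on these objects.
-- Placeholders <vr>, <storageGroup> and <bufferpool> are assumed to be
-- replaced with the installation's actual names.

-- Table privileges held by PUBLIC on the three SQLX tables.
-- 'Y' means the privilege is held, 'G' means it is held WITH GRANT OPTION.
SELECT TCREATOR, TTNAME,
       SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH,
       ALTERAUTH, INDEXAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE GRANTEE  = 'PUBLIC'
   AND TCREATOR = 'BMCDAA<vr>'
   AND TTNAME IN ('SQLX_BASE', 'SQLX_STATS', 'SQLX_SQLTXT')
 ORDER BY TTNAME;

-- USE privileges held by PUBLIC on the table space, storage group and
-- buffer pools. OBTYPE identifies the object kind:
--   'R' = table space (QUALIFIER is the database name)
--   'S' = storage group
--   'B' = buffer pool
SELECT OBTYPE, QUALIFIER, NAME, USEAUTH
  FROM SYSIBM.SYSRESAUTH
 WHERE GRANTEE = 'PUBLIC'
   AND (   (OBTYPE = 'R' AND QUALIFIER = 'BMCPERF'
                         AND NAME = 'BMCUPLAN')
        OR (OBTYPE = 'S' AND NAME = '<storageGroup>')
        OR (OBTYPE = 'B' AND NAME = '<bufferpool>'))
 ORDER BY OBTYPE, NAME;
```

A missing row for any of the listed objects means the corresponding GRANT was not issued to Db2; if the site has a second buffer pool for INDEXBP, add its name to the OBTYPE = 'B' condition.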