Configuring security for BMC AMI Command Center for Db2


This section outlines the security mechanisms for controlling access to BMC AMI Command Center for Db2 and to IBM Db2.

For further security details, see Common mainframe infrastructure documentation.

Controlling access to BMC AMI Command Center for Db2

BMC AMI Command Center for Db2 provides one plan. The default plan name is BMCGUIPL. This plan is used to perform all BMC AMI Command Center functions and is bound with the Catalog Manager and BMC Explain collection IDs.

Managing DBC security

If you use Computer Technologies CA-ACF2, Computer Technologies CA-Top Secret, or IBM RACF to control access to IBM Db2, you must take the following requirements into consideration.

CA-ACF2

If you are using CA-ACF2 to control user access to Db2, you must assign a unique logon ID to the DBC. The logon ID definition must specify the STC option, indicating that the ID is for use by a started task. You must also enable SAF so that CA-ACF2 can recognize the RACROUTE calls that the product issues.

CA-ACF2 can use a TSO command-limiting function to restrict an individual user or an entire site. This function applies to TSO commands that you issue from the READY prompt or from ISPF.

If command limiting is active, you must specify the LGCOMAIN command. The LGCOMAIN command invokes the ISPF interface for the DB2 Product Configuration (LGC) component to allow editing of option sets.

Command limiting can be activated for an individual or an entire site as follows:

  • For an individual, with the TSOCMDS field of the logon ID record

    TSOCMDS specifies the name of a module that contains a list of valid commands for a user. For a sample list, see the ACF$CMDS member of CAI.CAIMAC.

  • For an entire site, with the CMDLIST field of the GSO record named TSO

    The ALLCMDS field indicates permission for a user to bypass command limiting. Use the character that is specified in the BYPASS field of the GSO TSO record as a prefix for the command name.

CA-Top Secret

If you are using CA-Top Secret to control user access to Db2, you must update the Facilities Matrix table to identify the program name. If the program name is not in the table, CA-Top Secret does not allow a program to issue RACROUTE calls. You can specify the first three characters of the program name in the Facilities Matrix table.

Required grants for CA-ACF2, CA-Top Secret, and RACF

If you use CA-ACF2 security, define the following grants to CA-ACF2. If you use RACF or CA-Top Secret, define the following grants to Db2:

GRANT CREATETAB ON DATABASE BMCPERF
      TO PUBLIC;
GRANT USE OF TABLESPACE BMCPERF.BMCUPLAN
      TO PUBLIC;
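After the grants have been issued in Db2 (the RACF or CA-Top Secret case, where the grants live in the Db2 catalog), a practitioner will want to confirm that both are actually in place before users start running the product. The two catalog queries below are an added verification example, not part of the BMC documentation; they assume only the standard Db2 for z/OS catalog tables SYSIBM.SYSDBAUTH and SYSIBM.SYSRESAUTH, and use the database and table space names from the GRANT statements above.

```sql
-- Added verification example (not from the BMC documentation): confirm that the
-- two required grants are present in the Db2 catalog after running them.
-- BMCPERF and BMCUPLAN are the names from the GRANT statements above; the
-- catalog tables are the standard Db2 for z/OS tables (assumed unchanged here).

-- 1. CREATETAB on database BMCPERF for PUBLIC.
--    One row is expected; CREATETABAUTH is 'Y' (or 'G' if granted WITH GRANT OPTION).
SELECT GRANTEE,
       NAME          AS DATABASE_NAME,
       CREATETABAUTH,
       GRANTOR,
       GRANTEDTS
  FROM SYSIBM.SYSDBAUTH
 WHERE NAME = 'BMCPERF'
   AND GRANTEE = 'PUBLIC'
   AND CREATETABAUTH IN ('Y', 'G');

-- 2. USE OF TABLESPACE BMCPERF.BMCUPLAN for PUBLIC.
--    OBTYPE 'R' marks a table space row; QUALIFIER holds the database name.
SELECT GRANTEE,
       QUALIFIER     AS DATABASE_NAME,
       NAME          AS TABLESPACE_NAME,
       USEAUTH,
       GRANTOR,
       GRANTEDTS
  FROM SYSIBM.SYSRESAUTH
 WHERE OBTYPE = 'R'
   AND QUALIFIER = 'BMCPERF'
   AND NAME = 'BMCUPLAN'
   AND GRANTEE = 'PUBLIC'
   AND USEAUTH IN ('Y', 'G');
```

If either query returns no rows, the corresponding GRANT has not been applied to this Db2 subsystem (for example, it was run against the wrong subsystem, or it was rolled back). Under CA-ACF2 the grants are defined to CA-ACF2 rather than to Db2, so these catalog queries do not apply there; verify the equivalent rules in CA-ACF2 instead.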

Db2 security

To authorize SQL Explains, you can use SYSADM authority or your user ID’s authorization as it exists in Db2. If your user ID does not have Explain authority, you can use the following procedure to allow Explain to acquire SYSADM authority.

This procedure sets the Run authorized (authexpl) option in the GUDOPT option set.

To allow Explain to acquire SYSADM authority

Important

Any changes that you make to the Run authorized option affect all users.

  1. Invoke the LGCISPF CLIST from the CLIB data set:

     EX ‘HLQ..BMCCLIB(LGCISPF)’

     If you want to connect to a DBC other than the default DBC, invoke the LGCISPF CLIST with the DBC parm, where xxxx is the DBC SSID on that LPAR:

     EX ‘HLQ..BMCCLIB(LGCISPF)’ ‘DBC(xxxx)’
  2. On the DB2 Product Configuration – Main Menu (panel LGCPMENU), select 2 Manage Product Options.
  3. In the Product Options Sets panel (LGCP1001), expand the BMC AMI Command Center list by selecting the plus sign (+) next to BMC AMI Command Center and pressing Enter.
  4. Type E next to the option set that you want to edit.
  5. Set the Run authorized option to Y.
  6. Press F3 to save and exit.
  7. For the change to take effect, issue the following console command:

    /dbcssid GUD,EXPREFRESH

    The dbcssid value represents the DBC subsystem ID.
