User IDs for the DBC component

The DBC is the host address space used by the System and SQL Performance products.

The common Data Collector component for the Performance products runs under the DBC and is sometimes referred to as the DOM agent. The DOM agent is responsible for such things as connecting to Db2 subsystems, starting traces, and collecting and saving data. You can run the DBC as a batch job or as a started task, but we recommend running it as a started task. Restrict batch mode to testing the initial installation.

Related topic

Controlling-access-to-the-System-and-SQL-Performance-products-for-Db2


Important

If you plan to use more than one product in the same environment, we recommend that you use only one DBC for each z/OS image.

The following DBC user IDs are assigned according to the method that was used to start the DBC:

  • Batch

    The USER parameter of the JOB statement assigns this ID.

  • Started task

    Your MVS security system assigns this ID based on entries in the equivalent of the RACF ICHRIN03 table. This table contains the name of the started task procedure and the user ID that should be assigned to it. A user ID is often associated with each started task.

    Important

    (

    Apptune

     and 

    SQL Performance

    only) READ authority (or its equivalent) must be granted to the DBC started task ID on SYSUSERAUTH if either of the following conditions are true:

    READ authority (or its equivalent) must be granted to the DBC started task on SYSDBASE if either of the following conditions are true:

    • The object collection is set to Y in the ApptuneFilter option set.
    • The Db2 catalog data sets are protected by a security system.

    READ authority (or its equivalent) must be granted to the DBC started task on the DB2 SDSNLOAD and SDSNEXIT load libraries. The DBC started task needs the authority when the DOM agent starts the Db2 traces. ENQs are obtained on the DB2 libraries at the start of the traces that remain until the DOM agent is stopped.

Sites frequently allow the security system to assign a default user ID to started tasks so that started tasks can be added without requiring an update to the equivalent of the RACF ICHRIN03 table. In this case, you should grant the necessary authorizations to the user ID of the default started task. If you do not want the products being installed to use this default user ID, you must modify the ICHRIN03 table to assign a different user ID to the DBC.

Important

If you make changes to the ICHRIN03 table, an IPL is required to put them into effect.

The user that is assigned to the DBC started task needs RACF authority to the log files. The DOMEXIT1 exit determines the ID that the product uses for Db2 interactions (such as starting traces and executing Explains). Your security system must give this ID permission to perform the operations in Db2. If you did not customize DOMEXIT1 to use a different ID, the ID that the product uses for Db2 interactions is the default install SYSADM ID for each Db2 subsystem.

Console message IEF695I Procedure procName is assigned to User userID, is issued at DBC startup, and reports the user ID that the DBC is using. To determine which user ID the DBC is using, you can also issue the USERS command.

You must also add a rule to provide READ authority to the FACILITY class entity CSVDYNL.linkListName when the following conditions exist:

  • You are using CA-ACF2, CA-Top Secret, or RACF to control access to Db2.
  • You are using LINKLIST instead of STEPLIB for access to the System and SQL Performance products.

The linkListName variable represents the name of your LINKLIST data set.

For the authority requirements of the DBC, see Managing-security-with-CA-ACF2-CA-Top-Secret-or-RACF-security.


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*