z/OS security

If you have a z/OS security product , you must grant the required authorizations, even if your security system does not control access to Db2.

If you have no z/OS security product, see Db2-and-product-security.

VSAM data sets

The following table describes the function of each VSAM data set. For optimum performance, grant global access for each of the following data sets if you are using IBM RACF.

VSAM data sets created by the installation process

Data set	What the data set stores
PROFILE	User Profile user records for all product users and definitions for Apptuneapplication groups The user record contains the parameters for session characteristics and function keys.
SECURITY	User Profile security records Security records contain parameters that grant or deny access to various product functions and to Db2.
HELP	Online Help text associated with the products and their components
COPYDIR	Names of the archived log files for use by the archive directory
log files ¹	Trace records gathered from Db2 and BMC Software products
DCC$VARS1 ¹	Default parameter variable values and user-coded overrides to variable values (BMC AMI Pool Advisor and System Performance only)
PMD$HIST ¹	Long-term history records—daily, page sets, and objects (BMC AMI Pool Advisor and System Performance only)

_{1 Do not make the name of this data set version sensitive. You retain and reuse these files when you upgrade to a later release of the products.}

Report log data sets (Apptune and SQL Performance)

The installation process does not allocate report log data sets. Users allocate them to store reports and screen images for later viewing and printing. See the online Help for information about report logging (HELP TRPTLOG).

BBPARM and BBTMPLT data sets

Although only BMC AMI Pool Advisor and System Performance currently use these data sets, they must be present in order for you to use any of the System and SQL Performance products.

The BBPARM data set contains the following information:

Parameters that determine the changes that should be made to the monitored resources and the maximum and minimum threshold values that will be used when advisors recommend changes
Rules that trigger recommendations for changes to monitored resources

The BBTMPLT data set contains the advisor text that is displayed in BMC AMI Pool Advisor and System Performance.

Data set users

The following classes of users need authority to access the data sets that the installation process creates:

Db2 Component Services (DBC)
Product installer
Product administrator
The product administrator controls internal security and determines whether users should be restricted from performing tasks such as issuing z/OS or Db2 commands. A site can designate an individual to be the product administrator or can allow all users to perform administrative functions.
Product users

The following table lists RACF access authorization requirements for product data sets and lists CA-ACF2 access authorization requirements for product data sets. Consult with your security administrator as needed about assigning the appropriate authorizations.

Important

For more information about DBC security, see Managing-security-with-CA-ACF2-CA-Top-Secret-or-RACF-security.

RACF access authorization to product data sets

	DBC	Archive processing	Product installer	Product administrator	All users
Profile	NA	NA	A	U	U ³
Security	R	NA	A	U	R
Help	NA	NA	A	R	R
Report log	NA	NA	A	U	U ⁴
Log files	A	R	NA	NA	NA
Archives	NA	A	R	R	R
COPYDIR	U	U	A	U	R
PMD$HIST	U ¹	NA	A ¹	U ¹	NA
DCC$VARS	U ¹	NA	A ¹	U ¹	NA
BBPARM	R	NA	A	U	NA
BBTMPLT	R	NA	A	NA	NA
DB2MSTR	R	NA	R ²	R ²	R ²
DBC PARMLIB	R	R	A	NA	NA
DBC repository	A	NA	A	NA	NA
Db2 Product Configuration datastore	U	NA	S	NA	NA
RTCS private registry	U	U	A	U	R
Legend: R = READ U = UPDATE A = ALTER S = SUPERUSER NA = not applicable

^{1 Authorization is required ifSystem Performanceor BMC AMI Pool Advisoris installed. Otherwise, authorization is NA.}

^{2 The product installer, product administrator, and all users need READ (R) authority if the Data Collector is run with the SECURITY VIA DB2 AUTHORIZATION TABLE option set to Y in the DOMPLEX option set.}

^{3 You can use U (UPDATE) if you want to enable users to update their own profile settings or to be able to create their own reports. This access could be set to R (READ) but doing so might cause errors to be displayed. However, you can ignore these messages and the product continues to work normally.}

^{4 All users need UPDATE authority to their own report log data sets.}

CA-ACF2 access to product data sets

	DBC	Archive processing	Product installer	Product administrator	All users
Profile	NA	NA	WA	W	W ³
Security	R	NA	WA	W	R
Help	NA	NA	WA	R	R
Report log	NA	NA	WA	W	W
Log files	WA	R	NA	NA	NA
Archives	NA	WA	R	R	R
COPYDIR	W	W	WA	W	R
PMD$HIST	W ¹	NA	WA ¹	W ¹	NA
DCC$VARS	W ¹	NA	WA ¹	W ¹	NA
BBPARM	R	NA	WA	W	NA
BBTMPLT	R	NA	WA	NA	NA
DB2MSTR	R	NA	R ²	R ²	R ²
DBC PARMLIB	R	R	WA	NA	NA
DBC repository	WA	NA	WA	NA	NA
Db2 Product Configuration datastore	W	NA	S	NA	NA
RTCS private registry	W	W	WA	W	R
Legend: R = READ U = UPDATE A = ALTER S = SUPERUSER NA = not applicable

^{1 Authorization is required ifSystem Performanceor BMC AMI Pool Advisoris installed. Otherwise, authorization is NA.}

^{3 You can use W (WRITE) if you want to enable users to update their own profile settings or to be able to create their own reports. This access could be set to R (READ) but doing so might cause errors to be displayed. However, you can ignore these messages and the product continues to work normally.}