Setting UNLOAD PLUS authorizations


UNLOAD PLUS does not run as part of the Db2 subsystem. Therefore, users must have system authorizations and, for DIRECT YES, data set authorizations that are equivalent to the authorizations that Db2 requires. Use the following procedures to set the necessary authorizations.


Important

If you are using UNLOAD PLUS with ALTER for Db2 or BMC AMI Change Manager for Db2, UNLOAD PLUS functions in DIRECT YES mode only.

To set Db2 authorizations

  • For all unload jobs, set the following authorizations:
    • Sufficient Db2 authority to execute the UNLOAD PLUS plan and all packages that the UNLOAD PLUS plan uses
    • Authorization equivalent to the authorization that the IBM Db2 UNLOAD utility requires
    • When DIRECT NO is invoked, UNLOAD authority is not used; you must have the necessary SELECT authority

      Important

      UNLOAD PLUS enforces row- and column-level security only when DIRECT NO is in effect.

  • To enable the use of the FORCE option to cancel Db2 threads that might prevent a successful drain during an unload job, grant the following authorizations:

    • DISPLAY privileges
    • One of the following authorities:
      • SYSADM
      • SYSOPR
      • SYSCTRL

    Important

    These authorizations might be implicit in the authority that the users have.

  • To enable zIIP processing and SHRLEVEL CHANGE CONSISTENT YES, ensure that you have the appropriate authorizations for SUF (also known as XBM). For information about security levels and authorizations for SUF (also known as XBM), see the SNAPSHOT UPGRADE FEATURE for DB2 documentation.
  • The Db2 system parameter AUTH_COMPATIBILITY is ignored.

To enable data set access using the Db2 DBM1 user ID for RACF or ACF2

Specify OPNDB2ID=YES in your installation options.
This option tells the utility to use the Db2 DBM1 RACF or ACF2 user ID for data set access.

To enable data set access when not using the Db2 RACF ID

When using DIRECT NO, UNLOAD PLUS uses Db2 to access data sets. In this case, users do not need the authorization described in this procedure.

  1. Specify OPNDB2ID=NO in your installation options. This option tells UNLOAD PLUS not to use the Db2 RACF ID for data set access.
  2. If using RACF or a similar system security package to protect underlying data sets and the Integrated Catalog Facility (ICF) catalog of a table or index space, grant READ privileges for the following sources:
    • Db2 VSAM data sets
    • Db2 image copy data sets
    • DSN1COPY data sets
    • Inline copy data sets
    • Instant Snapshot copy data sets
    • Online consistent copy data sets
    • Cabinet copy data sets
    • VSAM FlashCopy data sets
    • VSAM linear data sets
    • Encrypted copy data sets that are created by BMC AMI Copy
    • Key data sets for encrypted copies
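
The following RACF commands are an added example, not taken from the BMC documentation, showing one way to grant the READ access from step 2 to a group instead of to individual users. The group UNLDGRP, the user USER01, and the high-level qualifiers DB2CAT, DB2IC, and DB2KEY are placeholders, and the example assumes that generic profiles with UACC(NONE) already protect these data sets.

```tso
/* Added example. Placeholders: UNLDGRP, USER01, DB2CAT, DB2IC, DB2KEY.   */
/* Assumes the generic profiles below already exist with UACC(NONE).     */

/* Keep unload users in one group so access is granted, reviewed, and    */
/* revoked in one place. Row- and column-level security is enforced only */
/* with DIRECT NO, so membership here should stay small.                 */
CONNECT USER01 GROUP(UNLDGRP)

/* Db2 VSAM linear data sets for table spaces and index spaces           */
/* (cluster and data component names).                                   */
PERMIT 'DB2CAT.DSNDBC.**' ID(UNLDGRP) ACCESS(READ) GENERIC
PERMIT 'DB2CAT.DSNDBD.**' ID(UNLDGRP) ACCESS(READ) GENERIC

/* Copy data sets (image, inline, DSN1COPY, snapshot, FlashCopy, and     */
/* so on). The naming convention is site-defined; DB2IC is a placeholder.*/
PERMIT 'DB2IC.**' ID(UNLDGRP) ACCESS(READ) GENERIC

/* Key data sets for encrypted copies. Grant READ only, never higher.    */
PERMIT 'DB2KEY.**' ID(UNLDGRP) ACCESS(READ) GENERIC

/* Activate the changed generic profiles.                                */
SETROPTS GENERIC(DATASET) REFRESH

/* Verify: the access list should show UNLDGRP with READ and no          */
/* unexpected IDs with UPDATE or higher.                                 */
LISTDSD DATASET('DB2CAT.DSNDBC.**') GENERIC AUTHUSER
LISTDSD DATASET('DB2KEY.**') GENERIC AUTHUSER
```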

Tip

For sites that use a system security package other than RACF, the following steps illustrate one method for granting these data set authorizations: 

  1. Associate users with a security group.
  2. Grant EXECUTE privileges on the UNLOAD PLUS product program (ADUUMAIN) to the security group.
  3. Grant the data set authorizations to ADUUMAIN.
