This is part of the larger task of setting up security on z/OS.
The user ID of the person running the DB2 configuration jobs must have UPDATE access to the component PDSE, READ/EXECUTE access to the installation directory, and READ/WRITE/EXECUTE access to the broker-specific directory.
A user needs SYSADM or SYSCTRL authority to run the DB2 configuration jobs.
You cannot share DB2 tables between brokers; each broker must have its own DB2 tables.
The format of the table names is:
table_owner.table_name
where table_owner is known as the table owner.
When the broker starts up, the started task user ID is used to connect to DB2 using ODBC. The ODBC statement Set current SQLID is used to set the ID to table_owner; the table owner ID specifies which tables to use. You have two options in setting up the IDs:
- Make the table owner the same as the started task user ID. This means that each broker must have a different user ID. Check that the started task user ID specified has access to SYSIBM tables. From a TSO user with no system administration authority, use SPUFI to issue the following commands:
  select * from SYSIBM.SYSTABLES;
  select * from SYSIBM.SYSSYNONYMS;
  select * from SYSIBM.SYSDATABASE;
  and resolve any problems.
- Make the table owner different from the started task user ID. For this to work the started task needs to be able to issue the Set current SQLID request. The easiest way to do this is to create a RACF group with the same name as the table owner, and connect the started task user ID to this group. Check that the group ID specified has access to SYSIBM tables. From a TSO user with no system administration authority, use SPUFI to issue the following commands:
  SET CURRENT SQLID='WMQI';
  select * from SYSIBM.SYSTABLES;
  select * from SYSIBM.SYSSYNONYMS;
  select * from SYSIBM.SYSDATABASE;
  and resolve any problems (WMQI is the name of the group). You might need to connect the TSO user IDs of the DB2 administrators to the group.
If you have a unique group for each broker (and not a unique started task user ID), the started task user ID must be connected to the group for the ODBC request Set current SQLID to work successfully.
The DB2 administrator user ID must have access to one of the programs DSNTEP2 or DSNTIAD, or equivalent.
The started task user ID must be authorized to connect to DB2. The started task user ID needs a minimum of READ access to the subsystem.RRSAF profile in the DSNR class, if present. In this case, subsystem is the DB2 subsystem name. For example, the following RACF command lists all the resources in DSNR class:
RLIST DSNR *
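The RACF side of the second option (a group named after the table owner) and of the DSNR access check, as a REXX exec run under TSO. This is an added example, not part of the original documentation; the started task user ID MQSTC and the subsystem name DSN1 are constructed placeholders, WMQI is the group name used in the text above, and the issuing user is assumed to have the RACF authority these commands require.

```rexx
/* REXX - added example, not from the product documentation.        */
/* Constructed placeholders: replace with your own values.          */
stcuser   = 'MQSTC'   /* assumed broker started task user ID        */
tblowner  = 'WMQI'    /* table owner = RACF group name (from text)  */
subsystem = 'DSN1'    /* assumed DB2 subsystem name                 */
profile   = subsystem'.RRSAF'

Address TSO

/* Option 2: create a group with the same name as the table owner   */
/* so the started task user ID can issue SET CURRENT SQLID.         */
"ADDGROUP" tblowner
If rc <> 0 Then
  Say 'ADDGROUP ended with rc='rc' (the group may already exist)'

/* Connect the started task user ID to that group.                  */
"CONNECT" stcuser "GROUP("tblowner")"
If rc <> 0 Then Do
  Say 'CONNECT failed, rc='rc
  Exit rc
End

/* Review the result: LISTGRP shows every user ID connected to the  */
/* group. Anyone listed here can switch to the table owner SQLID,   */
/* so keep membership to the broker and its DB2 administrators.     */
"LISTGRP" tblowner

/* DSNR check: show who is on the access list of the RRSAF profile. */
/* If the resource is covered by a generic profile instead of a     */
/* discrete one, list and permit that generic profile instead.      */
"RLIST DSNR" profile "AUTHUSER"
If rc <> 0 Then Do
  Say profile 'was not listed (rc='rc'); no PERMIT issued'
  Exit 0
End

/* Grant the minimum the text asks for: READ, nothing higher.       */
"PERMIT" profile "CLASS(DSNR) ID("stcuser") ACCESS(READ)"

/* Only needed when the DSNR class is RACLISTed; otherwise skip.    */
"SETROPTS RACLIST(DSNR) REFRESH"

Exit 0
```

After running it, repeat the SPUFI checks from the second option to confirm that SET CURRENT SQLID='WMQI' now succeeds for the connected user IDs.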
The started task user ID needs EXECUTE authority to the DSNACLI plan or equivalent.
The DB2 subsystem started task user ID needs authority to create data sets with the high level qualifier specified in the DB2_STOR_GROUP_VCAT value.