Creating Data Gate on Cloud users and granting privileges on z/OS

Data Gate on Cloud requires both a privileged user (for administration and load tasks) and a log reader user (to read Db2® for z/OS log data).

About this task

The log reader user should be a dedicated user ID to access the log interface and to retrieve the log records of the copied tables for the Data Gate on Cloud. The privileged user should be responsible for administration tasks (like stored procedure invocation, SELECT on Data Gate on Cloud meta data tables and Db2 catalog, etc.) and the initial load of data (UNLOAD/SELECT on business tables).

You can define one user ID with all required privileges for both the log reader user and the privileged user. Data Gate on Cloud supports using a single user ID during configuration by choosing the Same as source database option.

Procedure

Grant the following privileges to the Data Gate on Cloud log reader user (named LOGUSR in the examples).
1. Add a DSNR profile.
  Ownership must be assigned to the user ID that starts the Db2 subsystem or data sharing member to which you want to connect. In the following examples, the name of this user is DB2USER. The profile name must consist of the Db2 subsystem or member name followed by a dot and the keyword ACCEL.
  For example:
```
DB2A.ACCEL
```
  The RACF® commands you need to run to create this profile and grant the required read access are (in accordance with the names previously introduced):
```
RDEFINE DSNR (DB2A.ACCEL) OWNER(DB2USER) UACC(NONE)
PERMIT DB2A.ACCEL CLASS(DSNR) ID(LOGUSR) ACCESS(READ)
```
2. Assign read access to the DB2A.DIST profile.
  Most likely, this .DIST profile already exists because it controls all remote access to Db2. If it does not yet exist, define it in the same way as the DB2A.ACCEL profile.
  For example:
```
RDEFINE DSNR (DB2A.DIST) OWNER(DB2USER) UACC(NONE)
PERMIT DB2A.DIST CLASS(DSNR) ID(LOGUSR) ACCESS(READ)
```
3. Grant MONITOR2 authority by issuing the command:
```
GRANT MONITOR2 TO LOGUSR;
```
4. For schema change support, grant the SELECT privilege on the following system tables:
  - SYSIBM.SYSTABLES
  - SYSIBM.SYSCOLUMNS
  - SYSIBM.SYSDUMMY1
  To set these privileges for the sample user ID LOGUSR:
```
GRANT SELECT ON SYSIBM.SYSTABLES TO LOGUSR;
GRANT SELECT ON SYSIBM.SYSCOLUMNS TO LOGUSR;
GRANT SELECT ON SYSIBM.SYSDUMMY1 TO LOGUSR;
COMMIT; 
```
  For more information about schema changes, see Support for schema changes in Data Gate on Cloud tables
5. For schema change support, also grant the SELECT and UPDATE privileges on the SYSACCEL.SYSACCELERATEDTABLES table.
  To set this privilege for the sample user ID LOGUSR:
```
GRANT SELECT, UPDATE ON SYSACCEL.SYSACCELERATEDTABLES TO LOGUSR;
COMMIT; 
```
6. The LOGUSR user ID also requires permission to run the SYSPROC.ACCEL_REMOVE_TABLES stored procedure.
  For details, see the Authorizations for z/OS section in SYSPROC.ACCEL_REMOVE_TABLES.
7. In addition, the LOGUSR user ID requires read access to the AQTDEF6 and AQTENV data set members of your installation. The name of the data set that these members belong to depends on your product configuration. Grant the read privilege to the RACF user profile that has access to these members.
  This will probably not be one of the profiles already mentioned, but yet another RACF profile. On a generic basis, the command for this reads:
```
PERMIT <profile name> ID(LOGUSR) ACCESS(READ)
```
  where <profile name> is the name of the identified RACF profile.
Grant the following privileges and authorizations to the privileged user (privileged-user):
z/OS privileges:
- Read privilege on the stored procedure configuration data set SAQTSAMP, members AQTENV and AQTDEF6
- For the initial load of data to Data Gate on Cloud:
  - GRANT STARTDB ON DATABASE Db2-database TO privileged-user
  - GRANT UNLOAD/SELECT ON Db2-table TO privileged-user
RACF and z/OS UNIX file system (zFS) privileges:
- OMVS segment for the privileged user ID
- Write access to the /tmp directory (UNIX System Services pipes are created in this directory).
- RACF ACCESS(READ) on the data set high-level-qualifier.ETC.IPNODES
- Permission to read the RACF group profiles associated with the privileged user. In the following example, this permission is granted to the user IBMDBUSR:
```
PE IRR.DIGTCERT.LIST CL(FACILITY) ID(IBMDBUSR) ACC(READ)
```
- Permission to update RACF key rings associated with the privileged user. In the following example, this permission is granted to the user IBMDBUSR:
```
PE IRR.DIGTCERT.LISTRING CL(FACILITY) ID(IBMDBUSR) ACC(UPDATE)
```
- Permission to read the dbsubsystem.ACCEL profile. In the following example, this permission is granted to the user IBMDBUSR on a profile named DB2A.ACCEL
```
PERMIT DB2A.ACCEL CLASS(DSNR) ID(IBMDBUSR) ACCESS(READ)
```
- Permission to read the dbsubsystem.DIST profile. In the following example, this permission is granted to the user IBMDBUSR on a profile named DB2A.DIST:
```
PERMIT DB2A.DIST CLASS(DSNR) ID(IBMDBUSR) ACCESS(READ)
```
Db2 for z/OS privileges:
- GRANT EXECUTE ON FUNCTION DSNAQT.* TO privileged-user
- GRANT EXECUTE ON PROCEDURE SYSPROC.* TO privileged-user
- GRANT EXECUTE ON PACKAGE SYSACCEL.* TO privileged-user
- GRANT MONITOR1 TO privileged-user
- GRANT ALTER ON replicated-table-1, replicated-table-2, ... TO privileged-user
- GRANT TRACE TO privileged-user
- GRANT DISPLAY TO privileged-user
- GRANT SYSOPR TO privileged-user
- GRANT SELECT ON DSNAQT.ACCEL_NAMES TO privileged-user
- GRANT SELECT ON SYSACCEL.* TO privileged-user
- GRANT SELECT ON SYSIBM.SYSCOLUMNS TO privileged-user
- GRANT SELECT ON SYSIBM.SYSCONTROLS TO privileged-user
- GRANT SELECT ON SYSIBM.SYSDATABASE TO privileged-user
- GRANT SELECT ON SYSIBM.SYSDUMMY1 TO privileged-user
- GRANT SELECT ON SYSIBM.SYSINDEXES TO privileged-user
- GRANT SELECT ON SYSIBM.SYSRELS TO privileged-user
- GRANT SELECT ON SYSIBM.SYSTABLEPART TO privileged-user
- GRANT SELECT ON SYSIBM.SYSTABLES TO privileged-user
- GRANT SELECT ON SYSIBM.SYSVIEWS TO privileged-user