Reviewing and setting proper authorizations

The proper authorizations are required to perform various tasks relating to Db2 Query Monitor installation, customization, and use.

Procedure

  1. Review the authorizations listed in the following table to ensure that the proper authority is available for each user based on the tasks they will be required to perform.
    Table 1. Required authorizations

    | Description | Auth type |
    | --- | --- |
    | The installation of Db2 Query Monitor requires DBADMN authority or higher. | SYSADM |
    | Running Db2 Query Monitor requires that the Db2 Query Monitor load library is APF-authorized. | APF |
    | Running Db2 Query Monitor requires users to have EXECUTE authority for the Db2 Query Monitor plan. | Db2 |
    | The user IDs for the started tasks (which include the Query Monitor Subsystem started task and the CAE Agent started task) must have EXECUTE authority on the Db2 Query Monitor plan. | Db2 |
    | Users must have UPDATE authority on the CQMPROF data set to create or update monitoring profiles. Users must have READ authority on the CQMPROF data set to view monitoring profiles. | RACF® |
    | Users must have authority to create and use the Db2 Control File (DB2PARMS). | RACF |
    | The user ID for the Query Monitor Subsystem started task must have RRSAF access to Db2. The Db2 connection method for the Query Monitor Subsystem, Performance History Database, and CAE components is RRSAF (which replaces the CAF method used previously). This enables Db2 authorization checking based on the user that is logged in when accessing remote data sharing members through the CAE. The ISPF client still uses CAF to access Db2. | RACF |
  2. Configure RACF facility class profiles to restrict or grant authority to perform Db2 Query Monitor functions. Secure Db2 Query Monitor's functions by configuring the RACF Facility Class Profiles as appropriate for your site. A function is not secured if the corresponding RACF Facility Class Profile does not exist. If the specific RACF Facility Class Profile does not exist, then the most granular generic RACF Facility Class Profile will be applied in its place.

    For example, if CQM.ACCESS.qmid does not exist for a given Query Monitor Subsystem, but a generic RACF Facility Class Profile named CQM.ACCESS.* exists, then the generic profile is used. Only authorization IDs with READ access to the profile that is applied are cleared by RACF.

    Table 2. RACF profiles and authorities

    | Function | Description of authority | Profile |
    | --- | --- | --- |
    | Access | Enables the user to access the Query Monitor Subsystem. | CQM.ACCESS.qmid |
    | Dynamic activate | Enables the user to activate monitoring on a Db2 subsystem. | CQM.ACTIVATE.qmid.ssid |
    | Dynamic deactivate | Enables the user to deactivate monitoring on a Db2 subsystem. | CQM.DEACTIVATE.qmid.ssid |
    | Monitoring profile refresh | Enables the user to refresh the monitoring profile used by the Db2 subsystem. | CQM.REFRESH.PROFILE.ssid |
    | Monitoring profile change | Enables the user to change the monitoring profile used by the Db2 subsystem. | CQM.CHANGE.PROFILE.ssid |
    | Administrative functions, including Setup (Option 7) and the CQM#CTLF program | Enables the user to access Setup (Option 7) and the control file updater program (CQM#CTLF). Only authorization IDs with READ access to this profile within the RACF FACILITY class are cleared by RACF. For ISPF, if this security check fails, the main menu does not give access to Setup (Option 7). For the CQM#CTLF program, if this security check fails, the program ends with return code 16. | CQM.ADMIN.FUNCTIONS |
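    The following batch job is an added example, not part of the product documentation, showing how step 2 can be implemented with RACF commands run through IKJEFT01. It assumes a Query Monitor Subsystem with qmid CQM1 monitoring Db2 subsystem DB2A, and RACF groups QMUSR (all Query Monitor users), QMCQM1 (users allowed on CQM1) and QMADM (administrators); every profile is defined with UACC(NONE) so that only permitted IDs are cleared.

```jcl
//CQMRACF1 JOB (ACCT),'CQM FACILITY PROFILES',CLASS=A,MSGCLASS=X
//* Assumed names: qmid CQM1, Db2 ssid DB2A, groups QMUSR/QMCQM1/QMADM
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Generic profiles in FACILITY need generic processing active */
  SETROPTS GENERIC(FACILITY)
  /* Generic fallback: used for any qmid that has no specific profile */
  RDEFINE FACILITY CQM.ACCESS.* UACC(NONE)
  PERMIT CQM.ACCESS.* CLASS(FACILITY) ID(QMUSR) ACCESS(READ)
  /* Specific profile for CQM1 wins over CQM.ACCESS.*, so access to */
  /* CQM1 is narrowed to QMCQM1 even though QMUSR can read the generic */
  RDEFINE FACILITY CQM.ACCESS.CQM1 UACC(NONE)
  PERMIT CQM.ACCESS.CQM1 CLASS(FACILITY) ID(QMCQM1) ACCESS(READ)
  /* Dynamic activate/deactivate on DB2A: administrators only. If these */
  /* profiles did not exist, the function would not be secured at all  */
  RDEFINE FACILITY CQM.ACTIVATE.CQM1.DB2A UACC(NONE)
  RDEFINE FACILITY CQM.DEACTIVATE.CQM1.DB2A UACC(NONE)
  PERMIT CQM.ACTIVATE.CQM1.DB2A CLASS(FACILITY) ID(QMADM) ACCESS(READ)
  PERMIT CQM.DEACTIVATE.CQM1.DB2A CLASS(FACILITY) ID(QMADM) ACCESS(READ)
  /* Setup (Option 7) and CQM#CTLF: READ on this profile clears the ID */
  RDEFINE FACILITY CQM.ADMIN.FUNCTIONS UACC(NONE)
  PERMIT CQM.ADMIN.FUNCTIONS CLASS(FACILITY) ID(QMADM) ACCESS(READ)
  /* Profiles take effect only after the RACLISTed class is refreshed */
  SETROPTS RACLIST(FACILITY) REFRESH
/*
```

Comment lines are indented so that the /* never lands in column 1, where JCL would read it as the end of the in-stream data.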
  3. Configure RACF facility class profiles and RACF data set profiles to protect data throughout Db2 Query Monitor.
    Two RACF protection measures are used to secure data throughout Db2 Query Monitor:
    Securing data in prior intervals and exceptions
    If you want to secure data in prior intervals and exceptions, you must configure a RACF data set profile for the appropriate backstore data sets that hold the data you intend to protect (for example, a RACF data set profile might be QMPROD.CQM1.EHSTV.**).
    Table 3. RACF profiles and authorities

    | Function | Description of authority | Profile |
    | --- | --- | --- |
    | View data in an exception or interval data set | Enables users to access data stored in the data set. | Example: QMPROD.CQM1.EHSTV.** |
    Securing access to the CAE Agent
    If you use a generic RACF profile "**" in the APPL class to define UACC(NONE), then you must define a CQMCAE profile in the APPL class to grant READ permissions for each Db2 Query Monitor user you want to give access to the CAE.
    Note: The AGENT_NAME parameter serves as the APPLID for the RACROUTE REQUEST=VERIFY in RACF. The default value for AGENT_NAME is CQMCAE. If you specify a custom AGENT_NAME, the APPL class is the custom AGENT_NAME you specify. For example, if you specify AGENT_NAME(QMCAE1), the profile in APPL class is QMCAE1. For more information, see AGENT_NAME.
    Securing the functions users can access in the CAE
    The functions that a user can access in the CAE are determined by their access to the FACILITY class profiles CQM.CAE.ADMINISTRATOR and CQM.CAE.OPERATOR. A user is assigned the first role for which they have UPDATE authority (roles are checked in the order listed above). If a user has none of these authorities, they can still use the Activity Browser. The Activity Browser uses the same authorizations as ISPF. Authentication is performed on the mainframe and parallels that of ISPF users.
    Table 4. RACF profiles and authorities

    | Function | Description of authority | Profile |
    | --- | --- | --- |
    | CAE administrator role | If the user has UPDATE access to CQM.CAE.ADMINISTRATOR, the user receives the access privileges associated with the administrator role. | CQM.CAE.ADMINISTRATOR |
    | CAE operator and viewer roles | If the user has UPDATE access to CQM.CAE.OPERATOR, the user receives the access privileges associated with the operator role. If the user has READ access to CQM.CAE.OPERATOR, the user receives the access privileges associated with the viewer role. | CQM.CAE.OPERATOR |
    | CAE authenticated role | The user is not permitted to CQM.CAE.ADMINISTRATOR or CQM.CAE.OPERATOR. | (no profile) |

    The following actions are permitted and prohibited for the various user roles:

    Administrator
    A user that has an Administrator role:
    • Has access to all features and product panels
    Operator
    A user that has an Operator role:
    • Cannot access or use Configuration or Tools
    • Can perform Alert Browser actions (acknowledge, delete, create new message board, and so forth)
    • Cannot update or delete shared configurations
    • Cannot access or use Data Server Manager (DSM) integration features
    Viewer
    A user that has a Viewer role:
    • Cannot access or use Configuration or Tools
    • Cannot perform Alert Browser actions (acknowledge, delete, create new message board, and so forth). Can only view alerts.
    • Cannot update or delete shared configurations
    • Cannot access or use Data Server Manager (DSM) integration features
    Authenticated
    A user that has an Authenticated role:
    • Cannot access or use Configuration or Tools
    • Cannot access or use the Alert Browser
    • Can use Activity Browser (access to panels depends on RACF privileges of the user in ISPF)
    • Cannot update or delete shared configurations
    • Cannot access or use Data Server Manager (DSM) integration features
    Securing data in current activity, summaries, exceptions, or SQLCODEs
    If you want to secure data in current activity, summaries, exceptions, or SQLCODEs, you must configure a RACF facility class profile for the appropriate function (for example, the RACF facility class profile CQM.HOSTV.qmid protects host variable information in current activity).
    Table 5. RACF profiles and authorities

    | Function | Description of authority | Profile |
    | --- | --- | --- |
    | Host variable collection in the CAE | Enables users to collect host variables using the CAE. | CQM.EO.HOSTV.qmid |
    | Host variable viewing | Enables users to view host variable information in current activity, exceptions, and summaries. | CQM.HOSTV.qmid |
    | SQLTEXT viewing | Enables users to view SQLTEXT information in current activity, exceptions, and summaries. | CQM.SQLTEXT.qmid |

    If a user requests access to data they are not authorized to view, the following message is displayed: CQM132E Authorization failed. The security system has determined that additional authorization is required to perform the selected operation. If this message is received unexpectedly, verify that the configuration of your RACF data set profiles and facility class profiles is correct. For host variable viewing and collection, Db2 Query Monitor checks a user's access when it sees a new workload, when it is time to start sampling, and before it writes sampled data into the staging tables. If the user does not have READ access to the profile at any of those three checkpoints, an error is reported.

    A user who can schedule host variable collection can direct Db2 Query Monitor to save host variable information into Db2 tables whose security is controlled by that user. For this reason, Db2 Query Monitor administrators should be careful when granting READ access to CQM.EO.HOSTV.qmid and CQM.HOSTV.qmid, and should consider the security of the tables that will hold host variable information. To view host variables in the Activity Browser, the user must have READ access to CQM.HOSTV.qmid.
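    The following batch job is an added example, not part of the product documentation, that implements the four protection measures of step 3 for the same assumed subsystem (qmid CQM1) and data set naming (QMPROD.CQM1.EHSTV.**). Assumed names: groups QMUSR (all users), QMADM (administrators), QMOPR (operators) and QMHV (the few users cleared for host variables), the started task user ID CQMSTC, and AGENT_NAME left at its default CQMCAE; the ALTER access granted to CQMSTC is an assumption, since the page does not state the level the started task needs on the backstore data sets.

```jcl
//CQMRACF2 JOB (ACCT),'CQM DATA PROTECTION',CLASS=A,MSGCLASS=X
//* Assumed names: qmid CQM1, groups QMUSR/QMADM/QMOPR/QMHV,
//* started task user ID CQMSTC, AGENT_NAME at its default CQMCAE
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* 1. Prior intervals and exceptions: protect the backstore data */
  /*    sets. ** in a DATASET profile requires EGN to be active     */
  SETROPTS GENERIC(DATASET) EGN
  ADDSD 'QMPROD.CQM1.EHSTV.**' UACC(NONE)
  PERMIT 'QMPROD.CQM1.EHSTV.**' ID(QMADM) ACCESS(READ)
  /* Started task writes these data sets; ALTER is an assumption,  */
  /* verify the level your installation actually requires          */
  PERMIT 'QMPROD.CQM1.EHSTV.**' ID(CQMSTC) ACCESS(ALTER)
  /* 2. CAE sign-on: with a generic ** APPL profile at UACC(NONE)  */
  /*    the CQMCAE profile must exist and grant READ, or nobody    */
  /*    can reach the CAE                                          */
  RDEFINE APPL CQMCAE UACC(NONE)
  PERMIT CQMCAE CLASS(APPL) ID(QMUSR) ACCESS(READ)
  /* 3. CAE roles: only UPDATE assigns administrator or operator;  */
  /*    READ on CQM.CAE.OPERATOR gives the viewer role; QMUSR IDs  */
  /*    in neither profile fall through to the authenticated role  */
  RDEFINE FACILITY CQM.CAE.ADMINISTRATOR UACC(NONE)
  RDEFINE FACILITY CQM.CAE.OPERATOR UACC(NONE)
  PERMIT CQM.CAE.ADMINISTRATOR CLASS(FACILITY) ID(QMADM) ACCESS(UPDATE)
  PERMIT CQM.CAE.OPERATOR CLASS(FACILITY) ID(QMOPR) ACCESS(UPDATE)
  /* 4. Host variables and SQLTEXT in current activity, summaries  */
  /*    and exceptions: host variable data goes only to QMHV       */
  RDEFINE FACILITY CQM.HOSTV.CQM1 UACC(NONE)
  RDEFINE FACILITY CQM.EO.HOSTV.CQM1 UACC(NONE)
  RDEFINE FACILITY CQM.SQLTEXT.CQM1 UACC(NONE)
  PERMIT CQM.HOSTV.CQM1 CLASS(FACILITY) ID(QMHV) ACCESS(READ)
  PERMIT CQM.EO.HOSTV.CQM1 CLASS(FACILITY) ID(QMHV) ACCESS(READ)
  PERMIT CQM.SQLTEXT.CQM1 CLASS(FACILITY) ID(QMUSR) ACCESS(READ)
  /* Refresh in-storage profiles so the new definitions take effect */
  SETROPTS RACLIST(FACILITY APPL) REFRESH
  SETROPTS GENERIC(DATASET) REFRESH
/*
```

A user in QMOPR who is also given READ on CQM.CAE.ADMINISTRATOR still lands in the operator role, because only UPDATE on that profile is checked for the administrator role.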

  4. To control access to the dynamic LPA facility, you must ensure that Db2 Query Monitor has UPDATE access to the following RACF FACILITY class profile: CSVDYLPA.ADD.CQC*
    For more information, see section 5.6.3, "Controlling adding a module to LPA after IPL", in z/OS® V1R7.0 MVS™ Planning: Operations (SA22-7601).