Report entities and attributes for DB2 for z/OS
Use this information to find reporting attributes for DB2 for z/OS.
This is not meant to be a complete listing of all entities and attributes. See Domains, Entities, and Attributes for the complete list.
Attribute | Description |
---|---|
Timestamp | All attributes in this session are static, so this timestamp is created only once, when Guardium observes a request on the defined connection for the first time. |
OS User | OS USER, TSO logon ID, or Authid for batch job. Example: SYSADM
|
DB User Name | Authorization ID |
Service Name | DB2 SSID |
Server Description | DB2 Location name. Example: STLEC1
|
Network Protocol | Concatenation of connection type and name. Example: TSO:BATCH
and DRDA:SERVER
|
DB Protocol | DB2/Z. |
Client IP | This is the IP Address of the client workstation for distributed connections. |
Server Host Name |
LPAR name - example: LABEC247 |
Source Program | Concatenation of Server name with correlation name and ID. Could vary based on what the application sends. Example from distributed application (DB2JCC) could be: GUARDIUMZ4.SVL.I:DB2JCC_APPLI. A CICS transaction could be the transaction identifier. |
Server Type | DB2. If more than one type of database is writing events to the Guardium system, this field helps separate the events. |
Attribute | Description |
---|---|
Session Start | Sessions in z/OS are not able to be specified the same way as in distributed platforms, which relies on logins and logouts to the database. A session identifier is based on a set of characteristics and the timestamp recorded for that “session.” |
Session End | Timestamp recorded after a period of no activity on the associated session. |
UID Chain | Contains the VTAM network ID. Example: NETWORK_ID=G91E7FCC |
Terminal ID | For distributed access, this is the outgoing client port or socket In hex. Example: A314 (port 41748)
|
Process ID | This is a thread token identifier. You probably won’t need this for normal reporting purposes. |
Attribute | Description |
---|---|
Server IP/Port | Server IP concatenate with zero. Server port is always 0. |
Client IP/Src App/DB User/Server IP/Svc. Name/OS User/DB Name | A tuple containing the named fields. Note: DB Name is always blank. You must obtain DB Name from the Access Period Entity, DB2 i/z Database attribute. |
UID Chain | Contains the VTAM network ID. Example: NETWORK_ID=G91E7FCC
|
Terminal ID | For distributed access, this is the outgoing client port or socket In hex. Example: A314 (port 41748)
|
Process ID | This is a thread token identifier. You probably won’t need this for normal reporting purposes. |
Attribute | Description |
---|---|
DB2 i/z Program | This is the name of the DBRM that contains the executable code within the bound plan. Example: SYSLH200 is used to execute JDBC distributed dynamic
statements.
|
DB2 i/z Database | Database name Example: DSN00006
|
Application User Name | This consists of consists of PLAN, SQLID, PROG and DB_NAME Example: PLAN=DISTSERV ; SQLID=SYSADM ; PROG=SYSLH200 ; DB_NAME=DSN00006 |
SQL | SQL text “template”; i.e., construct. Field values are replaced by question marks. Example: INSERT INTO GDMC_LABEC247_VA1A VALUES (?, ?,? , ? , ? , ?, ?
)
|
Attribute | Description |
---|---|
ID | A generated value for each statement. You can use this to put statements in order. |
Timestamp | A timestamp from the DB2 server. Example: 2012-04-25-11.51.40.005951
|
Ack Response Time | Microsecond value from Timestamp. Example: 677032
It is
not recommended to use this field for sorting as it does not include leading zeros. Use FullSQL ID
instead. |
Records Affected | Number of rows, valid for SELECT, INSERT, or DELETE. -1 if not applicable or if number of rows is not available. |
More Information: TSSTOC=; stmttyp=; pds= |
This contains a variety of information. TSSTOC=. Store clock value. Example: TSSTOC=0x00D13309E22C45D8D4000000012F0001; May be useful to facilitation correlation of events within a commit or rollback. Stmttyp= ‘S’ for Static and ‘D’ for Dynamic. If you want to sort by this field, then it’s recommended that you use the DB2 z Statement Type attribute of this Entity instead, which pulls this value into a separate attribute. pds- For a Bind Package command, this is the PDS Name for the DBRM members. |
Bind Variables Values | The values of the host variables. To log masked data instead, use LOG MASKED DETAILS policy rule for the appliance. |
Full SQL |
Full SQL statement logged for each occurrence. Example: INSERT INTO GDMC_LABEC247_VA1A VALUES ('/08/15/16 19:49:56.653', '/08/15/16 19:49:56.653','--' , 1 , 1 , 1, 'guardiumz4 -count -update -server nulldn9seq -test_duration 7 -delay 999 -concurrent_connections 1' ) This can also contain the full BIND PLAN and BIND PACKAGE commands. Note: Values can be masked by using LOG MASKED DETAILS in the appliance policy.
|
App User Name | Displays the user name from the App Event entity of an App Event exists; otherwise, displays Application User from Access Period Entity. |
DB2 z/IMS/DATA SET Unit of Work | Computed attribute containing the CICS Unit of Work ID that can be used to correlate CICS traffic across multiple S-TAP Entities (IMS, Data Sets, and DB2). |
DB2 z Statement Type | Computed attribute that contains either ‘Static’ or ‘Dynamic’. |
DB2 z/IMS/DATA SET Unit of Work |
CICS unit of work ID, in hex. Can be used to correlate data access events across DB2, IMS and Data Sets within a CICS Transaction. This field is blank if this activity is not part of a CICS transaction. |
Attribute | Description |
---|---|
DB2 Client Info |
Information in the DB2 Client Info depends on what the application assigns to these fields. None, some, or all values could be populated: WSUSER= The user ID of the client end user. Can be CICS original signon client, if used. APPL= The application or transaction name of the end user's application. WKSTN= The workstation name of the client end user. The following two fields are populated only when z/OS Identity propagation is used: DN=X.500 distinguished name REG=X.500 registry name Example: WSUSER=SYSADM;WRKSTN=guardiumz4.svl.ibm;APPL=db2jcc_application;DN=;REG=
|
Attribute | Description |
---|---|
SQL | SQL text by construct. Constructs only reflect the SQL template text and will not log each
instance that a matching statement is executed, only once per hour (reporting period). Example: INSERT INTO GDMC_LABEC247_VA1A VALUES (?, ?,? , ? , ? , ?, ? )
|
Truncated SQL | Yes or No. This is historical and is not used any more. |
Attribute | Description |
---|---|
SQL Verb | This is the SQL verb, such as SELECT, INSERT, UPDATE, DELETE, BIND PLAN or BIND PACKAGE. Prior to 10.1.3, the SQL Verb would be recorded differently when Quick Parse Native is used (TABLE READ or TABLE WRITE). With 10.1.3, the Verb will more closely match what is used when LOG FULL DETAILS or ALLOW is used. |
Attribute | Description |
---|---|
Object Name | This is the object used in the SQL, such as the table, view, alias name, plan name, package name, bind plan owner. However, if the policy uses a Quick Parse Native action, then a data object will always be the base table in the format schema-name.table-name. |
Attribute | Description |
---|---|
Field Name |
This is the column name used in the SQL. Note you will get field names in other Entities (SQL or Full SQL); this Entity is used for reporting on lists of fields, for example. This value is not populated unless you use LOG FULL DETAILS for the rule action. Use of Quick Parse Native or Quick Parse No Fields will not allow population of this field. |
Attribute | Description |
---|---|
Exception Description | Contains the negative SQLCODE. |
Database Error Text | The text associated with this error. |
- With z/OS, you must specify on the Collection Profile policy rule that you want to collect negative SQLCODEs, and you must also specify which codes to collect. See the following table for a list of negative SQL codes that you might find useful. Refer to the Knowledge Center documentation for DB2 for z/OS to see the complete list of codes to tailor the list to your own needs.
- Some negative SQL codes support descriptions with real SQL values. Where available, these
descriptions are included in the "SQL string that caused the exception" report column. Take for
example the base description of SQLCODE -556:
This description can be presented with real values:revoke-target CANNOT HAVE THE privilege PRIVILEGE object-name REVOKED BY revoker-id BECAUSE THE REVOKEE DOES NOT POSSESS THE PRIVILEGE OR THE REVOKER DID NOT MAKE THE GRANT
ADMF002 CANNOT HAVE THE SELECT PRIVILEGE ON SYSADM.HOLLK REVOKED BY ADMF001 BECAUSE THE REVOKEE DOES NOT POSSESS THE PRIVILEGE OR THE REVOKER DID NOT MAKE THE GRANT
Description | |
---|---|
-164 | authorization-id DOES NOT HAVE THE PRIVILEGE TO CREATE A VIEW WITH QUALIFICATION qualifier-name |
-204 | name IS AN UNDEFINED NAME |
-206 | object-name IS NOT VALID IN THE CONTEXT WHERE IT IS USED |
-551 | auth-id DOES NOT HAVE THE PRIVILEGE TO PERFORM OPERATION operation ON OBJECT object-name |
-552 | authorization-id DOES NOT HAVE THE PRIVILEGE TO PERFORM OPERATION operation |
-553 | AUTHORIZATION ID OR SCHEMA NAME name SPECIFIED IS NOT VALID FOR REQUESTED OPERATION |
-554 | AN AUTHORIZATION ID OR ROLE CANNOT GRANT A PRIVILEGE TO ITSELF |
-555 | AN AUTHORIZATION ID OR ROLE CANNOT REVOKE A PRIVILEGE FROM ITSELF |
-556 | revoke-target CANNOT HAVE THE privilege PRIVILEGE object-name REVOKED BY revoker-id BECAUSE THE REVOKEE DOES NOT POSSESS THE PRIVILEGE OR THE REVOKER DID NOT MAKE THE GRANT |
-557 | INCONSISTENT GRANT/REVOKE KEYWORD keyword. PERMITTED KEYWORDS ARE keyword-list |
-559 | ALL AUTHORIZATION FUNCTIONS HAVE BEEN DISABLED |
-562 | THE SPECIFIED PRIVILEGES CANNOT BE GRANTED TO PUBLIC. |
-567 | bind-type AUTHORIZATION ERROR USING auth-id AUTHORITY PACKAGE = package-name PRIVILEGE = privilege |
-592 | NOT AUTHORIZED TO CREATE FUNCTIONS OR PROCEDURES IN WLM ENVIRONMENT env-name |
-807 | ACCESS DENIED: PACKAGE package-name IS NOT ENABLED FOR ACCESS FROM connection-type connection-name |
-908 | bind-type ERROR USING auth-id AUTHORITY. BIND, REBIND OR AUTO-REBIND OPERATION IS NOT ALLOWED |
-922 | AUTHORIZATION FAILURE: error-type ERROR. REASON reason-code |
-20264 | FOR TABLE table-name, primary-auth-id WITH SECURITY LABEL primary-auth-id-seclabel IS NOT AUTHORIZED TO PERFORM operation ON A ROW WITH SECURITY LABEL row-seclabel. THE RECORD IDENTIFIER (RID) OF THIS ROW IS rid-number. |
-20361 | AUTHORIZATION ID authorization-name IS NOT DEFINED FOR THE TRUSTED CONTEXT context-name |
-20372 | THE SYSTEM AUTHID CLAUSE OF A CREATE OR ALTER TRUSTED CONTEXT STATEMENT FOR context-name SPECIFIED authorization-name, BUT ANOTHER TRUSTED CONTEXT IS ALREADY DEFINED FOR THAT AUTHORIZATION ID. |
-20373 | A CREATE OR ALTER TRUSTED CONTEXT STATEMENT SPECIFIED authorization-name MORE THAN ONCE OR THE TRUSTED CONTEXT IS ALREADY DEFINED TO BE USED BY THIS AUTHORIZATION ID, PROFILE NAME, OR PUBLIC. |
-20374 | AN ALTER TRUSTED CONTEXT STATEMENT FOR context-name SPECIFIED authorization-name BUT THE TRUSTED CONTEXT IS NOT CURRENTLY DEFINED TO BE USED BY THIS AUTHORIZATION ID, PROFILE NAME, OR PUBLIC |
-30053 | OWNER AUTHORIZATION FAILURE |
-30060 | RDB AUTHORIZATION FAILURE |