Report entities and attributes for DB2 for z/OS

Use this information to find reporting attributes for DB2 for z/OS.

This is not meant to be a complete listing of all entities and attributes. See Domains, Entities, and Attributes for the complete list.

Table 1. Attributes for Client/Server Entity (DB2 for z/OS)
Attribute Description
Timestamp All attributes in this session are static, so this timestamp is created only once, when Guardium observes a request on the defined connection for the first time.
OS User OS USER, TSO logon ID, or Authid for batch job.
Example: SYSADM
DB User Name Authorization ID
Service Name DB2 SSID
Server Description DB2 Location name.
Example: STLEC1
Network Protocol Concatenation of connection type and name.
Example: TSO:BATCH and DRDA:SERVER
DB Protocol DB2/Z.
Client IP This is the IP Address of the client workstation for distributed connections.
Server Host Name

LPAR name - example: LABEC247

Source Program Concatenation of Server name with correlation name and ID. Could vary based on what the application sends. Example from distributed application (DB2JCC) could be: GUARDIUMZ4.SVL.I:DB2JCC_APPLI. A CICS transaction could be the transaction identifier.
Server Type DB2. If more than one type of database is writing events to the Guardium system, this field helps separate the events.
Table 2. Attributes for Session Entity
Attribute Description
Session Start Sessions in z/OS are not able to be specified the same way as in distributed platforms, which relies on logins and logouts to the database. A session identifier is based on a set of characteristics and the timestamp recorded for that “session.”
Session End Timestamp recorded after a period of no activity on the associated session.
UID Chain Contains the VTAM network ID. Example: NETWORK_ID=G91E7FCC
Terminal ID For distributed access, this is the outgoing client port or socket In hex.
Example: A314 (port 41748)
Process ID This is a thread token identifier. You probably won’t need this for normal reporting purposes.
Table 3. Attributes for Client Server / Session Entity
Attribute Description
Server IP/Port Server IP concatenate with zero. Server port is always 0.
Client IP/Src App/DB User/Server IP/Svc. Name/OS User/DB Name A tuple containing the named fields. Note: DB Name is always blank. You must obtain DB Name from the Access Period Entity, DB2 i/z Database attribute.
UID Chain Contains the VTAM network ID.
Example: NETWORK_ID=G91E7FCC
Terminal ID For distributed access, this is the outgoing client port or socket In hex.
Example: A314 (port 41748)
Process ID This is a thread token identifier. You probably won’t need this for normal reporting purposes.
Table 4. Attributes for Access Period Entity (DB2 for z/OS)
Attribute Description
DB2 i/z Program This is the name of the DBRM that contains the executable code within the bound plan.
Example: SYSLH200 is used to execute JDBC distributed dynamic statements.
DB2 i/z Database Database name
Example: DSN00006
Application User Name This consists of consists of PLAN, SQLID, PROG and DB_NAME Example: PLAN=DISTSERV ; SQLID=SYSADM ; PROG=SYSLH200 ; DB_NAME=DSN00006
SQL SQL text “template”; i.e., construct. Field values are replaced by question marks.
Example: INSERT INTO GDMC_LABEC247_VA1A VALUES (?, ?,? , ? , ? , ?, ? )
Table 5. Attributes for Full SQL Entity (DB2 for z/OS)
Attribute Description
ID A generated value for each statement. You can use this to put statements in order.
Timestamp A timestamp from the DB2 server.
Example: 2012-04-25-11.51.40.005951
Ack Response Time Microsecond value from Timestamp.
Example: 677032
It is not recommended to use this field for sorting as it does not include leading zeros. Use FullSQL ID instead.
Records Affected Number of rows, valid for SELECT, INSERT, or DELETE. -1 if not applicable or if number of rows is not available.
More Information: TSSTOC=; stmttyp=; pds=

This contains a variety of information.

TSSTOC=. Store clock value. Example: TSSTOC=0x00D13309E22C45D8D4000000012F0001; May be useful to facilitation correlation of events within a commit or rollback.

Stmttyp= ‘S’ for Static and ‘D’ for Dynamic. If you want to sort by this field, then it’s recommended that you use the DB2 z Statement Type attribute of this Entity instead, which pulls this value into a separate attribute.

pds- For a Bind Package command, this is the PDS Name for the DBRM members.

Bind Variables Values The values of the host variables. To log masked data instead, use LOG MASKED DETAILS policy rule for the appliance.
Full SQL

Full SQL statement logged for each occurrence. Example: INSERT INTO GDMC_LABEC247_VA1A VALUES ('/08/15/16 19:49:56.653', '/08/15/16 19:49:56.653','--' , 1 , 1 , 1, 'guardiumz4 -count -update -server nulldn9seq -test_duration 7 -delay 999 -concurrent_connections 1' )

This can also contain the full BIND PLAN and BIND PACKAGE commands.

Note: Values can be masked by using LOG MASKED DETAILS in the appliance policy.
App User Name Displays the user name from the App Event entity of an App Event exists; otherwise, displays Application User from Access Period Entity.
DB2 z/IMS/DATA SET Unit of Work Computed attribute containing the CICS Unit of Work ID that can be used to correlate CICS traffic across multiple S-TAP Entities (IMS, Data Sets, and DB2).
DB2 z Statement Type Computed attribute that contains either ‘Static’ or ‘Dynamic’.
DB2 z/IMS/DATA SET Unit of Work

CICS unit of work ID, in hex. Can be used to correlate data access events across DB2, IMS and Data Sets within a CICS Transaction.

This field is blank if this activity is not part of a CICS transaction.

Note: The appliance-side policy for DB2 for z/OS activities must include the logging action LOG FULL DETAILS to collect Full SQL data. Otherwise, you will only get data in the SQL Entity attributes.
Table 6. Attributes for Application Events Entity (DB2 for z/OS)
Attribute Description
DB2 Client Info

Information in the DB2 Client Info depends on what the application assigns to these fields. None, some, or all values could be populated:

WSUSER= The user ID of the client end user. Can be CICS original signon client, if used.

APPL= The application or transaction name of the end user's application.

WKSTN= The workstation name of the client end user.

The following two fields are populated only when z/OS Identity propagation is used: DN=X.500 distinguished name

REG=X.500 registry name

Example: WSUSER=SYSADM;WRKSTN=guardiumz4.svl.ibm;APPL=db2jcc_application;DN=;REG=
Table 7. Attributes for SQL Entity (DB2 for z/OS)
Attribute Description
SQL SQL text by construct. Constructs only reflect the SQL template text and will not log each instance that a matching statement is executed, only once per hour (reporting period).
Example: INSERT INTO GDMC_LABEC247_VA1A VALUES (?, ?,? , ? , ? , ?, ? )
Truncated SQL Yes or No. This is historical and is not used any more.
Table 8. Attributes for Command Entity
Attribute Description
SQL Verb

This is the SQL verb, such as SELECT, INSERT, UPDATE, DELETE, BIND PLAN or BIND PACKAGE.

Prior to 10.1.3, the SQL Verb would be recorded differently when Quick Parse Native is used (TABLE READ or TABLE WRITE). With 10.1.3, the Verb will more closely match what is used when LOG FULL DETAILS or ALLOW is used.
Note: SQL Verb will only be a count in a report created with a Full SQL main entity.
Table 9. Attributes for Object Entity (DB2 for z/OS)
Attribute Description
Object Name

This is the object used in the SQL, such as the table, view, alias name, plan name, package name, bind plan owner.

However, if the policy uses a Quick Parse Native action, then a data object will always be the base table in the format schema-name.table-name.
Table 10. Attributes for Field Entity (DB2 for z/OS)
Attribute Description
Field Name

This is the column name used in the SQL. Note you will get field names in other Entities (SQL or Full SQL); this Entity is used for reporting on lists of fields, for example. This value is not populated unless you use LOG FULL DETAILS for the rule action. Use of Quick Parse Native or Quick Parse No Fields will not allow population of this field.

Table 11. Attributes for the Exception Entity (Main entity: Exception) (DB2 for z/OS)
Attribute Description
Exception Description Contains the negative SQLCODE.
Database Error Text The text associated with this error.
Attention:
  • With z/OS, you must specify on the Collection Profile policy rule that you want to collect negative SQLCODEs, and you must also specify which codes to collect. See the following table for a list of negative SQL codes that you might find useful. Refer to the Knowledge Center documentation for DB2 for z/OS to see the complete list of codes to tailor the list to your own needs.
  • Some negative SQL codes support descriptions with real SQL values. Where available, these descriptions are included in the "SQL string that caused the exception" report column. Take for example the base description of SQLCODE -556:
    revoke-target CANNOT HAVE THE privilege PRIVILEGE object-name REVOKED BY revoker-id 
    BECAUSE THE REVOKEE DOES NOT POSSESS THE PRIVILEGE OR THE REVOKER DID NOT MAKE THE GRANT
    This description can be presented with real values:
    ADMF002 CANNOT HAVE THE SELECT PRIVILEGE ON SYSADM.HOLLK REVOKED BY ADMF001 
    BECAUSE THE REVOKEE DOES NOT POSSESS THE PRIVILEGE OR THE REVOKER DID NOT MAKE THE GRANT
Table 12. Suggested list of negative SQL Codes to audit
  Description
-164 authorization-id DOES NOT HAVE THE PRIVILEGE TO CREATE A VIEW WITH QUALIFICATION qualifier-name
-204 name IS AN UNDEFINED NAME
-206 object-name IS NOT VALID IN THE CONTEXT WHERE IT IS USED
-551 auth-id DOES NOT HAVE THE PRIVILEGE TO PERFORM OPERATION operation ON OBJECT object-name
-552 authorization-id DOES NOT HAVE THE PRIVILEGE TO PERFORM OPERATION operation
-553 AUTHORIZATION ID OR SCHEMA NAME name SPECIFIED IS NOT VALID FOR REQUESTED OPERATION
-554 AN AUTHORIZATION ID OR ROLE CANNOT GRANT A PRIVILEGE TO ITSELF
-555 AN AUTHORIZATION ID OR ROLE CANNOT REVOKE A PRIVILEGE FROM ITSELF
-556 revoke-target CANNOT HAVE THE privilege PRIVILEGE object-name REVOKED BY revoker-id BECAUSE THE REVOKEE DOES NOT POSSESS THE PRIVILEGE OR THE REVOKER DID NOT MAKE THE GRANT
-557 INCONSISTENT GRANT/REVOKE KEYWORD keyword. PERMITTED KEYWORDS ARE keyword-list
-559 ALL AUTHORIZATION FUNCTIONS HAVE BEEN DISABLED
-562 THE SPECIFIED PRIVILEGES CANNOT BE GRANTED TO PUBLIC.
-567 bind-type AUTHORIZATION ERROR USING auth-id AUTHORITY PACKAGE = package-name PRIVILEGE = privilege
-592 NOT AUTHORIZED TO CREATE FUNCTIONS OR PROCEDURES IN WLM ENVIRONMENT env-name
-807 ACCESS DENIED: PACKAGE package-name IS NOT ENABLED FOR ACCESS FROM connection-type connection-name
-908 bind-type ERROR USING auth-id AUTHORITY. BIND, REBIND OR AUTO-REBIND OPERATION IS NOT ALLOWED
-922 AUTHORIZATION FAILURE: error-type ERROR. REASON reason-code
-20264 FOR TABLE table-name, primary-auth-id WITH SECURITY LABEL primary-auth-id-seclabel IS NOT AUTHORIZED TO PERFORM operation ON A ROW WITH SECURITY LABEL row-seclabel. THE RECORD IDENTIFIER (RID) OF THIS ROW IS rid-number.
-20361 AUTHORIZATION ID authorization-name IS NOT DEFINED FOR THE TRUSTED CONTEXT context-name
-20372 THE SYSTEM AUTHID CLAUSE OF A CREATE OR ALTER TRUSTED CONTEXT STATEMENT FOR context-name SPECIFIED authorization-name, BUT ANOTHER TRUSTED CONTEXT IS ALREADY DEFINED FOR THAT AUTHORIZATION ID.
-20373 A CREATE OR ALTER TRUSTED CONTEXT STATEMENT SPECIFIED authorization-name MORE THAN ONCE OR THE TRUSTED CONTEXT IS ALREADY DEFINED TO BE USED BY THIS AUTHORIZATION ID, PROFILE NAME, OR PUBLIC.
-20374 AN ALTER TRUSTED CONTEXT STATEMENT FOR context-name SPECIFIED authorization-name BUT THE TRUSTED CONTEXT IS NOT CURRENTLY DEFINED TO BE USED BY THIS AUTHORIZATION ID, PROFILE NAME, OR PUBLIC
-30053 OWNER AUTHORIZATION FAILURE
-30060 RDB AUTHORIZATION FAILURE