Authority requirements

You need to ensure that the proper authorities are available for the CDC Replication Engine for Db2® for i users.

Installation of the CDC Replication Engine for Db2 for i is typically done using the QSECOFR user (or any user who has *SECOFR special authorities). At a minimum, the following special authorities are required for the user installing CDC Replication:

  • *SAVRST
  • *SERVICE
  • *JOBCTL
  • *ALLOBJ
  • *SECADM

When configuring the authority for CDC Replication, there are two types of user profiles to take into consideration:

CDC Replication operational user
Users who run CDC Replication replication processes, typically users who are logged in through Management Console or who start replication processes from the command line/job scheduler. The CDC Replication source jobs are run under the CDC Replication operational user profile. The CDC Replication operational user requires authorities to the replicated source tables, journals and journal receivers. No authorities are required for the CDC Replication operational user on target tables since all the apply processes are run under the CDC Replication product user.
CDC Replication owner or product user
By default, the user profile D_MIRROR. The user profile D_MIRROR is automatically created during installation. CDC Replication requires this user profile to supervise replication operations for the CDC Replication apply processes. The D_MIRROR user profile does not need authorities to the replicated source tables, journals or journal receivers. However, all the CDC Replication apply processes are run under the D_MIRROR user profile, hence the need for this profile to have update rights to the target tables.
The password for this user profile is intentionally set to *NONE. This prevents users from signing on interactively and also prevents the password from expiring, which would stop CDC Replication apply processes. Optionally, a password can be placed on the D_MIRROR account. If a password is used, then the password expiration must be properly managed so that it does not interfere with CDC Replication processing.
Note: If a password is placed on the D_MIRROR user profile, the recursion prevention, bidirectional replication and cascaded replication features will not be available.
The CDC Replication product user profile should be reserved for CDC Replication. Do not use this profile to log on or for other purposes.

CDC Replication product library (*LIB) authorities

| User | Authority level | Comment |
| --- | --- | --- |
| Product user (D_MIRROR or specified user profile) | *ALL | Typically, D_MIRROR is the owner of the *LIB object |
| Operational user | *USE | Needed to create and access objects in the product library |

Objects (*MSGQ, *USRQ) are created for new subscriptions. To ensure that all users entitled to use CDC Replication can view event log messages and monitor subscription activity, you should set the CRTAUT parameter to *ALL.

CDC Replication product object authorities

| User | Object type | Authority level | Comment |
| --- | --- | --- | --- |
| Product user (D_MIRROR or specified user profile) | *ALL | *ALL | Typically, D_MIRROR is the owner of the objects in the product library |
| Operational user | *FILE | *CHANGE | Needed to configure CDC Replication and monitor subscriptions |
| Operational user | *MSGQ, *USRQ | *ALL | To monitor subscription activity, view event log messages, and remove subscriptions |
| Operational user | Other object types | *USE | |

You should set the CDC Replication product library create authority (CRTAUT) attribute to *ALL to ensure that newly created subscriptions can be monitored by any user entitled to use CDC Replication.

CDC Replication owner user profile authorities

| User | Special authorities | Comment |
| --- | --- | --- |
| Product user (D_MIRROR or specified user profile) | *JOBCTL | Control replication jobs submitted by any user |

Replicated source table authorities

| User | Authority level | Comment |
| --- | --- | --- |
| Product user (D_MIRROR or specified user profile) | None | The CDC Replication product user does not need authorities for the replicated source tables (*FILE PF-DTA). A potential exception is when you wish to control replicated tables through the D_MIRROR user profile (group profile, adopted authority). |
| Operational user | *USE, *OBJMGT | An operational user needs *USE authorities to refresh a table and to use it for continuous or net change mirroring. *OBJMGT authorities are required if journaling for the tables must be started as part of mapping the tables. If journaling is already started, the *OBJMGT authority is not required. |

Journal authorities

| User | Authority level | Comment |
| --- | --- | --- |
| Product user (D_MIRROR or specified user profile) | None | The CDC Replication product user does not need authorities to the journal. A potential exception is when you wish to control replication through the D_MIRROR user profile (group profile, adopted authority). |
| Operational user | *OBJOPR, *OBJMGT, *OBJEXIST, *READ, *ADD, *UPDATE, *EXECUTE | These authorities are required to start journaling as part of mapping the tables, read the journal entries and start the CDC Replication subscription. |

Journal receiver authorities

| User | Authority level | Comment |
| --- | --- | --- |
| Product user (D_MIRROR or specified user profile) | None | The CDC Replication product user does not need authorities to the journal receiver. A potential exception is when you wish to control replication through the D_MIRROR user profile (group profile, adopted authority). |
| Operational user | *OBJOPR, *OBJMGT, *OBJEXIST, *READ, *ADD, *UPDATE, *EXECUTE | On different occasions (refresh table, start and end of mirroring), user-defined journal entries are written into the journal to mark starting and ending points. Add and update authorities are needed to be able to write these entries. |

Target table authorities

| User | Authority level | Comment |
| --- | --- | --- |
| Product user (D_MIRROR or specified user profile) | *CHANGE, *OBJMGT | Apply processes are run under this user profile, hence the need for this profile to have update rights to the target tables. Object management authority is required to clear the target table using CLRPFM in the event of a refresh. |
| Operational user | None | By default, all apply processes are run under the D_MIRROR user profile; no rights are needed for the CDC Replication operational user. |
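
The source table, journal, journal receiver and target table requirements above can be checked mechanically against authorities collected from a system. The following is an added example, not part of the product or its documentation: it expands the IBM i composite levels (*USE, *CHANGE, *ALL) into their component authorities and reports, per object, what is missing and what exceeds the tables on this page. The user name CDCOPER, the library and object names and the record layout are constructed assumptions, and the "potential exception" cases for D_MIRROR are not modelled.

```python
# Added example: compare collected authorities with this page's tables.
OBJ = {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF"}
DATA = {"*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}
# IBM i composite levels expanded into their component authorities.
COMPOSITE = {
    "*USE": {"*OBJOPR", "*READ", "*EXECUTE"},
    "*CHANGE": {"*OBJOPR"} | DATA,
    "*ALL": OBJ | DATA,
    "*EXCLUDE": set(),
}
ALIASES = {"*UPDATE": "*UPD"}  # the page writes *UPDATE; the CL keyword is *UPD
JRN = ["*OBJOPR", "*OBJMGT", "*OBJEXIST",
       "*READ", "*ADD", "*UPDATE", "*EXECUTE"]
# (role, object class) -> authority levels taken from the tables on this page.
REQUIRED = {
    # *OBJMGT is only needed if journaling is started while mapping tables.
    ("operational", "source_table"): ["*USE", "*OBJMGT"],
    ("operational", "journal"): JRN,
    ("operational", "journal_receiver"): JRN,
    ("operational", "target_table"): [],
    ("product", "source_table"): [],
    ("product", "journal"): [],
    ("product", "journal_receiver"): [],
    ("product", "target_table"): ["*CHANGE", "*OBJMGT"],
}

def expand(levels):
    """Flatten composite levels and aliases into a set of single authorities."""
    out = set()
    for lvl in levels:
        lvl = ALIASES.get(lvl, lvl)
        out |= COMPOSITE.get(lvl, {lvl})
    return out

def audit(records):
    """Return one finding per (user, role, object, object class, granted)."""
    findings = []
    for user, role, obj, obj_class, granted in records:
        need, have = expand(REQUIRED[(role, obj_class)]), expand(granted)
        findings.append({"user": user, "object": obj,
                         "missing": sorted(need - have),
                         "excess": sorted(have - need)})
    return findings

# Constructed sample input (hypothetical users, libraries and objects).
SAMPLE = [
    ("CDCOPER", "operational", "APPLIB/ORDERS", "source_table", ["*USE"]),
    ("CDCOPER", "operational", "APPLIB/QSQJRN", "journal", JRN),
    ("CDCOPER", "operational", "TGTLIB/ORDERS", "target_table", ["*CHANGE"]),
    ("D_MIRROR", "product", "TGTLIB/ORDERS", "target_table", ["*ALL"]),
]
```

A non-empty `excess` list for the operational user on a target table, or for D_MIRROR on a source table or journal, marks a grant that the tables above do not call for.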