Authority requirements
You need to ensure that the proper authorities are available for the CDC Replication Engine for Db2® for i users.
Installation of the CDC Replication Engine for Db2 for i is typically done using the QSECOFR user (or any user who has *SECOFR special authorities). At a minimum, the following special authorities are required for the user installing CDC Replication:
- *SAVRST
- *SERVICE
- *JOBCTL
- *ALLOBJ
- *SECADM
When configuring the authority for CDC Replication, there are 2 types of user profiles to take into consideration:
- CDC Replication operational user
  - Users who run CDC Replication replication processes, typically users who are logged in through Management Console or who start replication processes from the command line/job scheduler. The CDC Replication source jobs are run under the CDC Replication operational user profile. The CDC Replication operational user requires authorities to the replicated source tables, journals and journal receivers. No authorities are required for the CDC Replication operational user on target tables since all the apply processes are run under the CDC Replication product user.
- CDC Replication owner or product user
  - By default, the user profile D_MIRROR. The user profile D_MIRROR is automatically created during installation. CDC Replication requires this user profile to supervise replication operations for the CDC Replication apply processes. The D_MIRROR user profile does not need authorities to the replicated source tables, journals or journal receivers. However, all the CDC Replication apply processes are run under the D_MIRROR user profile, hence the need for this profile to have update rights to the target tables.
CDC Replication product library (*LIB) authorities
User | Authority level | Comment |
---|---|---|
Product user (D_MIRROR or specified user profile) | *ALL | Typically, D_MIRROR is the owner of the *LIB object |
Operational user | *USE | Needed to create and access objects in the product library |
Objects (*MSGQ, *USRQ) are created for new subscriptions. In order to ensure that all users entitled to use CDC Replication can view event log messages and monitor subscriptions activity, you should set the CRTAUT parameter to *ALL.
CDC Replication product object authorities
User | Object type | Authority level | Comment |
---|---|---|---|
Product user (D_MIRROR or specified user profile) | *ALL | *ALL | Typically, D_MIRROR is the owner of the objects in the product library |
Operational user | *FILE | *CHANGE | Needed to configure CDC Replication and monitor subscriptions |
Operational user | *MSGQ *USRQ | *ALL | To monitor subscription activity, view event log messages, and remove subscriptions |
Operational user | Other object types | *USE |
You should set the CDC Replication product library create authority (CRTAUT) attribute to *ALL to ensure that newly created subscriptions can be monitored by any user entitled to use CDC Replication.
CDC Replication owner user profile authorities
User | Special authorities | Comment |
---|---|---|
Product user (D_MIRROR or specified user profile) | *JOBCTL | Control replication jobs submitted by any user |
Replicated source table authorities
User | Authority level | Comment |
---|---|---|
Product user (D_MIRROR or specified user profile) | None | The CDC Replication product user does not need authorities for the replicated source tables (*FILE PF-DTA). A potential exception is when you wish to control replicated tables through the D_MIRROR user profile (group profile, adopted authority) |
Operational user | *USE *OBJMGT | An operational user needs *USE authorities to refresh a table and to use it for continuous or net change mirroring. *OBJMGT authorities are required if journaling for the tables must be started as part of mapping the tables. If journaling is already started, the *OBJMGT authority is not required |
Journal authorities
User | Authority level | Comment |
---|---|---|
Product user (D_MIRROR or specified user profile) | None | The CDC Replication product user does not need authorities to the journal. A potential exception is when you wish to control replication through the D_MIRROR user profile (group profile, adopted authority) |
Operational user | *OBJOPR *OBJMGT *OBJEXIST *READ *ADD *UPDATE *EXECUTE | These authorities are required to start journaling as part of mapping the tables, read the journal entries, and start the CDC Replication subscription |
Journal receiver authorities
User | Authority level | Comment |
---|---|---|
Product user (D_MIRROR or specified user profile) | None | The CDC Replication product user does not need authorities to the journal receiver. A potential exception is when you wish to control replication through the D_MIRROR user profile (group profile, adopted authority) |
Operational user | *OBJOPR *OBJMGT *OBJEXIST *READ *ADD *UPDATE *EXECUTE | On different occasions (refresh table, start and end of mirroring), user-defined journal entries are written into the journal to mark starting and ending points. Add and update authorities are needed to be able to write these entries. |
Target table authorities
User | Authority level | Comment |
---|---|---|
Product user (D_MIRROR or specified user profile) | *CHANGE *OBJMGT | Apply processes are run under this user profile, hence the need for this profile to have update rights to the target tables. Object management authority is required to clear the target table using CLRPFM in the event of a refresh |
Operational user | None | By default, all apply processes are run under the D_MIRROR user profile; no rights are needed for the CDC Replication operational user. |
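
The source table, journal, journal receiver and target table requirements above can be checked against what a profile actually holds (for example, as read from DSPOBJAUT output). The following is an added example, not IBM code: it expands the composite values *USE, *CHANGE and *ALL into their detailed authorities and reports what is missing and what exceeds the documented minimum. The role and object-kind keys, the function names and the observed strings in the test cases are assumptions made for illustration.

```python
# Detailed IBM i object and data authorities.
OBJ = {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF"}
DATA = {"*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}
ATOMIC = OBJ | DATA
# Composite values and the detailed authorities they stand for.
COMPOSITE = {
    "*ALL": OBJ | DATA,
    "*CHANGE": {"*OBJOPR"} | DATA,
    "*USE": {"*OBJOPR", "*READ", "*EXECUTE"},
    "*EXCLUDE": set(),
    "NONE": set(),
}
ALIASES = {"*UPDATE": "*UPD"}  # the tables above spell the update authority *UPDATE

JOURNAL = "*OBJOPR *OBJMGT *OBJEXIST *READ *ADD *UPDATE *EXECUTE"
# (role, object kind) -> authority level, copied from the tables above.
# The role and kind labels are hypothetical names chosen for this example.
REQUIRED = {
    ("operational", "source_table"): "*USE *OBJMGT",
    ("operational", "journal"): JOURNAL,
    ("operational", "journal_receiver"): JOURNAL,
    ("operational", "target_table"): "None",
    ("product", "source_table"): "None",
    ("product", "journal"): "None",
    ("product", "journal_receiver"): "None",
    ("product", "target_table"): "*CHANGE *OBJMGT",
}

def expand(spec):
    """Turn an authority string such as '*USE *OBJMGT' into detailed authorities."""
    result = set()
    for token in spec.upper().split():
        token = ALIASES.get(token, token)
        if token in COMPOSITE:
            result |= COMPOSITE[token]
        elif token in ATOMIC:
            result.add(token)
        else:
            raise ValueError(f"unknown authority value: {token}")
    return frozenset(result)

def audit(role, kind, observed):
    """Compare observed authorities with the documented requirement.

    'missing' can be acceptable for *OBJMGT on source tables when journaling is
    already started; 'excess' can be intended when replication is controlled
    through D_MIRROR (group profile, adopted authority), as the tables note.
    """
    need = expand(REQUIRED[(role, kind)])
    have = expand(observed)
    return {"missing": sorted(need - have), "excess": sorted(have - need)}
```

A non-empty `excess` list for the operational user on target tables, or for the product user on source tables, journals or journal receivers, marks authority beyond what the tables require.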