Security Access Facility (SAF) and Db2 authorization

DB2® supports two approaches to security authorization:

  • GRANT and REVOKE SQL statements, the original implementation of access control in DB2
  • DB2 Access Control Module (ACM), a newer method for centralizing access control of DB2 resources within a common facility (RACF®, ACF2, TopSecret, etc.).

Each address space that executes programs on a z/OS® system must do so under the control of a security identifier. The installation process requires that such a security identifier be assigned for use by the CDC Replication Engine for Db2® for z/OS address space. It is under this security identifier that access to Db2 resources by CDC Replication will occur. The CDC Replication Engine for Db2 for z/OS address space's security identifier is granted SYSCTRL authority during installation. This grant gives the engine's address space the ability to access the Db2 catalog tables.

To establish an administration connection with the CDC Replication Engine for Db2 for z/OS, you must specify access parameters that include a valid user identifier. For security reasons, the user identifier must be created by your system administrator through a SAF-compliant security administration product. When a Management Console user logs on to a CDC Replication engine, the user identifier and password are validated by using an SAF call (which interrogates RACF, TopSecret, and so on). When the user passes validation, the user's primary identifier (security identifier) and secondary identifiers (connected-to groups) are used to determine whether the user can access a Db2 resource at the level that is required to perform a specific action. This user identifier controls access to the application tables that administrative actions make the objects of replication, and it is the CDC Replication engine's security identifier for that connection.

The CDC Replication Engine for Db2 for z/OS validates its access to DB2 resources with whichever authorization approach has been chosen for DB2. If DB2 uses GRANT and REVOKE, the CDC Replication Engine for Db2 for z/OS interrogates the DB2 authority tables to see whether CDC Replication has access at the appropriate level to the DB2 resources. If a DB2 ACM is installed, the CDC Replication Engine for Db2 for z/OS calls the installed ACM for authority validation instead of querying the DB2 authority tables.

Once access to the DB2 resources at the required level has been validated for the CDC Replication engine's security identifier, the actual access occurs under the authority of the CDC Replication Engine for Db2 for z/OS address space. Therefore, the CDC Replication Engine for Db2 for z/OS security identifier must itself be authorized, at the appropriate level, for every DB2 resource that the replication engine will access. Typically, this is done by granting DBADM authority over the databases that contain those resources to the CDC Replication Engine for Db2 for z/OS security identifier.

For this reason, the user identifier used to log on to CDC Replication must be assigned the appropriate database authorities and privileges to perform common subscription and table operations in Management Console. The following table identifies common Management Console subscription and table operations that can be performed under different authority and privilege levels.

Function SYSADM SYSCTRL DBADM CREATETABAUTH SELECT INSERT, UPDATE, DELETE
Adding tables X X X
Viewing subscriptions X X
Assigning tables X X X
Creating subscription tables X X

Considerations:
  • SYSADM authority grants full database privileges to the z/OS user identifier. It allows the identifier to work with all subscriptions and tables accessible through the replication engine.
  • DBADM authority only applies to a single database. If a subscription contains one or more tables that reside in a different database and the z/OS user identifier does not have the authority to work with the tables, the subscription will not be presented through Management Console.
  • INSERT, UPDATE, and DELETE privileges must all be granted to the z/OS user identifier in order to perform the supported Management Console operations indicated for the privileges in the table above.

If you are unable to perform necessary operations with the z/OS user identifier that is specified as an access parameter, consult your system administrator to determine the database authority or privileges currently granted to the user identifier.
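The following queries are an added example, not part of the original page or the CDC Replication product, of how an administrator can check in the Db2 for z/OS catalog which of the authorities and privileges from the table above a log-on identifier holds. The authorization IDs, schema and table name are placeholders; the queries only reflect GRANT/REVOKE-based authorization, so if a DB2 ACM is installed the decision is made in RACF, ACF2 or TopSecret profiles and these rows do not show it.

```sql
-- Placeholders: 'CDCUSER' is the primary authorization ID, 'CDCGRP1' one of its
-- secondary (connected-to group) IDs. Include every secondary ID, because Db2 checks
-- the primary and all secondary IDs when GRANT/REVOKE authorization is in effect.
-- Authority columns hold 'Y' (held), 'G' (held with GRANT option) or blank (not held).

-- System-level authorities (SYSADM, SYSCTRL).
SELECT GRANTEE, SYSADMAUTH, SYSCTRLAUTH
  FROM SYSIBM.SYSUSERAUTH
 WHERE GRANTEE IN ('CDCUSER', 'CDCGRP1')
   AND (SYSADMAUTH <> ' ' OR SYSCTRLAUTH <> ' ');

-- Database-level authorities (DBADM, CREATETAB), one row per database.
-- A subscription whose tables span databases needs rows for each of them.
SELECT GRANTEE, NAME AS DBNAME, DBADMAUTH, CREATETABAUTH
  FROM SYSIBM.SYSDBAUTH
 WHERE GRANTEE IN ('CDCUSER', 'CDCGRP1')
   AND (DBADMAUTH <> ' ' OR CREATETABAUTH <> ' ')
 ORDER BY NAME, GRANTEE;

-- Table-level privileges on a table that is to be replicated (placeholder name).
-- Grants to PUBLIC apply to every ID, so they are included as well.
SELECT GRANTEE, TCREATOR, TTNAME,
       SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE GRANTEE IN ('CDCUSER', 'CDCGRP1', 'PUBLIC')
   AND TCREATOR = 'APPSCHEMA'
   AND TTNAME   = 'ORDERS';
```

An empty result from all three queries for an identifier that nevertheless works in Management Console is the usual sign that an ACM, rather than the catalog, is deciding access.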