Protection Installation Parameters (DSNTIPP)

This topic shows detailed information about System Parameters - Protection Installation Parameters (DSNTIPP).

This block shows security settings.

Data sets, including data sets defined to DFSMS, should be protected by a security manager, such as RACF.

Fields in this block can contain long names. When a long name exceeds the available space, it is truncated in the block; the parameter identifier and the full name are then printed in a separate list at the end of the report.

System Parameters - Protection Installation Parameters (DSNTIPP)

The field labels shown in the following sample layout of System Parameters - Protection Installation Parameters (DSNTIPP) are described in the following section.


PROTECTION INSTALLATION PARAMETERS (DSNTIPP)
--------------------------------------------
ARCHIVE LOG RACF PROTECTION (PROTECT)........................NO
DB2 AUTHORIZATION ENABLED (AUTH)............................YES
PLAN AUTHORIZATION CACHE SIZE (AUTHCACH)..................3,072
AUTH EXIT CHECK (AUTHEXIT_CHECK)........................PRIMARY
AUTH EXIT CACHE REFRESH (AUTHEXIT_CACHEREFRESH)............NONE
SYSTEM ADMINISTRATOR 1 AUTHORIZATION ID (SYSADM)...........HELM
SYSTEM ADMINISTRATOR 2 AUTHORIZATION ID (SYSADM2)........SYSADM
SYSTEM OPERATOR 1 AUTHORIZATION ID (SYSOPR1)...............HELM
SYSTEM OPERATOR 2 AUTHORIZATION ID (SYSOPR2)...............EMIL
DEFAULT (UNKNOWN) USER AUTHORIZATION ID (DEFLTID).......IBMUSER
RESOURCE LIMIT TABLE CREATOR AUTH ID (RLFAUTH)...........SYSIBM
BIND NEW PACKAGE (BINDNV)...............................BINDADD
DBA CREATE VIEW (DBACRVW)....................................NO
MFA_AUTHCACHE_UNUSED_TIME (QWP4MFAT)..........................0
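The layout above is what the report prints. As an added example that is not part of the report documentation or of Db2 itself, the following Python parses such a block into identifier/value pairs and flags the settings that the field descriptions below identify as weakening protection (AUTH=NO, PROTECT=NO, BINDNV=BIND, DBACRVW=YES) and lists the privileged and default authorization IDs for review. The sample block is constructed from the layout shown, with AUTH changed to NO and BINDNV to BIND so the checks fire; the severity ratings are this example's own policy, not values from the report.

```python
"""Parse the DSNTIPP block of a Db2 system-parameters report and flag
settings worth a reviewer's attention.  Example code, not Db2 or report
tooling; the severity policy in review() is this example's own."""
from __future__ import annotations

import re

# Constructed sample: the report layout, with AUTH set to NO and BINDNV
# set to BIND so that the checks below have something to report.
SAMPLE_BLOCK = """\
PROTECTION INSTALLATION PARAMETERS (DSNTIPP)
--------------------------------------------
ARCHIVE LOG RACF PROTECTION (PROTECT)........................NO
DB2 AUTHORIZATION ENABLED (AUTH).............................NO
PLAN AUTHORIZATION CACHE SIZE (AUTHCACH)..................3,072
AUTH EXIT CHECK (AUTHEXIT_CHECK)........................PRIMARY
AUTH EXIT CACHE REFRESH (AUTHEXIT_CACHEREFRESH)............NONE
SYSTEM ADMINISTRATOR 1 AUTHORIZATION ID (SYSADM)...........HELM
SYSTEM ADMINISTRATOR 2 AUTHORIZATION ID (SYSADM2)........SYSADM
SYSTEM OPERATOR 1 AUTHORIZATION ID (SYSOPR1)...............HELM
SYSTEM OPERATOR 2 AUTHORIZATION ID (SYSOPR2)...............EMIL
DEFAULT (UNKNOWN) USER AUTHORIZATION ID (DEFLTID).......IBMUSER
RESOURCE LIMIT TABLE CREATOR AUTH ID (RLFAUTH)...........SYSIBM
BIND NEW PACKAGE (BINDNV)...................................BIND
DBA CREATE VIEW (DBACRVW)....................................NO
MFA_AUTHCACHE_UNUSED_TIME (QWP4MFAT)..........................0
"""

# "LABEL (ID)....VALUE": the identifier is the last parenthesised group
# before the dot leaders, the value is whatever follows them.  Header and
# underline rows have no dot leaders and so do not match.
LINE_RE = re.compile(
    r"^(?P<label>.+?)\s*\((?P<id>[A-Z0-9_]+)\)\.{2,}(?P<value>\S+)\s*$"
)


def parse_dsntipp(text: str) -> dict[str, str]:
    """Return {identifier: value} for every parameter line in the block."""
    params: dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            params[m.group("id")] = m.group("value")
    return params


def authcach_entries(value: str) -> int:
    """Authorization IDs that fit in an AUTHCACH of the given size:
    32 bytes of overhead plus 8 bytes per ID, per the field description."""
    size = int(value.replace(",", ""))
    return 0 if size == 0 else max(0, (size - 32) // 8)


def review(params: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (severity, identifier, finding) tuples for a parsed block."""
    findings: list[tuple[str, str, str]] = []
    if params.get("AUTH", "YES") != "YES":
        findings.append(("HIGH", "AUTH",
                         "Db2 authorization checking disabled; every "
                         "privilege is effectively granted to PUBLIC"))
    if params.get("PROTECT") == "NO":
        findings.append(("MEDIUM", "PROTECT",
                         "archive log data sets get no individual RACF "
                         "profiles; confirm the security manager covers them"))
    if params.get("BINDNV") == "BIND":
        findings.append(("LOW", "BINDNV",
                         "BIND privilege alone allows new package versions"))
    if params.get("DBACRVW") == "YES":
        findings.append(("LOW", "DBACRVW",
                         "DBADM IDs may create views and aliases for others"))
    if params.get("AUTHCACH") == "0":
        findings.append(("INFO", "AUTHCACH",
                         "plan authorization caching is disabled"))
    # Privileged and fallback IDs are always listed so the reviewer can
    # confirm who owns them.
    for key in ("SYSADM", "SYSADM2", "SYSOPR1", "SYSOPR2", "DEFLTID"):
        if key in params:
            findings.append(("INFO", key, f"authorization ID is {params[key]}"))
    return findings


if __name__ == "__main__":
    parsed = parse_dsntipp(SAMPLE_BLOCK)
    print(f"AUTHCACH holds {authcach_entries(parsed['AUTHCACH'])} IDs")
    for severity, ident, text in review(parsed):
        print(f"{severity:6} {ident:10} {text}")
```

Long names that the report truncates in the block and prints in the separate list at the end of the report are not resolved here; the parser reports the truncated value as printed.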

ARCHIVE LOG RACF PROTECTION (PROTECT)

Indicates whether archive log data sets are protected with individual RACF profiles when they are created.

When YES, RACF protection must be active for Db2. YES also means that you cannot use RACF generic profiles for archive log data sets. If your archive log is on tape, the RACF class TAPEVOL must be active; otherwise, the offload fails.

Install parameter ARCHIVE LOG RACF on panel DSNTIPP, or ZPARM PROTECT in DSN6ARVP.

Field Name: QWP3RTCT

DB2 AUTHORIZATION ENABLED (AUTH)

Shows whether Db2 performs authorization checking.

When NO, Db2 performs no authorization checking at all, so every privilege is effectively granted to PUBLIC, and the GRANT statement is disabled. Running with authorization checking disabled is not recommended.

Install parameter USE PROTECTION on panel DSNTIPP, or ZPARM AUTH in DSN6SPRM.

Field Name: QWP4AUTH

PLAN AUTHORIZATION CACHE SIZE (AUTHCACH)

The size of the authorization cache to be used if no CACHESIZE is specified on the BIND PLAN subcommand.

The storage used by the cache is 32 bytes of overhead plus 8 bytes for each concurrent user whose authorization is cached.

0 means authorization caching is not used.

Install parameter PLAN AUTH CACHE on panel DSNTIPP, or ZPARM AUTHCACH in DSN6SPRM.

Field Name: QWP4AUCA

AUTH EXIT CHECK (AUTHEXIT_CHECK)

Specifies whether the Db2 authorization ID or the RACF primary authorization ID is used for authorization checks when the access control authorization exit is active:

PRIMARY
Db2 provides the ACEE of the primary authorization ID for all authorization checks. The primary authorization ID must hold the privileges required to execute the SQL statements in the package.
DB2
Db2 provides:
  • The ACEE of the package owner to perform statement authorization checks during automatic rebind, BIND, and REBIND processing
  • The ACEE of the package owner, routine definer, or routine invoker, as determined by the DYNAMICRULES behavior, for dynamic SQL authorization checking when a DYNAMICRULES bind option other than RUN is in effect
The access control authorization exit uses the ACEE of the authorization ID in the XAPLUCHK field to perform the check. The authorization ID in XAPLUCHK must be defined as a RACF user and must hold the privileges required to execute the SQL statements in the package.

Install parameter AUTH EXIT CHECK on panel DSNTIPP, or ZPARM AUTHEXIT_CHECK in DSN6SPRM.

Field Name: QWP4RACK

AUTH EXIT CACHE REFRESH (AUTHEXIT_CACHEREFRESH)

Specifies whether the package authorization cache, routine authorization cache, and dynamic statement cache entries are refreshed when an access control authorization exit is active and a user profile is changed in RACF. Possible values are:

  • All
  • None

Install parameter AUTH EXIT CACHE REFR on panel DSNTIPP, or ZPARM AUTHEXIT_CACHEREFRESH in DSN6SPRM.

Field Name: QWP4AECR

SYSTEM ADMINISTRATOR 1 AUTHORIZATION ID (SYSADM)

One of two authorization IDs with SYSADM authority. SYSADM users can access Db2 in all cases.

This identifier can be a long string. If there is insufficient space to show the complete string, the string is truncated in the report block. The complete string is shown in a separate list of long names at the end of the report.

Install parameter SYSTEM ADMIN 1 on panel DSNTIPP, or ZPARM SYSADM in DSN6SPRM.

Field Name: QWP4SADM

SYSTEM ADMINISTRATOR 2 AUTHORIZATION ID (SYSADM2)

One of two authorization IDs with SYSADM authority. SYSADM users can access Db2 in all cases.

This identifier can be a long string. If there is insufficient space to show the complete string, the string is truncated in the report block. The complete string is shown in a separate list of long names at the end of the report.

Install parameter SYSTEM ADMIN 2 on panel DSNTIPP, or ZPARM SYSADM2 in DSN6SPRM.

Field Name: QWP4ADM2

SYSTEM OPERATOR 1 AUTHORIZATION ID (SYSOPR1)

One of two authorization IDs with SYSOPR authority. SYSOPR users can access Db2 even if the Db2 catalog is unavailable.

This identifier can be a long string. If there is insufficient space to show the complete string, the string is truncated in the report block. The complete string is shown in a separate list of long names at the end of the report.

Install parameter SYSTEM OPERATOR 1 on panel DSNTIPP, or ZPARM SYSOPR1 in DSN6SPRM.

Field Name: QWP4OPR1

SYSTEM OPERATOR 2 AUTHORIZATION ID (SYSOPR2)

One of two authorization IDs with SYSOPR authority. SYSOPR users can access Db2 even if the Db2 catalog is unavailable.

This identifier can be a long string. If there is insufficient space to show the complete string, the string is truncated in the report block. The complete string is shown in a separate list of long names at the end of the report.

Install parameter SYSTEM OPERATOR 2 on panel DSNTIPP, or ZPARM SYSOPR2 in DSN6SPRM.

Field Name: QWP4OPR2

DEFAULT (UNKNOWN) USER AUTHORIZATION ID (DEFLTID)

The authorization ID used for batch access when RACF is not available and USER= is not specified on the JOB statement.

This identifier can be a long string. If there is insufficient space to show the complete string, the string is truncated in the report block. The complete string is shown in a separate list of long names at the end of the report.

Install parameter UNKNOWN AUTHID on panel DSNTIPP, or ZPARM DEFLTID in DSN6SPRM.

Field Name: QWP4DFID

RESOURCE LIMIT TABLE CREATOR AUTH ID (RLFAUTH)

The authorization ID used for the resource limit facility (governor).

This identifier can be a long string. If there is insufficient space to show the complete string, the string is truncated in the report block. The complete string is shown in a separate list of long names at the end of the report.

Install parameter RESOURCE AUTHID on panel DSNTIPP, or ZPARM RLFAUTH in DSN6SYSP.

Field Name: QWP1RLFA

BIND NEW PACKAGE (BINDNV)

Shows whether the BIND or the BINDADD privilege is required to bind a new version of an existing package:

BINDADD
The default. Only users with the BINDADD system privilege can create a new package, including a new version of an existing package.
BIND
Users with the BIND privilege on a package or collection can create a new version of an existing package when they bind it. This setting also allows users with PACKADM authority to add a new package, or a new version of a package, to a collection.

Install parameter BIND NEW PACKAGE on panel DSNTIPP, or ZPARM BINDNV in DSN6SPRM.

Field Name: QWP4BNVA

DBA CREATE VIEW (DBACRVW)

Shows whether an authorization ID with DBADM authority can create a view or alias for another user. Possible values are YES and NO. The default is NO.

Install parameter DBADM CREATE AUTH on panel DSNTIPP, or ZPARM DBACRVW in DSN6SPRM.

Field Name: QWP4CRVW

MFA_AUTHCACHE_UNUSED_TIME (QWP4MFAT)

Specifies how long, in seconds, MFA security credentials from a distributed client can remain unused in the Db2 global authentication cache before the client must provide new security credentials.

Field Name: QWP4MFAT