Adjusting authorization for the data collector
You can customize authorization for the data collector.
Data collector authorization adjustment is based on the Db2 authorization exit that is
activated by using the following parameters:
- KD2_OMPE_DB2_EXIT - The data collector startup parameter.
- KD2_OMPE_DB2_USER - The user authorization exit parameter.
Operation mode
The following describes both exits:
- Db2 authorization exit
- During connection to a Db2 system, the primary and secondary authorization IDs of a
user determine the user’s authority (for example, MONITOR1 or MONITOR2). You can
obtain the primary authorization ID and a list of the secondary authorization IDs by
using one of these methods:
- Use the authorization routine supplied by OMEGAMON for Db2® Performance Expert. This routine uses the authorization ID in the MVS control block and the secondary authorization IDs returned by RACF (if installed).
- The Db2 system provides an exit point for an authorization routine in connection processing. It performs crucial steps in the assignment of values to the primary, secondary, and SQL IDs. You must have an authorization routine for this exit. Db2 provides the default routine DSN3@ATH for connections.
For more information about the exit and connection routine, refer to the section on connection routines and sign-on routines in IBM® Db2 for z/OS® in IBM Documentation.
- User authorization exit
- In general, OMEGAMON for Db2 Performance Expert relies on the Db2 security scheme. In particular, each Online Monitor user needs the authorities MONITOR1 or MONITOR2. Db2 does not provide the capability to restrict the authority to specific areas, for example, statistics data only or specific threads only.
Syntax diagram of startup parameters
Parameter description
The following list shows the options for the data collector authorization adjustment:
- =value
- Used to specify whether the Db2 authorization exit or the supplied OMEGAMON for Db2
Performance Expert authorization exit is called, where
value can be any of the following:
- NO
- The supplied OMEGAMON for Db2 Performance Expert authorization exit is called. This is the default. You can abbreviate this value to “N”.
- YES
- The Db2 authorization exit is called. You can abbreviate this value to “Y”.
- =value
- Used to specify whether the user exit routine DGOVUUAE is called, where
value can be any of the following:
- NO
- The OMEGAMON for Db2 Performance Expert authorization is used. This is the default. You can abbreviate this value to “N”.
- YES
- The user-modifiable exit routine DGOVUUAE is called. You can abbreviate this value to “Y”.
Installation hints
- For KD2_OMPE_DB2_EXIT
- Use the job DSNTIJEX to assemble and link the DSN3@ATH exit. Both the job and the exit are supplied by Db2 in the SDSNSAMP library. Store the linked exit into a data set. This data set must be the first entry in the STEPLIB of the data collector started-task JCL.
- For KD2_OMPE_DB2_USER
- Use the job DGOVJUAE to assemble and link-edit the user authorization exit DGOVUUAE. Both the job and the exit are supplied in the SDGOSAMP library. Be aware that DGOVUUAE is a user-modifiable routine, which might have been changed in your installation.
Example
Customize the data collector to activate the user authorization
exit.
***********************************************
* Activate User Authorization Exit *
***********************************************
KD2_OMPE_DB2_USER=YES
*