Adjusting authorization for the data collector

You can customize authorization for the data collector.

Data collector authorization adjustment is based on the Db2 authorization exit that is activated by using the following parameters:

Operation mode

The following describes both exits:
Db2 authorization exit
During connection to a Db2 system, the primary and secondary authorization IDs of a user determine the user’s authority (for example, MONITOR1 or MONITOR2). You can obtain the primary authorization ID and a list of the secondary authorization IDs by using one of these methods:
  • Use the authorization routine supplied by OMEGAMON for Db2® Performance Expert. This routine uses the authorization ID in the MVS control block and the secondary authorization IDs returned by RACF (if installed).
  • The Db2 system provides an exit point for an authorization routine in connection processing. It performs crucial steps in the assignment of values to the primary, secondary, and SQL IDs. You must have an authorization routine for this exit. Db2 provides the default routine DSN3@ATH for connections.

For more information about the exit and connection routine, refer to the section on connection routines and sign-on routines in IBM® Db2 for z/OS® in IBM Documentation.

User authorization exit
In general, OMEGAMON for Db2 Performance Expert relies on the Db2 security scheme. In particular, each Online Monitor user needs the authorities MONITOR1 or MONITOR2. Db2 does not provide the capability to restrict the authority to specific areas, for example, statistics data only or specific threads only.
The OMEGAMON for Db2 Performance Expert user authorization exit is designed to provide your installation with such a capability. When the exit is used, the Online Monitor user no longer needs MONITOR1 or MONITOR2 authority. Instead, the exit is in full control of the authorization. Data is requested under data collector authorization and is passed to the exit. The authorization can be defined for the type of data requested and, in case of thread data, for each thread.
The interface is described in detail in Customizing and activating user exits.

Syntax diagram of startup parameters

KD2_OMPE_DB2_EXIT={NO | YES}
KD2_OMPE_DB2_USER={NO | YES}

Parameter description

The following list shows the options for the data collector authorization adjustment:
KD2_OMPE_DB2_EXIT=value
Used to specify whether the Db2 authorization exit or the supplied OMEGAMON for Db2 Performance Expert authorization exit is called, where value can be any of the following:
  NO
  The supplied OMEGAMON for Db2 Performance Expert authorization exit is called. This is the default. You can abbreviate this value to “N”.
  YES
  The Db2 authorization exit is called. You can abbreviate this value to “Y”.
This parameter cannot be changed from the console.
You can abbreviate this parameter to “UDAE”.
For more information about how Db2 checks authorization, see IBM Db2 for z/OS in IBM Documentation.
KD2_OMPE_DB2_USER=value
Used to specify whether the user exit routine DGOVUUAE is called, where value can be any of the following:
  NO
  The OMEGAMON for Db2 Performance Expert authorization is used. This is the default. You can abbreviate this value to “N”.
  YES
  The user-modifiable exit routine DGOVUUAE is called. You can abbreviate this value to “Y”.
This parameter cannot be changed from the console. You can abbreviate this parameter to “UUAE”.

Installation hints

For KD2_OMPE_DB2_EXIT
Use the job DSNTIJEX to assemble and link the DSN3@ATH exit. Both the job and the exit are supplied by Db2 in the SDSNSAMP library. Store the linked exit into a data set. This data set must be the first entry in the STEPLIB of the data collector started-task JCL.
For KD2_OMPE_DB2_USER
Use the job DGOVJUAE to assemble and link-edit the user authorization exit DGOVUUAE. Both the job and the exit are supplied in the SDGOSAMP library. Be aware that DGOVUUAE is a user-modifiable routine, which might have been changed in your installation.

Example

Customize the data collector to activate the user authorization exit.
***********************************************
* Activate User Authorization Exit            *
***********************************************
 
KD2_OMPE_DB2_USER=YES

*
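The following Python sketch is an added example, not part of the product or of the original page. It resolves the effective values of the two parameters from startup parameter text and lists what to verify for each, using only the defaults, abbreviations, and installation hints stated above. The function names and the sample input are constructed for illustration, and it assumes the parameter abbreviations are written in the same NAME=value form.

```python
# Full parameter name -> abbreviation, both as given on this page.
PARAMS = {"KD2_OMPE_DB2_EXIT": "UDAE", "KD2_OMPE_DB2_USER": "UUAE"}
VALUES = {"YES": "YES", "Y": "YES", "NO": "NO", "N": "NO"}


def parse_params(text):
    """Return {full parameter name: 'YES' or 'NO'}; unset parameters default to NO."""
    alias = {abbr: name for name, abbr in PARAMS.items()}
    settings = {name: "NO" for name in PARAMS}  # NO is the documented default
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("*"):  # blank line or comment line
            continue
        key, sep, value = line.partition("=")
        key = key.strip().upper()
        key = alias.get(key, key)  # assumption: abbreviations use NAME=value too
        if key not in PARAMS:
            continue  # some other startup parameter, not covered here
        value = value.strip().upper()
        if not sep or value not in VALUES:
            raise ValueError(f"line {lineno}: invalid value in {raw!r}")
        settings[key] = VALUES[value]
    return settings


def review_notes(settings):
    """List what an administrator should verify for the resolved settings."""
    notes = []
    if settings["KD2_OMPE_DB2_EXIT"] == "YES":
        notes.append("Db2 authorization exit is called: the data set holding the "
                     "linked DSN3@ATH must be first in the data collector STEPLIB.")
    else:
        notes.append("Supplied OMEGAMON authorization exit is called (default).")
    if settings["KD2_OMPE_DB2_USER"] == "YES":
        notes.append("DGOVUUAE is in full control of authorization; users no longer "
                     "need MONITOR1 or MONITOR2. Review the installed DGOVUUAE.")
    else:
        notes.append("OMEGAMON authorization is used: users need MONITOR1 or MONITOR2.")
    return notes


# Constructed sample input modelled on the example on this page.
SAMPLE = "* Activate User Authorization Exit\nKD2_OMPE_DB2_USER=Y\n"

if __name__ == "__main__":
    for note in review_notes(parse_params(SAMPLE)):
        print("-", note)
```
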