User authorization exits

You can configure user authorization exits to restrict user authority to specific data or specific threads.

About this task

In general, OMEGAMON for Db2® Performance Expert relies on the Db2 security scheme. Each Online Monitor user must have the authorities that are described in IBM® Db2 for z/OS® in IBM Documentation; in particular, the MONITOR1 or MONITOR2 privilege is required. Db2 itself cannot restrict that authority to specific areas of monitoring data: for example, it cannot limit a user to statistics data only, or to specific threads.

The OMEGAMON for Db2 Performance Expert user authorization exit is designed to give your installation that capability. When the user authorization exit is used, the Online Monitor user no longer needs the MONITOR1 or MONITOR2 privilege; instead, the exit is in full control of the authorization decision. Authorization can be defined by the type of data requested and, for thread data, for each individual thread.

The user authorization exit is an extension of the Data Collector. Therefore, you must start the Data Collector to take advantage of the user authorization exit. The exit works for both the host Online Monitor and the workstation Online Monitor.

The authorization handling of the exit supersedes the Db2 authorizations. This means that if a user has MONITOR1 or MONITOR2 privilege, but the exit denies access to the data of a certain thread, the user cannot see this thread using the Online Monitor.

If the user authorization exit or the Data Collector fails, security falls back to the Db2 authorizations. A user whose access is normally granted by the exit, and who therefore has no MONITOR1 or MONITOR2 privilege, then cannot see any data. The fallback fails closed: a failure of the exit or of the Data Collector never exposes data that the exit would have hidden. The converse also follows: a user who holds MONITOR1 or MONITOR2 in addition to exit-granted access can see all data during such a fallback, so do not grant those privileges to users whose access is meant to be restricted by the exit.

When the exit is active, each Online Monitor user still needs access to Db2 and EXECUTE authority for the online monitor plan.

The user authorization exit is implemented as a separate (asynchronous) task that runs in the Data Collector address space and is posted by the Data Collector whenever a decision is needed. It is provided as a load module named DGOVMUAE, which contains, among other object modules, the object module DGOVUUAE. DGOVUUAE is the compiled exit routine that you can modify.

Procedure

You can activate or deactivate a user exit.

  1. To activate a user exit, complete the following steps:
    1. Stop the Data Collector (if it is running).
    2. Set the Data Collector parameter KD2_OMPE_DB2_USER to YES.
    3. Start (or restart) the Data Collector.
  2. To deactivate a user exit, complete the following steps:
    1. Stop the Data Collector.
    2. Set the Data Collector parameter KD2_OMPE_DB2_USER to NO.
    3. Restart the Data Collector.

Results

If the user authorization exit is active, module DGOVMUAE is posted for each request for:
  • Statistics data
  • System parameters data
  • Thread data
  • SQL statement text
This happens during the decision phase of the user exit. In addition, module DGOVMUAE is posted once during Data Collector startup (initialization phase) and once when the Data Collector is shut down (cleanup phase). OMEGAMON for Db2 Performance Expert provides a sample of DGOVUUAE in RKO2SAMP. You can change module DGOVUUAE to meet your installation requirements.

Although the exit runs as its own task, it is called synchronously when an Online Monitor request is handled: the request waits for the exit's decision, so the exit's execution time adds directly to the user's response time. It is therefore important that the exit performs well. To keep expensive operations, such as allocating storage or reading data from disk, off the request path, set up and initialize an exit environment when the Data Collector is started and reuse that environment whenever the exit is called. The environment can be set up when DGOVUUAE gets control for the first time, during Data Collector startup (initialization phase). You may also want to clean up the exit environment, for example free previously allocated storage, when DGOVUUAE receives control during Data Collector shutdown (cleanup phase).

To maintain your own storage area across calls of the user exit, a pointer is provided that you can set during the initialization phase. Once set, this pointer is passed to the exit routine each time it is posted during the decision phase, and finally during the cleanup phase.
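The three phases, the installation pointer that carries the environment between them, the per-thread decision, and the way the exit's answer combines with the Db2 privileges, as an added example in C. This is not the DGOVUUAE sample from RKO2SAMP and not the product's real interface: the parameter list layout, the rule table, the user IDs and auth IDs, and the names user_exit, dc_startup, dc_request, dc_shutdown and monitor_authorizes are all assumptions made here for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* ILLUSTRATIVE MODEL: the layouts, names and rule table below are assumptions,
 * not the real DGOVUUAE parameter list or the sample shipped in RKO2SAMP. */

enum phase    { PHASE_INIT, PHASE_DECISION, PHASE_CLEANUP };
enum reqtype  { REQ_STATISTICS = 1, REQ_SYSPARMS = 2, REQ_THREAD = 4, REQ_SQLTEXT = 8 };
enum decision { EXIT_ALLOW, EXIT_DENY, EXIT_FAILED };

struct rule {
    const char *user;           /* Online Monitor user ID (assumed) */
    unsigned    allowed;        /* bitmask of reqtype the user may request */
    const char *thread_owner;   /* auth ID whose threads the user may see, "*" for any */
};

struct exit_env {               /* built at init, reached through the pointer afterwards */
    size_t      nrules;
    struct rule rules[8];
};

struct exit_parms {             /* assumed parameter list for every call of the exit */
    enum phase   phase;
    const char  *user;          /* decision phase: requesting user */
    enum reqtype type;          /* decision phase: kind of data requested */
    const char  *thread_authid; /* decision phase, REQ_THREAD only: owner of the thread */
    void       **envp;          /* installation pointer slot: set at init, passed back later */
};

/* Constructed rule table; a real exit would load something like it from disk at init. */
static const struct rule sample_rules[] = {
    { "OPER1",  REQ_STATISTICS | REQ_SYSPARMS,                            "*"       },
    { "DBA1",   REQ_STATISTICS | REQ_SYSPARMS | REQ_THREAD | REQ_SQLTEXT, "PAYROLL" },
    { "AUDIT1", REQ_STATISTICS | REQ_SYSPARMS | REQ_THREAD | REQ_SQLTEXT, "*"       },
};

static const struct rule *find_rule(const struct exit_env *env, const char *user)
{
    for (size_t i = 0; i < env->nrules; i++)
        if (strcmp(env->rules[i].user, user) == 0)
            return &env->rules[i];
    return NULL;                /* no rule for this user: the caller denies */
}

/* The exit routine itself: one entry point, dispatched on the phase. */
enum decision user_exit(struct exit_parms *p)
{
    struct exit_env *env;
    const struct rule *r;

    switch (p->phase) {
    case PHASE_INIT:            /* Data Collector startup: the only place that allocates */
        env = calloc(1, sizeof *env);
        if (env == NULL)
            return EXIT_FAILED;
        env->nrules = sizeof sample_rules / sizeof sample_rules[0];
        memcpy(env->rules, sample_rules, sizeof sample_rules);
        *p->envp = env;
        return EXIT_ALLOW;

    case PHASE_DECISION:        /* on the request path: table lookups only, no I/O */
        env = *p->envp;
        if (env == NULL)
            return EXIT_FAILED; /* init never ran: report failure rather than guess */
        r = find_rule(env, p->user);
        if (r == NULL || (r->allowed & p->type) == 0)
            return EXIT_DENY;
        if (p->type == REQ_THREAD && strcmp(r->thread_owner, "*") != 0 &&
            (p->thread_authid == NULL || strcmp(r->thread_owner, p->thread_authid) != 0))
            return EXIT_DENY;   /* per-thread decision */
        return EXIT_ALLOW;

    case PHASE_CLEANUP:         /* Data Collector shutdown: free what init allocated */
        free(*p->envp);
        *p->envp = NULL;
        return EXIT_ALLOW;
    }
    return EXIT_FAILED;
}

/* Data Collector side: the pointer slot kept for the exit and the three call sites. */
static void *installation_ptr = NULL;

enum decision dc_startup(void)
{
    struct exit_parms p = { PHASE_INIT, NULL, REQ_STATISTICS, NULL, &installation_ptr };
    return user_exit(&p);
}

enum decision dc_request(const char *user, enum reqtype type, const char *thread_authid)
{
    struct exit_parms p = { PHASE_DECISION, user, type, thread_authid, &installation_ptr };
    return user_exit(&p);
}

enum decision dc_shutdown(void)
{
    struct exit_parms p = { PHASE_CLEANUP, NULL, REQ_STATISTICS, NULL, &installation_ptr };
    return user_exit(&p);
}

bool dc_env_present(void) { return installation_ptr != NULL; }

/* Final answer for an Online Monitor request, as the text describes it: an active
 * exit supersedes MONITOR1/MONITOR2; if the exit (or the Data Collector) failed,
 * the Db2 privilege alone decides, so an exit-only user ends up with nothing. */
bool monitor_authorizes(bool exit_active, enum decision d, bool has_monitor_priv)
{
    if (!exit_active || d == EXIT_FAILED)
        return has_monitor_priv;
    return d == EXIT_ALLOW;
}
```

The decision phase touches only the environment built at startup, which is the point of the initialization and cleanup phases: nothing on the request path allocates or reads from disk. Note that monitor_authorizes treats EXIT_FAILED as "ask Db2", which is why a user with both a generous exit rule and MONITOR1 would see everything during a fallback, while a user with no Db2 privilege sees nothing.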