Creating Data Gate users and granting privileges on z/OS

Data Gate requires both a privileged user (for administration and load tasks) and a log reader user (to read Db2 for z/OS log data).

About this task

The log reader user should be a dedicated user ID to access the log interface and to retrieve the log records of the copied tables for the Data Gate. The privileged user should be responsible for administration tasks (like stored procedure invocation, SELECT on Data Gate metadata tables and Db2® catalog, etc.) and the initial load of data (UNLOAD/SELECT on business tables).

You can define one user ID with all required privileges for both the log reader user and the privileged user. Data Gate supports using a single user ID during configuration by choosing the Same as source database option.

Procedure

  • Grant the following privileges to the Data Gate log reader user (named LOGUSR in the examples).
    1. Add a DSNR profile.
      Ownership must be assigned to the user ID that starts the Db2 subsystem or data sharing member to which you want to connect. In the following examples, the name of this user is DB2USER. The profile name must consist of the Db2 subsystem or member name followed by a dot and the keyword ACCEL.
      For example:
      DB2A.ACCEL
      The RACF® commands that you need to run to create this profile and grant the required read access are (in accordance with the names previously introduced):
      RDEFINE DSNR (DB2A.ACCEL) OWNER(DB2USER) UACC(NONE)
PERMIT DB2A.ACCEL CLASS(DSNR) ID(LOGUSR) ACCESS(READ)
    2. Assign read access to the DB2A.DIST profile.
      Most likely, this.DIST profile exists because it controls all remote access to Db2. If it does not yet exist, define it in the same way as the DB2A.ACCEL profile.
      For example:
      RDEFINE DSNR (DB2A.DIST) OWNER(DB2USER) UACC(NONE)
PERMIT DB2A.DIST CLASS(DSNR) ID(LOGUSR) ACCESS(READ)
    3. Grant MONITOR2 authority by issuing the command: 
      GRANT MONITOR2 TO LOGUSR;
    4. For schema change support, grant the SELECT privilege on the following system tables:
      • SYSIBM.SYSTABLES
      • SYSIBM.SYSCOLUMNS
      • SYSIBM.SYSDUMMY1

      To set these privileges for the sample user ID LOGUSR:

      GRANT SELECT ON SYSIBM.SYSTABLES TO LOGUSR;
GRANT SELECT ON SYSIBM.SYSCOLUMNS TO LOGUSR;
GRANT SELECT ON SYSIBM.SYSDUMMY1 TO LOGUSR;
COMMIT;

      For more information about schema changes, see Support for schema changes in Data Gate tables

    5. For schema change support, also grant the SELECT and UPDATE privileges on the SYSACCEL.SYSACCELERATEDTABLES table.

      To set this privilege for the sample user ID LOGUSR:

      GRANT SELECT, UPDATE ON SYSACCEL.SYSACCELERATEDTABLES TO LOGUSR;
COMMIT;
    6. The LOGUSR user ID also requires permission to run the SYSPROC.ACCEL_SET_TABLES_ACCELERATION and SYSPROC.ACCEL_REMOVE_TABLES stored procedures.
      For details, see the Authorizations for z/OS sections in these topics:
    7. In addition, the LOGUSR user ID requires read access to the AQTDEF6 and AQTENV data set members of your installation. The name of the data set that these members belong to depends on your product configuration. Grant the read privilege to the RACF user profile that has access to these members.
      This will probably not be one of the profiles that are already mentioned, but yet another RACF profile. On a generic basis, the command for this reads:
      PERMIT <profile name> ID(LOGUSR) ACCESS(READ)

      Where <profile name> is the name of the identified RACF profile.

  • Grant the following privileges and authorizations to the privileged user (privileged-user):
    z/OS® privileges:
    • Read privilege on the stored procedure configuration data set SAQTSAMP, members AQTENV and AQTDEF6
    • For the initial load of data to Data Gate:
      • GRANT STARTDB ON DATABASE Db2-database TO privileged-user
      • GRANT UNLOAD/SELECT ON Db2-table TO privileged-user
    RACF and z/OS UNIX file system (zFS) privileges:
    • OMVS segment for the privileged user ID
    • Write access to the /tmp directory (UNIX System Services pipes are created in this directory).
    • RACF ACCESS(READ) on the data set high-level-qualifier.ETC.IPNODES
    • Permission to read the RACF group profiles associated with the privileged user. In the following example, this permission is granted to the user IBMDBUSR:
      PE IRR.DIGTCERT.LIST CL(FACILITY) ID(IBMDBUSR) ACC(READ)
    • Permission to update RACF key rings associated with the privileged user. In the following example, this permission is granted to the user IBMDBUSR:
      
PE IRR.DIGTCERT.LISTRING CL(FACILITY) ID(IBMDBUSR) ACC(UPDATE)
    • Permission to read the dbsubsystem.ACCEL profile. In the following example, this permission is granted to the user IBMDBUSR on a profile named DB2A.ACCEL
      PERMIT DB2A.ACCEL CLASS(DSNR) ID(IBMDBUSR) ACCESS(READ)
    • Permission to read the dbsubsystem.DIST profile. In the following example, this permission is granted to the user IBMDBUSR on a profile named DB2A.DIST:
      PERMIT DB2A.DIST CLASS(DSNR) ID(IBMDBUSR) ACCESS(READ)
    Db2 for z/OS privileges:
    • GRANT EXECUTE ON FUNCTION DSNAQT.* TO privileged-user
    • GRANT EXECUTE ON PROCEDURE SYSPROC.* TO privileged-user
    • GRANT EXECUTE ON PACKAGE SYSACCEL.* TO privileged-user
    • GRANT MONITOR1 TO privileged-user
    • GRANT TRACE TO privileged-user
    • GRANT DISPLAY TO privileged-user
    • GRANT SYSOPR TO privileged-user
    • GRANT SELECT ON DSNAQT.ACCEL_NAMES TO privileged-user
    • GRANT SELECT ON SYSACCEL.* TO privileged-user
    • GRANT SELECT ON SYSIBM.SYSCOLUMNS TO privileged-user
    • GRANT SELECT ON SYSIBM.SYSCONTROLS TO privileged-user
    • GRANT SELECT ON SYSIBM.SYSDATABASE TO privileged-user
    • GRANT SELECT ON SYSIBM.SYSDUMMY1 TO privileged-user
    • GRANT SELECT ON SYSIBM.SYSINDEXES TO privileged-user
    • GRANT SELECT ON SYSIBM.SYSRELS TO privileged-user
    • GRANT SELECT ON SYSIBM.SYSTABLEPART TO privileged-user
    • GRANT SELECT ON SYSIBM.SYSTABLES TO privileged-user
    • GRANT SELECT ON SYSIBM.SYSVIEWS TO privileged-user