Installation step 10: Establish subsystem security (optional)

Db2 can control access to data within a Db2 subsystem. Db2 also works with outside security systems, such as RACF®, that control access to the Db2 subsystem.

Before you begin

Your system security administrator should have provided a Db2 for z/OS® security environment as outlined in the information about managing Db2 security, including user IDs and resource profiles for batch connections. If you are using RACF, ensure that the system security administrator also defined your Db2 resources to RACF.

The following IDs should have been specified on installation panel DSNTIPP1:

  • Two system administrator (installation SYSADM) authorization IDs
  • Two system operator (installation SYSOPR) authorization IDs
  • Two security administrator (installation SECADM) authorization IDs or roles
  • One authorization ID (installation IBMUSER) if RACF is not available for batch access and USER= is not specified in the JOB statement

Procedure

To establish subsystem security:

  • Ensure that the specified installation SYSADM IDs are defined in your TSO and RACF systems before attempting to access Db2. You can also define installation SYSOPR IDs, SECADM IDs, and the installation IBMUSER ID.
  • To enable primary and secondary user IDs to issue Db2 commands from the z/OS console or TSO SDSF, define RACF classes to authorize Db2 commands. Use the following RACF commands: 
    SETR CLASSACT(DSNADM)
RDEFINE DSNADM DSN1.SYSOPR UACC(NONE)                        
SETR RACLIST(DSNADM) REFRESH
PERMIT DSN1.SYSOPR CLASS(DSNADM) ID(userid) ACCESS(READ)    
SETR RACLIST(DSNADM) REFRESH

    You can grant SYSOPR authority to all primary and secondary user IDs that issue Db2 commands from the z/OS console or TSO SDSF, but only after Db2 can process SQL.

  • To separate security tasks from system administration tasks, use the SEPARATE SECURITY field on the DSNTIPP1 panel. Before setting the SEPARATE SECURITY field to YES, set at least one SECADM system parameter to an authorization ID, or create the necessary trusted contexts and roles. If you specify YES for SEPARATE SECURITY, system administrator authority cannot be used to perform security tasks, and the SECADM authority is required to manage trusted contexts and roles. If both SECADM system parameters are set to roles and those roles have not been created, no one will have the authority to manage trusted contexts and roles.
  • Run job DSNTIJRA to complete the following tasks:
    • Define the administrative task scheduler started task module to RACF program control
    • Define the administrative task scheduler as a trusted context in RACF

    If you are using a Db2 data sharing environment, customize and run DSNTIJRA for each member of the group.