Download PDF - IBM Redbooks
We used the RACF security server to control access to the data sets just as RACF controls
access to the DB2 subsystem. For this task, we defined RACF profiles for data sets and
permitted access to the data sets for certain DB2 IDs.
To protect DB2 data sets:
1. Add groups to control DB2 data sets:
Define special RACF groups to protect DB2 user databases with the high-level qualifier
(HLQ) “DB0TD.” These groups must have access to DB2 data sets, as illustrated in Example 8-32.
Example 8-32 Defining RACF groups
ADDGROUP DB0TD SUPGROUP(DB2GRP) OWNER(MAXIM)
2. Create generic RACF profiles for DB2 data sets by using the high-level qualifier “DB0TD,”
as shown in Example 8-33.
Example 8-33 Creating generic RACF profiles for specific DB2 data sets
ADDSD 'DB0TD.DSNDBD.**' UACC(NONE)
PERMIT 'DB0TD.DSNDBD.**' ID(SYSDSP) ACCESS(ALTER)
3. Authorize DB2 IDs to use data set profiles.
SYSDSP is the RACF user ID for DB2 started tasks and must have full access to DB2
data sets. Security administrators can define RACF profiles for various DB2 data sets,
such as active logs, archive logs, user databases, and installation libraries.
Tip: If you use generic profiles, specify NO for ARCHIVE LOG RACF on the DSNTIPP
installation panel, or you might receive a z/OS error message when DB2 tries to create
the archive log data set. If you specify YES, DB2 asks RACF to create a separate profile
for each archive log that is created, which means that you cannot use generic profiles
for these data sets.
Example 8-34 shows the command to give authority to DB2 IDs for creating new RACF
database profiles.
Example 8-34 Authority to create RACF database profiles
CONNECT (SYSADM) GROUP(DB0TD) AUTHORITY(CREATE) UACC(NONE)
4. Enable DB2 IDs to create data sets.
Example 8-35 shows how to give the IDs (SYSADM and SYSOPR) complete control over
DB0TD DB2 data sets.
Example 8-35 Giving complete control of DB2 DB0TD data sets
PERMIT 'DB0TD.DSNDBD.**' ID(SYSADM SYSOPR) ACCESS(ALTER)
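One way to confirm the result of steps 1 through 4, as an added example that is not part of the Redbook: a batch TSO job that refreshes the in-storage generic data set profiles and then lists the group, the profile's access list, and the generic profile that covers a sample data set name. The job card values and the data set name DB0TD.DSNDBD.SAMPLEDB.SAMPLETS.I0001.A001 are constructed placeholders, and the submitting ID is assumed to have the authority to issue SETROPTS.

```jcl
//RACFCHK  JOB (ACCT),'VERIFY DB0TD',CLASS=A,MSGCLASS=X
//* Added example: job name, accounting data and classes are
//* placeholders; replace them with your site's values.
//*
//* Commands in SYSTSIN, in order:
//*  1. SETROPTS refreshes in-storage generic DATASET profiles so
//*     the new DB0TD.DSNDBD.** profile and its PERMITs are used.
//*  2. LISTGRP shows the DB0TD group, its superior group and owner,
//*     and the connected user IDs with their group authority.
//*  3. LISTDSD ... AUTHUSER shows the universal access and the
//*     access list of the generic profile.
//*  4. LISTDSD on a sample data set name (constructed) shows which
//*     generic profile RACF would select for that name.
//*
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS GENERIC(DATASET) REFRESH
  LISTGRP DB0TD
  LISTDSD DATASET('DB0TD.DSNDBD.**') GENERIC AUTHUSER
  LISTDSD DATASET('DB0TD.DSNDBD.SAMPLEDB.SAMPLETS.I0001.A001') GENERIC
/*
```

In the SYSTSPRT output, check that the universal access is NONE and that every ID on the access list is one you expect. Depending on the SETROPTS ADDCREATOR setting, the ID that issued ADDSD may also appear on the list with ALTER.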
Chapter 8. Security enhancements of DB2 10 for SAP solutions 139