What are the necessary RACF permissions needed for the Sysview MVS monitor DB2 option?


Article ID: 195120


Products

CA Bind Analyzer for DB2 for z/OS
CA SQL-Ease for DB2 for z/OS
CA Sysview Performance Management Option for DB2 for z/OS
CA Plan Analyzer for DB2 for z/OS
CA Subsystem Analyzer for DB2 for z/OS
CA Database Management for DB2 for z/OS - Performance Suite
CA Database Management for DB2 for z/OS - SQL Performance Suite
CA Detector for DB2 for z/OS
CA-Insight Performance Monitor for DB2 UDB for z/OS

Issue/Introduction

What are the necessary RACF permissions needed for the Sysview MVS monitor DB2 option?

Environment

Release : 20.0

Component : CA Insight Database Performance Monitor for DB2 for z/OS

Resolution

The following RACF statements are needed for the Sysview MVS monitor (DB2 option):


RDEFINE APPL DB2TOOLS UACC(NONE) <== define the DB2TOOLS application
SETROPTS CLASSACT(APPL) <== activate the APPL class if currently not active
SETROPTS GENERIC(PTKTDATA) <== specify this command if you want to implement a generic user ID

SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA) <== activate the PassTicket class if currently not active

RDEFINE PTKTDATA DB2TOOLS SSIGNON(KEYMASKED(SSKEY)) <== define the profile for the application and specify an encryption key (KEYMASKED). Replace SSKEY with 16 hex digits of your choosing. Each application key must be the same on all systems in the configuration, and the values must be kept secret.

RDEFINE PTKTDATA IRRPTAUTH.DB2TOOLS.* OWNER(userid) UACC(NONE) <== designate no universal access, so that explicit permissions must be granted to individual users
PERMIT IRRPTAUTH.DB2TOOLS.* ID(userid) CLASS(PTKTDATA) ACCESS(UPDATE) <== grant update access to user id

RALTER PTKTDATA DB2TOOLS APPLDATA('NO REPLAY PROTECTION') <== bypass PassTicket replay protection when the threat of PassTicket replay is not a security concern

PERMIT DB2TOOLS CLASS(APPL) ID(userid) <== permit access to the DB2TOOLS application for each CA SYSVIEW for DB2 component user that is permitted to access the component data from CA SYSVIEW for DB2 using Xnet
--
Also, if the Xnet started task (STC) user ID is not a logon-capable ID, it is recommended to specify NOOPSPTCKT, or to supply a TSO ID that has an associated password and specify it with the parameter OPSPTCKTID(tso id) in the PXNPARM member used by the Xnet task.
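
An added example (not Broadcom's code and not part of the original article): a Python helper that draws the 16-hex-digit KEYMASKED value from a CSPRNG, rejects malformed or sample-style keys, and renders the command sequence listed in the Resolution, with the replay-protection bypass left out unless explicitly requested. The function names, the weak-key heuristics and the user IDs SECADM, XNETSTC, DBA001 and DBA002 are assumptions made for illustration.

```python
import re
import secrets

APPL = "DB2TOOLS"                             # application name from the page
KEY_RE = re.compile(r"[0-9A-F]{16}")          # KEYMASKED value: 16 hex digits
USERID_RE = re.compile(r"[A-Z0-9#$@]{1,8}")   # RACF user ID: 1-8 characters


def new_key() -> str:
    """Return 16 random hex digits (64 bits) from the OS CSPRNG."""
    return secrets.token_hex(8).upper()


def key_problems(key: str) -> list[str]:
    """Return the reasons a candidate KEYMASKED value should be rejected."""
    problems = []
    if not KEY_RE.fullmatch(key):
        problems.append("key must be exactly 16 hex digits (0-9, A-F)")
    # Heuristics chosen for this example, not RACF rules:
    if len(set(key)) <= 2:
        problems.append("key has almost no variety")
    if list(key) == sorted(set(key)):
        problems.append("key is a counting sequence, typical of copied samples")
    return problems


def racf_commands(key, owner, ptkt_user, app_users, allow_replay=False):
    """Render the page's command sequence; raise ValueError on bad input."""
    problems = key_problems(key)
    problems += [f"bad user ID {u!r}" for u in (owner, ptkt_user, *app_users)
                 if not USERID_RE.fullmatch(u)]
    if problems:
        raise ValueError("; ".join(problems))
    cmds = [
        f"RDEFINE APPL {APPL} UACC(NONE)",
        "SETROPTS CLASSACT(APPL)",
        "SETROPTS GENERIC(PTKTDATA)",
        "SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)",
        f"RDEFINE PTKTDATA {APPL} SSIGNON(KEYMASKED({key}))",
        f"RDEFINE PTKTDATA IRRPTAUTH.{APPL}.* OWNER({owner}) UACC(NONE)",
        f"PERMIT IRRPTAUTH.{APPL}.* ID({ptkt_user}) CLASS(PTKTDATA) ACCESS(UPDATE)",
    ]
    if allow_replay:  # off unless replay is explicitly accepted as a non-concern
        cmds.append(f"RALTER PTKTDATA {APPL} APPLDATA('NO REPLAY PROTECTION')")
    cmds += [f"PERMIT {APPL} CLASS(APPL) ID({u})" for u in app_users]
    return cmds


if __name__ == "__main__":
    # Constructed user IDs; print only in a session where the key stays private.
    for line in racf_commands(new_key(), "SECADM", "XNETSTC", ["DBA001", "DBA002"]):
        print(line)
```

Because the same key must be defined on every system in the configuration, generate it once and carry it to the other systems over a protected channel instead of rerunning the generator on each one.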