
How to Integrate RACF Security into IDB2 - SYSVIEW for DB2?


Article ID: 202821



SYSVIEW Performance Management Option for DB2 for z/OS
Database Management for DB2 for z/OS - Performance Suite
Database Management for DB2 for z/OS - SQL Performance Suite
Insight Performance Monitor for DB2 UDB for z/OS
Database Management for DB2 for z/OS - Administration Suite
Database Management for DB2 for z/OS - Recovery Suite
Database Management for DB2 for z/OS - Utilities Suite


The CA/Broadcom security file is used to control what authorities a user has within IDB2. The goal is to switch from a security file that lists each userid and the access permitted to using RACF groups to control access. For example, the Db2 engineering team has SYSADM authority all the time because the userids are listed in the security file. How can access instead be controlled by the RACF group the userids are connected to?


Release : 20.0

Component : CA SYSVIEW Performance Management Option for DB2 for z/OS


Insight works with RACF to establish whether or not a user is authorized to use Insight.

This is accomplished using the NSIGHTEX security exit. When a user connects to Insight, this exit is called. It will establish whether or not the user has basic access to Insight by issuing a RACROUTE call to the client's external security package, in this case, RACF.

The Insight security file is used to validate users to Insight and associate their user id with a profile.

This can be done in one of two ways:

One is to establish a list of userids. If the client's ids follow a pattern, wildcarding can be used to minimize administration.
One or more lists can be specified and each list can be associated with a different profile. It is the profiles that control access to various Insight features. Adding and removing users would involve editing the Insight security file, then using the Insight SECURITY command to refresh the content of the file in the Data Collector memory.

The other is to use groups. Groups can be established in the external security environment, such as RACF. The facilities in RACF can then be used to associate users with these groups. The group entries in the security file are associated with a profile. Wildcarding can be used with this approach as well. Group names can be either the default ones that are defined in the standard security file, or the client's own group names.

The default group names all start with INS, then have a 4th character that usually associates the group name with a profile, like S for SYSADM, D for DBA, and so on. A client would need to establish these groups in the RACF environment in order to be able to use them. If the client does not want to use the default group names, then they would need to modify the NSIGHTEX security exit to use their group names.

This is detailed in Appendix A of the Insight System Guide, under the section entitled 'Use Other Security Group Names', which you can access using this link: Security