Each control statement and keyword is described below:
Dictates the DB2 subsystem and options that CA ACF2 Option for DB2 uses for this execution of the utility. This statement must begin the synchronization.
Identifies the one‑ to four‑character DB2 subsystem ID where synchronization occurs. Specify only one DB2 subsystem ID. To synchronize multiple DB2 subsystems, you must run the utility for each subsystem. This keyword is required.
Specifies the options for this execution of the utility. Separate multiple options with a comma and no intervening spaces. This keyword is optional.
Indicates that all GRANT access privileges for all users in the DB2 catalog are revoked for the specified resources unless the included user has a corresponding CA ACF2 Option for DB2 privilege. This option ensures that the CA ACF2 Option for DB2 catalog synchronization utility starts with a clean catalog for the resources that you specify. By default, REVOKEALL is not specified and current user access privileges for non‑included users are retained in the DB2 catalog.
Specify this option when you want to ensure that authorizations for deleted logonids are removed from the DB2 catalog. Use this option only when you are including for synchronization all users who are authorized in CA ACF2 Option for DB2 for the included resources; otherwise the access of users who are still authorized in CA ACF2 but are not included in the batch is revoked from the DB2 catalog. Do not use this option for an incremental synchronization.
Produces trace reports for each user extracted from the Logonid database and each DB2 resource extracted from the DB2 system. Security validations are also traced. This option can help you determine which logonids were extracted from CA ACF2, check the results of processing INCLUDE and EXCLUDE statements, check the access recorded in the DB2 catalog, and trace the results of security resource validations. This option is useful in a debugging situation. See the trace report for an example of the output that this option can generate.
Specifies that the CA ACF2 Option for DB2 synchronization utility does not use the SECURITY or NON‑CNCL privilege as a basis to grant access to DB2 resources. Without this option, CADB2SY2 grants WITH GRANT OPTION to users with the SECURITY privilege, and grants users with the SECURITY and NON‑CNCL attributes access to all resources.
Honoring the SECURITY and NON‑CNCL privileges is the default, but this results in a large number of GRANT statements to process. In addition, the resulting number of GRANT statements might exceed the original number of statements in the DB2 catalog to such a degree that the catalog runs out of space. To avoid this situation, you can specify the NOPRIVCHECK option so that CADB2SY2 generates GRANT and REVOKE statements based solely on DB2 resource rule validation. This option does not make any permanent changes to the contents of the Logonid database or to DB2 resource rules.
Controls whether CADB2SY2 generates REVOKE statements that cause views to be dropped. If you specify more than one keyword, separate them with a comma and no intervening spaces.
Note: You can specify only one VIEW control statement for each execution of the synchronization utility.
Specifies that CADB2SY2 evaluates the revokes for SYSADM, SYSCTRL, system DBADM, and DBADM administrative authorities to determine whether views are dropped as a result of executing the revoke statement. REVOKEADMIN can significantly increase the run time of the catalog synchronization utility because of the number of catalog queries required to evaluate the view impact of revoking an administrative authority and the effects of cascade revoke in native DB2. If you omit this keyword, the DROP and WARN keywords are ignored for the SYSADM, SYSCTRL, system DBADM, and DBADM administrative authorities (regardless of their impact on views).
Specifies that CADB2SY2 generates REVOKE statements that, when executed by CADB2SY3, drop views from the catalog.
Specifies that CADB2SY2 issues a warning message for each REVOKE statement that could be generated but that, if executed, would drop views.
If you specify both the DROP and WARN keywords, CADB2SY2 issues the warning message, and the views are dropped when CADB2SY3 executes the REVOKE statement.
If you do not specify VIEW ACTION, REVOKEs are not generated if they would cause views to be dropped, and no warning messages are issued to inform you about such potential REVOKEs. Omitting VIEW ACTION behaves as if you had specified VIEW ACTION(NOWARN,NODROP), even though you cannot specify VIEW ACTION this way.
Indicates the keywords that limit the users and DB2 resources that undergo synchronization. These control statements follow the SYNC or GO statement. The CA ACF2 Option for DB2 synchronization utility matches the specified user information with the specified DB2 resource information from the batch to form security resource validation calls. A batch consists of all INCLUDE and EXCLUDE statements preceding a GO statement or end‑of‑file condition.
You can specify one or more INCLUDE or EXCLUDE statements after a SYNC or GO statement. However, an EXCLUDE statement should be preceded by an INCLUDE statement in the same batch; otherwise, CA ACF2 Option for DB2 has no information to exclude. Do not continue an INCLUDE or EXCLUDE statement onto a second line. Instead, use another INCLUDE or EXCLUDE statement to specify additional user or resource information in the batch. You can specify multiple keywords for each INCLUDE or EXCLUDE statement, but only one value for each keyword. Separate multiple keywords with a blank.
You cannot EXCLUDE the PUBLIC ID from CADB2SY2 processing.
To select multiple users or resources with one keyword, use the following masking characters:
Matches any single character when used within a name that also contains other characters. An asterisk by itself matches any number of characters.
Matches any number of characters.
Specifies the one‑ to eight‑character logonid or logonid mask that the CA ACF2 Option for DB2 synchronization utility extracts from the Logonid database to synchronize with the DB2 catalog. If you specify a mask, the utility searches the Logonid database and finds all of the logonids that match the mask. The utility then includes or excludes each logonid from the synchronization batch (depending on the INCLUDE or EXCLUDE statement selected).
Remember: Use the IF or UID methods to include all DB2 users instead of USER(*). While INCLUDE USER(*) synchronizes all DB2 users, it also performs validation checks for all non‑DB2 users for all included DB2 resources. This can significantly increase the amount of time and use of system resources required to run a synchronization.
Specifies the UIDs of logonids that the CA ACF2 Option for DB2 synchronization utility must find in the Logonid database to synchronize with user information in the DB2 catalog. This field is considered a mask and can contain asterisks or a dash as masking characters. Embedded blanks are permitted. Trailing blanks are truncated to the last nonblank character. See the discussions on access and resource rules and the TEST subcommand for information about the format of the UID.
Indicates the logonid bit field that must be present in the matched logonid for the user to be selected. For example, if you specify SECURITY in this field, the CA ACF2 Option for DB2 synchronization utility selects a logonid for synchronization only if the logonid record specifies SECURITY. To select only logonids that do not have a certain bit field turned on, specify NO in front of the field name. For example, specify NOSECURITY to select only users that do not have the SECURITY privilege. You can specify up to eight characters for the field name (ten characters including the NO).
Identifies the buffer pools that the CA ACF2 Option for DB2 synchronization utility synchronizes.
Specifies the collections that the CA ACF2 Option for DB2 synchronization utility synchronizes.
Specifies the databases that the CA ACF2 Option for DB2 synchronization utility synchronizes.
Specifies the functions that the CA ACF2 Option for DB2 synchronization utility synchronizes.
Specifies the JAR files that the CA ACF2 Option for DB2 synchronization utility synchronizes.
Specifies the packages that the CA ACF2 Option for DB2 synchronization utility synchronizes.
Specifies the plans that the CA ACF2 Option for DB2 synchronization utility synchronizes.
Specifies the stored procedures that the CA ACF2 Option for DB2 synchronization utility synchronizes.
Specifies the schemas that the CA ACF2 Option for DB2 synchronization utility synchronizes.
Specifies the sequences that the CA ACF2 Option for DB2 synchronization utility synchronizes.
Specifies the storage groups that the CA ACF2 Option for DB2 synchronization utility synchronizes.
Specifies the system privileges and utilities that the CA ACF2 Option for DB2 synchronization utility synchronizes. For a list of DB2 system privileges and utilities that you can specify, see the What Are DB2 Privileges and Authorities section in the “Understanding DB2” chapter. You can use the DB2 (that is, IBM) system privilege or utility or the CA ACF2 Option for DB2 shortened name to specify this keyword.
Specifies the tables that the CA ACF2 Option for DB2 synchronization utility synchronizes.
Specifies the table spaces that the CA ACF2 Option for DB2 synchronization utility synchronizes.
Specifies the distinct types that the CA ACF2 Option for DB2 synchronization utility synchronizes.
Indicates the end of a batch of INCLUDE and EXCLUDE statements. This statement is required for every batch except the final one. If no GO statement is found at the end of the last batch, the end‑of‑file condition is interpreted as a GO.
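The batching, ordering and masking rules described above, worked through as an added example that is not part of the CA documentation and is not the utility's own code: a Python checker that splits a constructed control deck into batches (ending at GO or at end of file), flags the misuses this page warns about (INCLUDE/EXCLUDE before SYNC, EXCLUDE before any INCLUDE in a batch, excluding PUBLIC, more than one value per keyword, more than one VIEW statement, a line that does not start a statement), and shows which logonids a USER() mask selects under the asterisk and dash rules. Only statement and keyword names that appear on this page (SYNC, VIEW ACTION, INCLUDE, EXCLUDE, USER, GO) are used; the SUBSYS keyword on the SYNC line is a placeholder assumption rather than the documented keyword name, UID and IF selection are not modelled, the logonid list is constructed, and the mask translation follows the rules exactly as stated here rather than the full ACF2 masking specification.

```python
import re
from dataclasses import dataclass, field

# Matches KEYWORD(value) pairs on a statement line.
KEYWORD = re.compile(r"([A-Z]+)\(([^)]*)\)")

# Constructed logonid list (not real data) used to show what masks select.
LOGONIDS = ["DBA01", "DBA02", "DBAXX1", "APPUSR1", "APPUSR22", "PUBLIC", "SECADM"]


def mask_to_regex(mask: str) -> str:
    """Translate a logonid mask using the rules stated on this page: an
    asterisk by itself matches any number of characters, an asterisk inside a
    name matches exactly one character, and a dash matches any number of
    characters. This is NOT the complete ACF2 masking specification."""
    if mask == "*":
        return ".*"
    return "".join("." if c == "*" else ".*" if c == "-" else re.escape(c) for c in mask)


def mask_matches(mask: str, logonid: str) -> bool:
    return re.fullmatch(mask_to_regex(mask.upper()), logonid.upper()) is not None


@dataclass
class Batch:
    statements: list = field(default_factory=list)  # (INCLUDE|EXCLUDE, {keyword: value})
    problems: list = field(default_factory=list)

    def selected_users(self, logonids):
        """Apply USER() masks in statement order: an EXCLUDE only removes
        logonids that an earlier INCLUDE in the same batch already selected,
        so an EXCLUDE placed before any INCLUDE removes nothing."""
        chosen = set()
        for kind, kws in self.statements:
            if "USER" not in kws:
                continue
            hits = {u for u in logonids if mask_matches(kws["USER"], u)}
            chosen = chosen | hits if kind == "INCLUDE" else chosen - hits
        return sorted(chosen)


def parse_deck(text: str):
    """Return (sync keywords, VIEW statements, batches, deck-level problems)."""
    sync, views, batches, problems, current = None, [], [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        stmt, _, rest = line.partition(" ")
        stmt = stmt.upper()
        kws = {k: v.strip() for k, v in KEYWORD.findall(rest.upper())}
        if stmt == "SYNC":
            if sync is not None or current is not None:
                problems.append(f"line {lineno}: SYNC must be the first statement")
            sync, current = kws, Batch()
        elif stmt == "VIEW":
            views.append(kws)
            if len(views) > 1:
                problems.append(f"line {lineno}: only one VIEW statement per execution")
        elif stmt in ("INCLUDE", "EXCLUDE"):
            if current is None:
                problems.append(f"line {lineno}: {stmt} must follow SYNC or GO")
                current = Batch()
            for k, v in kws.items():
                if "," in v:
                    current.problems.append(f"line {lineno}: {k}({v}) gives more than one value")
            if stmt == "EXCLUDE":
                if not any(kind == "INCLUDE" for kind, _ in current.statements):
                    current.problems.append(f"line {lineno}: EXCLUDE before any INCLUDE finds nothing to exclude")
                if kws.get("USER") == "PUBLIC":
                    current.problems.append(f"line {lineno}: PUBLIC cannot be excluded")
            current.statements.append((stmt, kws))
        elif stmt == "GO":
            if current is None:
                problems.append(f"line {lineno}: GO before SYNC")
            else:
                batches.append(current)
            current = Batch()
        else:
            problems.append(f"line {lineno}: not a statement (continuation lines are not allowed): {raw!r}")
    if current is not None and current.statements:  # end of file acts as GO
        batches.append(current)
    if sync is None:
        problems.append("deck does not begin with a SYNC statement")
    return sync, views, batches, problems


# Constructed deck. SUBSYS is a placeholder keyword name (assumption), not CA's syntax.
SAMPLE_DECK = """\
SYNC SUBSYS(DSN1)
VIEW ACTION(WARN)
INCLUDE USER(DBA**)
EXCLUDE USER(DBA02)
GO
INCLUDE USER(APPUSR-)
EXCLUDE USER(PUBLIC)
GO
EXCLUDE USER(SECADM)
INCLUDE USER(*)
"""

if __name__ == "__main__":
    sync, views, batches, problems = parse_deck(SAMPLE_DECK)
    print("SYNC:", sync, "VIEW:", views, "deck problems:", problems)
    for n, b in enumerate(batches, 1):
        print(f"batch {n}: users={b.selected_users(LOGONIDS)} problems={b.problems}")
```

Running the script shows why the single-character asterisk matters: `USER(DBA**)` selects DBA01 and DBA02 but not the six-character DBAXX1, whereas `USER(DBA-)` would select all three. The third batch also shows that `EXCLUDE USER(SECADM)` placed before `INCLUDE USER(*)` is flagged and removes nothing, so every logonid, SECADM included, ends up selected.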
Copyright © 2011 CA Technologies.
All rights reserved.