DBZ Endpoint

The DBZ endpoint registers a Windows System ODBC Data Source Name (DSN) for the database and saves the necessary information to establish a connection and execute SQL statements with the database.

Acquire a DBZ Database Using the User Console

You must acquire the DB2 z/OS database before you can administer it with CA Identity Manager.

To acquire a DBZ database using the User Console

  1. Select Endpoints, Manage Endpoints, Create Endpoint.
  2. On the Create a new endpoint page, select DB2 ZOS Server from the Endpoint Type drop-down list box, and click OK.

    Use the Create DB2 ZOS Endpoint page to register a DB2 ZOS database. During the registration process, CA Identity Manager identifies the DBZ database and gathers information about it.

  3. After entering the required information, click Submit.

    You are now ready to explore and correlate the endpoint.

  4. Click Endpoints, Explore and Correlate Definitions, Create Explore and Correlate Definition to explore the objects that exist on the endpoint.

    The Exploration process finds all DBZ accounts and groups. You can correlate the accounts with global users at this time or you can correlate them later.

  5. Click OK to start a new definition.
  6. Complete the Explore and Correlate Tab as follows:
    1. Fill in Explore and Correlate name with any meaningful name.

      Click Select Container/Endpoint/Explore Method to select a DBZ endpoint to explore.

    2. Select the Explore/Correlate Actions to perform:
      • Explore directory for managed objects—Finds objects that are stored on the endpoint and not in the provisioning directory.
      • Correlate accounts to users—Correlates the objects that were found in the explore function with users in the provisioning directory. If the user is found, the object is correlated with that user. You can instead choose to assign the account to the existing default user, or to create the user.
      • Update user fields—If a mapping exists between the object fields and the user fields, the user fields are updated with data from the object fields.
  7. Complete the Recurrence tab if you want to schedule when the task executes.
    1. Click Schedule.
    2. Complete the fields to determine when this task should execute.

      You may prefer to schedule the task to execute overnight to interfere less with routine access of the system.

    Note: This operation requires the client browser to be in the same time zone as the server. For example, if the client time is 10:00 PM on Tuesday when the server time is 7:00 AM, the Explore and Correlate definition will not work.

  8. Click Submit.

To use an explore and correlate definition

  1. In a CA Identity Manager environment, click Endpoints, Execute Explore and Correlate.
  2. Click an explore and correlate definition to execute.
  3. Click Submit.

    The user accounts that exist on the endpoint are created or updated in CA Identity Manager based on the explore and correlate definition you created.

Acquire a DBZ Database Using the Provisioning Manager

To acquire a DBZ database, you must do the following:

From the Endpoint Type task view

  1. Register the database as an endpoint in CA Identity Manager.

    Use the DBZ Endpoint property sheet to register a DB2 z/OS database. During the registration process, CA Identity Manager identifies the DBZ database you want to administer and gathers information about it.

  2. Explore the objects that exist on the endpoint.

    After registering the database in CA Identity Manager, you can explore its contents. Use the Explore and Correlate Endpoint dialog. The Exploration process finds all DBZ database authorization names that exist in the database authorization tables. You can correlate the authorization names of the User type (DBZ Users) with global users at this time, or you can wait to correlate them.

  3. Correlate the explored DBZ users with global users.

    When you correlate DBZ users, CA Identity Manager creates or links the DBZ users on the endpoint to global users, as follows:

    1. CA Identity Manager attempts to match the DBZ user name with each existing global user name. If a match is found, CA Identity Manager associates the DBZ user name with the global user. If a match is not found, CA Identity Manager performs the following step.
    2. If the Create Global Users as Needed button is checked, CA Identity Manager creates a new global user and then associates the DBZ account with the global user. If the Create Global Users as Needed button is unchecked, CA Identity Manager performs the next step.
    3. CA Identity Manager associates the DBZ user with the [default user] object.

Acquire or Remove a New Endpoint

When the DBZ connector receives an 'Add new endpoint' or 'Remove an endpoint' request, the following steps are taken:

On the machine running the C++ Connector Server

  1. Catalog or un-catalog a database entry for a database within the DBZ instance.
  2. Register or un-register an ODBC system data source.
DBZ Account Templates

The DBZ Default Policy, provided with your connector, gives a user the minimum security level needed to access an endpoint. You can use it as a model to create new account templates.

Synchronize an Account from an Account Template

There are several rules for account synchronization from an account template in the DBZ Connector.

During the account synchronization process

  1. When there are multiple account templates associated with a DBZ account, the DBZ Connector merges those account templates to generate an intermediate effective account template. During the merge, if there are conflicting settings with the same authority, database privilege, or object privilege among the different account templates, the DBZ Connector selects the setting with the highest restriction.

    For example, if Account Template One grants DBADM and Account Template Two does not, the effective account template does not grant DBADM. Another example: If Account Template One grants CONTROL and SELECT with GRANT option on view SYSCAT.ATTRIBUTES, but Account Template Two revokes CONTROL from and grants SELECT on view SYSCAT.ATTRIBUTES, the effective account template grants only SELECT on view SYSCAT.ATTRIBUTES and revokes CONTROL from SYSCAT.ATTRIBUTES.

  2. If one of the merged account templates is set to use strong synchronization, the DBZ Connector applies the effective account template to the account using strong synchronization. If not, the effective account template uses weak synchronization.
  3. For strong synchronization, the DBZ Connector replaces the account's authorities and privilege settings with those of the effective account template.
  4. For weak synchronization, if there is a difference between the account settings and the effective account template, the DBZ Connector uses the setting that has the higher restriction.

    For example, if an account is granted DBADM, and the effective account template does not grant DBADM, the account will not be granted DBADM. If an account is not granted DBADM and the effective account template grants DBADM, the account will still not be granted DBADM.

    Another example: If an account is granted CONTROL and SELECT with GRANT option on view SYSCAT.ATTRIBUTES, but the effective account template revokes CONTROL from and grants SELECT on view SYSCAT.ATTRIBUTES, the account is granted only SELECT on view SYSCAT.ATTRIBUTES and CONTROL is revoked from SYSCAT.ATTRIBUTES.

When checking account or account template synchronization, the same process of generating the effective account template applies, as do the rules of comparison. If synchronizing the account settings with the effective account template would not change the account's authority and privilege settings, the DBZ Connector considers the account synchronized with its associated account templates.
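As an added illustration that is not part of this page or CA's code, the following Python models the merge rule (highest restriction wins), the strong and weak synchronization rules, and the synchronization check described above, using the DBADM and SYSCAT.ATTRIBUTES examples from the text as constructed data; the Level ordering and the Template class are assumptions made for the model, not the product's data model.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    """One authority or object privilege; a lower value is the higher restriction."""
    REVOKED = 0             # not held, or explicitly revoked
    GRANTED = 1             # held
    GRANTED_WITH_GRANT = 2  # held WITH GRANT OPTION

@dataclass
class Template:
    """Model of an account template (assumed shape, not the product's data model)."""
    privileges: dict        # e.g. {"DBADM": Level.GRANTED, "SELECT ON SYSCAT.ATTRIBUTES": ...}
    strong_sync: bool = False

def merge_templates(templates):
    """Effective template: for each privilege any template names, keep the most
    restrictive (lowest) level among the templates that mention it."""
    effective = {}
    for tpl in templates:
        for priv, level in tpl.privileges.items():
            effective[priv] = min(effective.get(priv, level), level)
    return effective

def synchronize(account, templates):
    """Return the account's settings after applying the merged templates."""
    effective = merge_templates(templates)
    if any(t.strong_sync for t in templates):
        return dict(effective)          # strong: settings replaced wholesale
    result = dict(account)              # weak: where they differ, higher restriction wins
    for priv, level in effective.items():
        result[priv] = min(account.get(priv, Level.REVOKED), level)
    return result

def is_synchronized(account, templates):
    """Synchronization check: the account is in sync if applying changes nothing."""
    return synchronize(account, templates) == account

# Constructed data reproducing the examples in the text above.
ATTRS = "SYSCAT.ATTRIBUTES"
TEMPLATE_ONE = Template({"DBADM": Level.GRANTED, f"CONTROL ON {ATTRS}": Level.GRANTED,
                         f"SELECT ON {ATTRS}": Level.GRANTED_WITH_GRANT})
TEMPLATE_TWO = Template({"DBADM": Level.REVOKED, f"CONTROL ON {ATTRS}": Level.REVOKED,
                         f"SELECT ON {ATTRS}": Level.GRANTED})
ACCOUNT = {"DBADM": Level.GRANTED, f"CONTROL ON {ATTRS}": Level.GRANTED,
           f"SELECT ON {ATTRS}": Level.GRANTED_WITH_GRANT}
if __name__ == "__main__":
    for priv, lvl in synchronize(ACCOUNT, [TEMPLATE_ONE, TEMPLATE_TWO]).items():
        print(f"{priv}: {lvl.name}")   # DBADM and CONTROL revoked, SELECT granted without GRANT OPTION
    print("in sync:", is_synchronized(ACCOUNT, [TEMPLATE_ONE, TEMPLATE_TWO]))  # False
```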

DBZ Accounts

The DBZ Account represents the authentication and privileges of the DBZ users of the DBZ instance and database on a z/OS mainframe.

The DBZ Connector does not manage user accounts and groups of the operating system. The DB2 Users that are managed by the DB2 z/OS Connector are the user identifiers, authorizations, and privileges that exist in the DB2 authorization and privileges tables.

Create DBZ Accounts

CA Identity Manager lets you manage accounts from the Endpoint Type task view. Use the DBZ User property sheet when managing your accounts.

To create DBZ Accounts

  1. Click the Endpoint Type task button and select DBZ Endpoint from the drop-down list box.
  2. Search for the endpoint on which you want to create an account.
  3. Right-click on the endpoint in the list view and choose Content from the pop-up menu.
  4. Select Accounts in the Container Tree box and click New.

    The DBZ User Property Sheet appears.

  5. Complete the DBZ User Property Sheet and click OK.

    A new DBZ account is now created.

DBZ User Property Sheet

The DBZ User Property Sheet consists of 16 property pages with the following 14 pages specific to the DBZ Connector that show specific authorization and property information: