CA Top Secret Option for DB2 processes the INCLUDE and EXCLUDE statements in batches. A batch begins with an INCLUDE or EXCLUDE statement and ends with a GO statement or end‑of‑file condition. A subsequent INCLUDE or EXCLUDE statement begins a new batch; your input file can contain multiple batches.
For each batch, CA Top Secret Option for DB2 processes the INCLUDE and EXCLUDE statements to determine which user and DB2 resource information to extract from the Security File and DB2 catalog, respectively. CA Top Secret Option for DB2 extracts ACIDs that match the criteria specified in the USER, DIVISION, DEPARTMENT, FACILITY, or PROFILE keywords. If you mask the USER, DIVISION, DEPARTMENT, FACILITY, or PROFILE keywords, CA Top Secret Option for DB2 searches the entire Security File to extract the users that match the mask. Then, CA Top Secret Option for DB2 extracts the DB2 resources from DB2 tables.
The DB2 resources must match the criteria specified by the resource keywords to be extracted:

| Resource Keyword | DB2 Resource |
|---|---|
| BPL | Buffer pools |
| COL | Collections |
| DBS | Databases |
| FNC | Functions |
| JAR | JAR Files |
| PKG | Packages |
| PLN | Plans |
| PRC | Stored procedures |
| SCH | Schemas |
| SEQ | Sequences |
| STG | Storage groups |
| SYS | System privileges and utilities |
| TBL | Tables and views |
| TSP | Table spaces |
| TYP | Distinct Types |

For example, to synchronize all table resources, for all users, specify the following INCLUDE statement:
INCLUDE USER(*) TBL(*)
This example selects all users in the Security File and all tables in the DB2 catalog. As a result, the utility makes a resource validation call for each table, for each user. Including all users significantly increases the amount of system resources and time required for the synchronization. It is strongly recommended that you only include DB2 users to conserve time and resources.
For example, if all DB2 users for the production DB2 system have the facility DB2PROD, you can replace the previously mentioned INCLUDE statement with:
INCLUDE FACILITY(DB2PROD) TBL(*)
To further narrow the synchronization, you can synchronize a subset of the table resources. For example, synchronize only the PAYROLL tables by entering:
INCLUDE FACILITY(DB2PROD) TBL(PAYROLL.*)
Because CA Top Secret Option for DB2 processes the statements sequentially, the order of the INCLUDE and EXCLUDE statements is very important. An INCLUDE statement placed before an EXCLUDE statement generates very different results from the same INCLUDE placed after the EXCLUDE. In the list of ACIDs and resource names generated by an INCLUDE statement, the utility marks the entries that are specified in any of the following EXCLUDE statements as excluded. The utility uses the remaining entries to perform resource validation calls. To illustrate the importance of statement order, consider the following example:
EXCLUDE USER(WALBE02)
INCLUDE USER(WAL*)
EXCLUDE USER(WALRA*)
INCLUDE USER(WALRA03)
The first EXCLUDE statement does not work as intended: WALBE02 has not been included yet, so it cannot be excluded. The first INCLUDE statement generates an internal table that lists all ACIDs that begin with WAL. The subsequent EXCLUDE statement marks all ACIDs in this table that begin with WALRA. The marked ACIDs are excluded from the batch to be synchronized. However, the second INCLUDE statement causes the utility to return to the table and remove the mark that excludes WALRA03 from the synchronization.
Therefore, the Catalog Synchronization Utility performs resource validation calls on the following:
To perform resource validation calls, the utility correlates each ACID with a DB2 resource name. The call determines whether the ACID has access to that resource, and which DB2 privileges are assigned to that ACID for that resource. This information is used to create GRANT and REVOKE statements, as described in the next section.
Each batch of INCLUDE and EXCLUDE statements is processed independently. The ACIDs and resource names that are validated for one batch do not affect the processing of a subsequent batch.
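The ordering and batch rules described above, modeled as an added example (it is not CA code and not part of the original documentation). It handles only the USER keyword, assumes `*` matches any run of characters, uses a constructed ACID list in place of the Security File, and its function names are hypothetical; it also reports EXCLUDE statements that marked nothing, which is the case the first statement of the sample illustrates.

```python
import re

# Constructed ACIDs standing in for the Security File (not real data).
SECURITY_FILE = ["SMIJO01", "WALBE02", "WALRA01", "WALRA03", "WALTO05"]

def mask_matches(mask, acid):
    # Assumption: '*' matches any run of characters; everything else is literal.
    pattern = ".*".join(re.escape(part) for part in mask.split("*"))
    return re.fullmatch(pattern, acid) is not None

def parse_batches(text):
    """Split input into batches; GO or end-of-file closes the current batch."""
    batches = [[]]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "GO":
            batches.append([])
            continue
        m = re.fullmatch(r"(INCLUDE|EXCLUDE)\s+USER\(([^()]+)\)", line)
        if m is None:
            raise ValueError(f"unsupported statement: {line!r}")
        batches[-1].append((m.group(1), m.group(2)))
    return [batch for batch in batches if batch]

def resolve_batch(statements, acids=SECURITY_FILE):
    """Return (ACIDs left for validation, EXCLUDE masks that marked nothing)."""
    table, no_effect = {}, []          # table maps ACID -> excluded mark
    for verb, mask in statements:
        hits = [a for a in acids if mask_matches(mask, a)]
        if verb == "INCLUDE":
            for acid in hits:
                table[acid] = False    # add the entry, or clear an earlier mark
        else:
            marked = [a for a in hits if a in table]
            for acid in marked:
                table[acid] = True     # only entries already listed can be marked
            if not marked:
                no_effect.append(mask)
    return sorted(a for a, excluded in table.items() if not excluded), no_effect

# Batch 1 is the page's example; batch 2 places the EXCLUDE after the INCLUDE.
SAMPLE = "\n".join([
    "EXCLUDE USER(WALBE02)", "INCLUDE USER(WAL*)", "EXCLUDE USER(WALRA*)",
    "INCLUDE USER(WALRA03)", "GO", "INCLUDE USER(WAL*)", "EXCLUDE USER(WALBE02)"])

if __name__ == "__main__":
    for number, batch in enumerate(parse_batches(SAMPLE), 1):
        print(number, *resolve_batch(batch))
```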
The CADB2SCP trace reports list the ACIDs or resources that are included or excluded for a particular synchronization batch. For more information about these reports, see the “Using the Catalog Synchronization Utility Reports” section.
Copyright © 2011 CA Technologies. All rights reserved.