

Creating GRANT and REVOKE Statements

The synchronization process correlates the included users' authorizations in the DB2 catalog with the users' authorizations in CA Top Secret Option for DB2 for the included resources. REVOKE statements are generated for included users for privileges they hold in the DB2 catalog, but not in CA Top Secret Option for DB2, for the included resources. Similarly, GRANT statements are generated for included users for privileges they hold in CA Top Secret Option for DB2, but not in the DB2 catalog, for included resources. If the included user holds the same privilege in both the DB2 catalog and in CA Top Secret Option for DB2, nothing is generated.

The optional CADB2SED trace report shows the privileges the included users hold in the DB2 catalog for included resources. The optional CADB2SUA trace report shows the privileges the included users hold in CA Top Secret Option for DB2 for the included resources.

When multiple privileges are revoked from a user for the same resource, only one REVOKE statement is generated. Similarly, only one GRANT statement is generated when multiple privileges are granted to a user for the same resource. The generated REVOKE statements are written to the REVOKE file and the CADB2SGS report. The generated GRANT statements are written to the GRANT file and the CADB2SGS report.

To remove superfluous authorizations from the DB2 catalog, such as those for users who no longer exist, specify the OPTIONS(REVOKEALL) statement. The synchronization process then generates REVOKE statements for privileges held in the DB2 catalog by non‑included users for included resources, without regard for what those users hold in CA Top Secret Option for DB2. The CADB2SED optional trace report shows these privileges. The CADB2SGS report shows the generated REVOKE statements that are written to the REVOKE file.

An ACID with the NORESCHK attribute has access to all DB2 resources, so synchronizing it creates a large number of GRANT statements. The large volume of statements can be difficult to process. If you do not want CA Top Secret Option for DB2 to create GRANT statements based on this attribute, specify the NOPRIVCHECK option in the SYNC control statement. GRANT statements are then generated based only on the ACID's explicit resource authorizations.

The Catalog Synchronization Utility does not alter ownership information in the DB2 catalog in any way. CA Top Secret Option for DB2 does, however, note when a user is an owner so that the GRANT statements it generates for owners include WITH GRANT OPTION.
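The correlation described above (catalog-only privileges become one REVOKE per user and resource, option-only privileges become one GRANT, matching privileges produce nothing, OPTIONS(REVOKEALL) also revokes catalog privileges of non-included users on included resources, and owners receive WITH GRANT OPTION) is shown here as an added Python model. It is illustrative code written for this page, not part of CA Top Secret Option for DB2 or the Catalog Synchronization Utility. The two authorization maps, the user and resource names, the owner set and the statement text layout are constructed for the example; the real utility reads these from the DB2 catalog and the CA Top Secret Option for DB2 database and prefixes each output file with an internal control statement that is not modelled here.

```python
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# (user, resource) -> privileges held. Resources are written in the
# "TABLE creator.name" form so they drop straight into GRANT/REVOKE text.
AuthMap = Dict[Tuple[str, str], Set[str]]


def _stmt(verb: str, privs: Iterable[str], resource: str, user: str,
          grant_option: bool = False) -> str:
    """One statement covering every listed privilege for this user/resource pair."""
    prep = "TO" if verb == "GRANT" else "FROM"
    text = f"{verb} {', '.join(sorted(privs))} ON {resource} {prep} {user}"
    if grant_option:
        text += " WITH GRANT OPTION"
    return text + ";"


def synchronize(catalog: AuthMap, tss: AuthMap,
                included_users: Set[str], included_resources: Set[str],
                owners: FrozenSet[Tuple[str, str]] = frozenset(),
                revokeall: bool = False) -> Tuple[List[str], List[str]]:
    """Return (grant_statements, revoke_statements) for the included scope."""
    grants: List[str] = []
    revokes: List[str] = []
    for user in sorted(included_users):
        for resource in sorted(included_resources):
            in_catalog = catalog.get((user, resource), set())
            in_tss = tss.get((user, resource), set())
            # Held in the catalog but not in the option: one REVOKE for all of them.
            if in_catalog - in_tss:
                revokes.append(_stmt("REVOKE", in_catalog - in_tss, resource, user))
            # Held in the option but not in the catalog: one GRANT for all of them.
            if in_tss - in_catalog:
                grants.append(_stmt("GRANT", in_tss - in_catalog, resource, user,
                                    grant_option=(user, resource) in owners))
            # Privileges present on both sides generate nothing.
    if revokeall:
        # Non-included users keep nothing on included resources, whatever the
        # option says about them (covers users that no longer exist).
        for (user, resource), privs in sorted(catalog.items()):
            if resource in included_resources and user not in included_users and privs:
                revokes.append(_stmt("REVOKE", privs, resource, user))
    return grants, revokes


# Constructed sample data (hypothetical users, tables and privileges).
CATALOG: AuthMap = {
    ("USER1", "TABLE SYSADM.EMP"): {"SELECT", "INSERT", "DELETE"},
    ("USER2", "TABLE SYSADM.DEPT"): {"SELECT"},
    ("OLDUSER", "TABLE SYSADM.EMP"): {"SELECT", "UPDATE"},   # user gone from the option
    ("USER1", "TABLE SYSADM.PAYROLL"): {"SELECT"},           # resource not included
}
TSS: AuthMap = {
    ("USER1", "TABLE SYSADM.EMP"): {"SELECT", "INSERT", "UPDATE"},
    ("USER2", "TABLE SYSADM.DEPT"): {"SELECT"},
    ("USER2", "TABLE SYSADM.EMP"): {"SELECT"},
}
INCLUDED_USERS = {"USER1", "USER2"}
INCLUDED_RESOURCES = {"TABLE SYSADM.EMP", "TABLE SYSADM.DEPT"}
OWNERS = frozenset({("USER2", "TABLE SYSADM.EMP")})


def sample_run(revokeall: bool = False) -> Tuple[List[str], List[str]]:
    return synchronize(CATALOG, TSS, INCLUDED_USERS, INCLUDED_RESOURCES,
                       OWNERS, revokeall=revokeall)


if __name__ == "__main__":
    for label, flag in (("default", False), ("OPTIONS(REVOKEALL)", True)):
        grants, revokes = sample_run(flag)
        print(f"--- {label}: GRANT file ---")
        print("\n".join(grants))
        print(f"--- {label}: REVOKE file ---")
        print("\n".join(revokes))
```

Run as a script it prints the two files for both modes. USER1 loses DELETE and gains UPDATE on SYSADM.EMP in single statements, USER2's identical SELECT on SYSADM.DEPT produces nothing, USER2's owner-only SELECT on SYSADM.EMP carries WITH GRANT OPTION, USER1's privilege on the non-included PAYROLL table is ignored, and OLDUSER's catalog privileges are revoked only under REVOKEALL. Review the resulting text before handing it to the execution step, exactly as the page recommends for the real GRANT and REVOKE files.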

CADB2SY3 - Invokes DB2 to Perform SQL Statements

CADB2SY3 invokes DB2 to execute the SQL statements in the GRANT and REVOKE files produced by CADB2SY2. Before executing CADB2SY3, you can verify and optionally change the SQL statements. The first statement in each file is an internal control statement that CADB2SY2 generates for CADB2SY3; it must not be modified.