Familiarizing Yourself With A Selective Synchronization

Using the Catalog Synchronization Utility › Implementation Considerations › Familiarizing Yourself With A Selective Synchronization

Familiarizing Yourself With A Selective Synchronization

To familiarize yourself with a selective synchronization, you must:

Understand the basic approach to this process.
Determine the best way to INCLUDE users.

Basic Process

An effective way to understand a selective synchronization is to run the TSDB2SY2 program. This program processes all of the selection options and control statements, correlates the authorizations between CA Top Secret Option for DB2 and the DB2 catalog, and generates the REVOKE and GRANT statements. It will provide a clearer understanding of what this process is about.

Note: We recommend that you refrain from using the TSDB2SY3 program, which processes the generated REVOKE and GRANT statements, until you have a better understanding of the synchronization process.

The following steps outline information you must be aware of before performing a selective synchronization.

Always run with OPTIONS(TRACE) when testing. This option will produce the optional trace reports that are necessary to gain an understanding of the utility.
INCLUDE/EXCLUDE specific users. For the initial testing, keep the user specifications simple and to the point. That is, use the USER keyword without masking characters.
Note: The use of PROFILE, FACILITY, DEPARTMENT, DIVISION keywords, or masking using the USER keyword, requires the utility to build an internal list of all users and their attributes. It might take several minutes to generate this list. You might want to avoid this overhead during your initial testing.
INCLUDE/EXCLUDE specific resources or use masking to limit the number of resources that get synchronized.
Review the reports to become familiar with the synchronization process. In particular, review the following reports:

Report	Description
CADB2SCP	Indicates which users and resources are being synchronized.
CADB2SED	Indicates the current authorizations the included users have for the included resources in the DB2 catalog. If OPTIONS(REVOKEALL) is specified, it will indicate the current authorizations for all users belonging to all of the included resources.
CADB2SUA	Indicates what authorizations the included users have for the included resources in CA Top Secret Option for DB2.
CADB2SGS	Indicates the REVOKE and GRANT statements that were generated.

The Best Method for Including Users

Now that you have a basic understanding of how the selective synchronization process works, the next step is to determine the best ways to identify the users in your environment that must be synchronized. Here are a couple suggestions:

Determine which users must be synchronized.
Note: The Security File contains all users, some of which are not DB2 users. Including non‑DB2 users can significantly increase the amount of time and system resources required for the synchronization.
INCLUDE/EXCLUDE users using PROFILE, FACILITY, DEPARTMENT, DIVISION, and USER keywords. Your best keyword selection is PROFILE or FACILITY. You might use masking where applicable.