

How Does CA Top Secret Option for DB2 Affect Synchronization?

Recovery File

The CA Top Secret Recovery File is used to identify new and deleted users and changes made to DB2 authorizations in the Security File.

If your Recovery File wraps between incremental synchronization runs, you must ensure that you execute TSSRECVR prior to the file wrapping to avoid losing changes. You can concatenate the output from multiple runs of TSSRECVR as input to TSDB2SY1.

Facility Security

To determine the authorization a user has in CA Top Secret Option for DB2, the Catalog Synchronization Utility internally signs on each included user and performs a resource authorization check for each included DB2 resource. This process involves two CA Top Secret facilities. The first facility is used for sign on verification. By default, this is the BATCH facility. This is used for the internal signons performed by the Catalog Synchronization Utility. The second facility is used for DB2 resource authorization checks. This is the facility associated with the DB2 subsystem name. This association is defined by the DB2FAC control option.

The sign on process requires that each included user be authorized for the BATCH facility. If this is a problem in your environment, you can override the default facility of BATCH with a different facility of your choice. This is accomplished through the use of the MASTFAC attribute for the ACID running the Catalog Synchronization Utility.

You might override BATCH with the facility that is associated with the DB2 subsystem being synchronized. For example, if you are synchronizing the DB2 subsystem DB2P, which is associated with the DB2PROD facility, and you created an ACID called DB2SYNC for running the Catalog Synchronization Utility, execute the following TSS command:

TSS ADD(DB2SYNC) MASTFAC(DB2PROD)

Note: We suggest that you create a special ACID for running the Catalog Synchronization Utility. If you are using the facility associated with the DB2 subsystem that is being synchronized, define a separate ACID for each DB2 facility. Otherwise, you might have to remove or add the MASTFAC attribute for the ACID running the utility, each time the utility is run.

The DB2PROD facility is then added to each user whose authorizations you want synchronized between CA Top Secret Option for DB2 and the DB2 catalog. In this example, you are using the facility that was associated with the DB2 subsystem being synchronized. Therefore, you might have already added the DB2PROD facility to the appropriate users. If you have profiles that only contain DB2 permissions for the DB2P subsystem, you can add the DB2PROD facility to those profiles. Otherwise, you can add it to the individual user ACIDs.

Note: If you restrict your DB2 permits by DB2 facility, do not add this to the ALL record.
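The following command sequence is an added example, not taken from the CA documentation, that carries the DB2PROD approach above through end to end: it creates the DB2SYNC ACID, points its signons at DB2PROD with MASTFAC, and then grants the DB2PROD facility once to a profile holding DB2P-only permissions and once directly to a user ACID. DB2SYNC, DB2PROD, DB2P, and MASTFAC come from the page; the department DB2ADM, the profile name DB2PPROF, the user ACID USER01, the password value and its change interval, and the use of `*` for comment lines in the batch command stream are assumptions.

```tss
* Assumed: DEPT(DB2ADM), the password value and interval are placeholders.
* Create a dedicated ACID for running the Catalog Synchronization Utility.
TSS CREATE(DB2SYNC) TYPE(USER) NAME('DB2 CATALOG SYNC') DEPT(DB2ADM) PASSWORD(XXXXXXXX,30)

* Validate the utility's internal signons against the DB2P facility
* (DB2PROD) instead of the default BATCH facility.
TSS ADD(DB2SYNC) MASTFAC(DB2PROD)

* Assumed: DB2PPROF holds only DB2 permissions for DB2P, so the facility
* can be granted once at the profile level ...
TSS ADD(DB2PPROF) FACILITY(DB2PROD)

* ... while a user outside that profile gets it on the individual ACID.
TSS ADD(USER01) FACILITY(DB2PROD)

* Check the result: MASTFAC on the utility ACID, FACILITY on the users.
TSS LIST(DB2SYNC) DATA(BASIC)
TSS LIST(USER01) DATA(BASIC)
```

Because the facility is granted to DB2PPROF and USER01 rather than to the ALL record, users who are not meant to be synchronized for DB2P are not picked up by the utility's signon, which is the restriction the note above asks you to preserve.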

You might also define a dummy facility for signon use by the Catalog Synchronization Utility. First, you must find an unused user facility and rename it. Next, add the facility to the user running the utility.

For example, if you want to create a dummy facility called SYNCDB2, using USER4 as the user facility and DB2SYNC as the user running the utility, execute the following TSS commands:

TSS MODIFY(FACILITY(USER4=NAME=SYNCDB2))
TSS ADD(DB2SYNC) MASTFAC(SYNCDB2)

Predefined Security

CA Top Secret Option for DB2 lets you define security for DB2 resources before those resources are created in DB2. This enables you to set up your security environment before implementing a new system.

The first incremental synchronization you run once your new system is defined, attempts to synchronize the DB2 resources that you had defined or changed authorizations for in CA Top Secret Option for DB2. The CADB2SCP report lists those resources that do not exist in the DB2 catalog as exceptions. Once the resources are created in the DB2 catalog, the next incremental synchronization you run includes them for synchronization.

The Catalog Synchronization Utility uses information from the DB2 catalog to determine the creation date for collections, databases, functions, JAR files, packages, plans, sequences, stored procedures, schemas, storage groups, tables, and distinct types. Creation dates for bufferpools and system privileges are not applicable because these are predefined resources. There is insufficient information in the DB2 catalog to determine the creation date for table spaces. Therefore, you have to run a selective synchronization for table spaces after the table space is created.

AUDIT and TRACE Keywords

The AUDIT and TRACE keywords for an ACID are ignored for a resource validation call made by the Synchronization Utility. TRACE records are written, however, for internal signons and signoffs.

Suspending Users

An incremental synchronization cannot detect when CA Top Secret Option for DB2 suspends ACIDs after established violation thresholds are exceeded. If during subsequent processing the ACID is not referenced by a CA Top Secret Option for DB2 authorization change, the DB2 catalog might continue to maintain an invalid access permission. You can correct this situation by performing an entire synchronization using the REVOKEALL option, which will remove all user information from the catalog before synchronization is complete.

Shift Controls in Authorizations and ACIDs

Shift controls in the resource or ACID are ignored for purposes of synchronization.