

Specifying Synchronization Control Statements

Synchronization control statements are created by the TSDB2SY1 job or by you. They define which users and DB2 resources are to be synchronized. You can synchronize a specific user, a group of users (through their PROFILES, FACILITIES, DIVISIONS, and DEPARTMENTS), a specific DB2 resource, or a group of resources. Each synchronization control statement contains one of the following verbs:

SYNC

Defines the DB2 subsystem and options of the synchronization run.

INCLUDE

Defines the user and DB2 resource information that is to be included in the synchronization run.

EXCLUDE

Defines the user and DB2 resource information that is to be excluded from information specified by previous INCLUDE statements.

VIEW

Lets you control whether views are dropped and whether warning messages are issued for these views.

GO

Signals the end of a group or batch of INCLUDE and EXCLUDE statements.

Begin each synchronization with one SYNC statement. Follow the SYNC statement with one or more INCLUDE or EXCLUDE statements. You can also place a GO statement between sets of INCLUDE and EXCLUDE statements to include several batches in one synchronization.

Syntax

Begin each control statement anywhere in columns 1 through 72. You can use columns 73 through 80 for sequence numbers because these columns are ignored. Specify at least one blank between keywords. Specify comments between /* and */ anywhere in columns 2 through 71. Do not continue control statements to a second line; instead, begin again with the control statement on the next line to specify additional user or resource information in a batch.

Here is the format of the SYNC, INCLUDE|EXCLUDE, VIEW, and GO statements:

SYNC SYSTEM(subsystemid) [OPTIONS([REVOKEALL][,TRACE][,NOPRIVCHECK])]
INCLUDE|EXCLUDE {USER(ACID|ACIDmask)                     }
                {PROFILE(profile|profilemask)            }
                {FACILITY(facility|facilitymask)         }
                {DIVISION(division|divisionmask)         }
                {DEPARTMENT(department|departmentmask)   }
                {BPL(bufferpool|bufferpoolmask)          }
                {COL(collection|collectionmask)          }
                {DBS(database|databasemask)              }
                {FNC(function|functionmask)              }
                {JAR(jarfile|jarfilemask)                }
                {PKG(package|packagemask)                }
                {PLN(plan|planmask)                      }
                {PRC(procedure|proceduremask)            }
                {SCH(schema|schemamask)                  }
                {SEQ(sequence|sequencemask)              }
                {STG(storagegroup|storagegroupmask)      }
                {SYS(systemprivilege|systemprivilegemask)}
                {TBL(table|tablemask)                    }
                {TSP(tablespace|tablespacemask)          }
                {TYP(type|typemask)                      }
[VIEW ACTION([WARN][,DROP][,REVOKEADMIN])]
[GO]

Synchronization Control Statement Descriptions

Each control statement and keyword is described in the following:

SYNC

Indicates the DB2 subsystem and options that CA Top Secret Option for DB2 will use for this execution of the utility. This statement must begin the synchronization.

SYSTEM(subsystemid)

Identifies the one‑ to four‑character DB2 subsystem ID where synchronization occurs. Specify only one DB2 subsystem ID. To synchronize multiple DB2 subsystems, you must run the utility for each subsystem. This keyword is required.

OPTIONS([REVOKEALL][,TRACE][,NOPRIVCHECK])

Specifies the options for this execution of the utility. Separate multiple options with a comma, leaving no extra spaces. This keyword is optional.

REVOKEALL

Indicates that all GRANT access privileges that any user holds in the DB2 catalog for the specified resources are revoked, unless the user is included in the synchronization and has a corresponding CA Top Secret Option for DB2 privilege. This option ensures that the CA Top Secret Option for DB2 Catalog Synchronization Utility starts with a clean catalog for the resources that you specify. By default, REVOKEALL is not specified and the current access privileges of users who are not included are retained in the DB2 catalog.

Specify this option when you want to ensure that authorizations for deleted ACIDs are removed from the DB2 catalog. Use this option only when you are including in the synchronization all users who are authorized for the included resources; any user who is not included, including users you EXCLUDE, loses all catalog privileges on those resources.

Note: You should not use this option for an incremental synchronization.

TRACE

Produces Trace reports that trace each user extracted from the CA Top Secret Security File and each DB2 resource extracted from the DB2 system. Security validations are also traced. This option can help you determine the ACIDs extracted from CA Top Secret, check the results of processing INCLUDE and EXCLUDE statements, check the access in the DB2 catalog, and trace the results of security resource validations. This option is useful in a debugging situation. See the “Using the Catalog Synchronization Utility Reports” section for an example of the output that this option generates.

NOPRIVCHECK

Specifies that the CA Top Secret Option for DB2 Catalog Synchronization Utility will not use the NORESCHK attribute as a basis to grant access to DB2 resources. Without this option, TSDB2SY2 grants users with the NORESCHK attribute complete access to all included DB2 resources. Honoring the NORESCHK attribute is the default, but it results in a large number of GRANT statements to process. In addition, the resulting number of GRANT statements might so far exceed the number originally in the DB2 catalog that the catalog is too small to hold them. To avoid this situation, specify the NOPRIVCHECK option so that TSDB2SY2 generates GRANT and REVOKE statements based solely on DB2 resource access authorizations. This option does not make any permanent changes to the contents of the Security File.

INCLUDE|EXCLUDE

Indicates the keywords that limit the users and DB2 resources that will undergo synchronization. These control statements follow the SYNC or GO statement. The CA Top Secret Option for DB2 Catalog Synchronization Utility matches the specified user information with the specified DB2 resource information from the batch to form security resource validation calls. A batch consists of all INCLUDE and EXCLUDE statements preceding a GO statement or end‑of‑file condition. You can specify one or more INCLUDE or EXCLUDE statements after a SYNC or GO statement. However, to specify an EXCLUDE statement, you should first specify an INCLUDE statement; otherwise, CA Top Secret Option for DB2 cannot find any information to exclude. Do not continue INCLUDE or EXCLUDE statements to a second line; instead, use another INCLUDE or EXCLUDE statement to specify additional user or resource information in the batch. You can specify multiple keywords for each INCLUDE or EXCLUDE statement, but specify only one value for each keyword. Separate multiple keywords with a blank.

To select multiple users or resources with one keyword, specify a mask in place of a single value.

USER(ACID|ACIDmask)

Specifies the one‑ to eight‑character ACID or ACID mask that the CA Top Secret Option for DB2 Catalog Synchronization Utility extracts from the Security File to synchronize with the DB2 catalog. If you specify a mask, the utility searches the Security File and finds all of the user or control ACIDs that match the mask. The utility then includes or excludes each ACID from the synchronization batch (depending on the INCLUDE or EXCLUDE statement selected).

Note: Specify INCLUDE USER(PUBLIC) to synchronize authorizations PERMITted to the ALL Record. USER(*) will also synchronize these authorizations. However, using any other type of user masking might not provide the proper synchronization authorization. See “GRANT TO PUBLIC” section for more information.

We recommend that you use PROFILE, FACILITY or another selection method in place of USER(*) when including all DB2 users. INCLUDE USER(*) synchronizes all users, including any non‑DB2 users, and a resource validation call is made for each non‑DB2 user for each included resource. This can significantly increase the amount of time required to run a synchronization.

PROFILE(profile|profilemask)

Identifies for synchronization the users that have this profile ACID or a profile ACID matching the mask. PROFILE can be abbreviated as PROF.

FACILITY(facility|facilitymask)

Identifies for synchronization the users that have this facility ACID or a facility ACID matching the mask. FACILITY can be abbreviated as FAC.

DIVISION(division|divisionmask)

Identifies for synchronization the users that have this division ACID or a division ACID matching the mask. DIVISION can be abbreviated as DIV.

DEPARTMENT(department|departmentmask)

Identifies for synchronization the users that have this department ACID or a department ACID matching the mask. DEPARTMENT can be abbreviated as DEPT.

BPL(bufferpool|bufferpoolmask)

Identifies the buffer pools that the CA Top Secret Option for DB2 Catalog Synchronization Utility will synchronize.

COL(collection|collectionmask)

Specifies the collections that the CA Top Secret Option for DB2 Catalog Synchronization Utility will synchronize.

DBS(database|databasemask)

Specifies the databases that the CA Top Secret Option for DB2 Catalog Synchronization Utility will synchronize.

FNC(function|functionmask)

Specifies the functions that the CA Top Secret Option for DB2 Catalog Synchronization Utility will synchronize.

JAR(jarfile|jarfilemask)

Specifies the Java archive (JAR) files that the CA Top Secret Option for DB2 Catalog Synchronization Utility will synchronize. You must be running DB2 Version 7.1 or higher to specify this keyword; otherwise, the job terminates.

PKG(package|packagemask)

Specifies the packages that the CA Top Secret Option for DB2 Catalog Synchronization Utility will synchronize.

PLN(plan|planmask)

Specifies the plans that the CA Top Secret Option for DB2 Catalog Synchronization Utility will synchronize.

PRC(procedure|proceduremask)

Specifies the stored procedures that the CA Top Secret Option for DB2 Catalog Synchronization Utility will synchronize.

SCH(schema|schemamask)

Specifies the schemas that the CA Top Secret Option for DB2 synchronization utility will synchronize.

SEQ(sequence|sequencemask)

Specifies the sequences that the CA Top Secret Option for DB2 synchronization utility will synchronize.

STG(storagegroup|storagegroupmask)

Specifies the storage groups that the CA Top Secret Option for DB2 synchronization utility will synchronize.

SYS(systemprivilege|systemprivilegemask)

Specifies the system privileges and utilities that the CA Top Secret Option for DB2 Catalog Synchronization Utility will synchronize. For a list of DB2 system privileges and utilities that you can specify, see the “What Are DB2 Authorities and Privileges” section in the “Native DB2 Security” chapter. You can use the DB2 (that is, IBM) system privilege or utility or the CA Top Secret Option for DB2 shortened name to specify this keyword.

TBL(table|tablemask)

Specifies the tables that the CA Top Secret Option for DB2 Catalog Synchronization Utility will synchronize.

TSP(tablespace|tablespacemask)

Specifies the table spaces that the CA Top Secret Option for DB2 Catalog Synchronization Utility will synchronize.

TYP(type|typemask)

Specifies the distinct types that the CA Top Secret Option for DB2 Catalog Synchronization Utility will synchronize.

VIEW ACTION([WARN] [,DROP][,REVOKEADMIN])

Controls whether TSDB2SY2 generates REVOKE statements that cause views to be dropped. See the “Views” section for more information about why DB2 drops views. If you specify multiple keywords, separate them with a comma. Do not add extra space.

REVOKEADMIN

Specifies that TSDB2SY2 should evaluate the REVOKEs for SYSADM, SYSCTRL, system DBADM, and DBADM administrative authorities to determine whether views are dropped as a result of executing the REVOKE statement. REVOKEADMIN might significantly increase the run time, because of the catalog queries required to evaluate the effect on views of revoking an administrative authority and the effects of cascade REVOKE in native DB2. If this keyword is omitted, the DROP and WARN keywords are ignored for the SYSADM, SYSCTRL, system DBADM, and DBADM administrative authorities (regardless of their impact on views).

DROP

Specifies that TSDB2SY2 generates REVOKE statements that, when executed by TSDB2SY3, will cause views to be dropped from the catalog.

WARN

Specifies that TSDB2SY2 issues a warning message if a REVOKE statement can be generated that, if executed, will cause a view to be dropped.

If you specify both the DROP and WARN keywords, TSDB2SY2 issues the warning message, and the views are dropped when the REVOKE statement is executed by TSDB2SY3.

GO

Indicates the end of a batch of INCLUDE and EXCLUDE statements. This is required on every batch except the final one. If no GO statement is found at the end of the last batch, the end‑of‑file statement is interpreted as a GO.

Examples of Synchronization Control Statements

To provide an example of a synchronization control statement, let's assume that you want to synchronize the DB2 catalog for the DSNP subsystem. You want to include all users who use the DB2 customer profile CUSTDB2, the customer and accounts payable tables, and a special accounts payable table that is named ACCT.XREF. Additionally, you want to revoke access to these tables for any user that does not have the CUSTDB2 profile. Finally, you want to see trace reports for this synchronization.

Your keyword values are:

SYSTEM: DSNP
OPTIONS: REVOKEALL (revoke catalog privileges of users who are not included), TRACE
PROFILE: CUSTDB2
TBL: CUST*, ACCTPAY*, ACCT.XREF (one TBL keyword per INCLUDE statement)

To achieve the results described above, create these synchronization control statements:

SYNC SYSTEM(DSNP) OPTIONS(REVOKEALL,TRACE)
INCLUDE PROFILE(CUSTDB2)
INCLUDE TBL(CUST*)
INCLUDE TBL(ACCTPAY*)
INCLUDE TBL(ACCT.XREF)

The trace reports list the users and tables that are actually included in the synchronization and the DB2 catalog and CA Top Secret Option for DB2 privileges that existed for these users and tables before the synchronization.

After reviewing the statements above, suppose you find that you need a couple of modifications: the users whose department ACID matches DP12? should not be synchronized, and you no longer want to revoke the existing catalog privileges of users who are not included. The second change means dropping REVOKEALL; with REVOKEALL in effect, the excluded DP12? users would lose their privileges on these tables, because REVOKEALL treats every user who is not included the same way.

Here are the revised synchronization control statements that address your additional needs:

SYNC SYSTEM(DSNP) OPTIONS(TRACE)
INCLUDE PROFILE(CUSTDB2)
EXCLUDE DEPT(DP12?)
INCLUDE TBL(CUST*)
INCLUDE TBL(ACCTPAY*)
INCLUDE TBL(ACCT.XREF)
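Because TSDB2SY2 generates GRANT and REVOKE statements from whatever deck it is given, a mistake such as a continued line, two values in one keyword or REVOKEALL combined with an EXCLUDE is cheaper to catch before the job runs. The following is an added example, not code from this page or from CA Top Secret Option for DB2: a small Python linter that applies the rules stated in the Syntax section and the statement descriptions (columns 1 through 72 with 73 through 80 ignored, /* */ comments, no continuation, SYNC first with a one- to four-character SYSTEM, comma-separated options without spaces, one value per keyword, EXCLUDE only after an INCLUDE in its batch, GO or end-of-file closing a batch) and flags the REVOKEALL caution. The two sample decks are the examples above; the third is a constructed faulty deck. The message texts and the check that an INCLUDE carries at least one keyword are the example's own choices, not product behaviour.

```python
"""Linter for TSDB2SY2 synchronization control statement decks (added example,
not CA Top Secret Option for DB2 code). It applies the rules stated on this
page: columns 1-72 with 73-80 ignored, /* */ comments, no continuation lines,
SYNC first with a 1- to 4-character SYSTEM, comma-separated options, one value
per keyword, EXCLUDE only after an INCLUDE in its batch, GO or end-of-file
ending a batch, and the REVOKEALL caution for users who are not included."""
import re

SYNC_OPTIONS = {"REVOKEALL", "TRACE", "NOPRIVCHECK"}
VIEW_ACTIONS = {"WARN", "DROP", "REVOKEADMIN"}
USER_KEYWORDS = {"USER", "PROFILE", "PROF", "FACILITY", "FAC",
                 "DIVISION", "DIV", "DEPARTMENT", "DEPT"}
RESOURCE_KEYWORDS = {"BPL", "COL", "DBS", "FNC", "JAR", "PKG", "PLN", "PRC",
                     "SCH", "SEQ", "STG", "SYS", "TBL", "TSP", "TYP"}
KEYWORD_RE = re.compile(r"([A-Z]+)\(([^()]*)\)")   # KEYWORD(value)

def strip_line(raw):
    """Keep columns 1-72 (73-80 hold ignored sequence numbers) and drop comments."""
    return re.sub(r"/\*.*?\*/", " ", raw[:72]).strip()

def parse_statement(text):
    """Return (verb, {KEYWORD: value}) for one statement."""
    verb, _, rest = text.upper().partition(" ")
    return verb, dict(KEYWORD_RE.findall(rest))

def lint(deck):
    """Return (batches, problems); a batch is the list of (verb, keywords) it holds."""
    problems, batches, batch = [], [], []
    options, sync_seen, include_seen = set(), False, False
    for lineno, raw in enumerate(deck.splitlines(), 1):
        text = strip_line(raw)
        if not text:
            continue
        verb, kws = parse_statement(text)
        if not sync_seen and verb != "SYNC":
            problems.append(f"line {lineno}: the first statement must be SYNC")
        if verb == "SYNC":
            sync_seen = True
            if not 1 <= len(kws.get("SYSTEM", "")) <= 4:
                problems.append(f"line {lineno}: SYSTEM needs a 1- to 4-character subsystem ID")
            opts = kws.get("OPTIONS", "")
            if " " in opts:
                problems.append(f"line {lineno}: separate OPTIONS with a comma and no spaces")
            options = {o.strip() for o in opts.split(",") if o.strip()}
            for opt in sorted(options - SYNC_OPTIONS):
                problems.append(f"line {lineno}: unknown option {opt}")
        elif verb in ("INCLUDE", "EXCLUDE"):
            if verb == "EXCLUDE" and not include_seen:
                problems.append(f"line {lineno}: EXCLUDE before any INCLUDE in the batch excludes nothing")
            if not kws:   # example's own check; the page only says keywords limit the selection
                problems.append(f"line {lineno}: {verb} needs at least one keyword")
            include_seen |= verb == "INCLUDE"
            for kw, val in kws.items():
                if kw not in USER_KEYWORDS | RESOURCE_KEYWORDS:
                    problems.append(f"line {lineno}: unknown keyword {kw}")
                elif "," in val or " " in val:
                    problems.append(f"line {lineno}: {kw} takes one value; use another {verb} statement")
                elif kw == "USER" and not 1 <= len(val) <= 8:
                    problems.append(f"line {lineno}: USER takes a 1- to 8-character ACID or mask")
            batch.append((verb, kws))
        elif verb == "VIEW":
            for act in sorted(set(kws.get("ACTION", "").split(",")) - VIEW_ACTIONS - {""}):
                problems.append(f"line {lineno}: unknown VIEW ACTION {act}")
        elif verb == "GO":
            if batch:
                batches.append(batch)
            batch, include_seen = [], False
        else:   # a line that starts with something other than a verb, e.g. a continuation
            problems.append(f"line {lineno}: {text!r} is not a statement; statements "
                            "cannot be continued onto a second line")
    if batch:   # end-of-file is treated as a GO
        batches.append(batch)
    if "REVOKEALL" in options and any(
            verb == "EXCLUDE" and USER_KEYWORDS.intersection(kws)
            for b in batches for verb, kws in b):
        problems.append("REVOKEALL revokes the catalog privileges of every user that is not "
                        "included, so the users you EXCLUDE lose theirs on the included resources")
    return batches, problems

# Constructed sample decks: the two examples from this page, then a faulty deck with a long
# SYSTEM, a space in OPTIONS, EXCLUDE before INCLUDE, a comment plus a legal sequence number
# in columns 73-80, two values in one TBL, an empty INCLUDE, and a continued statement.
DECK_FIRST = ("SYNC SYSTEM(DSNP) OPTIONS(REVOKEALL,TRACE)\nINCLUDE PROFILE(CUSTDB2)\n"
              "INCLUDE TBL(CUST*)\nINCLUDE TBL(ACCTPAY*)\nINCLUDE TBL(ACCT.XREF)\n")
DECK_REVISED = ("SYNC SYSTEM(DSNP) OPTIONS(TRACE)\nINCLUDE PROFILE(CUSTDB2)\nEXCLUDE DEPT(DP12?)\n"
                "INCLUDE TBL(CUST*)\nINCLUDE TBL(ACCTPAY*)\nINCLUDE TBL(ACCT.XREF)\n")
DECK_FAULTY = "\n".join([
    "SYNC SYSTEM(DSNPROD) OPTIONS(REVOKEALL, TRACE)",
    "EXCLUDE DEPT(DP12?)",
    "INCLUDE PROFILE(CUSTDB2)  /* customer profile */".ljust(72) + "00000030",
    "INCLUDE TBL(CUST*, ACCTPAY*)",
    "INCLUDE",
    "   TBL(ACCT.XREF)"])

if __name__ == "__main__":
    for name, deck in ("first", DECK_FIRST), ("revised", DECK_REVISED), ("faulty", DECK_FAULTY):
        batches, problems = lint(deck)
        print(f"{name}: {len(batches)} batch(es), {len(problems)} problem(s)", *problems, sep="\n  ")
```

Run it against the deck you intend to submit before the TSDB2SY2 step; the two page examples pass cleanly, while the faulty deck reports seven findings, the last of them the REVOKEALL-plus-EXCLUDE combination that would silently strip the DP12? users of their privileges. The linter only checks the rules this page states; it does not know which ACIDs or tables exist, so a clean result still requires a review of the TRACE reports.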