Defining the FMN2PARM member
If auditing is to be controlled from parmlib (the user has READ access to FILEM.PARMLIB.DB2; see SAF-controlled auditing for File Manager Db2 component), then member FMN2PARM must be defined in SYS1.PARMLIB (or any other library in the logical parmlib concatenation) as follows.
A default parmlib member FMN2PARM is provided in the SFMNSAM1 library. Copy this member to the appropriate system parmlib library. The methods that can be used to make this change are described below.
There are two methods that can be used to include the FMN2PARM member in a library in the logical parmlib concatenation. The choice of method depends on whether the installation's security software is configured to allow FM/Db2 users READ access to data set SYS1.PARMLIB.
Method 1 can only be used when FM/Db2 users have read access to all libraries in the logical parmlib concatenation.
Method 2 can be used regardless of whether FM/Db2 users have READ access to the libraries in the logical parmlib concatenation.
Method 2 must be used when FM/Db2 users do not have READ access to one or more libraries in the logical parmlib concatenation.
- Method 1
- Place the FMN2PARM member in any library in the current logical parmlib concatenation. No IPL or other action is required to activate the new member (unless a new library was added to the logical parmlib concatenation).
Note: FMN2POPT controlled auditing cannot be used in any situation where FM/Db2 users do not have READ access to all of the libraries in the logical parmlib concatenation. For example, when:
- There are six libraries in the logical parmlib concatenation, for simplicity: libraries A, B, C, D, E and F.
- FM/Db2 users have read access to five of these libraries: A, B, D, E, F.
- Library C may be SYS1.PARMLIB, or any other library in the logical parmlib concatenation.
This will not work: the attempt by a File Manager/Db2 user to access the logical parmlib concatenation will fail with a security-related (913) abend.
- Method 2
- This method must be used when FM/Db2 users do not have READ access to all of the libraries in the logical parmlib concatenation.
1. Create a new library with data set attributes similar to SYS1.PARMLIB. The library name for this data set must include the string "FMNPARM" in one of the qualifiers. You can choose any data set name that meets this requirement. Examples of suitable data set names are:
- SYS1.PARMLIB.FMNPARM
- SYS8.FMNPARM.PARMLIB
- FMNPARM.SYS8.PARMLIB
- SYS2.FMNPARMS.LIB
- SYS8.XFMNPARM.PARMLIB
2. Add member FMN2PARM to the new library, specifying the appropriate FMAUDIT parameter.
3. Add the new library to the logical parmlib concatenation. This can be done dynamically or via a system IPL.
Note: When Method 2 is used, the FMN2PARM member must be located in the library created in step 1. If the FMN2PARM member specifies any include statements (see Facilities for customizing the FMN2PARM definitions), all of the included members must also reside in the same library.
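The following pre-change check is an added example, not part of the File Manager product or its documentation. It decides which method the access situation requires and validates a candidate Method 2 library name against the "FMNPARM in one qualifier" rule plus standard z/OS data set naming rules. The function names are hypothetical, and the set of libraries that FM/Db2 users can READ is assumed to be supplied by the caller (for example, from a security product report).

```python
import re

# z/OS data set name rules: qualifiers of 1-8 characters separated by periods,
# first character alphabetic or national (#, @, $), 44 characters at most.
QUALIFIER = re.compile(r"[A-Z#@$][A-Z0-9#@$-]{0,7}")
MARKER = "FMNPARM"  # string the page requires inside one qualifier


def check_fmnparm_dsn(dsn):
    """Return a list of problems with a candidate Method 2 library name."""
    problems = []
    name = dsn.strip().upper()
    qualifiers = name.split(".")
    if len(name) > 44:
        problems.append("name longer than 44 characters")
    for q in qualifiers:
        if not QUALIFIER.fullmatch(q):
            problems.append(f"invalid qualifier {q!r}")
    # The marker must sit inside a single qualifier, not span a period.
    if not any(MARKER in q for q in qualifiers):
        problems.append(f"no single qualifier contains {MARKER}")
    return problems


def choose_method(concatenation, readable):
    """Return (method, blocked) for a parmlib concatenation (ordered list of
    data set names) and the set of libraries FM/Db2 users can READ.

    Method 1 needs READ access to every library; a single gap forces
    Method 2. A result of 1 means Method 1 is permitted (Method 2 still is).
    """
    blocked = [lib for lib in concatenation if lib not in readable]
    return (2 if blocked else 1), blocked


if __name__ == "__main__":
    # Constructed sample mirroring the page's libraries A-F, C not readable.
    concat = ["A", "B", "C", "D", "E", "F"]
    print(choose_method(concat, {"A", "B", "D", "E", "F"}))
    for dsn in ["SYS8.XFMNPARM.PARMLIB", "SYS1.FMN.PARM", "SYS1.FMNPARMLIB"]:
        print(dsn, check_fmnparm_dsn(dsn) or "ok")
```
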
You use the FMN2PARM member to define the following:
- Whether File Manager will use SAF to control File Manager audit logging.
- The SAF resource name prefix to be used by File Manager when determining access to various resources.
- Whether File Manager should load the FMN2POPT module from a specific library.
See FM/Db2 options specified in FMN2PARM for more information.