RACF and Db2® security configuration for the agent for z/OS®

You configure the agent for z/OS® so that Rational® Integration Tester can record and virtualize Db2® on z/OS® applications. The configuration consists of RACF permissions and Db2® privileges for each of the user IDs involved.

Authorization

Recording or stubbing Db2® EXEC SQL commands (or both) involves several user IDs:

  • The ID that is associated with the batch program or CICS program.
  • The ID that is used by Rational® Integration Tester to connect to Db2® to obtain information about tables and other artifacts.
  • The ID that is used by Rational® Integration Tester to access a simulation database.
  • The ID that accesses the Profile Service in IBM z/OS Debugger.

The following list contains the authorizations required for each User ID:

  • The user ID that is associated with the batch program whose interactions with Db2® are recorded or virtualized requires the following authorization:
    • UPDATE access to the EQADTOOL.BROWSE.MVS profile in the RACF FACILITY class
  • The User Name field in the Connection Parameters section of the Database transport Connection tab specifies the ID that both Rational® Integration Tester and the agent for z/OS use to connect to Db2® on z/OS. This must be the same user ID that is associated with the batch job or CICS program. It is used to read the data and catalog information about the tables and artifacts that are recorded or stubbed, so it must have the following privileges in Db2®:
    • SELECT on the application tables that are accessed
    • SELECT ON SYSIBM.SYSDATATYPES
    • SELECT ON SYSIBM.SYSPACKAGE

    This ID must also have READ access to the xxxx.DIST profile in the RACF DSNR class, where xxxx is the Db2® subsystem name. That profile controls connections that arrive through the distributed data facility (DDF), which is how Rational® Integration Tester connects.

  • The User Name field in the Simulation Database section of the Database transport Stub tab specifies the ID that owns the tables and artifacts in the simulation database. If Db2® for z/OS is used as the simulation database, the ID must have the following privileges in Db2®:
    • SELECT ON SYSIBM.SYSPACKAGE
    • SELECT ON SYSIBM.SYSTABLES
    • SELECT ON SYSIBM.SYSSEQUENCES
    • SELECT ON SYSIBM.SYSPARMS
    • SELECT ON SYSIBM.SYSROUTINES
    • USE OF STOGROUP SYSDEFLT
  • The UserID field on the z/OS tab of the Database transport specifies the ID that connects to the Profile Service in IBM z/OS Debugger to define DTCN profiles for CICS and DTSP profiles for batch jobs. To capture Db2® calls from programs that run under CICS, the ID must have the following permissions:
    • Permission to connect to CICS, including READ access to the RACF profile that controls the CWBA transaction (CWBA in the TCICSTRN class).
    • UPDATE access to the EQADTOOL.BROWSE.CICS profile in the RACF FACILITY class.
    • If the CICS system initialization parameter RENTPGM=PROTECT is specified, READ access to the EQADTOOL.AUTHDEBUG profile in the RACF FACILITY class.
    • If the default_dsname parameter in eqaprof.env includes &USERID as part of the data set name, the user ID that connects to the Profile Service must be the user ID associated with the batch job that is recorded.

    To capture Db2® calls from batch jobs, you can optionally use the IBM z/OS Debugger Profile Service with Delay Debug mode to pass the DBRM data set name and other required information to the batch job automatically. This simplifies the JCL updates that are otherwise required to record and virtualize program runs as batch jobs. To use this option, specify the user ID that is associated with the batch job as the Debugger Profile Service UserId. That ID must have the authority to create data sets whose names match the pattern specified by the default_dsname parameter in the Profile Service eqaprof.env file. The ID under which the Profile Service runs must also have READ access to a SURROGAT class profile BPX.SRV.xxxx, where xxxx is either the explicit user ID or a generic value that covers it; this is the RACF permission that allows the Profile Service to act on behalf of that user ID without its password.

    If your batch jobs run under a RACF PROTECTED user ID, that ID cannot be used with the Profile Service, because a protected ID has no password and cannot be used to log on. In that case, clear the Use Profile Service checkbox on the physical resource z/OS tab and specify the CEEOPTS ENVAR parameters in your JCL. For more information, see Updating JCL.
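The following batch job applies the RACF permissions and Db2® privileges listed above in one place. It is an added worked example, not part of the product documentation or of IBM z/OS Debugger. All names in it are assumptions: DSN1 is the Db2® subsystem, APPUSR is the ID of the batch job or CICS program (which, per the rules above, is also the Connection Parameters User Name and the z/OS tab UserID), SIMOWNR owns the simulation database objects, EQAPROF is the ID under which the Profile Service runs, and ORDERS.CUSTOMER and ORDERS.INVOICE stand in for the application tables. The DSNTEP2 plan name and the SDSNLOAD and RUNLIB data set names are also assumptions; substitute your site's values.

```jcl
//RITAUTH  JOB (ACCT),'RIT AGENT AUTH',MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Added example, not from the product documentation. Assumed names:
//*   DSN1    Db2 subsystem (the xxxx in xxxx.DIST)
//*   APPUSR  ID of the batch job / CICS program, also used as the
//*           Connection Parameters User Name and the z/OS tab UserID
//*   SIMOWNR owner of the simulation database objects
//*   EQAPROF ID under which the z/OS Debugger Profile Service runs
//*
//* 1. Batch/CICS program ID: debugger browse and DDF connection.
//RACFAPP  EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RDEFINE FACILITY EQADTOOL.BROWSE.MVS UACC(NONE)
 PERMIT EQADTOOL.BROWSE.MVS CLASS(FACILITY) ID(APPUSR) ACCESS(UPDATE)
 PERMIT DSN1.DIST CLASS(DSNR) ID(APPUSR) ACCESS(READ)
/*
//* 2. Profile Service connection ID, CICS capture. The AUTHDEBUG
//*    permit is needed only when the CICS region runs RENTPGM=PROTECT.
//RACFCICS EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 PERMIT CWBA CLASS(TCICSTRN) ID(APPUSR) ACCESS(READ)
 RDEFINE FACILITY EQADTOOL.BROWSE.CICS UACC(NONE)
 PERMIT EQADTOOL.BROWSE.CICS CLASS(FACILITY) ID(APPUSR) ACCESS(UPDATE)
 PERMIT EQADTOOL.AUTHDEBUG CLASS(FACILITY) ID(APPUSR) ACCESS(READ)
/*
//* 3. Delay Debug for batch: let the Profile Service act for APPUSR,
//*    then activate the changes and verify who holds each profile.
//RACFSURR EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RDEFINE SURROGAT BPX.SRV.APPUSR UACC(NONE)
 PERMIT BPX.SRV.APPUSR CLASS(SURROGAT) ID(EQAPROF) ACCESS(READ)
 SETROPTS RACLIST(FACILITY) REFRESH
 SETROPTS RACLIST(SURROGAT) REFRESH
 RLIST FACILITY EQADTOOL.BROWSE.MVS AUTHUSER
 RLIST FACILITY EQADTOOL.BROWSE.CICS AUTHUSER
 RLIST DSNR DSN1.DIST AUTHUSER
 RLIST SURROGAT BPX.SRV.APPUSR AUTHUSER
/*
//* 4. Db2 privileges, issued through DSNTEP2 (plan name and library
//*    names are assumptions; use your site's values).
//DB2GRANT EXEC PGM=IKJEFT01,DYNAMNBR=20
//STEPLIB  DD DISP=SHR,DSN=DSN1.SDSNLOAD
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN  DD *
 DSN SYSTEM(DSN1)
 RUN PROGRAM(DSNTEP2) PLAN(DSNTEP12) LIB('DSN1.RUNLIB.LOAD')
 END
/*
//SYSIN    DD *
 -- Connection Parameters ID (same ID as the batch job/CICS program)
 GRANT SELECT ON TABLE ORDERS.CUSTOMER, ORDERS.INVOICE TO APPUSR;
 GRANT SELECT ON TABLE SYSIBM.SYSDATATYPES, SYSIBM.SYSPACKAGE
       TO APPUSR;
 -- Simulation database owner
 GRANT SELECT ON TABLE SYSIBM.SYSPACKAGE, SYSIBM.SYSTABLES,
       SYSIBM.SYSSEQUENCES, SYSIBM.SYSPARMS, SYSIBM.SYSROUTINES
       TO SIMOWNR;
 GRANT USE OF STOGROUP SYSDEFLT TO SIMOWNR;
 -- Verify that the table grants were recorded in the catalog
 SELECT GRANTEE, TCREATOR, TTNAME, SELECTAUTH
   FROM SYSIBM.SYSTABAUTH
   WHERE GRANTEE IN ('APPUSR', 'SIMOWNR')
   ORDER BY GRANTEE, TTNAME;
/*
```

Two site-specific checks before running it: if your CICS region protects transactions through a grouping profile in GCICSTRN, or through a generic profile, permit APPUSR to that profile rather than to a discrete CWBA profile; and if the DSNR or TCICSTRN classes are RACLISTed at your site, add a SETROPTS RACLIST(...) REFRESH for them too, otherwise the new permits do not take effect until the next refresh. The RLIST output with AUTHUSER and the final SYSTABAUTH query are the evidence you keep that each ID holds exactly the access the list above requires and nothing broader.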