DOMEXIT1 - Set User ID for security processing

Version 1

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    MainView for DB2


    APPLIES TO:

    Apptune for DB2, Pool Advisor for DB2, System Performance for DB2, SQL Performance for DB2, BMC Performance for SQL, MainView for DB2 Management



    QUESTION:


    ANSWER:

    What is DOMEXIT1?
    The Data Collector (DOM) invokes DOMEXIT1 to set or restore the security ID at the task level for DB2 interactions, such as starting traces and executing Explains. By default, the user ID is equal to the install SYSADM for the DB2 subsystem.

    How to customize DOMEXIT1?
    DOMEXIT1 can be customized to use a different ID that is granted appropriate DB2 authorities. The sample DOMEXIT1 source includes instructions for changing the ID to a different user or, in the case of EXPLAIN, to the ID of the user that issued the EXPLAIN request. The source for DOMEXIT1 is supplied in the DOMEXIT1 sample member. The #DOMEXIT sample member is used to assemble and link-edit the exit.

    How does DOMEXIT1 work?
    The sample and default DOMEXIT1 issue RACROUTE ENVIR=CREATE to establish a security identity for any task that interacts with DB2 for Explains and DB2 trace commands. By default, the security identity is the DB2 install system administrator; this can be changed to another target identity through installation customization of the exit.

    To accommodate situations where the target identity is a group instead of a user, the RACROUTE call was made specifying the started task identity instead of the target identity, and the target identity was then substituted in the resulting security environment. That is, if the RACROUTE call fails, as would be the case if the target user is a group, the default fallback behavior is to issue RACROUTE ENVIR=CREATE using the started task identity and then substitute the target identity.

    The default and sample DOMEXIT1 code supports a switch from the DB2-connect ID back to the started task ID without deleting the underlying ACEE control block until the connection is closed. Tasks that start DB2 traces keep the DB2-connect ID for the duration of the connection, while EXPLAIN tasks connect with this ID, revert to the started task ID for any dataset access during EXPLAIN, but maintain the ACEE block until the connection is closed.


    Article Number:

    000129690


    Article Type:

    FAQ/Procedural


