Currently the CHCMDMUT utility generates and executes DDL required for maintenance updates. The utility has a CURRENT SQLID parameter which is intended to be set to the Security Identifier that is being used to run the IIDR CDC for z/OS instance. The ACID running our CDC z/OS task has limited security privileges by design to meet current audit applications. The privileges are sufficient for the operation of CDC but do not include the ability to drop/create objects. Currently we have to temporarily grant SYSDBADM privileges to the started task ACID, run the CHCMDMUT utility and then revoke those privileges. Audit rules and interfaces with security administration teams make this process difficult, especially in our Production environment.
|Who would benefit from this IDEA?||z/OS CDC customers|
How should it work?
We would like to request an option to generate the required DDL in a dataset versus executing it immediately. That DDL could them be run by a Db2 Systems technician who will be authorized to make the necessary changes. This would allow us to separate the privileges needed by the ACIF to run the z/OS CDC started task and the privileges to drop/create objects or other necessary maintenance tasks.
More details regarding this situation can be viewed in service request 46530,122,000.
|Priority Justification||Applying CDC maintenance is more difficult than other products for us. We can make the current process work but are hoping this request would not require a large change effort and it will be consistent with other products that allow the DDL to be written to a dataset.|
|Customer Name||Tracey Beason - Wells Fargo|
NOTICE TO EU RESIDENTS: per EU Data Protection Policy, if you wish to remove your personal information from the IBM ideas portal, please login to the ideas portal using your previously registered information then change your email to "email@example.com" and first name to "anonymous" and last name to "anonymous". This will ensure that IBM will not send any emails to you about all idea submissions