DB2 Server for VSE & VM: Database Administration

Chapter 4. Supporting Your Users

As the database administrator, you provide the support that users need to gain access to your DB2 Server for VSE & VM application server and the data it manages.

This chapter describes the tasks involved in supporting new users, and removing the data and access of those who have left.

Adding a New User

To a DB2 Server for VSE & VM Application Server:

The following are the steps involved in adding new users to DB2 Server for VSE & VM application servers.

New users need CONNECT authority on the application server (alternatively, this may be granted to ALLUSERS). To add a new user to the system, perform the following tasks:

|In VM, define the user's virtual machine as a DB2 Server for VM user machine. This involves making VM directory changes and is discussed in the DB2 Server for VM System Administration manual.
Setup the user as a new ISQL user.
Grant the user an appropriate level of authority to access data and use resources.
Specify the default application server.
If required, load initial tables.
Ensure that the new user obtains adequate system training.

To a Non-DB2 Server for VSE & VM Application Server:

To enable a user to access a non-DB2 Server for VSE & VM application server perform the following tasks:

Notes:

|In VM, if the user is not already a DB2 Server for VM user, define the user's virtual machine as a DB2 Server for VM user machine. This involves making VM directory changes and is discussed in the DB2 Server for VM System Administration manual.
Arrange system-level sign-on authority with the system administrator of each remote application server.
Note: A new user ID and password may be required at some of the remote application servers, depending on the LU 6.2 security level that is required for the connection. See the Distributed Relational Database Connectivity Guide manual.
|In VM, setup a new entry in the CMS Communication Directory (COMDIR) for the remote application server (if it has not already been done), and make the COMDIR accessible to the user.
|In VSE, set up a new entry in the DBNAME Directory for the remote |application server (if it has not already been done).
If the user will be accessing an application server through ISQL, then setup the user as a new ISQL user. Make sure that ISQL has been installed on the remote application server.
Grant the user (or arrange to have granted) the appropriate level of authority to access data and use resources at each of the remote application servers.
Specify the default application server.
If required, load initial tables.
Ensure that the new user obtains adequate training on the remote application server and on how to access it from the local |DB2 Server for VSE & VM application requester.

To set up a new ISQL user to access the resources of an application server, run the SQLDBA.ARINEWUS routine supplied by IBM and previously loaded into the SQLDBA.ROUTINE table during database generation.
Note: The ARINEWUS routine is intended for DB2 Server for VSE & VM application servers only. If you need to add a new ISQL user to a non-DB2 Server for VSE & VM application server create your own routine using ARINEWUS as a sample. This routine uses a CONNECT statement containing an IDENTIFIED BY clause, as well as a GRANT CONNECT statement. These statements are unique to DB2 Server for VSE & VM application servers and may not be supported by non-DB2 Server for VSE & VM application servers.

Start ISQL and connect as SQLDBA (or some other user ID with DBA authority), then type:

   RUN SQLDBA.ARINEWUS (newuser newuserpw)

For newuser, specify:

In VM, the CP LOGON user ID (the name of the user's virtual machine) or,
In VSE, the user's CICS sign-on ID.

For newuserpw, specify a password for the new user.

The ARINEWUS routine does the following:

Issues an ISQL SET RUNMODE CANCEL command.
Issues an ISQL SET AUTOCOMMIT OFF command.
Grants CONNECT authority to the new user. The routine parameters newuser and newuserpw are used on the CONNECT statement.
Creates a copy of a set of sample tables for the user, and grants him or her full authority on them. These tables are named:

newuser.DEPARTMENT
newuser.EMPLOYEE
newuser.PROJECT
newuser.ACTIVITY
newuser.PROJ_ACT
newuser.EMP_ACT
newuser.CL_SCHED
newuser.IN_TRAY
Copies data from the sample tables owned by user ID SQLDBA into the new user's sample tables. (Only the rows needed to duplicate the examples shown in the DB2 Server for VSE & VM Interactive SQL Guide and Reference manual are copied.)
Creates indexes on the sample tables.

Creates and loads an ISQL routine table (newuser.ROUTINE), which includes an ISQL PROFILE routine, as follows:

   NAME      SEQNO   COMMAND          REMARKS
   -------   -----   --------------   -------
   PROFILE      10   SET VARCHAR 35   NULL
   PROFILE      20   SET CASE UPPER   NULL

Creates an index on the routine table.
Issues an ISQL SET AUTOCOMMIT ON command.

When you run ARINEWUS, you will be prompted to enter either COMMIT or ROLLBACK. If no errors occurred, enter COMMIT; otherwise, enter ROLLBACK.

The ARINEWUS routine sets up the new user only in the application server that you are connected to when you invoke the routine. If a user is to have access to more than one application server, connect to these other application servers and run ARINEWUS again for each one.

Example

A new user with a user ID of ALEX and a password of ALEXPW is defined. Alex does application development work and needs access to two application servers: PROD and TEST.

Do the following in a VM system:

Log on to your own user machine, and IPL CMS.
Issue SQLINIT DBNAME(PROD). (Assume that the PROD application server is currently being accessed by some database machine in multiple user mode.)
Start the ISQL program.
Connect to the PROD application server under a user ID with DBA authority. In the example below, the user ID is SQLDBA. The step is optional if you already have DBA authority. Enter:
```
CONNECT SQLDBA IDENTIFIED BY sqldbapw
```
Assume you know the password of the SQLDBA user ID for both application servers
Start the ARINEWUS routine:
```
RUN SQLDBA.ARINEWUS (ALEX ALEXPW)
```
Connect to the TEST application server under a user ID with DBA authority:
```
CONNECT SQLDBA IDENTIFIED BY sqldbapw TO TEST
```
Start the ARINEWUS routine:
```
RUN SQLDBA.ARINEWUS (ALEX ALEXPW)
```
Exit from the ISQL program.

Do the following in a VSE system:

Ensure that the application servers PROD and TEST have been started with the DLBL and LIBDEF statements required for accessing the application servers. Also ensure that the CICS system has been started and initialized for DB2 Server for VSE on-line access to both PROD and TEST.
Start the ISQL program.
Connect to the PROD application server under a user ID with DBA authority. In the example below, the user ID is SQLDBA. The step is optional if you already have DBA authority. Enter:
```
CONNECT SQLDBA IDENTIFIED BY sqldbapw TO PROD
```
Assume you know the password of the SQLDBA user ID for both application servers
Start the ARINEWUS routine:
```
RUN SQLDBA.ARINEWUS (ALEX ALEXPW)
```
Connect to the TEST application server as SQLDBA (or with any ID that has DBA authority).
```
CONNECT SQLDBA IDENTIFIED BY sqldbapw TO TEST
```
Start the ARINEWUS routine:
```
RUN SQLDBA.ARINEWUS (ALEX ALEXPW)
```
Exit from the ISQL program.

Alex is now set up to use both application servers.

If you want to review the contents of the ARINEWUS routine before you invoke it, issue the following SELECT statement on either application server:

   SELECT COMMAND FROM SQLDBA.ROUTINE WHERE NAME = 'ARINEWUS'

Authorizing Access

Once you have run ARINEWUS, your new user has CONNECT authority to the application server. This is the lowest level of authority. To decide if this is the appropriate level for this user, and to change it if not, see Chapter 5, Providing Security.

After providing new users with CONNECT authority, you can do any of the following:

Acquire PRIVATE dbspaces for them so that they can create their own tables
Grant them RESOURCE authority
Grant them DBA authority
Ensure that they are granted privileges on other users' tables and views
Create new views on tables to restrict their access to data that is appropriate for them to see.

Specifying a Default Application Server in VM

Before VM users can access an application server, a default application server needs to be established. Users must process the SQLINIT EXEC to specify the application server they intend to access. For example, if the user intends to access the TEST application server, he or she must enter:

   SQLINIT DBNAME(TEST)

Users only need to re-process the SQLINIT EXEC if they want to explicitly change the current SQLINIT options. The most current SQLINIT information is stored on each user's A-disk. For more information, see SQLINIT EXEC.

Loading Initial Tables

New users likely have existing files of data that they want to store in the database. If the files are short, the data they contain can be typed in at the terminal using ISQL statements. This method, however, is not suitable for large files. Here, you can use the DBS Utility to transfer data into a database. For information on how to use the DBS Utility, see Loading Data into Tables.

Training New Users

It is your responsibility to assist new users with the DB2 Server for VSE & VM database manager, and to deal with their questions and problems. Ensuring new users are adequately trained will reduce your problem-solving duties.

Removing Users from an Application Server

When users leave your area, both their access to the application server and any unwanted data should be removed. You should try to get people to remove their own data before they leave; however, you will often have to do so yourself.

The following steps describe how to remove a user's access to an application server. If a user was using multiple application servers, you must perform this process for each server. You must have DBA authority to perform these steps.

If you have DBA authority, you can revoke a user's authority to access the application server at any time by issuing the REVOKE CONNECT statement listing the user(s) affected.

For example:

   REVOKE CONNECT FROM JOHN,KAREN,ALICE

Revoking a user's CONNECT authority prevents that user ID from accessing the application server. This action only removes the user IDs from the SYSTEM.SYSUSERAUTH catalog table; it does not affect any objects (for example, tables) in the database which those users may have created, nor does it affect any privileges that may have been granted to them.

Example

An employee whose user ID was SMITH has left the company. To remove SMITH's database objects, do the following:

Determine the names of PRIVATE dbspaces owned by SMITH. Type:

   SELECT DBSPACENAME FROM SYSTEM.SYSDBSPACES
     WHERE OWNER='SMITH'

Determine the names of tables owned by SMITH. Type:
```
   SELECT TNAME,DBSPACENAME FROM SYSTEM.SYSCATALOG
     WHERE CREATOR='SMITH'
     AND TABLETYPE='R'
```
This command displays the names of the tables that SMITH created, and the dbspaces where they were created. The TABLETYPE='R' (R stands for real table) indicates that you want to see only the tables at this point; you do not yet want to see any views that SMITH defined. Record those tables that are in PUBLIC dbspaces for later use in step 8.
Determine whether any of SMITH's tables participate in a referential structure that is not wholly owned by SMITH.
```
   SELECT TNAME, TCREATOR, REFTNAME, REFTCREATOR FROM SYSTEM.SYSKEYS
   WHERE  (TCREATOR ¬= 'SMITH' AND REFTCREATOR = 'SMITH')
   OR (TCREATOR = 'SMITH' AND REFTCREATOR ¬= 'SMITH')
```
This command displays tables created by others that reference tables created by SMITH, as well as tables created by SMITH that reference tables created by others. Make note of the tables you want to save.
Determine if the PRIVATE dbspace owned by SMITH contains any tables that were created by other users. Remember that when you drop a dbspace, you drop all tables that exist in it, whether they were created by the owner or by other users.
For each PRIVATE dbspace owned by SMITH, type:
```
   SELECT TNAME,CREATOR FROM SYSTEM.SYSCATALOG
     WHERE CREATOR¬='SMITH'
     AND DBSPACENAME='dbspacename'
     AND TABLETYPE='R'
```
This command lists the names of all tables in dbspacename that SMITH did not create, along with the names of who created them. The TABLETYPE='R' (R stands for real table) indicates that you want to see only the tables at this point, not views.
Based on the information you acquired in the last three steps, transfer any tables that you want to save. If any of these tables participate in referential structures, the referential constraints must be rebuilt to reflect the changed ownership of the tables.
There are many ways to transfer (copy) tables to another dbspace. One way is to first create a new table with the same format in a different dbspace; then use an INSERT with Subselect statement to retrieve data from the original table and insert it into the new table.
There are more sophisticated techniques available using the DBS Utility. For information, refer to Maintaining Tables or to the DB2 Server for VSE & VM Database Services Utility manual.
Copy any programs that you want to save that currently reside in SMITH's PRIVATE dbspaces into another dbspace.
Drop the PRIVATE dbspaces owned by SMITH, which you determined in step 1, by issuing the DROP statement:
```
   DROP DBSPACE SMITH.dbspacename
```
Drop any of SMITH's tables you no longer need, as determined in step 2. All associated indexes and views are also dropped.
```
   DROP TABLE SMITH.tablename
```
Drop any of SMITH's views that were defined on other users' objects in PUBLIC dbspaces or in other users' PRIVATE dbspaces. To get the names of those views from the catalog tables, type:
```
   SELECT VIEWNAME FROM SYSTEM.SYSVIEWS
      WHERE VCREATOR='SMITH'
 
   DROP VIEW SMITH.viewname
```
Drop any of SMITH's indexes that were defined on other users' objects in PUBLIC dbspaces or in other users' PRIVATE dbspaces. To get the names of those indexes from the catalog tables, type:
```
   SELECT INAME FROM SYSTEM.SYSINDEXES
      WHERE ICREATOR='SMITH'
 
   DROP INDEX SMITH.indexname
```
Drop any of the packages created by SMITH. To display the names of those packages from the catalog tables, type:
```
   SELECT TNAME FROM SYSTEM.SYSACCESS
      WHERE CREATOR='SMITH'
 
   DROP PACKAGE SMITH.packagename
```

Delete any synonyms created by SMITH:

   DELETE FROM SYSTEM.SYSSYNONYMS
      WHERE USERID='SMITH'

Delete any ISQL stored queries created by SMITH.

To determine these queries, type:
```
   SELECT STMTNAME FROM SQLDBA."STORED QUERIES"
      WHERE CREATOR='SMITH'
```
Then issue a single DELETE statement:
```
   DELETE FROM SQLDBA."STORED QUERIES"
      WHERE CREATOR='SMITH'
```
It is helpful if departing employees remove their own data from the database. Only someone with DBA authority can delete stored queries in the above manner; others use the ISQL ERASE command. For example, to delete a stored query called MYQUERY, SMITH would start ISQL and type:
```
   ERASE MYQUERY
```
Revoke any privileges granted to SMITH. To get the names of all users who granted privileges to SMITH, type:
```
   SELECT * FROM SYSTEM.SYSTABAUTH
      WHERE GRANTEE='SMITH'
 
   SELECT * FROM SYSTEM.SYSPROGAUTH
      WHERE GRANTEE='SMITH'
```
Contact these users and have them revoke all of SMITH's privileges. Or, if a user is not available, you can explicitly connect with his or her password to revoke them yourself.
In VM, remove any IUCV links.

If SMITH's VM directory contains IUCV entries or the MAXCONN OPTION for the database resources, these entries should be removed, as well as access to the 195 production disk.
Remove Access from VSE guests.

If SMITH accessed a DB2 Server for VM application server from a VSE guest, and used the CICS system, you should remove the transaction IDs used by SMITH in the CICS system. For more information on transaction IDs, see the DB2 Server for VM System Administration manual.

[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]