z/OS Capture and Publisher processes can operate as standalone batch Jobs or under a Started Task. Once the decision has been made as to which configuration will be employed, a User-ID and/or Name of the Started Task must be assigned. RACF must then be used to grant access to the OMVS zFS file system.
JCL similar to the sample member RACFZFS included in the distribution can be edited to fit the operating environment and then used to grant the appropriate authorizations:
//RACFZFS JOB 1,MSGLEVEL=(1,1),MSGCLASS=H,NOTIFY=&SYSUID
//*
//*--------------------------------------------------------------------
//* Sample RACF Commands to Setup zFS Authorization
//*--------------------------------------------------------------------
//* Note: 1) The Task/User Names are provided as an example and
//* must be changed to fit your environment
//*
//* Started Tasks included:
//* SQDAMAST - z/OS Master Controller
//* SQDDB2C - DB2 z/OS Capture Agent
//* SQDZLOGC - IMS/VSAM LogStream Publisher
//* SQDAEMON - z/OS Listener Daemon
//* <admin_user> - Administrative User
//*
//* 2) MMAPAREAMAX Parm required only for DB2 CDCStore Capture
//*
//* 3) The FSACCESS step may be needed if the RACF FSACCESS
//* class is active. See comments in the step.
//*
//*--------------------------------------------------------------------
//*
//RACFZFS EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSUADS DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN DD *
ADDUSER SQDAMAST DFLTGRP(<stc_group>) OWNER(<owner_name>)
ALTUSER SQDAMAST NOPASSWORD NOOIDCARD
ALTUSER SQDAMAST NAME('STASK, SQDATA')
ALTUSER SQDAMAST DATA('FOR SQDATA CONTACT:<sqdata_contact_name>')
ALTUSER SQDAMAST WORKATTR(WAACCNT('**NOUID**'))
CONNECT SQDAMAST GROUP(<stc_group>) OWNER(<owner_name>)
PERMIT 'SQDATA.*' ID(SQDAMAST) ACCESS(READ) GEN
ADDUSER SQDDB2C DFLTGRP(<stc_group>) OWNER(<owner_name>)
ALTUSER SQDDB2C NOPASSWORD NOOIDCARD
ALTUSER SQDDB2C NAME('STASK, SQDATA')
ALTUSER SQDDB2C DATA('FOR SQDATA CONTACT:<sqdata_contact_name>')
ALTUSER SQDDB2C WORKATTR(WAACCNT('**NOUID**'))
CONNECT SQDDB2C GROUP(<stc_group>) OWNER(<owner_name>)
ALTUSER SQDDB2C OMVS(PROGRAM('/bin/sh'))
ALTUSER SQDDB2C OMVS(MMAPAREAMAX(262144))
PERMIT 'SQDATA.*' ID(SQDDB2C) ACCESS(READ) GEN
ADDUSER SQDZLOGC DFLTGRP(<stc_group>) OWNER(<owner_name>)
ALTUSER SQDZLOGC NOPASSWORD NOOIDCARD
ALTUSER SQDZLOGC NAME('STASK, SQDATA')
ALTUSER SQDZLOGC DATA('FOR SQDATA CONTACT:<sqdata_contact_name>')
ALTUSER SQDZLOGC WORKATTR(WAACCNT('**NOUID**'))
CONNECT SQDZLOGC GROUP(<stc_group>) OWNER(<owner_name>)
ALTUSER SQDZLOGC OMVS(PROGRAM('/bin/sh'))
PERMIT 'SQDATA.*' ID(SQDZLOGC) ACCESS(READ) GEN
ADDUSER SQDAEMON DFLTGRP(<stc_group>) OWNER(<owner_name>)
ALTUSER SQDAEMON NOPASSWORD NOOIDCARD
ALTUSER SQDAEMON NAME('STASK, SQDATA')
ALTUSER SQDAEMON DATA('FOR SQDATA CONTACT:<sqdata_contact_name>')
ALTUSER SQDAEMON WORKATTR(WAACCNT('**NOUID**'))
CONNECT SQDAEMON GROUP(<stc_group>) OWNER(<owner_name>)
ALTUSER SQDAEMON OMVS(PROGRAM('/bin/sh'))
PERMIT 'SQDATA.*' ID(SQDAEMON) ACCESS(READ) GEN
ADDUSER <admin_user> DFLTGRP(<stc_group>) OWNER(<owner_name>)
ALTUSER <admin_user> NOPASSWORD NOOIDCARD
ALTUSER <admin_user> NAME('STASK, SQDATA')
ALTUSER <admin_user> DATA('FOR SQDATA CONTACT:<contact_name>')
ALTUSER <admin_user> WORKATTR(WAACCNT('**NOUID**'))
CONNECT <admin_user> GROUP(<stc_group>) OWNER(<owner_name>)
ALTUSER <admin_user> OMVS(PROGRAM('/bin/sh'))
ALTUSER <admin_user> OMVS(MMAPAREAMAX(262144))
PERMIT 'SQDATA.*' ID(<admin_user>) ACCESS(READ) GEN
SETROPTS GENERIC (DATASET ) REFRESH
/*
//
//*--------------------------------------------------------------------
//* SETUP R/W ACCESS TO THE SQDATA ZFS FILE SYSTEM
//*
//* If the FSACCESS RACF class is not active, do not run this step.
//*
//* The FSACCESS class provides coarse-grained control to z/OS USS
//* file systems at the file system name level. It is inactive by
//* default and is not always used.
//*
//* If your RACF administrator has activated this class, and if any
//* protected file system will be accessed by a capture, publisher,
//* daemon, admin user, or other user or task, then you will need to
//* grant access to the relevant profile(s). Check with your RACF
//* administrator to determine if this is required.
//*
//* The example below shows the RACF commands to define a new profile
//* in the FSACCESS class for the DB2 CDCStore file system and grant
//* UPDATE permission to the users that will access it.
//*--------------------------------------------------------------------
//FSACCESS EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSUADS DD DISP=SHR,DSN=SYS1.UADS
//SYSLBC DD DISP=SHR,DSN=SYS1.BRODCAST
//SYSTSIN DD *
SETROPTS GENERIC(FSACCESS)
RDEFINE FSACCESS SQDATA.** UACC(NONE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(SQDAMAST) ACCESS(UPDATE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(SQDDB2C) ACCESS(UPDATE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(SQDZLOGC) ACCESS(UPDATE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(SQDAEMON) ACCESS(UPDATE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(<admin_user>) ACCESS(UPDATE)
SETROPTS RACLIST(FSACCESS) REFRESH
/*
//
Note:
- The RACFZFS sample JCL includes users SQDDB2C and SQDZLOGC. These sections are only required when using the Db2 CDCSTORE Capture or the IMS/VSAM CDCzLog Publisher agents respectively.
- The Db2/z Log Reader Capture avoids "landing" captured data by using memory mapped storage. Although storage is not allocated until memory mapping is active, it is important to use RACF to specify a value for MMAPAREAMAX that will accommodate the data space pages allocated for memory mapping of the z/OS UNIX (OMVS) files. Precisely recommends using a value of 262144 (256MB) because the default of 4096 (16MB) will likely cause the capture to fail as workload increases. The RACF ALTUSER commands in the sample RACFZFS JCL above set the MMAPAREAMAX limit; it can also be set with ADDUSER. You can read more about the MMAPAREAMAX process limit and its relationship to the MAXMMAPAREA system limit here: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.bpxb200/maxmm.htm.
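The following job is an added example, not part of the RACFZFS sample or the distribution. It runs read-only RACF list commands to confirm what RACFZFS set up: the OMVS segment values (including MMAPAREAMAX), the PROTECTED attribute that results from NOPASSWORD NOOIDCARD, and the access lists on the SQDATA profiles. The job name RACFCHK and step name VERIFY are assumed names, and the submitting user is assumed to have authority to list these profiles.

```jcl
//RACFCHK JOB 1,MSGLEVEL=(1,1),MSGCLASS=H,NOTIFY=&SYSUID
//*--------------------------------------------------------------------
//* Added example: read-only verification of the RACFZFS setup.
//* RACFCHK and VERIFY are assumed names. Replace <admin_user> with
//* the same value used in RACFZFS, and drop any user that was not
//* defined at your site.
//*
//* What to look for in SYSTSPRT:
//*  LISTUSER ... OMVS NORACF
//*    - PROGRAM= /bin/sh for every user given an OMVS segment
//*    - MMAPAREAMAX= 262144 for SQDDB2C and <admin_user>
//*  LISTUSER SQDAMAST
//*    - ATTRIBUTES=PROTECTED (no password, no OIDCARD), so the
//*      ID cannot be used for an interactive logon
//*  LISTDSD ... AUTHUSER
//*    - only the expected IDs on the access list, each with READ
//*  SETROPTS LIST
//*    - whether FSACCESS appears under ACTIVE CLASSES; if it does
//*      not, the FSACCESS step of RACFZFS is not needed
//*  RLIST FSACCESS ... AUTHUSER
//*    - UACC of NONE and UPDATE only for the expected IDs
//*      (applies only where the FSACCESS step was run)
//*--------------------------------------------------------------------
//VERIFY EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
 LISTUSER SQDDB2C OMVS NORACF
 LISTUSER SQDZLOGC OMVS NORACF
 LISTUSER SQDAEMON OMVS NORACF
 LISTUSER <admin_user> OMVS NORACF
 LISTUSER SQDAMAST
 LISTDSD DATASET('SQDATA.*') GENERIC AUTHUSER
 SETROPTS LIST
 RLIST FSACCESS SQDATA.** AUTHUSER
/*
//
```

An access list that contains IDs other than the ones RACFZFS permits, or a UACC above NONE on the FSACCESS profile, means the profile grants more than the sample intends and should be reviewed with the RACF administrator.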