Change type | Description |
---|---|
Introduced in version 6.0 | Added an option to grant specific access when creating a user profile. |
As a best practice, it is recommended that you:
- Replication user profile OMNIENT is created during installation with:
- USRCLS(*SECOFR)
- SPCAUT(*ALLOBJ *AUDIT *IOSYSCFG *JOBCTL *SAVSYS *SECADM *SERVICE *SPLCTL)
- Use the replication user as is to set up your models, validate and commit, and then test.
- Once everything runs as expected:
- Use the Update replication user server authority option to grant specific access.This will grant specific authorities on all objects involved in model definition
- Install library and objects
- Metabase library and contents
- Data libraries (Schemas) and files (Tables)
- Journals underlaying Change Selectors
- If you want to lower your user access, run this command:
CHGUSRPRF USRPRF(OMNIENT) USRCLS(*USER) SPCAUT(*JOBCTL *SPLCTL)
- Run production with restrained authorities
- Use the Update replication user server authority option to grant specific access.
-
Conversely, if your user access is already lowered, and you want to increase authorization, issue this command:
CHGUSRPRF USRPRF(OMNIENT) USRCLS(*SECOFR) SPCAUT(*ALLOBJ *AUDIT *IOSYSCFG *JOBCTL *SAVSYS *SECADM *SERVICE *SPLCTL)
You will only access permissions that are required for the job you are running. The Update replication user server authority option is only available for IBM i. Granted permissions are cumulative so using this feature for several models grants permissions to profiles but never remove previous ones.
Important: For security reasons, removing permissions must be done manually.
This manual operation performed by the power user makes sure all profiles are fitting security policy of the company. The power user can grant all necessary permission for Connect CDC execution on every objects:
- Install library
- metabase library
- libraries and tables define in the model to allow the use for CDC
- Right-click the server to open the menu.
- Select Update replication user server authority.
- Enter User id and password to grant permissions to the OMNIENT user profile. For example, QSECOFR.
- Click OK.
- (Optional). Add additional users to a specific profile. For example, RPUSER1, RPUSER2.
- Click OK.Note: Each time the Update replication user server authority option is used, OMNIENT and RPUSER are always granted.