Prepare Database Users and Privileges for Db2 for i

User Profiles and Security Privileges

The user who installs Oracle GoldenGate must have read and write privileges on the Oracle GoldenGate installation directory, as these privileges will be required later to perform steps to create sub-folders and run specific programs.

The objects in the Oracle GoldenGate library (specified with GGSCHEMA) should have their ownership changed to the dedicated user profile or group profile for Oracle GoldenGate.

Dedicated User Profile Account

It is recommended that the Oracle GoldenGate processes on a Db2 for i database be assigned a dedicated user or group profile that is used by all Oracle GoldenGate processes. This user profile should not be used by any other applications.

The dedicated user profile should be granted permission only to the objects that Oracle GoldenGate will be operating on. If there is specific change data that is not to be accessed by Oracle GoldenGate processes, then such change data should not be included in the journals that are accessed by Oracle GoldenGate and its dedicated user profile. All Oracle GoldenGate processes must have read, write, and delete object privileges within the Oracle GoldenGate installation library, as specified by GGSCHEMA.

Security Privileges on a Db2 for i System

The Extract and Replicat user profiles need to be assigned the following authorities at a minimum:
  • The simplest way to ensure Oracle GoldenGate will be able to operate is to assign *ALLOBJ authority to the Oracle GoldenGate user profile(s); however, this is not necessary.

  • The Manager process must have privileges to control all other Oracle GoldenGate processes (Db2 for i *JOBCTL authority).

  • The Oracle GoldenGate user profile(s) need at least the *USE authority to the *FILE objects in the QSYS2 library, which contains the SQL catalog (which by default should be accessible to any user).

  • Assign at least the *USE authority (*OBJOPR, *READ, *EXECUTE) to all the *FILE (table) and *JRNRCV (journal receiver) objects on the system that are accessed by the Extract user profile.

  • Assign the following authorities to the *JRN (journal) objects that are accessed by the Extract user profile, in addition to the *USE authority (*OBJOPR, *READ, *EXECUTE): *OBJEXIST, *OBJREF, and *ADD.

  • Assign the *CHANGE authority to all the *FILE objects on the system that are accessed by the Replicat user profile.

The Oracle GoldenGate user profile that runs the Extract process needs to have the *USE authority on the QSYS/QPMLPMGT service program.

These authorities must be granted through the native Db2 for i interface through a 5250 terminal session or through the Db2 for i Navigator product available from IBM.
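
The authorities listed above, written out as CL commands for a 5250 session, without resorting to *ALLOBJ. This is an added example, not a script from Oracle or IBM; the profile GGUSER, the libraries APPLIB and TGTLIB, and the journal APPJRN are hypothetical names to be replaced with the site's own.

```cl
/* Added example: least-privilege grants for a GoldenGate profile.    */
/* GGUSER, APPLIB, APPJRN and TGTLIB are hypothetical names.          */
PGM

/* Manager: job control only. SPCAUT sets the whole list, so this     */
/* also drops *ALLOBJ if it had been assigned for convenience.        */
CHGUSRPRF  USRPRF(GGUSER) SPCAUT(*JOBCTL)

/* SQL catalog files in QSYS2 (by default already accessible).        */
GRTOBJAUT  OBJ(QSYS2/*ALL) OBJTYPE(*FILE) USER(GGUSER) AUT(*USE)

/* Extract: read-only on source tables and journal receivers.         */
GRTOBJAUT  OBJ(APPLIB/*ALL) OBJTYPE(*FILE)   USER(GGUSER) AUT(*USE)
GRTOBJAUT  OBJ(APPLIB/*ALL) OBJTYPE(*JRNRCV) USER(GGUSER) AUT(*USE)

/* Extract: the journal needs *USE plus *OBJEXIST, *OBJREF and *ADD.  */
/* *USE is a single value and cannot be combined with individual      */
/* authorities, so its components are spelled out.                    */
GRTOBJAUT  OBJ(APPLIB/APPJRN) OBJTYPE(*JRN) USER(GGUSER) +
             AUT(*OBJOPR *READ *EXECUTE *OBJEXIST *OBJREF *ADD)

/* Extract: service program QSYS/QPMLPMGT.                            */
GRTOBJAUT  OBJ(QSYS/QPMLPMGT) OBJTYPE(*SRVPGM) USER(GGUSER) AUT(*USE)

/* Replicat: *CHANGE on the target tables.                            */
GRTOBJAUT  OBJ(TGTLIB/*ALL) OBJTYPE(*FILE) USER(GGUSER) AUT(*CHANGE)

ENDPGM
```

DSPUSRPRF and DSPOBJAUT show the resulting special and object authorities, which makes it easy to confirm that the profile holds nothing beyond this list.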