BIND Authorisations for program promotion

Michael Ebert

BIND Authorisations for program promotion
Hi List,

there's a group here that is trying to replace an existing program
promotion process with a new version. I want to use this to optimize the
existing authorisations given to the userid doing the promotions.
Currently this userid is connected to RACF groups named after schemas,
which gives object ownership to the userid - far too many privileges of
course. However, I'm confused as to all the different authorisations
around the BIND process and their interaction.

The binder userid has to be able to run this command to create new
packages (they should be able to rebind, free and replace existing
packages as well):

BIND PACKAGE(pppp) OWNER(xxxx) QUALIFIER(xxxx) ....

with various values of pppp (collection name) and xxxx (owner/qualifier).
Normally a given value of xxxx has one and sometimes two pppp values: one
online (transactional) and one batch collection.
The value of ZPARM BINDNV is BINDADD.

I think the binder ID would need BINDAGENT from xxxx as well as BINDADD
and PACKADM on pppp.

Would this be a good way to give the required privileges, is there
something that they can't do, is it too much, is there a different/easier
way...? What if they needed to run the command as BIND PACKAGE(pppp)
OWNER(xxxx) QUALIFIER(yyyy) (different owner & qualifier)? Being a SYSADM,
I don't normally have to know that sort of thing so any help is
appreciated.

Dr. Michael Ebert
DB2 & Oracle Database Administrator
aMaDEUS Data Processing
Erding / Munich, Germany

---------------------------------------------------------------------------------
Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select "Join or Leave the list". The IDUG DB2-L FAQ is at http://www.idugdb2-l.org. The IDUG List Admins can be reached at [login to unmask email] Find out the latest on IDUG conferences at http://conferences.idug.org/index.cfm