
Replication Guide and Reference


Security and Authorization Requirements

Security for IBM Replication is a matter of database security. The entire system is table driven, and therefore security of all IBM Replication objects involves database security mechanisms.

Each database has an administrator, who requires sufficient privileges to define replication sources and targets. Additionally, the Apply program uses a qualifier that must be coordinated, but the same user ID can be used to run multiple Apply program instances.

Authorization Requirements for Administration

When you first define replication sources and subscriptions, many tables are created. Depending on the platform, table spaces or dbspaces might also be created. All of these actions require a fairly high level of database privilege, so plan on having at least one user ID that acts as the replication administrator and has the authority to create objects and bind plans on each of the replication databases.

The administrator user ID must be a valid logon ID at both the workstation where the Control Center is installed and the source and target sites. The administrator user ID can be used as the user ID running the Capture program or the Apply program, but this is not a requirement.

Authorization Requirements for the Capture Program

The user ID that runs the Capture program must be able to access the system catalog tables, be able to access and update all IBM Replication control tables that are built at the source database, subsystem, or data sharing group, and have execute privileges on the Capture program plan.

The Capture for MVS load library must be APF authorized.

To run the Capture program, you need the following privileges:

Authorization Requirements for the Apply Program

The Apply program user ID must be a valid logon ID on the source, control, and target servers, and the workstation where the Control Center is installed. The user ID that runs the Apply program must be able to access the replication source tables; access and update all IBM Replication control tables that are built at the source and target database, subsystem, or data sharing group; and update the replication target tables. This user ID must also have execute privileges on the Apply program plan. With the proper authorization, any user ID can run any Apply program instance. The restriction of one user ID per Apply program instance for DPROPR V1 has been removed. On DB2 for MVS, the Apply for MVS load library must be APF authorized.

For DB2 for MVS, you need to have SYSADM, DBADM, or CREATETAB and CREATETS privileges at the source, control, and target server.

For DB2 Universal Database, you must have DBADM, CONTROL, or SELECT authority that meets all requirements for defining a replication source.

An Apply program running on DB2 Universal Database might require a password file to connect to the source or target server. For an explanation of configuring security when the Apply program is running on DB2 Universal Database, see the Capture and Apply chapter in this book for your platform.
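The following catalog queries are an added example, not part of the IBM guide: they show one way to check, on DB2 Universal Database, which of the authorities described above the Apply program user ID actually holds, and whether the control tables are writable by PUBLIC. The user ID APPLYUSR, the source table SALES.ORDERS, and the control-table schema ASN are assumptions; substitute the names used at your site.

```sql
-- Added example (assumed names: APPLYUSR, SALES.ORDERS, schema ASN).
-- Run while connected to the source, control, or target database.

-- 1. Database-level authority. DBADMAUTH = 'Y' covers every table-level
--    requirement; rows for PUBLIC show what every user ID inherits.
SELECT GRANTEE, GRANTEETYPE, DBADMAUTH, CREATETABAUTH, BINDADDAUTH, CONNECTAUTH
  FROM SYSCAT.DBAUTH
 WHERE GRANTEE IN ('APPLYUSR', 'PUBLIC');

-- 2. Table-level privileges on the replication source table and on the
--    control tables. 'Y' = held, 'G' = held and grantable, 'N' = not held
--    (CONTROLAUTH is 'Y' or 'N' only).
--    Privileges held through a group appear under the group name with
--    GRANTEETYPE = 'G'; add those group names to the IN list.
SELECT GRANTEE, GRANTEETYPE, TABSCHEMA, TABNAME,
       CONTROLAUTH, SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH
  FROM SYSCAT.TABAUTH
 WHERE GRANTEE IN ('APPLYUSR', 'PUBLIC')
   AND (   (TABSCHEMA = 'SALES' AND TABNAME = 'ORDERS')
        OR  TABSCHEMA = 'ASN')
 ORDER BY TABSCHEMA, TABNAME, GRANTEE;

-- 3. Control tables that any user ID can modify. Because replication is
--    table driven, write access here is write access to the replication
--    configuration itself; this query should return no rows.
SELECT TABSCHEMA, TABNAME, INSERTAUTH, UPDATEAUTH, DELETEAUTH
  FROM SYSCAT.TABAUTH
 WHERE GRANTEE = 'PUBLIC'
   AND TABSCHEMA = 'ASN'
   AND (INSERTAUTH <> 'N' OR UPDATEAUTH <> 'N' OR DELETEAUTH <> 'N');

-- 4. Execute privilege on packages, for the "execute privileges on the
--    Apply program plan" requirement. Package names are site specific,
--    so this lists everything the user ID may execute.
SELECT GRANTEE, PKGSCHEMA, PKGNAME, EXECUTEAUTH
  FROM SYSCAT.PACKAGEAUTH
 WHERE GRANTEE IN ('APPLYUSR', 'PUBLIC')
   AND EXECUTEAUTH <> 'N'
 ORDER BY PKGSCHEMA, PKGNAME;
```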

