 |
|
| SAS/ACCESS Interface to DB2 Under z/OS |
Understanding DB2 Under z/OS Client/Server Authorization
| Libref Connections |
When you use SAS/ACCESS Interface to DB2 under z/OS, you can enable each client to control its own connections using its own authority (instead of sharing connections with other clients) by using the DB2 Recoverable Resource Manager Services Attachment Facility (RRSAF). See DB2 Attachment Facilities (CAF and RRSAF) for information about this facility.
When you use SAS/ACCESS Interface to DB2 under z/OS with RRSAF, the authorization mechanism works differently than it does in Base SAS:
-
In Base SAS, the SAS server always validates the client's authority before allowing the client to access a resource.
-
In SAS/ACCESS Interface to DB2 under z/OS (with RRSAF), DB2 checks the authorization identifier that is carried by the connection from the SAS server. In most situations, this is the client's authorization identifier. In one situation, however, this is the SAS server's authorization identifier. A client can access a resource by using the server's authorization identifier only if the client uses a libref that was predefined in the server session.
In this next example, a user assigns the libref SRVPRELIB in the SRV1 server session. In the client session, a user then issues a LIBNAME statement that makes a logical assignment using the libref MYPRELIB, and the user specifies the LIBNAME option SERVER=srv1. The client can then access resources by using the server's authority for the connection.
-
libname srvprelib db2 ssid=db25; proc server id=srv1; run;
-
libname myprelib server=srv1 slibref=srvprelib; proc print data=myprelib.db2table; run;
In this example, because the client specifies a regular libref, MYDBLIB, the client has its own authority for the connections.
-
libname myprelib db2 ssid=db25; proc server id=srv1; run;
-
libname mydblib server=srv1 roptions='ssid=db25' rengine=db2; proc print data=mydblib.db2table; run;
In this table, SAS/SHARE clients use LIBNAME statements to access SAS libraries and DB2 data through the server. In this description, a logical LIBNAME statement is a statement that associates a libref with another libref that was previously assigned.
| Client Session | |
| libname local v8 'SAS.data.library' disp=old; | These statements execute in the client session. these are local assignments. The authority ID is the ID of the client. |
|
libname remote 'SAS.data.library' server=serv1 rengine=v8
roptions='disp=old';
libname dbremote server=serv1 rengine=db2 roptions='connection=unique'; |
These statements execute in the server session on behalf of the client. Libref Remote is a Base SAS engine remote assignment. Libref DbRemote is a DB2 engine remote assignment. In both cases, the authority ID is the ID of the client. |
| Server Session (id=serv1) | |
| libname predef v8 'SAS.data.library' disp=old; | Because librefs PreDef and DbPreDef are defined in the server session, they can be referenced only by a client using a logical LIBNAME statement. There is no authority ID because clients cannot access these librefs directly. |
| Logical Assignments - Client Session | |
| libname alias (local); | These statements create aliases ALIAS and DBALIAS for librefs Local and DbLocal, which were assigned in the client session above. The authority ID is the ID of the client. |
| libname logic server=serv1 slibref=predef; |
These statements refer to librefs PreDef and DbPreDef,
which were assigned in the server session above.
Libref Logic is a Base SAS engine logical assignment of remote libref PreDef. The authority ID for libref Logic is the ID of the client. Libref DbLogic is a DB2 engine logical assignment of remote libref DbPreDef. The authority ID for libref DbLogic is the ID of the server. |
For the Base SAS engine Remote and Logic librefs, the authority that is verified is the client's. (This is true for all Base SAS engine assignments.) Although the DB2 engine librefs DbRemote and DbLogic refer to the same resources, the authority verified for DbRemote is that of the client, whereas the authority verified for DbLogic is that of the server. When using SAS/ACCESS Interface to DB2 under z/OS, you can determine whose authority (client or server) is used to access DB2 data.
| Non-Libref Connections |
When you make connections using the SQL pass-through facility or view descriptors, the connections to the database are not based on a DB2 engine libref. A connection that is created in the server, by using these features from a client, always has the authority of the client, because there is no server-established connection to reference.
This example uses the SAS/SHARE Remote SQL pass-through facility. The client has its own authority for the connections.
-
proc server id=srv1; run;
-
proc sql; connect to remote (server=srv1 dbms=db2 dbmsarg=(ssid=db25)); select * from connection to remote (select * from db2table); disconnect from remote; quit;
This example uses a previously created view descriptor. The client has its own authority for the connections. The PreLib libref PreLib that was previously assigned and the client-assigned libref MyLib have no relevant difference. These are Base SAS engine librefs and not DB2 engine librefs.
-
libname prelib V8 'SAS.data.library'; proc server id=srv1; run;
-
libname prelib server=srv1; proc print data=prelib.accview; run;
-
libname mylib 'SAS.data.library2' server=srv1 rengine=v8; proc print data=mylib.accview; run;
| Known Issues with RRSAF Support |
SAS/SHARE can use various communication access methods to communicate with clients. You can specify these through the COMAMID and COMAUX1 system options.
When you use XMS (Cross Memory Services) as an access method, DB2 also uses XMS in the same address space. Predefining DB2 server librefs before starting PROC SERVER can result in errors due to the loss of the XMS Authorization Index, because both SAS and DB2 are acquiring and releasing it. When using XMS as an access method, use only client-assigned librefs on the server.
This problem does not occur when you use the TCPIP access method. So if you use TCPIP instead of XMS, you can use both client-assigned (client authority) and server-preassigned (server authority) librefs. You can also use either access method if your connection is not based on a libref (client authority).
|
|
Copyright © 2010 by SAS Institute Inc., Cary, NC, USA. All rights reserved.