Defining the HFM2PARM member

If auditing is to be controlled from parmlib (the user has READ access to FILEM.PARMLIB.DB2; see SAF-controlled auditing for Z Data Tools Db2 component), then member HFM2PARM must be defined in SYS1.PARMLIB (or any other library in the logical parmlib concatenation) as follows.

Default parmlib member HFM2PARM is provided in the SHFMSAM1 library. Copy this member to the appropriate system parmlib library. See below for details of methods that can be used to make this change.

Note: The sample HFM2PARM member supplied in SHFMSAM1 also includes a FMSECRTY statement. This option is not used in ZDT/Db2 and can be either omitted or commented out. It has no effect.

There are two methods that can be used to include the HFM2PARM member in a library in the logical parmlib concatenation. The choice of method depends on whether the installation's security software is configured to allow ZDT/Db2 users READ access to data set SYS1.PARMLIB.

Method 1 can only be used when ZDT/Db2 users have read access to all libraries in the logical parmlib concatenation.

Method 2 can be used regardless of whether ZDT/Db2 users have READ access to the libraries in the logical parmlib concatenation.

Method 2 must be used when ZDT/Db2 users do not have READ access to one or more libraries in the logical parmlib concatenation.

Method 1
Place the HFM2PARM member in any library in the current logical parmlib concatenation. No IPL or other action is required to activate the new member (unless a new library was added to the logical parmlib concatenation).
Note: HFM2POPT controlled auditing cannot be used in any situation where ZDT/Db2 users do not have READ access to all of the libraries in the logical parmlib concatenation.
For example, when:
  • There are six libraries in the logical parmlib concatenation, for simplicity: libraries A, B, C, D, E and F.
  • ZDT/Db2 users have read access to five of these libraries: A, B, D, E, F.
  • Library C may be SYS1.PARMLIB, or any other library in the logical parmlib concatenation.

This will not work: the attempt by a ZDT/Db2 user to access the logical parmlib concatenation will fail with a security-related (913) abend.

Method 2
This method must be used when ZDT/Db2 users do not have READ access to all of the libraries in the logical parmlib concatenation.
  1. Create a new library with data set attributes similar to SYS1.PARMLIB.
    The library name for this data set must include the string "HFMPARM" in one of the qualifiers. You can choose any data set name that meets this requirement. Examples of suitable data set names are:
    • SYS1.PARMLIB.HFMPARM
    • SYS8.HFMPARM.PARMLIB
    • HFMPARM.SYS8.PARMLIB
    • SYS2.HFMPARMS.LIB
    • SYS8.XHFMPARM.PARMLIB
  2. Add member HFM2PARM to the new library, specifying the appropriate FMAUDIT parameter.
  3. Add the new library to the logical parmlib concatenation. This can be done dynamically or via a system IPL.
Note: When Method 2 is used, the HFM2PARM member must be located in the library created in step 1. If the HFM2PARM member specifies any include statements (see Facilities for customizing the HFM2PARM definitions), all of the included members must also reside in the same library.
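
The following planning check is an added example, not IBM-supplied code. It applies the Method 1 and Method 2 rules above and validates a candidate Method 2 library name against the "HFMPARM" qualifier requirement and the standard z/OS data set naming rules. The function names are assumptions, and the library names in the demonstration are constructed or taken from the examples above.

```python
import re

# Standard z/OS data set naming rules: qualifiers of 1-8 characters separated
# by periods, first character alphabetic or national (#, @, $), remaining
# characters alphanumeric, national or hyphen, at most 44 characters in total.
QUALIFIER = re.compile(r"[A-Z#@$][A-Z0-9#@$-]{0,7}")
REQUIRED = "HFMPARM"  # string that must appear in one of the qualifiers


def check_method2_dsname(dsname):
    """Return a list of problems; an empty list means the name is usable."""
    problems = []
    name = dsname.upper()
    qualifiers = name.split(".")
    if len(name) > 44:
        problems.append("name longer than 44 characters")
    for q in qualifiers:
        if not QUALIFIER.fullmatch(q):
            problems.append(f"invalid qualifier {q!r}")
    # The string has to sit inside a single qualifier, so with the 8-character
    # limit a qualifier can carry at most one extra character around it.
    if not any(REQUIRED in q for q in qualifiers):
        problems.append(f"no qualifier contains {REQUIRED}")
    return problems


def choose_method(concatenation, readable):
    """Method 1 needs READ access to every library in the concatenation."""
    blocked = [lib for lib in concatenation if lib not in readable]
    return ("Method 2", blocked) if blocked else ("Method 1 or Method 2", blocked)


if __name__ == "__main__":
    # Libraries A-F with no READ access to C, as in the Method 1 example.
    print(choose_method(list("ABCDEF"), set("ABDEF")))
    # The last two names are constructed to show the failure cases.
    for candidate in ("SYS8.XHFMPARM.PARMLIB", "SYS1.HFM.PARM.LIB",
                      "SYS1.PARMLIB.XHFMPARMS"):
        print(candidate, check_method2_dsname(candidate) or "OK")
```
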

You use the HFM2PARM member to define the following:

See ZDT/Db2 options specified in HFM2PARM for more information.