
Granting table privileges to the JCA authentication alias user ID

If the schema name you are using is not the same as the JCA authentication alias user ID, you must grant a subset of DB2 for z/OS privileges to the JCA authentication alias user ID.

The database scripts for the service integration bus (SIB) contain commented GRANT commands that you can use as a basis for granting access to the SIB tables. However, the other IBM BPM components do not supply GRANT statements.

Use a schema name that is different from the JCA authentication alias to prevent the alias user ID from having the authority to drop tables. (The authority to drop tables is implicitly granted to the creator, that is, the schema.) For the same reason, it does not make sense to grant a privilege like DBADM to the JCA authentication alias user ID, because DBADM also has the ability to drop tables.

If you want IBM BPM to function while not allowing the alias user ID to have DROP capability, create some GRANT statements by copying the database scripts and editing them to construct GRANT commands from the CREATE commands. You can create GRANT commands like the one shown in the following example:

GRANT ALL PRIVILEGES ON TABLE cell.tablename TO userid/sqlid

where userid/sqlid is the JCA authentication alias user ID.

Typically, the creator of a database object has implicit use of that object without requiring additional GRANT permissions. However, for DB2 for z/OS Version 10, additional GRANT permissions might be required for views because access to views is not implicitly granted to the creator.
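One way to construct the GRANT commands from the CREATE commands in a copied script, as an added example that is not part of the IBM BPM scripts or documentation. The schema BPMSCH, the alias user ID BPMUSER, the object names and the function names are constructed for illustration; views are included because of the Version 10 behavior described above.

```python
import re

# Unquoted or double-quoted SQL identifier.
ID = r'(?:"[^"]+"|[A-Za-z_@#$][\w@#$]*)'
# CREATE TABLE / CREATE VIEW with an optional schema qualifier.
# "TABLE\s+" keeps CREATE TABLESPACE from matching; CREATE INDEX is ignored.
CREATE_RE = re.compile(
    rf'\bCREATE\s+(?:TABLE|VIEW)\s+(?:({ID})\s*\.\s*)?({ID})', re.IGNORECASE)

def strip_comments(ddl):
    """Drop -- comments so commented-out statements are not picked up."""
    return "\n".join(line.split("--", 1)[0] for line in ddl.splitlines())

def grants_from_ddl(ddl, schema, grantee):
    """Return one GRANT per table or view that the DDL text creates."""
    grants, seen = [], set()
    for qualifier, name in CREATE_RE.findall(strip_comments(ddl)):
        # Assumption: unqualified names resolve to the schema passed in.
        full = f"{qualifier or schema}.{name}"
        if full.upper() not in seen:
            seen.add(full.upper())
            # DB2 uses GRANT ... ON TABLE for views as well as tables.
            grants.append(
                f"GRANT ALL PRIVILEGES ON TABLE {full} TO {grantee};")
    return grants

# Constructed sample input; not taken from the IBM BPM database scripts.
SAMPLE_DDL = """\
CREATE TABLE BPMSCH.EXAMPLE_TASK (ID INTEGER NOT NULL);
CREATE TABLE EXAMPLE_USER (ID INTEGER NOT NULL);
-- CREATE TABLE BPMSCH.RETIRED (ID INTEGER);
CREATE VIEW BPMSCH.EXAMPLE_TASK_V AS SELECT ID FROM BPMSCH.EXAMPLE_TASK;
CREATE INDEX BPMSCH.EXAMPLE_IX ON BPMSCH.EXAMPLE_TASK (ID);
"""

if __name__ == "__main__":
    # BPMSCH (schema) and BPMUSER (alias user ID) are hypothetical names.
    for stmt in grants_from_ddl(SAMPLE_DDL, "BPMSCH", "BPMUSER"):
        print(stmt)
```

Review the generated statements before running them, and compare the object count against the catalog so that no table or view the alias user ID needs is left without a grant.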
