Controlling auditing of Z Data Tools functions

You can use SAF to control whether Z Data Tools writes audit log records for functions that access resources. "Z Data Tools function codes that can be audited using SAF" lists the function codes that can be logged.

Example 1

  • Enable audit logging of all modifications to data set HFM.TEST.DATA using the Z Data Tools Edit function for all users except TSO logonid MAINT1.

You could write the following RACF® rules:

RDEL XFACILIT FILEM.AUDIT.DSE.UPDATE.HFM.TEST.DATA                              /* 1 */
RDEF XFACILIT FILEM.AUDIT.DSE.UPDATE.HFM.TEST.DATA OWNER(XXXXXXXX) UACC(READ)   /* 2 */
PE FILEM.AUDIT.DSE.UPDATE.HFM.TEST.DATA CLASS(XFACILIT) ID(MAINT1) ACC(NONE)    /* 3 */
Explanation:
  1. Delete any existing XFACILIT rule.
  2. Define the XFACILIT rule to log all modifications to data set HFM.TEST.DATA using the Z Data Tools Edit function (DSE). UACC(READ) allows all TSO user IDs to write audit log records (in the absence of any overriding, more specific rule).
  3. A specific rule for logonid MAINT1 to prevent audit log records being written.

Example 2

  • Enable audit logging of all records which are read or modified for data set HFM.TEST.DATA using the Z Data Tools Edit function for user SERVIC1.

You could write the following RACF® rules:

RDEL XFACILIT FILEM.AUDIT.DSE.ALL.HFM.TEST.DATA                              /* 1 */
RDEF XFACILIT FILEM.AUDIT.DSE.ALL.HFM.TEST.DATA OWNER(XXXXXXXX) UACC(NONE)   /* 2 */
PE FILEM.AUDIT.DSE.ALL.HFM.TEST.DATA CLASS(XFACILIT) ID(SERVIC1) ACC(READ)   /* 3 */
Explanation:
  1. Delete any existing XFACILIT rule.
  2. Define the XFACILIT rule to log all records which are read or modified for data set HFM.TEST.DATA using the Z Data Tools Edit function (DSE). UACC(NONE) specifies that no TSO user IDs write audit log records (in the absence of any overriding, more specific rule).
  3. A specific rule for logonid SERVIC1 to write audit log records.

Example 3

  • Enable audit logging of functional information for member MEM1 in library HFM.TEST.DATA.PDS using the Z Data Tools Print utility for all users.

You could write the following RACF® rules:

RDEL XFACILIT FILEM.AUDIT.DSP.FUNCTION.HFM.TEST.DATA.PDS.MEM1   /* 1 */
RDEF XFACILIT FILEM.AUDIT.DSP.FUNCTION.HFM.TEST.DATA.PDS.MEM1 -
     OWNER(XXXXXXXX) UACC(READ)                                 /* 2 */
Explanation:
  1. Delete any existing XFACILIT rule.
  2. Define the XFACILIT rule to log function information when member MEM1 in library HFM.TEST.DATA.PDS is printed using the Z Data Tools Print utility (DSP). UACC(READ) allows all TSO user IDs to write audit log records (in the absence of any overriding, more specific rule).

Example 4

  • Enable audit logging of functional information for all access to WebSphere MQ Queue HFM.TEST.QUEUE which is managed by WebSphere MQ Queue Manager FMN1 for all users.

You could write the following RACF® rules:

RDEL XFACILIT FILEM.AUDIT.*.FUNCTION.FMN1:HFM.TEST.QUEUE   /* 1 */
RDEF XFACILIT FILEM.AUDIT.*.FUNCTION.FMN1:HFM.TEST.QUEUE -
     OWNER(XXXXXXXX) UACC(READ)                            /* 2 */
Explanation:
  1. Delete any existing XFACILIT rule.
  2. Define the XFACILIT rule to log function information when WebSphere MQ Queue FMN1:HFM.TEST.QUEUE is accessed using any Z Data Tools function (*). UACC(READ) allows all TSO user IDs to write audit log records (in the absence of any overriding, more specific rule).
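
Audit coverage review (an added example, not part of the product documentation): the Python script below parses RDEF and PE commands written in the style of Examples 1 and 2 and reports, for each FILEM.AUDIT profile, whether logging is on by default and which user IDs deviate from that default, so exemptions such as MAINT1 are easy to spot. It assumes one command per line (or continued with a trailing hyphen), considers only user-level PERMIT entries, and treats a missing UACC as NONE; the function names are hypothetical.

```python
import re

# Constructed input: the RDEF/PE commands of Examples 1 and 2 on this page.
SAMPLE = """\
RDEF XFACILIT FILEM.AUDIT.DSE.UPDATE.HFM.TEST.DATA OWNER(XXXXXXXX) UACC(READ)
PE FILEM.AUDIT.DSE.UPDATE.HFM.TEST.DATA CLASS(XFACILIT) ID(MAINT1) ACC(NONE)
RDEF XFACILIT FILEM.AUDIT.DSE.ALL.HFM.TEST.DATA OWNER(XXXXXXXX) UACC(NONE)
PE FILEM.AUDIT.DSE.ALL.HFM.TEST.DATA CLASS(XFACILIT) ID(SERVIC1) ACC(READ)
"""
PREFIX = "FILEM.AUDIT."

def parse_rules(text):
    """Return {profile: {"uacc": access, "permits": {user: access}}}."""
    text = re.sub(r"\s*[-+]\s*\n\s*", " ", text.upper())  # join continued lines
    rules = {}
    for line in text.splitlines():
        words = line.split()
        opts = dict(re.findall(r"(\w+)\(([^)]*)\)", line))
        if len(words) >= 3 and words[0] in ("RDEF", "RDEFINE") and words[1] == "XFACILIT":
            profile, is_define = words[2], True
        elif len(words) >= 2 and words[0] in ("PE", "PERMIT") and opts.get("CLASS") == "XFACILIT":
            profile, is_define = words[1], False
        else:
            continue  # RDEL and unrelated commands carry no access information
        if not profile.startswith(PREFIX):
            continue
        rule = rules.setdefault(profile, {"uacc": "NONE", "permits": {}})
        if is_define:
            rule["uacc"] = opts.get("UACC", "NONE")  # assumption: missing UACC read as NONE
        else:
            for user in opts.get("ID", "").split():
                rule["permits"][user] = opts.get("ACC") or opts.get("ACCESS") or "READ"
    return rules

def is_logged(rule, user):
    """A specific PERMIT entry overrides UACC; any access other than NONE logs."""
    return rule["permits"].get(user, rule["uacc"]) != "NONE"

def audit_coverage(rules):
    """Per profile: the default logging state and the user IDs that deviate from it."""
    report = []
    for profile, rule in sorted(rules.items()):
        function, level, resource = profile[len(PREFIX):].split(".", 2)
        default = rule["uacc"] != "NONE"
        deviating = sorted(u for u in rule["permits"] if is_logged(rule, u) != default)
        report.append({"function": function, "level": level, "resource": resource,
                       "default_logged": default, "deviating_users": deviating})
    return report
```

A profile with `default_logged` set to True and a non-empty `deviating_users` list identifies users whose activity on that resource produces no audit records.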