Controlling auditing of read access to Db2® objects

You can use SAF to control whether ZDT/Db2 writes audit log records for ZDT/Db2 functions that read data from Db2® objects. Examples of such functions are:

  • The ZDT/Db2 editor operating in view or browse modes (but not edit mode)
  • ZDT/Db2 print
  • ZDT/Db2 Copy, for the source Db2® object
  • ZDT/Db2 Export

ZDT/Db2 auditing XFACILIT class resource names shows the SAF XFACILIT class resource names used to control ZDT/Db2 audit logging.

Example 1

  • Enable audit logging for read access to DSN8910.DEPT in Db2® system DSNC, for all users except TSO logonid MASTER1.

You could write the following RACF® rules:

RDEL XFACILIT FILEM.AUDIT.DSNC.READ.OBJ.DSN8910.DEPT

RDEF XFACILIT FILEM.AUDIT.DSNC.READ.OBJ.DSN8910.DEPT +
     OWNER(XXXXXXXX) UACC(READ)

PE FILEM.AUDIT.DSNC.READ.OBJ.DSN8910.DEPT +
     CLASS(XFACILIT) ID(MASTER1) ACC(NONE)

Explanation:
  1. RDEL: delete any existing XFACILIT rule for this resource name.
  2. RDEF: define the XFACILIT rule for Db2® system DSNC and READ access to Db2® object (OBJ) DSN8910.DEPT. UACC(READ) allows all TSO user IDs to write audit log records (in the absence of any overriding, more specific rule).
  3. PE: a specific rule for logonid MASTER1 that prevents audit log records from being written for that user.

Example 2

  • Enable audit logging for read access to remote object DSN8910.ACT. This object is accessed from Db2® system DSNP. The location of the remote Db2® system is MONTANA. Audit logging is to be performed for all users except DEV1.

You could write the following RACF® rules:

RDEL XFACILIT FILEM.AUDIT.DSNP.READ.REMOBJ.MONTANA.DSN8910.ACT

RDEF XFACILIT FILEM.AUDIT.DSNP.READ.REMOBJ.MONTANA.DSN8910.ACT +
     OWNER(XXXXXXXX) UACC(READ)

PE FILEM.AUDIT.DSNP.READ.REMOBJ.MONTANA.DSN8910.ACT +
     CLASS(XFACILIT) ID(DEV1) ACC(NONE)

Explanation:
  1. RDEL: delete any existing XFACILIT rule for this resource name.
  2. RDEF: define the XFACILIT rule for Db2® system DSNP and READ access to remote Db2® object (REMOBJ) MONTANA.DSN8910.ACT. UACC(READ) allows all TSO user IDs to write audit log records (in the absence of any overriding, more specific rule).
  3. PE: a specific rule for logonid DEV1 that prevents audit log records from being written for that user.
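The following Python model is an added example, not part of the ZDT/Db2 documentation or product, and it serves both Example 1 and Example 2. It builds the two resource names from their parts (local OBJ versus remote REMOBJ with a location), applies the RDEL, RDEF and PE rules to an in-memory profile table, and then answers the question an administrator wants checked before going live: for a given user ID, will ZDT/Db2 write an audit record for a read of the object? The model covers only what the examples use (a discrete XFACILIT profile, UACC, and a PERMIT entry for one user ID, where the explicit access-list entry takes precedence over UACC); generic profiles, group permits and WARNING mode are not modelled. USER2 is a constructed user ID with no PERMIT entry of its own.

```python
# Added example (not from the ZDT/Db2 documentation): a small Python model of
# the SAF decision that the two RACF examples above set up. It covers only the
# pieces the page uses (a discrete XFACILIT profile, UACC, and a PERMIT entry
# for one user ID); RACF's full authorization logic (generic profiles, groups,
# WARNING mode, ...) is out of scope here.
from dataclasses import dataclass, field

# RACF access levels from lowest to highest; READ is the level ZDT/Db2 checks.
ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass
class Profile:
    """One XFACILIT profile as created by RDEF, with its access list from PE."""
    name: str
    uacc: str
    permits: dict = field(default_factory=dict)  # user ID -> access level


def resource_name(ssid, owner, obj, location=None):
    """Build the ZDT/Db2 read-audit resource name used in the examples:
    FILEM.AUDIT.<ssid>.READ.OBJ.<owner>.<obj> for a local object, or
    FILEM.AUDIT.<ssid>.READ.REMOBJ.<location>.<owner>.<obj> for a remote one."""
    if location is None:
        return f"FILEM.AUDIT.{ssid}.READ.OBJ.{owner}.{obj}"
    return f"FILEM.AUDIT.{ssid}.READ.REMOBJ.{location}.{owner}.{obj}"


def rdel(profiles, name):
    """RDEL XFACILIT <name>: drop any existing profile with this name."""
    profiles.pop(name, None)


def rdef(profiles, name, uacc):
    """RDEF XFACILIT <name> UACC(<uacc>): define the profile."""
    profiles[name] = Profile(name=name, uacc=uacc)


def permit(profiles, name, userid, access):
    """PE <name> CLASS(XFACILIT) ID(<userid>) ACC(<access>): add an access-list entry."""
    profiles[name].permits[userid] = access


def effective_access(profiles, name, userid):
    """Access the user ends up with: an explicit access-list entry for the
    user ID is checked before UACC, so PE ... ACC(NONE) overrides UACC(READ).
    Returns None when no profile exists for the resource."""
    prof = profiles.get(name)
    if prof is None:
        return None
    return prof.permits.get(userid, prof.uacc)


def audit_read_logged(profiles, name, userid):
    """True when ZDT/Db2 will write an audit log record for this user's read
    of the object, i.e. the user holds at least READ access to the resource.
    None means no profile exists; the page does not describe that case, so the
    model leaves it undecided rather than assuming a default."""
    access = effective_access(profiles, name, userid)
    if access is None:
        return None
    return ACCESS_LEVELS.index(access) >= ACCESS_LEVELS.index("READ")


# Resource names for the two examples on this page.
EXAMPLE1 = resource_name("DSNC", "DSN8910", "DEPT")
EXAMPLE2 = resource_name("DSNP", "DSN8910", "ACT", location="MONTANA")


def build_examples():
    """Apply the RACF rules from Example 1 and Example 2 to an empty profile table."""
    profiles = {}
    for name, excluded_user in ((EXAMPLE1, "MASTER1"), (EXAMPLE2, "DEV1")):
        rdel(profiles, name)                           # 1. delete any existing rule
        rdef(profiles, name, uacc="READ")              # 2. everyone audited by default
        permit(profiles, name, excluded_user, "NONE")  # 3. except this one user ID
    return profiles


if __name__ == "__main__":
    profiles = build_examples()
    # USER2 is a constructed user ID with no PERMIT entry of its own.
    for name, user in ((EXAMPLE1, "MASTER1"), (EXAMPLE1, "USER2"),
                       (EXAMPLE2, "DEV1"), (EXAMPLE2, "USER2")):
        print(f"{user:8} {name}: audit record written = "
              f"{audit_read_logged(profiles, name, user)}")
```

On the real system the equivalent check is to list the profile after defining it, for example with the standard RACF command RLIST XFACILIT FILEM.AUDIT.DSNC.READ.OBJ.DSN8910.DEPT AUTHUSER (a general RACF command, not one this page shows), and confirm that UACC is READ and that the only access-list entry with NONE is the user ID you meant to exclude.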