Alternatives for controlling ZDT/IMS auditing

ZDT/IMS auditing is an optional facility. There is no requirement to implement it and ZDT/IMS works if auditing is not implemented. You should consider:

  • Whether user access to IMS databases using Z Data Tools IMS component requires auditing.
  • The information that Z Data Tools audit log records can provide.
  • The information that Z Data Tools audit log records cannot provide, and possible alternatives to obtaining that information.
  • If you do decide to use Z Data Tools auditing, how you will handle any issues associated with large audit log data sets, or additional SMF records.
  • How you will use the information provided by Z Data Tools audit log records.

If your site requires a record of a user's read access to IMS databases, an external security product such as RACF® can be configured to log access by some or all users, and may be a better alternative.

Z Data Tools audit of read access to IMS data does not write an audit log record for every segment processed. Instead, the name of the database and the number of segments processed are written to the audit log.

Z Data Tools audit of changes to IMS data typically writes two log records: a before image and an after image of the segment that was changed. If you intend to log changes to IMS databases that are subject to heavy update activity, you need to consider the performance impact of writing many audit log records, and also the size of any audit log data sets that may be produced.

You have two choices as to how you control auditing of ZDT/IMS activities:

Use HFM1POPT controlled audit logging
This was the original method of controlling auditing and as such only provides limited functionality.

With this method, you control audit logging by specifying the required audit settings in the ZDT/IMS installation options module.

These points summarize the facilities available with HFM1POPT controlled auditing:

  • The ZDT/IMS Edit function provides audit logging support, but the other ZDT/IMS functions do not create audit trails.
  • You can specify different audit settings (such as whether or not auditing is required) for each IMS subsystem that ZDT/IMS accesses.
  • The audit settings specified for any IMS subsystem apply equally to all ZDT/IMS users accessing that IMS subsystem.
  • The audit settings specified for any IMS subsystem apply equally to all databases within that IMS subsystem.
  • The Create audit trail option on the Edit Entry panel allows users to request audit logging of their Edit sessions when audit logging is not required.
  • You can specify audit logging to SMF or to the user's audit log data set, but this is an installation-wide setting. You can get logging to both the user's log data set and SMF only if you specify logging to SMF and you request that the audit log is printed at the end of the Edit session.

Use System Authorization Facility (SAF) controlled audit logging
With this method, audit logging is controlled by RACF® (or an equivalent security product) and FACILITY and XFACILIT class profiles that you define.

These points summarize the facilities available with SAF-rule controlled auditing:

  • All ZDT/IMS functions that access IMS databases provide audit logging support.
  • You can specify different audit settings (such as whether or not auditing is required) for each IMS subsystem that ZDT/IMS accesses.
  • You can specify different audit settings for different ZDT/IMS users.
  • You can specify different audit settings for different databases.
  • You can specify different audit settings for each ZDT/IMS function.
  • You can control whether or not the Create audit trail option on the Edit Entry panel can be used:
    • To request an audit trail when one is not required.
    • To stop an audit trail being created when one is required.
  • You can specify audit logging to SMF, to the user's audit log data set or, for Edit and Browse only, to the user's audit log data set with automatic (mandatory) printing of the audit log at the end of the session. You can also specify dual logging (to the user's audit log data set and to SMF).

Some other points to consider are:

  • Audit logging to SMF requires additional set-up, but provides a more reliable and secure environment for capturing audit information than audit logging to the user's audit log data set.
  • If an attempt to write an audit log record to SMF or the user's log data set fails, the ZDT/IMS function terminates.
  • If you implement SAF-rule controlled auditing you need to decide how Z Data Tools auditing will be enabled. This is described in more detail in Customizing the Z Data Tools audit facility for IMS component. There are two alternatives. One requires an enabling SAF rule and the presence of a member in SYS1.PARMLIB. The other requires an enabling SAF rule but has no requirement for a member in SYS1.PARMLIB. The use of a member in SYS1.PARMLIB provides additional facilities compared with the alternative that does not require the use of SYS1.PARMLIB. The additional facilities are documented in Z Data Tools options specified in PARMLIB members.

When you have determined the appropriate type of auditing for your installation, follow the relevant instructions in Customizing the Z Data Tools audit facility for IMS component.