Understanding how ZDT/Db2 uses SAF rules to control auditing

SAF (System Authorization Facility) allows applications, such as Z Data Tools, to define "resources" that might need to be protected. The "resource" to be protected need not be something specific, such as a data set; it can be essentially any type of resource or facility that the application considers to be important. For ZDT/Db2 auditing, the "resource" is the ability to write audit log records. The resource names reflect either the type of auditing that is to occur (for example, auditing to SMF) or the type of Db2® object, SQL statement, or Db2® command that is being processed (for example, a Db2® object name).

ZDT/Db2 uses two types of SAF resource names to control auditing. Note that a user's ability to write audit log records under SAF control is independent of, for example, the user's ability to access a particular Db2® object, issue a particular Db2® command and so on. A user may be able to write audit records when using the ZDT/Db2 editor to look at a particular Db2® object, but lack the Db2® authority to actually look at the object.

The SAF resource rules used by ZDT/Db2 to control auditing are shown in ZDT/Db2 auditing FACILITY class resource names and ZDT/Db2 auditing XFACILIT class resource names.