Example of tag usage
Tags can be used to specify different FMN2PARM options based on certain environment variables (the z/OS® system ID, the FM/Db2 version and the user's TSO logonid). The most common use of tags is to provide an exception to the normal processing for a particular set of circumstances.
Example 1:
FMAUDIT SAF_CTRL=NO (1)
<U TEST1> (2)
FMAUDIT SAF_CTRL=YES (3)
<EU> (4)
Explanation:
When FM/Db2 parses the above, line (1) is processed for all users, and turns SAF-rule controlled auditing off. When line (2) is processed, the user's TSO logonid is compared with the value TEST1. For all users other than TEST1, the test fails. When a tag fails to match a condition, all lines from the start tag to the matching end tag (inclusive) are ignored, so the net result is that, in the above example, only line (1) is processed. This ensures that the default of no SAF-rule controlled auditing applies to all users other than TEST1.
For user TEST1, however, the tag comparison on line (2) matches, so line (3) is included. FM/Db2 re-processes the FMAUDIT statement for line (3), this time with SAF_CTRL=YES, resulting in SAF-rule controlled auditing being turned on for user TEST1.
- Multiple statements for the same option are allowed.
- If multiple statements for the same option are encountered, the last statement processed is the one that determines the setting.
Example 2:
Suppose that in a sysplex environment there are nine z/OS® images, with system IDs SYS1, SYS2, SYS3 … SYS9. File Manager is available on all images, and SAF-rule controlled auditing is not required on SYS1, SYS2, … SYS7 inclusive, but is required on SYS8 and SYS9. Further, on z/OS® system SYS8, only TSO logonids that commence with DEV should be subject to SAF-rule controlled audit; all other TSO logonids are exempt. On system SYS9, however, all TSO logonids should be subject to SAF-rule controlled audit, with the single exception of TSO logonid MASTER1.
FMAUDIT SAF_CTRL=NO (1)
<Z SYS8> (2)
<U DEV*> (3)
FMAUDIT SAF_CTRL=YES (4)
</U> (5)
</Z> (6)
<Z SYS9> (7)
FMAUDIT SAF_CTRL=YES (8)
<U MASTER1> (9)
FMAUDIT SAF_CTRL=NO (10)
</U> (11)
</Z> (12)
Explanation:
Line (1) sets the default, which is not to use SAF-rule controlled auditing.
For all users on z/OS® systems SYS1 … SYS7 inclusive, the Z tags for SYS8 on line (2) and SYS9 on line (7) will not match the current environment, resulting in lines (2)-(12) inclusive being ignored.
For users running on z/OS® system SYS8, lines (2)-(6) inclusive are considered; lines (7)-(12) are ignored. Any TSO logonid that does not start with DEV (for example, PROD1) will not match the U tag on line (3), resulting in lines (3)-(5) inclusive being ignored. This leaves only line (1) to consider, which sets SAF-rule controlled auditing off. For a TSO logonid such as DEV76, the U tag on line (3) matches, so line (4) is included. FM/Db2 processes the FMAUDIT statement on line (4) and sets SAF-rule controlled auditing on.
For users running on z/OS® system SYS9, lines (2)-(6) inclusive are ignored; lines (7)-(12) inclusive are considered. Line (8) changes the default (for all users on system SYS9) to use SAF-rule controlled auditing. For all users other than TSO logonid MASTER1, lines (9)-(11) are ignored, resulting in the new default (line (8)) being used. This turns SAF-rule controlled auditing on. For TSO logonid MASTER1 only, the U tag on line (9) matches and the FMAUDIT statement on line (10) is included. This turns SAF-rule controlled auditing off for user MASTER1.
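The rules walked through above (a failed tag suppresses everything up to its end tag, and the last statement processed wins) can be checked against Example 2 with a small model. This Python sketch is an added example, not IBM code or FM/Db2's parser; the function names and the glob treatment of * are assumptions, and the line markers (1)-(12) are omitted from the sample text.

```python
# Added illustration: simplified model of the tag rules on this page, not
# FM/Db2's own parser. Models only Z/U tags and FMAUDIT SAF_CTRL (Example 2).
import re
from fnmatch import fnmatchcase

EXAMPLE_2 = """FMAUDIT SAF_CTRL=NO
<Z SYS8>
<U DEV*>
FMAUDIT SAF_CTRL=YES
</U>
</Z>
<Z SYS9>
FMAUDIT SAF_CTRL=YES
<U MASTER1>
FMAUDIT SAF_CTRL=NO
</U>
</Z>"""

START = re.compile(r"<([ZU])\s+(\S+)>$")
END = re.compile(r"</([ZU])>$")
AUDIT = re.compile(r"FMAUDIT\s+SAF_CTRL=(YES|NO)$")

def effective_saf_ctrl(parm_text, sysid, logonid):
    """Return the SAF_CTRL value in effect for one system ID / TSO logonid."""
    env = {"Z": sysid, "U": logonid}
    stack, setting = [], None          # open tags as (letter, matched)
    for lineno, raw in enumerate(parm_text.splitlines(), 1):
        line = raw.strip()
        if m := START.match(line):
            # Assumption: '*' in a tag value is a glob wildcard, as in DEV*.
            stack.append((m[1], fnmatchcase(env[m[1]], m[2])))
        elif m := END.match(line):
            if not stack or stack.pop()[0] != m[1]:
                raise ValueError(f"line {lineno}: unbalanced end tag {line}")
        elif m := AUDIT.match(line):
            # Lines inside a failed tag are ignored; otherwise last one wins.
            if all(matched for _, matched in stack):
                setting = m[1]
        elif line:
            raise ValueError(f"line {lineno}: not modelled: {line}")
    if stack:
        raise ValueError(f"unclosed <{stack[-1][0]}> tag")
    return setting

def unaudited(parm_text, population):
    """Return the (sysid, logonid) pairs left with SAF_CTRL other than YES."""
    return [p for p in population if effective_saf_ctrl(parm_text, *p) != "YES"]
```

Running unaudited over a list of (system ID, logonid) pairs before deploying a changed FMN2PARM shows which combinations would fall outside SAF-rule controlled auditing, including cases such as a DEV logonid on SYS1 where an inner tag matches but its enclosing tag does not.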