How File Manager determines whether audit log records should be written

Whether audit records are written for a particular File Manager function and a given TSO logonid is determined by the following three-step process:

  1. Step 1.
    • If auditing is being controlled by means of parmlib, the FMAUDIT specification of the FMN0PARM member is used as follows.

      The FMAUDIT specification setting in the FMN0PARM member (in SYS1.PARMLIB or any other library in the logical parmlib concatenation) is the "master" switch for SAF-rule controlled auditing. Note that there are facilities available to specify different settings in the FMN0PARM member for different TSO logonids; see File Manager options specified in FMN0PARM for more information. For any given TSO logonid, there are two possibilities:

      SAF_CTRL=NO
        SAF-rule controlled auditing is not in effect. Auditing is determined by the settings in the FMN0POPT module; see Customizing the File Manager audit facility for Base component.
      SAF_CTRL=YES
        SAF-rule controlled auditing is in effect. Processing continues to Step 2.
    • If auditing is being controlled using the method which does not access the parmlib concatenation, the TSO logonid must have READ access to the SAF FACILITY rule FILEM.SAFAUDIT.BASE for processing to continue to Step 2.
  2. Step 2.

    Does the user have access to write audit records?

    This is determined by the user's access to rules 1 and 2 in File Manager auditing FACILITY class resource names; the various outcomes are summarized in Determination of a user's ability to write audit log records.
    Table 1. Determination of a user's ability to write audit log records

    | TODSN access (1) | TOSMF access (2) | OPTION access (3) | Can write audit records? | Demand logging? | "Create audit trail" option (4) |
    |------------------|------------------|-------------------|--------------------------|-----------------|---------------------------------|
    | NONE             | NONE             | ANY               | No                       | No              | Not visible                     |
    | READ             | NONE             | NONE              | Yes, data set only       | No              | Not visible                     |
    | READ             | NONE             | READ              | Yes, data set only       | No              | Visible                         |
    | UPDATE           | NONE             | NONE              | Yes, data set only       | Yes             | Not visible                     |
    | UPDATE           | NONE             | READ              | Yes, data set only       | Yes             | Visible                         |
    | NONE             | READ             | NONE              | Yes, SMF only            | No              | Not visible                     |
    | NONE             | READ             | READ              | Yes, SMF only            | No              | Visible                         |
    | READ             | READ             | NONE              | Yes, to data set and SMF | No              | Not visible                     |
    | READ             | READ             | READ              | Yes, to data set and SMF | No              | Visible                         |
    | UPDATE           | READ             | NONE              | Yes, to data set and SMF | Yes             | Not visible                     |
    | UPDATE           | READ             | READ              | Yes, to data set and SMF | Yes             | Visible                         |

    If the user does not have the ability to write audit log records, then no check of SAF resource names in Step 3 occurs.

    A user's access to write audit log records at Step 2 only indicates that auditing might occur. The final decision depends on the user's level of access to the XFACILIT resource name (or names) that apply to the particular File Manager function.

  3. Step 3.

    Does the user have access to write audit records for the current function and data set?

    The XFACILIT resource names that are used by File Manager to determine whether audit records should be written depend on the File Manager function being executed and the data set being accessed.

    Table 2 (File Manager function codes that can be audited using SAF) lists the supported function codes.

    Table 2. File Manager function codes that can be audited using SAF

    | Function code | Online option         | Description           |
    |---------------|-----------------------|-----------------------|
    | DSB           | BROWSE prefix command | Browse                |
    | DSV           | 1                     | View                  |
    | DSE           | 2                     | Edit                  |
    | DSC           | 3.3                   | Copy                  |
    | DSG           | 3.1                   | Create                |
    | DSP           | 3.2                   | Print                 |
    | DSM           | 3.11                  | Compare               |
    | FCH           | 3.6                   | Find/Change           |
    | DSCMP         | -                     | Batch compare         |
    | DSEB          | -                     | Batch data set edit   |
    | DSU           | -                     | Batch data set update |

    These restrictions apply:

    • When copying data sets and SAF XFACILIT rules have been supplied for both data sets and these rules are different, the most inclusive rule is applied. For example, if the SAF XFACILIT rule for the old data set specifies UPDATE logging, and the rule for the new data set specifies FUNCTION logging, UPDATE logging is applied.
    • When comparing data sets and SAF XFACILIT rules have been supplied for both data sets and these rules are different, the most inclusive rule is applied. For example, if the SAF XFACILIT rule for the old data set specifies ALL logging, and the rule for the new data set specifies FUNCTION logging, ALL logging is applied.
    • SAF XFACILIT rules are not checked separately for data sets that are written to using the WRITE function in a REXX procedure. Instead, the SAF XFACILIT rule supplied for the function and its data sets is applied to any records written using the WRITE function.
    • If a data set can be copied using DFSORT, but SAF logging is required, DFSORT is not used. If PDS members can be copied using IEBCOPY, but SAF logging is required for one or more members, IEBCOPY is not used.
    • If the "Use File Manager editor" option has not been selected, and a member is selected from a selection list to be browsed, edited, or viewed, and there is a SAF logging rule which affects this function and resource, the ISPF editor is not used. Instead, the File Manager function is invoked to ensure the requested logging is performed.
(1) Refers to the level of access the user has to SAF FACILITY rule 1 in File Manager auditing FACILITY class resource names.
(2) Refers to the level of access the user has to SAF FACILITY rule 2 in File Manager auditing FACILITY class resource names.
(3) Refers to the level of access the user has to SAF FACILITY rule 3 in File Manager auditing FACILITY class resource names.
(4) The visibility of the "Create audit trail" option does not influence whether a user can write audit log records, although the user must have access to write audit log records (to either a data set or SMF) for the option to be visible.
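The three steps above, and the "most inclusive rule" restriction for copy and compare, can be checked against a given user's access levels with the following model. It is an added example, not File Manager's own code: the function and field names are constructed here, and the ordering ALL above UPDATE above FUNCTION is an assumption beyond the two examples the text gives (the text only establishes UPDATE and ALL as more inclusive than FUNCTION). Every row of Table 1 falls out of three simple rules rather than a lookup, which is a useful sanity check when reviewing a site's FACILITY permits.

```python
from collections import namedtuple
from typing import Optional

# SAF access levels in increasing order (RACF semantics: UPDATE implies READ).
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2}
# XFACILIT logging levels, least to most inclusive. UPDATE > FUNCTION and
# ALL > FUNCTION follow the page's examples; ALL > UPDATE is an assumption.
LOGGING_RANK = {"FUNCTION": 0, "UPDATE": 1, "ALL": 2}
Step2Outcome = namedtuple("Step2Outcome", "can_write demand_logging option_visible")

def has(access: str, needed: str) -> bool:
    return ACCESS_RANK[access] >= ACCESS_RANK[needed]

def step1(saf_ctrl: Optional[str], safaudit_base_access: str = "NONE") -> bool:
    """Step 1: with parmlib, FMAUDIT SAF_CTRL=YES is the master switch; without
    parmlib, READ access to FACILITY FILEM.SAFAUDIT.BASE is required."""
    if saf_ctrl is not None:
        return saf_ctrl.upper() == "YES"
    return has(safaudit_base_access, "READ")

def step2(todsn: str, tosmf: str, option: str) -> Step2Outcome:
    """Step 2 (Table 1): READ+ to rule 1 enables the audit data set, READ+ to rule 2
    enables SMF, UPDATE to rule 1 enables demand logging, rule 3 only shows the option."""
    to_dsn, to_smf = has(todsn, "READ"), has(tosmf, "READ")
    if to_dsn and to_smf:
        can_write = "Yes, to data set and SMF"
    elif to_dsn:
        can_write = "Yes, data set only"
    elif to_smf:
        can_write = "Yes, SMF only"
    else:
        can_write = "No"
    return Step2Outcome(can_write, has(todsn, "UPDATE"),
                        (to_dsn or to_smf) and has(option, "READ"))

def step3(*xfacilit_levels: Optional[str]) -> Optional[str]:
    """Step 3: for copy/compare with different rules on the two data sets, the
    most inclusive rule wins; None means no XFACILIT rule covers the function."""
    present = [lvl for lvl in xfacilit_levels if lvl is not None]
    return max(present, key=LOGGING_RANK.__getitem__) if present else None

def audit_decision(saf_ctrl: Optional[str], base_access: str, todsn: str,
                   tosmf: str, option: str, *xfacilit_levels: Optional[str]) -> str:
    """Walk all three steps for one function invocation and report the result."""
    if not step1(saf_ctrl, base_access):
        return "not SAF controlled: FMN0POPT settings apply"
    if step2(todsn, tosmf, option).can_write == "No":
        return "no audit records"          # Step 3 is never evaluated
    level = step3(*xfacilit_levels)
    return f"{level} logging" if level else "no XFACILIT rule applies"
```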