Understanding how FM/Db2 uses SAF rules to control auditing

SAF (System Authorization Facility) allows applications, such as File Manager, to define "resources" that might need to be protected. The resource to be protected need not be something concrete, such as a data set; it can be essentially any resource or facility that the application considers important. For FM/Db2 auditing, the resource is the ability to write audit log records. The resource names reflect either the type of auditing that is to occur (e.g. to SMF) or the type of Db2® object, SQL statement, or Db2® command that is being processed (for example, a Db2® object name).

FM/Db2 uses two types of SAF resource names to control auditing. A user's authority to write audit log records, as controlled by SAF, is independent of that user's Db2® authority to access a particular Db2® object, issue a particular Db2® command, and so on. For example, a user might be permitted to write audit records when using the FM/Db2 editor on a particular Db2® object, yet lack the Db2® authority to actually view that object.

The SAF resource rules used by FM/Db2 to control auditing are shown in FM/Db2 auditing FACILITY class resource names and FM/Db2 auditing XFACILIT class resource names.
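The following RACF command sequence is an added illustration, not part of the File Manager documentation, of how the SAF rules behind such a resource are defined in each of the two classes. The resource name FMN.DB2.AUDIT.EXAMPLE is a placeholder, not an FM/Db2 resource name; the real names must be taken from the FACILITY and XFACILIT class tables referenced above. The group name DBAGRP and the assumption that READ access is the level FM/Db2 checks are likewise illustrative and should be confirmed against those tables.

```tso
/* Placeholder resource name: substitute the FM/Db2 name from the  */
/* FACILITY class resource table. UACC(NONE) means nobody is       */
/* permitted until an explicit PERMIT is issued.                    */
RDEFINE FACILITY FMN.DB2.AUDIT.EXAMPLE UACC(NONE) AUDIT(FAILURES(READ))

/* DBAGRP is an assumed RACF group; READ is the assumed access level */
PERMIT FMN.DB2.AUDIT.EXAMPLE CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)

/* FACILITY is normally RACLISTed, so the in-storage copy must be refreshed */
SETROPTS RACLIST(FACILITY) REFRESH

/* XFACILIT is not active on every system: activate it, allow generic */
/* profiles, and RACLIST it before defining the profile.              */
SETROPTS CLASSACT(XFACILIT) GENERIC(XFACILIT) RACLIST(XFACILIT)

/* Generic profile (placeholder name again) covering a family of resources */
RDEFINE XFACILIT FMN.DB2.AUDIT.EXAMPLE.** UACC(NONE) AUDIT(FAILURES(READ))
PERMIT FMN.DB2.AUDIT.EXAMPLE.** CLASS(XFACILIT) ID(DBAGRP) ACCESS(READ)
SETROPTS RACLIST(XFACILIT) REFRESH
```

Note that these definitions grant only the ability to write audit records. They do not grant any Db2® privilege; a member of DBAGRP still needs the appropriate Db2® GRANT to view or change the object being audited, which is exactly the independence described above.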