Controlling where FM/Db2 writes audit log records
You can use SAF to control whether FM/Db2 writes audit log records to SMF, the user's audit log data set, or to both.
The table "FM/Db2 auditing FACILITY class resource names" lists the SAF FACILITY class resource names used to control FM/Db2 audit logging to SMF and to the user's audit log data set.
Example 1
- Disable audit logging to a user data set for all FM/Db2 users, for Db2® system DSNA.
- Enable FM/Db2 audit logging to SMF for the PROD logonid, for Db2® system DSNA.
You could write the following RACF® rules:
RDEL FACILITY FILEM.AUDIT2.DSNA.TOSMF  [1]
RDEL FACILITY FILEM.AUDIT2.DSNA.TODSN  [1]
RDEF FACILITY FILEM.AUDIT2.DSNA.TOSMF UACC(NONE) OWNER(XXXXXXX)  [2]
RDEF FACILITY FILEM.AUDIT2.DSNA.TODSN UACC(NONE) OWNER(XXXXXXX)  [3]
PE FILEM.AUDIT2.DSNA.TOSMF ACC(READ) ID(PROD) CLASS(FACILITY)  [4]
Example 2
- Enable audit logging to a user data set for all FM/Db2 users, for Db2® system DSNB.
- Enable demand logging for the following users: PROD1, PROD2, PROD3.
- Disable audit logging to SMF for all FM/Db2 users, for Db2® system DSNB.
You could write the following RACF® rules:
RDEL FACILITY FILEM.AUDIT2.DSNB.TOSMF  [1]
RDEL FACILITY FILEM.AUDIT2.DSNB.TODSN  [1]
RDEF FACILITY FILEM.AUDIT2.DSNB.TOSMF UACC(NONE) OWNER(XXXXXXX)  [5]
RDEF FACILITY FILEM.AUDIT2.DSNB.TODSN UACC(READ) OWNER(XXXXXXX)  [6]
PE FILEM.AUDIT2.DSNB.TODSN ACC(UPDATE) ID(PROD1) CLASS(FACILITY)  [7]
PE FILEM.AUDIT2.DSNB.TODSN ACC(UPDATE) ID(PROD2) CLASS(FACILITY)  [7]
PE FILEM.AUDIT2.DSNB.TODSN ACC(UPDATE) ID(PROD3) CLASS(FACILITY)  [7]
Example 3
- Disable audit logging completely for all FM/Db2 users, for Db2® system DSND.
- Enable dual logging for all FM/Db2 users for Db2® system DSNP.
You could write the following RACF® rules:
RDEL FACILITY FILEM.AUDIT2.DSND.TOSMF  [1]
RDEL FACILITY FILEM.AUDIT2.DSND.TODSN  [1]
RDEL FACILITY FILEM.AUDIT2.DSNP.TOSMF  [1]
RDEL FACILITY FILEM.AUDIT2.DSNP.TODSN  [1]
RDEF FACILITY FILEM.AUDIT2.DSND.TOSMF UACC(NONE) OWNER(XXXXXXX)  [8]
RDEF FACILITY FILEM.AUDIT2.DSND.TODSN UACC(NONE) OWNER(XXXXXXX)  [9]
RDEF FACILITY FILEM.AUDIT2.DSNP.TOSMF UACC(READ) OWNER(XXXXXXX)  [10]
RDEF FACILITY FILEM.AUDIT2.DSNP.TODSN UACC(READ) OWNER(XXXXXXX)  [11]
Notes:
[1] Delete any existing facility rule.
[2] Define the facility rule for Db2® system DSNA and audit logging to SMF (TOSMF suffix). UACC(NONE) is used so that any user for which there is no specific rule has no access.
[3] Define the facility rule for Db2® system DSNA and audit logging to the user's audit log data set (TODSN suffix). UACC(NONE) is used so that any user for which there is no specific rule has no access.
[4] Allow logonid PROD to write audit log records (ACC(READ)) to SMF.
[5] Define the facility rule for Db2® system DSNB and audit logging to SMF (TOSMF suffix). UACC(NONE) is used so that any user for which there is no specific rule has no access.
[6] Define the facility rule for Db2® system DSNB and audit logging to the user's audit log data set (TODSN suffix). UACC(READ) is used so that any user for which there is no specific rule has read access, and can therefore write audit log records.
[7] Allow logonids PROD1, PROD2, PROD3 to write audit log records with automatic printing of the audit report ("demand logging") (ACC(UPDATE)), to SMF.
[8] Define the facility rule for Db2® system DSND and audit logging to SMF (TOSMF suffix). UACC(NONE) is used so that any user for which there is no specific rule has no access.
[9] Define the facility rule for Db2® system DSND and audit logging to the user's audit log data set (TODSN suffix). UACC(NONE) is used so that any user for which there is no specific rule has no access.
[10] Define the facility rule for Db2® system DSNP and audit logging to SMF (TOSMF suffix). UACC(READ) is used so that any user for which there is no specific rule has access (and can therefore write audit records to SMF).
[11] Define the facility rule for Db2® system DSNP and audit logging to the user's audit log data set (TODSN suffix). UACC(READ) is used so that any user for which there is no specific rule has access (and can therefore write audit records to the user's audit log data set).
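As an added check (example code, not from the IBM documentation or the RACF product), the following Python script replays RDEL/RDEF/PE rules like those in the examples above and reports the audit logging each user ends up with per Db2 system. Its access-resolution model (a permit for the specific ID overrides UACC; NONE < READ < UPDATE; no group permits, generic profiles or WARNING mode) is an assumed simplification of RACF.

```python
import re

# Added example, not from the IBM documentation: replays the RDEL/RDEF/PE rules
# from this page and reports each user's effective FM/Db2 audit logging.
# Simplified RACF model (assumption): a permit for the specific ID overrides
# UACC; NONE < READ < UPDATE; group permits, generics and WARNING are ignored.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2}
OUTCOME = {0: "disabled", 1: "enabled", 2: "demand logging"}
RESOURCE = re.compile(r"FILEM\.AUDIT2\.\w+\.(?:TOSMF|TODSN)")

def load_rules(commands):
    """Apply RACF commands in order -> {resource: [uacc, {userid: access}]}."""
    profiles = {}
    for line in filter(str.strip, commands.splitlines()):
        verb, resource = line.split()[0].upper(), RESOURCE.search(line).group(0)
        if verb == "RDEL":                    # delete any existing profile
            profiles.pop(resource, None)
        elif verb == "RDEF":                  # define profile with its UACC
            uacc = re.search(r"UACC\((\w+)\)", line).group(1).upper()
            profiles[resource] = [uacc, {}]
        elif verb in ("PE", "PERMIT"):        # access-list entry for one ID
            acc = re.search(r"ACC(?:ESS)?\((\w+)\)", line).group(1).upper()
            uid = re.search(r"ID\((\w+)\)", line).group(1).upper()
            profiles[resource][1][uid] = acc
        else:
            raise ValueError("unsupported command: " + line)
    return profiles

def logging_for(profiles, db2, user):
    """Effective logging per destination (TOSMF, TODSN) for one user."""
    result = {}
    for dest in ("TOSMF", "TODSN"):
        profile = profiles.get(f"FILEM.AUDIT2.{db2}.{dest}")
        if profile is None:   # no profile at all: FM/Db2 default, not covered here
            result[dest] = "no profile"
        else:
            uacc, permits = profile
            result[dest] = OUTCOME[LEVELS[permits.get(user.upper(), uacc)]]
    return result

# Example 2 from this page, without the footnote markers.
EXAMPLE_2 = """
RDEL FACILITY FILEM.AUDIT2.DSNB.TOSMF
RDEL FACILITY FILEM.AUDIT2.DSNB.TODSN
RDEF FACILITY FILEM.AUDIT2.DSNB.TOSMF UACC(NONE) OWNER(XXXXXXX)
RDEF FACILITY FILEM.AUDIT2.DSNB.TODSN UACC(READ) OWNER(XXXXXXX)
PE FILEM.AUDIT2.DSNB.TODSN ACC(UPDATE) ID(PROD1) CLASS(FACILITY)
PE FILEM.AUDIT2.DSNB.TODSN ACC(UPDATE) ID(PROD2) CLASS(FACILITY)
PE FILEM.AUDIT2.DSNB.TODSN ACC(UPDATE) ID(PROD3) CLASS(FACILITY)
"""
```

Calling `logging_for(load_rules(EXAMPLE_2), "DSNB", "PROD1")` reports SMF logging disabled and demand logging to the user's data set, while any other logonid gets plain logging to the data set via UACC(READ).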