How File Manager determines whether audit log records should be written
The determination of whether audit records are to be written for a particular File Manager function and a given TSO logonid follows this three step process:
- Step 1.
- If auditing is being controlled by means of parmlib, the FMAUDIT specification of the FMN0PARM member is used as follows.
The FMAUDIT specification setting in the FMN0PARM member (in SYS1.PARMLIB or any other library in the logical parmlib concatenation) is the "main" switch for SAF-rule controlled auditing. Note that there are facilities available to specify different settings in the FMN0PARM member for different TSO logonids, see File Manager options specified in FMN0PARM for more information. For any given TSO logonid, there are two possibilities:
- SAF_CTRL=NO
- SAF-rule controlled auditing is not in effect. Auditing is determined by the settings in the FMN0POPT module, see Customizing the File Manager audit facility for the File Manager Base component.
- SAF_CTRL=YES
- SAF-rule controlled auditing is in effect. Processing continues to Step 2.
- If auditing is being controlled using the method which does not access the parmlib concatenation, the TSO logonid has READ access to the SAF FACILITY rule FILEM.SAFAUDIT.BASE for processing to continue to Step 2.
- If auditing is being controlled by means of parmlib, the FMAUDIT specification of the FMN0PARM member is used as follows.
- Step 2.
Does the user have access to write audit records?
This is determined by the user's access to rules 1 and 2 in File Manager auditing FACILITY class resource names; the various outcomes are summarized in Determination of a user's ability to write audit log records.Table 1. Determination of a user's ability to write audit log records This table has six columns, except for the last row, "Note", which spans all six columns.
TODSN access1 TOSMF access2 OPTION access3 Can write audit records? Demand logging? "Create audit trail" option4 NONE NONE ANY No No Not visible READ NONE NONE Yes, data set only No Not visible READ NONE READ Yes, data set only No Visible UPDATE NONE NONE Yes, data set only Yes Not visible UPDATE NONE READ Yes, data set only Yes Visible NONE READ NONE Yes, SMF only No Not visible NONE READ READ Yes, SMF only No Visible READ READ NONE Yes, to data set and SMF No Not visible READ READ READ Yes, to data set and SMF No Visible UPDATE READ NONE Yes, to data set and SMF Yes Not visible UPDATE READ READ Yes, to data set and SMF Yes Visible If the user does not have the ability to write audit log records, then no check of SAF resource names in Step 3 occurs.
A user's access to write audit log records at Step 2 only indicates that auditing might occur. The final decision depends on the user's level of access to the XFACILIT resource name (or names) that apply to the particular File Manager function.
- Step 3.
Does the user have access to write audit records for the current function and data set?
The XFACILIT resource names that are used by File Manager to determine whether audit records should be written depend on the File Manager function being executed and the data set being accessed.
File Manager function codes that can be audited using SAF shows the function codes which are supported.
Table 2. File Manager function codes that can be audited using SAF Function code Online option Description DSB BROWSE prefix command Browse DSV 1 View DSE 2 Edit DSC 3.3 Copy DSG 3.1 Create DSP 3.2 Print DSM 3.11 Compare FCH 3.6 Find/Change DSCMP Batch compare DSEB Batch data set edit DSU Batch data set update These restrictions apply:
- When copying data sets and SAF XFACILIT rules have been supplied for both data sets and these rules are different, the most inclusive rule is applied. For example, if the SAF XFACILIT rule for the old data set specifies UPDATE logging, and the rule for the new data set specifies FUNCTION logging, UPDATE logging is applied.
- When comparing data sets and SAF XFACILIT rules have been supplied for both data sets and these rules are different, the most inclusive rule is applied. For example, if the SAF XFACILIT rule for the old data set specifies ALL logging, and the rule for the new data set specifies FUNCTION logging, ALL logging is applied.
- SAF XFACILIT rules do not check for data sets which are written to using the WRITE function in a REXX procedure. The SAF XFACILIT rule supplied for the function and data sets is applied to any records written using the WRITE function.
- If a data set can be copied using DFSORT, but SAF logging is required, DFSORT is not used. If PDS members can be copied using IEBCOPY, but SAF logging is required for one or more members, IEBCOPY is not used.
- If the "Use File Manager editor" option has not been selected, and a member is selected from a selection list to be browsed, edited, or viewed, and there is a SAF logging rule which affects this function and resource, the ISPF editor is not used. Instead, the File Manager function is invoked to ensure the requested logging is performed.