Controlling auditing of update access to Db2® objects

You can use SAF to control whether FM/Db2 writes audit log records for FM/Db2 functions that update, or have the potential to update, Db2® objects. Examples of such functions are:
  • The FM/Db2 editor operating in edit mode (but not view or browse)
  • FM/Db2 Copy, for the target Db2® object
  • FM/Db2 Import, for the target Db2® object
  • FM/Db2 Data Create
FM/Db2 auditing XFACILIT class resource names shows the SAF XFACILIT class resource names used to control FM/Db2 audit logging.

Example 1

  • Enable audit logging for update access to DSN8910.EMP in Db2® system DSNA, for all users except TSO logonid MAINT1.

You could write the following RACF® rules:

RDEL XFACILIT FILEM.AUDIT.DSNA.UPDATE.OBJ.DSN8910.EMP1

RDEF XFACILIT FILEM.AUDIT.DSNA.UPDATE.OBJ.DSN8910.EMP +
     OWNER(XXXXXXXX) UACC(READ)2

PE FILEM.AUDIT.DSNA.UPDATE.OBJ.DSN8910.EMP +
     CLASS(XFACILIT) ID(MAINT1) ACC(NONE)3

Example 2

  • Enable audit logging for update access to remote object DSN8910.EMP. This object is accessed from Db2® system DSNA. The location of the remote Db2® system is TEXAS. Audit logging is to be performed for all users except SERVIC1, SERVIC2.

You could write the following RACF® rules:

RDEL XFACILIT FILEM.AUDIT.DSNA.UPDATE.REMOBJ.TEXAS.DSN8910.EMP1

RDEF XFACILIT FILEM.AUDIT.DSNA.UPDATE.REMOBJ.TEXAS.DSN8910.EMP +
     OWNER(XXXXXXXX) UACC(READ)4

PE FILEM.AUDIT.DSNA.UPDATE.REMOBJ.TEXAS.DSN8910.EMP +
     CLASS(XFACILIT) ID(SERVIC1) ACC(NONE)5
PE FILEM.AUDIT.DSNA.UPDATE.REMOBJ.TEXAS.DSN8910.EMP +
     CLASS(XFACILIT) ID(SERVIC2) ACC(NONE)5
1 Delete any existing XFACILIT rule
2 Define the XFACILIT rule for Db2® system DSNA and UPDATE access to Db2® object (OBJ) DSN8910.EMP. UACC(READ) allows all TSO user IDs to write audit log records (in the absence of any over-riding more specific rule).
3 A specific rule for logonid MAINT1 to prevent audit log records being written.
4 Define the XFACILIT rule for Db2® system DSNA and UPDATE access to remote Db2® object (REMOBJ) TEXAS.DSN8910.EMP. UACC(READ) allows all TSO user IDs to write audit log records (in the absence of any over-riding more specific rule).
5 Specific rules for logonids SERVIC1, SERVIC2 to prevent audit log records being written.