Controlling auditing of read access to Db2® objects
You can use SAF to control whether FM/Db2 writes audit log records for FM/Db2 functions that read data from Db2® objects. Examples of such functions are:
- The FM/Db2 editor operating in view or browse modes (but not edit mode)
- FM/Db2 print.
- FM/Db2 Copy, for the source Db2® object
- FM/Db2 Export
FM/Db2 auditing
XFACILIT class resource names
shows the SAF XFACILIT class resource names used to control
FM/Db2 audit logging.
Example 1
- Enable audit logging for read access to DSN8910.DEPT in Db2® system DSNC, for all users except TSO logonid MAIN1.
You could write the following RACF® rules:
RDEL XFACILIT FILEM.AUDIT.DSNC.READ.OBJ.DSN8910.DEPT1
RDEF XFACILIT FILEM.AUDIT.DSNC.READ.OBJ.DSN8910.DEPT +
OWNER(XXXXXXXX) UACC(READ)2
PE FILEM.AUDIT.DSNC.READ.OBJ.DSN8910.DEPT +
CLASS(XFACILIT) ID(MAIN1) ACC(NONE)3Example 2
- Enable audit logging for update access to remote object DSN8910.ACT. This object is accessed from Db2® system DSNP. The location of the remote Db2® system is MONTANA. Audit logging is to be performed for all users except DEV1.
You could write the following RACF® rules:
RDEL XFACILIT FILEM.AUDIT.DSNP.READ.REMOBJ.MONTANA.DSN8910.ACT1
RDEF XFACILIT FILEM.AUDIT.DSNP.READ.REMOBJ.MONTANA.DSN8910.ACT +
OWNER(XXXXXXXX) UACC(READ)4
PE FILEM.AUDIT.DSNP.READ.REMOBJ.MONTANA.DSN8910.ACT +
CLASS(XFACILIT) ID(DEV1) ACC(NONE)51 Delete any existing XFACILIT rule
2 Define the XFACILIT rule for Db2® system DSNC and READ access to Db2® object (OBJ) DSN8910.EMP. UACC(READ) allows all TSO user IDs to write audit log records (in the absence of any over-riding more specific rule).
3 A specific rule for logonid MAIN1 to prevent audit log records being written.
4 Define the XFACILIT rule for Db2® system DSNP and READ access to remote Db2® object (REMOBJ) MONTANA.DSN8910.ACR. UACC(READ) allows all TSO user IDs to write audit log records (in the absence of any over-riding more specific rule).
5 Specific rule for logonid DEV1 to prevent audit log records being written.