How FM/CICS determines whether audit log records should be written
Whether audit records are written for a particular FM/CICS function and a given TSO logonid is decided by the following three-step process:
- Step 1.
  Is SAF-rule controlled auditing in effect for this logonid?
  - If auditing is being controlled by means of parmlib, the FMNAUDIT specification of the FMN3PARM member is used as follows.
    The FMNAUDIT specification in the FMN3PARM member (in SYS1.PARMLIB or any other library in the logical parmlib concatenation) is the "main" switch for SAF-rule controlled auditing. Different settings can be specified in the FMN3PARM member for different TSO logonids; see FM/CICS options specified in FMN3PARM for more information. For any given TSO logonid, there are two possibilities:
    - SAF_CTRL=NO
      SAF-rule controlled auditing is not in effect. Auditing is determined by the settings in the FMN3POPT module; see Customizing the File Manager audit facility for CICS component.
    - SAF_CTRL=YES
      SAF-rule controlled auditing is in effect. Processing continues to Step 2.
  - If auditing is being controlled using the method that does not access the parmlib concatenation, the TSO logonid must have READ access to the SAF FACILITY rule FILEM.SAFAUDIT.CICS for processing to continue to Step 2. Without that access, processing does not continue to Step 2.
- Step 2.
Does the user have access to write audit records?
This is determined by the user's access to rules 1 and 2 in FM/CICS auditing FACILITY class resource names; the possible outcomes are summarized in Table 1, Determination of a user's ability to write audit log records.

Table 1. Determination of a user's ability to write audit log records

| TODSN access¹ | TOSMF access² | OPTION access³ | Can write audit records? | Demand logging? | "Create audit trail" option⁴ |
|---|---|---|---|---|---|
| NONE | NONE | ANY | No | No | Not visible |
| READ | NONE | NONE | Yes, data set only | No | Not visible |
| READ | NONE | READ | Yes, data set only | No | Visible |
| UPDATE | NONE | NONE | Yes, data set only | Yes | Not visible |
| UPDATE | NONE | READ | Yes, data set only | Yes | Visible |
| NONE | READ | NONE | Yes, SMF only | No | Not visible |
| NONE | READ | READ | Yes, SMF only | No | Visible |
| READ | READ | NONE | Yes, to data set and SMF | No | Not visible |
| READ | READ | READ | Yes, to data set and SMF | No | Visible |
| UPDATE | READ | NONE | Yes, to data set and SMF | Yes | Not visible |
| UPDATE | READ | READ | Yes, to data set and SMF | Yes | Visible |

Note: If the user does not have the ability to write audit log records, then no check of SAF resource names in Step 3 occurs.
A user's access to write audit log records at Step 2 only indicates that auditing might occur. The final decision depends on the user's level of access to the XFACILIT resource name (or names) that apply to the particular FM/CICS function.
- Step 3.
Does the user have access to write audit records for the current function and data set?
The XFACILIT resource names used by FM/CICS to determine whether audit records should be written depend on the FM/CICS function being executed and the data set being accessed.
Table 2, FM/CICS function codes that can be audited using SAF, lists the function codes that are supported.

Table 2. FM/CICS function codes that can be audited using SAF

| Function code | Online option | Description |
|---|---|---|
| CSL | Delete prefix command | Delete queue |
| CTB | Browse prefix command | Browse temporary storage queue |
| CTE | 2 | Edit temporary storage queue |
| CTV | 1 | View temporary storage queue |
| CTP | 3.2 | Print temporary storage queue |
| CDB | Browse prefix command | Browse transient data queue |
| CDE | 2 | Edit transient data queue |
| CDV | 1 | View transient data queue |
| CDP | 3.2 | Print transient data queue |
| CFB | Browse prefix command | Browse file |
| CFE | 2 | Edit file |
| CFV | 1 | View file |
| CFP | 3.2 | Print file |
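The three steps above, carried through as an added worked example in Python. This is not IBM's code and not part of the original page: it models the decision so that an installation can reason about what a given logonid's SAF access will produce before touching the rules. The SAF_CTRL keyword, the FILEM.SAFAUDIT.CICS FACILITY rule, the access columns and outcomes of Table 1, and the function codes of Table 2 are taken from the page. The NONE < READ < UPDATE ordering, the Step 3 rule that READ or higher on the applicable XFACILIT resource means the function is audited, and every function and parameter name are assumptions made for the example. The block also goes beyond Table 1 by stating the general rule behind it (TODSN governs the data set destination and demand logging, TOSMF governs SMF, OPTION only governs visibility of the "Create audit trail" option) and checking that rule against every row of the table.

```python
# Added example, not IBM code: model of the FM/CICS three-step audit decision.
# From the page: SAF_CTRL in FMN3PARM, FACILITY rule FILEM.SAFAUDIT.CICS, Table 1
# columns, Table 2 codes. Assumed: NONE < READ < UPDATE; step 3 = READ on XFACILIT.
from dataclasses import dataclass
from typing import Optional

LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2}  # assumed RACF-style ordering
# Function codes FM/CICS can audit using SAF (Table 2 on the page).
AUDITABLE_FUNCTIONS = frozenset("CSL CTB CTE CTV CTP CDB CDE CDV CDP CFB CFE CFV CFP".split())

def at_least(level: str, required: str) -> bool:
    return LEVELS[level.upper()] >= LEVELS[required]

@dataclass(frozen=True)
class Step2Result:
    to_dataset: bool
    to_smf: bool
    demand_logging: bool
    option_visible: bool

    @property
    def can_write(self) -> bool:
        return self.to_dataset or self.to_smf

@dataclass(frozen=True)
class Decision:
    source: str               # "FMN3POPT" or "SAF"
    audited: Optional[bool]   # None when FMN3POPT settings decide, not SAF rules
    step2: Optional[Step2Result]
    step3_checked: bool
    reason: str

def step1_saf_controlled(parmlib_saf_ctrl: Optional[str], facility_access: str) -> bool:
    """Step 1. With parmlib, SAF_CTRL=YES in FMN3PARM is the main switch; without
    parmlib (None), READ on FACILITY FILEM.SAFAUDIT.CICS is needed to reach step 2."""
    if parmlib_saf_ctrl is not None:
        return parmlib_saf_ctrl.upper() == "YES"
    return at_least(facility_access, "READ")

def step2_write_ability(todsn: str, tosmf: str, option: str) -> Step2Result:
    """Step 2 as the general rule behind Table 1: TODSN READ/UPDATE -> data set,
    TOSMF READ -> SMF, TODSN UPDATE -> demand logging, OPTION READ -> the 'Create
    audit trail' option is visible, but only when records can be written at all."""
    to_dataset = at_least(todsn, "READ")
    to_smf = at_least(tosmf, "READ")
    return Step2Result(
        to_dataset=to_dataset,
        to_smf=to_smf,
        demand_logging=at_least(todsn, "UPDATE"),
        option_visible=(to_dataset or to_smf) and at_least(option, "READ"),
    )

def audit_decision(function_code: str, parmlib_saf_ctrl: Optional[str],
                   facility_access: str, todsn: str, tosmf: str, option: str,
                   xfacilit_access: str) -> Decision:
    """Steps 1 to 3 for one FM/CICS function run by one logonid. xfacilit_access is
    the access to the XFACILIT resource for this function and data set (assumed)."""
    if not step1_saf_controlled(parmlib_saf_ctrl, facility_access):
        return Decision("FMN3POPT", None, None, False,
                        "SAF-rule controlled auditing not in effect")
    if function_code.upper() not in AUDITABLE_FUNCTIONS:
        return Decision("SAF", False, None, False,
                        f"{function_code} is not a SAF-auditable FM/CICS function")
    s2 = step2_write_ability(todsn, tosmf, option)
    if not s2.can_write:  # Table 1 note: step 3 is skipped in this case
        return Decision("SAF", False, s2, False, "no TODSN or TOSMF access")
    audited = at_least(xfacilit_access, "READ")  # assumed step 3 semantics
    return Decision("SAF", audited, s2, True,
                    "XFACILIT permits audit" if audited else "XFACILIT denies audit")

# Table 1 transcribed: TODSN, TOSMF, OPTION, to data set, to SMF, demand, visible.
TABLE1 = [
    ("NONE", "NONE", "NONE", False, False, False, False),
    ("NONE", "NONE", "READ", False, False, False, False),  # the 'ANY' row
    ("READ", "NONE", "NONE", True, False, False, False),
    ("READ", "NONE", "READ", True, False, False, True),
    ("UPDATE", "NONE", "NONE", True, False, True, False),
    ("UPDATE", "NONE", "READ", True, False, True, True),
    ("NONE", "READ", "NONE", False, True, False, False),
    ("NONE", "READ", "READ", False, True, False, True),
    ("READ", "READ", "NONE", True, True, False, False),
    ("READ", "READ", "READ", True, True, False, True),
    ("UPDATE", "READ", "NONE", True, True, True, False),
    ("UPDATE", "READ", "READ", True, True, True, True),
]

def verify_table1() -> bool:
    """True when step2_write_ability reproduces every row of Table 1."""
    for row in TABLE1:
        r = step2_write_ability(*row[:3])
        if (r.to_dataset, r.to_smf, r.demand_logging, r.option_visible) != row[3:]:
            return False
    return True

if __name__ == "__main__":
    print("Table 1 reproduced by the general rule:", verify_table1())
    print(audit_decision("CFE", "YES", "NONE", "UPDATE", "READ", "READ", "READ"))
```

The useful property of the model is the Step 2 short-circuit: with no TODSN or TOSMF access the XFACILIT rules are never consulted, so granting a logonid XFACILIT access alone produces no audit trail; conversely SAF_CTRL=NO hands the decision back to FMN3POPT, which the SAF rules cannot override.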