How FM/CICS determines whether audit log records should be written

The determination of whether audit records are to be written for a particular FM/CICS function and a given TSO logonid follows this three step process:

  1. Step 1.
    • If auditing is being controlled by means of parmlib, the FMNAUDIT specification of the FMN3PARM member is used as follows.

      The FMAUDIT specification setting in the FMN3PARM member (in SYS1.PARMLIB or any other library in the logical parmlib concatenation) is the "main" switch for SAF-rule controlled auditing. Note that there are facilities available to specify different settings in the FMN3PARM member for different TSO logonids. See FM/CICS options specified in FMN3PARM for more information. For any given TSO logonid, there are two possibilities:

      SAF_CTRL=NO
      SAF-rule controlled auditing is not in effect. Auditing is determined by the settings in the FMN3POPT module, see Customizing the File Manager audit facility for CICS component.
      SAF_CTRL=YES
      SAF-rule controlled auditing is in effect. Processing continues to Step 2.
    • If auditing is being controlled using the method which does not access the parmlib concatenation, the TSO logonid has READ access to the DAF FACILITY rule FILEM.SAFAUDIT.CICS for processing to continue to Step 2.
  2. Step 2.

    Does the user have access to write audit records?

    This is determined by the user's access to rules 1 and 2 in FM/CICS auditing FACILITY class resource names; the various outcomes are summarized in Determination of a user's ability to write audit log records.
    Table 1. Determination of a user's ability to write audit log records

    This table has six columns, except for the last row, "Note:", which spans all six columns.

    TODSN access1 TOSMF access2 OPTION access3 Can write audit records? Demand logging? "Create audit trail" option4
    NONE NONE ANY No No Not visible
    READ NONE NONE Yes, data set only No Not visible
    READ NONE READ Yes, data set only No Visible
    UPDATE NONE NONE Yes, data set only Yes Not visible
    UPDATE NONE READ Yes, data set only Yes Visible
    NONE READ NONE Yes, SMF only No Not visible
    NONE READ READ Yes, SMF only No Visible
    READ READ NONE Yes, to data set and SMF No Not visible
    READ READ READ Yes, to data set and SMF No Visible
    UPDATE READ NONE Yes, to data set and SMF Yes Not visible
    UPDATE READ READ Yes, to data set and SMF Yes Visible

    If the user does not have the ability to write audit log records, then no check of SAF resource names in Step 3 occurs.

    A user's access to write audit log records at Step 2 only indicates that auditing might occur. The final decision depends on the user's level of access to the XFACILIT resource name (or names) that apply to the particular FM/CICS function.

  3. Step 3.

    Does the user have access to write audit records for the current function and data set?

    The XFACILIT resource names used by FM/CICS to determine whether audit records should be written depend on the FM/CICS function being executed and the data set being accessed.

    FM/CICS function codes that can be audited using SAF shows the function codes which are supported.

    Table 2. FM/CICS function codes that can be audited using SAF
    Function code Online option Description
    CSL Delete prefix command Delete queue
    CTB Browse prefix command Browse temporary storage queue
    CTE 2 Edit temporary storage queue
    CTV 1 View temporary storage queue
    CTP 3.2 Print temporary queue
    CDB Browse prefix command Browse transient data queue
    CDE 2 Edit transient data queue
    CDV 1 View transient data queue
    CDP 3.2 Print transient data queue
    CFB Browse prefix command Browse file
    CFE 2 Edit file
    CFV 1 View file
    CFP 3.2 Print file
1 Refers to the level of access the user has to SAF FACILITY rule 1 in FM/CICS auditing FACILITY class resource names.
2 Refers to the level of access the user has to SAF FACILITY rule 2 in FM/CICS auditing FACILITY class resource names.
3 Refers to the level of access the user has to SAF FACILITY rule 3 in FM/CICS auditing FACILITY class resource names.
4 The visibility of the "Create audit trail" option does not influence whether a user can write audit log records, although the user must have access to write audit log records (to either a data set or SMF), for the option to be visible.