Controlling where FM/Db2 writes audit log records
You can use SAF to control whether FM/Db2 writes audit log records to SMF, to the user's audit log data set, or to both.
The table FM/Db2 audit FACILITY class resource names lists the SAF FACILITY class resource names used to control FM/Db2 logging and the user's audit log data set.
Example 1
- For Db2® system DSNA, disable audit logging to the user's data set for all FM/Db2 users.
- For Db2® system DSNA, enable FM/Db2 audit logging to SMF for logon ID PROD.
You can create the following RACF® rules:
RDEL FACILITY FILEM.AUDIT2.DSNA.TOSMF                                (1)
RDEL FACILITY FILEM.AUDIT2.DSNA.TODSN                                (1)
RDEF FACILITY FILEM.AUDIT2.DSNA.TOSMF UACC(NONE) OWNER(XXXXXXX)      (2)
RDEF FACILITY FILEM.AUDIT2.DSNA.TODSN UACC(NONE) OWNER(XXXXXXX)      (3)
PE FILEM.AUDIT2.DSNA.TOSMF ACC(READ) ID(PROD) CLASS(FACILITY)        (4)
Example 2
- For Db2® system DSNB, enable audit logging to the user's data set for all FM/Db2 users.
- Enable demand logging for users PROD1, PROD2, and PROD3.
- For Db2® system DSNB, disable audit logging to SMF for all FM/Db2 users.
You can create the following RACF® rules:
RDEL FACILITY FILEM.AUDIT2.DSNB.TOSMF                                (1)
RDEL FACILITY FILEM.AUDIT2.DSNB.TODSN                                (1)
RDEF FACILITY FILEM.AUDIT2.DSNB.TOSMF UACC(NONE) OWNER(XXXXXXX)      (5)
RDEF FACILITY FILEM.AUDIT2.DSNB.TODSN UACC(READ) OWNER(XXXXXXX)      (6)
PE FILEM.AUDIT2.DSNB.TODSN ACC(UPDATE) ID(PROD1) CLASS(FACILITY)     (7)
PE FILEM.AUDIT2.DSNB.TODSN ACC(UPDATE) ID(PROD2) CLASS(FACILITY)     (7)
PE FILEM.AUDIT2.DSNB.TODSN ACC(UPDATE) ID(PROD3) CLASS(FACILITY)     (7)
Example 3
- For Db2® system DSND, disable audit logging completely for all FM/Db2 users.
- For Db2® system DSNP, enable dual logging (to both SMF and the user's audit log data set) for all FM/Db2 users.
You can create the following RACF® rules:
RDEL FACILITY FILEM.AUDIT2.DSND.TOSMF                                (1)
RDEL FACILITY FILEM.AUDIT2.DSND.TODSN                                (1)
RDEL FACILITY FILEM.AUDIT2.DSNP.TOSMF                                (1)
RDEL FACILITY FILEM.AUDIT2.DSNP.TODSN                                (1)
RDEF FACILITY FILEM.AUDIT2.DSND.TOSMF UACC(NONE) OWNER(XXXXXXX)      (8)
RDEF FACILITY FILEM.AUDIT2.DSND.TODSN UACC(NONE) OWNER(XXXXXXX)      (9)
RDEF FACILITY FILEM.AUDIT2.DSNP.TOSMF UACC(READ) OWNER(XXXXXXX)      (10)
RDEF FACILITY FILEM.AUDIT2.DSNP.TODSN UACC(READ) OWNER(XXXXXXX)      (11)
(1) Delete any existing facility rule.
(2) Define the facility rule for Db2® system DSNA and audit logging to SMF (TOSMF suffix). UACC(NONE) is used so that any user for whom there is no specific rule has no access.
(3) Define the facility rule for Db2® system DSNA and audit logging to the user's audit log data set (TODSN suffix). UACC(NONE) is used so that any user for whom there is no specific rule has no access.
(4) Allow logon ID PROD to write audit log records to SMF (ACC(READ)).
(5) Define the facility rule for Db2® system DSNB and audit logging to SMF (TOSMF suffix). UACC(NONE) is used so that any user for whom there is no specific rule has no access.
(6) Define the facility rule for Db2® system DSNB and audit logging to the user's audit log data set (TODSN suffix). UACC(READ) is used so that any user for whom there is no specific rule has read access and can therefore write audit log records.
(7) Allow logon IDs PROD1, PROD2, and PROD3 to write audit log records with automatic printing of the audit report ("demand logging") (ACC(UPDATE)) to SMF.
(8) Define the facility rule for Db2® system DSND and audit logging to SMF (TOSMF suffix). UACC(NONE) is used so that any user for whom there is no specific rule has no access.
(9) Define the facility rule for Db2® system DSND and audit logging to the user's audit log data set (TODSN suffix). UACC(NONE) is used so that any user for whom there is no specific rule has no access.
(10) Define the facility rule for Db2® system DSNP and audit logging to SMF (TOSMF suffix). UACC(READ) is used so that any user for whom there is no specific rule has access (and can therefore write audit records to SMF).
(11) Define the facility rule for Db2® system DSNP and audit logging to the user's audit log data set (TODSN suffix). UACC(READ) is used so that any user for whom there is no specific rule has access (and can therefore write audit records to the user's audit log data set).
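The following added example (not IBM's code) models the access decision that examples 1 to 3 and their footnotes describe: for each Db2 system and user, the effective access on the TOSMF and TODSN profiles (a specific PERMIT entry, otherwise the UACC) determines whether logging is off (NONE), on (READ), or on with demand logging (UPDATE). It assumes a simplified RACF check that ignores group permits, and treats a missing profile as "undefined" rather than guessing.

```python
"""Simplified model of how FM/Db2 audit logging follows from the FACILITY
profiles on this page. Added example, not IBM's code. Assumptions not on the
page: only the user's own PERMIT entry and the UACC are evaluated (real RACF
also considers group permits, WARNING mode, etc.); missing profile -> undefined."""
from dataclasses import dataclass, field

ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

@dataclass
class FacilityProfile:
    uacc: str
    permits: dict = field(default_factory=dict)  # user ID -> access level

def effective_access(profile, user):
    """A specific PERMIT entry wins; otherwise the profile's UACC applies."""
    return profile.permits.get(user, profile.uacc)

def logging_mode(access):
    """Map a RACF access level to the logging behaviour the footnotes describe."""
    rank = ACCESS_RANK[access]
    if rank >= ACCESS_RANK["UPDATE"]:
        return "demand"  # log and automatically print the audit report
    if rank >= ACCESS_RANK["READ"]:
        return "on"      # write audit log records
    return "off"         # write nothing

def fmdb2_audit_settings(profiles, db2, user):
    """Return {"smf": mode, "dsn": mode} for one user on one Db2 subsystem."""
    result = {}
    for key, suffix in (("smf", "TOSMF"), ("dsn", "TODSN")):
        profile = profiles.get(f"FILEM.AUDIT2.{db2}.{suffix}")
        result[key] = ("undefined" if profile is None
                       else logging_mode(effective_access(profile, user)))
    return result

# Constructed from the RDEF/PE rules of examples 1 to 3 above.
PAGE_PROFILES = {
    "FILEM.AUDIT2.DSNA.TOSMF": FacilityProfile("NONE", {"PROD": "READ"}),
    "FILEM.AUDIT2.DSNA.TODSN": FacilityProfile("NONE"),
    "FILEM.AUDIT2.DSNB.TOSMF": FacilityProfile("NONE"),
    "FILEM.AUDIT2.DSNB.TODSN": FacilityProfile(
        "READ", {"PROD1": "UPDATE", "PROD2": "UPDATE", "PROD3": "UPDATE"}),
    "FILEM.AUDIT2.DSND.TOSMF": FacilityProfile("NONE"),
    "FILEM.AUDIT2.DSND.TODSN": FacilityProfile("NONE"),
    "FILEM.AUDIT2.DSNP.TOSMF": FacilityProfile("READ"),
    "FILEM.AUDIT2.DSNP.TODSN": FacilityProfile("READ"),
}
```

Calling `fmdb2_audit_settings(PAGE_PROFILES, "DSNB", "PROD1")` yields `{"smf": "off", "dsn": "demand"}`, while an ID with no PERMIT entry on DSNB gets `{"smf": "off", "dsn": "on"}` from the UACC alone.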