Controlling auditing of update access to Db2 objects

You can use SAF to control whether ZDT/Db2 writes audit log records for ZDT/Db2 functions that update, or have the potential to update, Db2® objects. Examples of such functions are:
  • The ZDT/Db2 editor operating in edit mode (but not view or browse)
  • ZDT/Db2 Copy, for the target Db2 object
  • ZDT/Db2 Import, for the target Db2 object
  • ZDT/Db2 Data Create

Table 2 shows the SAF XFACILIT class resource names used to control ZDT/Db2 audit logging.

Example 1

You could write the following RACF® rules:

RDEL XFACILIT FILEM.AUDIT.DSNA.UPDATE.OBJ.DSN8910.EMP          (1)

RDEF XFACILIT FILEM.AUDIT.DSNA.UPDATE.OBJ.DSN8910.EMP +
     OWNER(XXXXXXXX) UACC(READ)                                (2)

PE FILEM.AUDIT.DSNA.UPDATE.OBJ.DSN8910.EMP +
     CLASS(XFACILIT) ID(MAINT1) ACC(NONE)                      (3)

Explanation:
  1. Delete any existing XFACILIT rule.
  2. Define the XFACILIT rule for Db2 system DSNA and UPDATE access to Db2 object (OBJ) DSN8910.EMP. UACC(READ) allows all TSO user IDs to write audit log records (in the absence of any overriding, more specific rule).
  3. A specific rule for logon ID MAINT1 that prevents audit log records from being written.

Example 2

You could write the following RACF rules:

RDEL XFACILIT FILEM.AUDIT.DSNA.UPDATE.REMOBJ.TEXAS.DSN8910.EMP (1)

RDEF XFACILIT FILEM.AUDIT.DSNA.UPDATE.REMOBJ.TEXAS.DSN8910.EMP +
     OWNER(XXXXXXXX) UACC(READ)                                (2)

PE FILEM.AUDIT.DSNA.UPDATE.REMOBJ.TEXAS.DSN8910.EMP +
     CLASS(XFACILIT) ID(SERVIC1) ACC(NONE)                     (3)
PE FILEM.AUDIT.DSNA.UPDATE.REMOBJ.TEXAS.DSN8910.EMP +
     CLASS(XFACILIT) ID(SERVIC2) ACC(NONE)                     (3)

Explanation:
  1. Delete any existing XFACILIT rule.
  2. Define the XFACILIT rule for Db2 system DSNA and UPDATE access to remote Db2 object (REMOBJ) TEXAS.DSN8910.EMP. UACC(READ) allows all TSO user IDs to write audit log records (in the absence of any overriding, more specific rule).
  3. Specific rules for logon IDs SERVIC1 and SERVIC2 that prevent audit log records from being written.
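
Because a PERMIT with ACC(NONE) on one of these profiles switches audit logging off for that ID, a rule deck is worth reviewing for who it exempts. The following Python sketch is an added example, not part of the product or of this page's original text: it reads the command text from Examples 1 and 2 (embedded as a constructed sample) and lists, per FILEM.AUDIT profile, the UACC and the IDs permitted with NONE. It assumes only the behaviour stated above (READ writes audit records, NONE suppresses them), inspects command text rather than the live RACF database, and does not resolve group connections or generic profiles; the function names are hypothetical.

```python
import re
# Constructed sample: the rule sets from Examples 1 and 2 as one command deck.
RULES = """\
RDEF XFACILIT FILEM.AUDIT.DSNA.UPDATE.OBJ.DSN8910.EMP +
     OWNER(XXXXXXXX) UACC(READ)
PE FILEM.AUDIT.DSNA.UPDATE.OBJ.DSN8910.EMP +
     CLASS(XFACILIT) ID(MAINT1) ACC(NONE)
RDEF XFACILIT FILEM.AUDIT.DSNA.UPDATE.REMOBJ.TEXAS.DSN8910.EMP +
     OWNER(XXXXXXXX) UACC(READ)
PE FILEM.AUDIT.DSNA.UPDATE.REMOBJ.TEXAS.DSN8910.EMP +
     CLASS(XFACILIT) ID(SERVIC1) ACC(NONE)
PE FILEM.AUDIT.DSNA.UPDATE.REMOBJ.TEXAS.DSN8910.EMP +
     CLASS(XFACILIT) ID(SERVIC2) ACC(NONE)
"""

def join_continuations(text):
    """Merge lines ending in '+' with the line that follows them."""
    cmds, buf = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("+"):
            buf += line[:-1].strip() + " "
        elif line or buf:
            cmds.append((buf + line).strip())
            buf = ""
    return cmds

def operand(cmd, *keywords):
    """Return the upper-cased value of the first KEYWORD(value) found, or None."""
    for kw in keywords:
        m = re.search(rf"\b{kw}\(([^)]*)\)", cmd, re.I)
        if m:
            return m.group(1).strip().upper()
    return None

def audit_exemptions(text):
    """Map each FILEM.AUDIT profile to its UACC and the IDs permitted with NONE."""
    profiles = {}
    for cmd in join_continuations(text):
        words = cmd.upper().split()
        if words[0] in ("RDEF", "RDEFINE") and words[1:2] == ["XFACILIT"] and len(words) > 2:
            profiles.setdefault(words[2], {"uacc": None, "suppressed": []})["uacc"] = operand(cmd, "UACC")
        elif words[0] in ("PE", "PERMIT") and len(words) > 1 and operand(cmd, "CLASS") == "XFACILIT":
            entry = profiles.setdefault(words[1], {"uacc": None, "suppressed": []})
            if operand(cmd, "ACC", "ACCESS") == "NONE":
                entry["suppressed"] += (operand(cmd, "ID") or "").replace(",", " ").split()
    return {n: p for n, p in profiles.items() if n.startswith("FILEM.AUDIT.")}

if __name__ == "__main__":
    for name, p in audit_exemptions(RULES).items():
        print(name, "UACC=" + str(p["uacc"]), "not audited:", p["suppressed"])
```

A profile that appears with `uacc` of `None` was permitted but never defined in the deck being reviewed, which is itself worth checking.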