Controlling auditing of read access to Db2 objects

You can use SAF to control whether ZDT/Db2 writes audit log records for ZDT/Db2 functions that read data from Db2® objects. Examples of such functions are:

Table 2 shows the SAF XFACILIT class resource names used to control ZDT/Db2 audit logging.

Example 1

You could write the following RACF® rules:

RDEL XFACILIT FILEM.AUDIT.DSNC.READ.OBJ.DSN8910.DEPT

RDEF XFACILIT FILEM.AUDIT.DSNC.READ.OBJ.DSN8910.DEPT +
     OWNER(XXXXXXXX) UACC(READ)

PE FILEM.AUDIT.DSNC.READ.OBJ.DSN8910.DEPT +
     CLASS(XFACILIT) ID(MASTER1) ACC(NONE)
Explanation of the three commands, in order:
  1. Delete any existing XFACILIT rule for this resource.
  2. Define the XFACILIT rule for Db2 system DSNC and READ access to Db2 object (OBJ) DSN8910.EMP. UACC(READ) allows all TSO user IDs to write audit log records, in the absence of an overriding, more specific rule.
  3. A specific rule for logon ID MASTER1 that prevents audit log records from being written for that user.

Example 2

You could write the following RACF rules:

RDEL XFACILIT FILEM.AUDIT.DSNP.READ.REMOBJ.MONTANA.DSN8910.ACT

RDEF XFACILIT FILEM.AUDIT.DSNP.READ.REMOBJ.MONTANA.DSN8910.ACT +
     OWNER(XXXXXXXX) UACC(READ)

PE FILEM.AUDIT.DSNP.READ.REMOBJ.MONTANA.DSN8910.ACT +
     CLASS(XFACILIT) ID(DEV1) ACC(NONE)
Explanation of the three commands, in order:
  1. Delete any existing XFACILIT rule for this resource.
  2. Define the XFACILIT rule for Db2 system DSNP and READ access to remote Db2 object (REMOBJ) MONTANA.DSN8910.ACR. UACC(READ) allows all TSO user IDs to write audit log records, in the absence of an overriding, more specific rule.
  3. A specific rule for logon ID DEV1 that prevents audit log records from being written for that user.
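The following Python model is an added illustration covering both Example 1 and Example 2; it is not IBM code and is not part of ZDT/Db2 or RACF. It builds the FILEM.AUDIT resource names the same way the page does and reproduces the access decision that the RACF commands set up: a discrete XFACILIT profile with a UACC and an access list, where a user's own PERMIT entry is consulted before UACC. Group-level permits, generic profiles and RACF's behaviour when no profile covers the resource are deliberately not modelled (the page does not describe that last case), and the user ID TSOUSER1 is a constructed example value.

```python
"""Model of the XFACILIT decision behind ZDT/Db2 read-audit logging.

Added illustration, not IBM code and not part of ZDT/Db2 or RACF. It mirrors the
effect of the RACF commands in Examples 1 and 2 on this page: a discrete profile
with a UACC and an access list, where a user's own PERMIT entry wins over UACC.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# RACF access levels in ascending order; READ or higher means "write the record".
ACCESS_LEVELS = ("NONE", "READ", "UPDATE", "CONTROL", "ALTER")


def audit_resource(ssid: str, object_kind: str, *qualifiers: str) -> str:
    """Build the FILEM.AUDIT.<ssid>.READ.<OBJ|REMOBJ>.<qualifiers> resource name."""
    return ".".join(("FILEM", "AUDIT", ssid, "READ", object_kind, *qualifiers))


@dataclass
class Profile:
    uacc: str = "NONE"
    permits: Dict[str, str] = field(default_factory=dict)  # user ID -> access


class XfacilitClass:
    """Minimal stand-in for the XFACILIT class: RDEL, RDEF, PE and the access check."""

    def __init__(self) -> None:
        self.profiles: Dict[str, Profile] = {}

    def rdel(self, name: str) -> None:
        self.profiles.pop(name, None)

    def rdef(self, name: str, uacc: str = "NONE") -> None:
        self.profiles[name] = Profile(uacc=uacc)

    def pe(self, name: str, user: str, acc: str) -> None:
        self.profiles[name].permits[user] = acc

    def access(self, name: str, user: str) -> Optional[str]:
        prof = self.profiles.get(name)
        if prof is None:
            return None  # no covering profile; the page does not define this case
        # An explicit access-list entry for the user takes precedence over UACC.
        return prof.permits.get(user, prof.uacc)


def audit_logged(racf: XfacilitClass, user: str, resource: str) -> Optional[bool]:
    """True if a read-audit record would be written for this user and object."""
    level = racf.access(resource, user)
    if level is None:
        return None
    return ACCESS_LEVELS.index(level) >= ACCESS_LEVELS.index("READ")


def build_examples() -> XfacilitClass:
    """Apply the RACF commands from Example 1 and Example 2."""
    racf = XfacilitClass()
    # Example 1: local object DSN8910.DEPT on Db2 system DSNC
    dept = audit_resource("DSNC", "OBJ", "DSN8910", "DEPT")
    racf.rdel(dept)
    racf.rdef(dept, uacc="READ")
    racf.pe(dept, "MASTER1", "NONE")
    # Example 2: remote object MONTANA.DSN8910.ACT via Db2 system DSNP
    act = audit_resource("DSNP", "REMOBJ", "MONTANA", "DSN8910", "ACT")
    racf.rdel(act)
    racf.rdef(act, uacc="READ")
    racf.pe(act, "DEV1", "NONE")
    return racf


if __name__ == "__main__":
    racf = build_examples()
    dept = audit_resource("DSNC", "OBJ", "DSN8910", "DEPT")
    for user in ("TSOUSER1", "MASTER1"):  # TSOUSER1 is a constructed user ID
        print(user, "->", audit_logged(racf, user, dept))
```

On a real system the equivalent check is to list the profile with its access list (RLIST XFACILIT FILEM.AUDIT.DSNC.READ.OBJ.DSN8910.DEPT AUTHUSER) and confirm that the only ACC(NONE) entries are the ones intended to be exempt from audit logging. If the XFACILIT class is RACLISTed on the installation, newly issued RDEF and PE commands take effect only after SETROPTS RACLIST(XFACILIT) REFRESH.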