Alternatives for controlling Z Data Tools Base auditing

Z Data Tools auditing is an optional facility. There is no requirement to implement it, and Z Data Tools works if Z Data Tools auditing is not implemented. You should consider:

  • If your site requires a record of a user's read access to data sets, an external security product such as RACF® can be configured to log access by some or all users, and may be a better alternative.
  • Z Data Tools audit of read access to data sets does not write an audit log record for every record processed. Instead, the name of the data set and the number of records processed are written to the audit log.
  • Z Data Tools audit of changes to data sets typically writes two log records, a before and after image of the record that was changed. If you intend to log update changes to data sets that are subject to heavy update activity, you need to consider the performance impact of writing many audit log records, and also the size of any audit log data sets that may be produced.

You have two choices for controlling the auditing of Z Data Tools activities:

HFM0POPT controlled auditing
With HFM0POPT controlled auditing, you can specify auditing to the user's audit log data set, to the user's audit log data set with automatic (mandatory) printing of the audit log at the completion of the session, or to SMF. This auditing applies only to changes made by means of the Z Data Tools editor.

SAF-rule controlled auditing
This relies on various SAF FACILITY and XFACILIT resource rules, which you define with an external security product such as RACF (or an equivalent product).
These points summarize the facilities available with SAF-rule controlled auditing:
  • Auditing can be (optionally) specified for all Z Data Tools functions.
  • Different auditing requirements can be specified for different TSO user IDs.
  • Different auditing requirements can be specified for access to different resources.
  • You can provide Z Data Tools users with a "Create audit trail" option for the Z Data Tools edit functions. This is also SAF-rule controlled. The presence of the "Create audit trail" option does not guarantee that the user can switch off auditing, since this depends on the level of access the user has to the appropriate SAF resource names. When a user has access to the "Create audit trail" option, they can always turn on auditing, even if the relevant SAF resource rules do not require auditing.
  • You can specify auditing to the user's audit log data set, to the user's audit log data set with automatic (mandatory) printing of the audit log at the completion of the session, or to SMF. Dual logging (to the user's audit log data set and to SMF) can also be specified.
Some other points to consider are:
  • Auditing to the user's audit log data set can result in large numbers of audit log data sets. This may have disk space implications. You may need to consider implementing automatic purging or archiving of audit log data sets.
  • Auditing to SMF (only) requires additional set-up, but provides a more reliable and secure environment for capturing audit information than audit logging to the user's audit log data set.
  • If you implement SAF-rule controlled auditing you need to decide how Z Data Tools auditing will be enabled. This is described in more detail in Customizing the Z Data Tools audit facility for Base component. There are two alternatives: one requires an enabling SAF rule and the presence of a member in SYS1.PARMLIB, the other requires an enabling SAF rule but has no requirement for a member in SYS1.PARMLIB. The use of a member in SYS1.PARMLIB provides additional facilities compared with the alternative that does not require the use of SYS1.PARMLIB. The additional facilities are documented in Z Data Tools options specified in PARMLIB members.

When you have determined the appropriate type of auditing for your installation, follow the instructions in Customizing the Z Data Tools audit facility for Base component.