Take a look at a great reference document with examples on policy definition for the S-TAP on DB2 z/OS:
Matching: guardium X
I will be the first to admit that when I first heard of 'data level security' I had no idea what it meant. It's one of those terms that could mean almost anything, depending on what context you first heard it. So, let's get over the term and focus on what the capability is. Simply put, it enables you to create automatic filtering of audit data based on who the viewer is and their association with the particular audited database (hence the term data-level...). The beauty of this is that you can create one report definition, such as a report that shows database activity, and when the Oracle DBA sees it he or she would only see Oracle information, and when the DB2 DBA he or she would only see activity for the DB2 database. Furthermore, you can overlay your organizational structure so that the DBA manager could see the audit data for all the databases. This is quite a simplification, but I think trying to explain it in words is hard. You really need a visual and an example.
For this reason, I urge you to go read this developerWorks article that one of my colleagues and I coauthored. It has nice pictures and walks you through a scenario that includes not just DBA roles, but auditor roles as well. Check it out.