With the SECADM authority, you can set up audit policies
and dynamically enable auditing of tables that do not have the AUDIT
clause specified.
Procedure
To audit the activities on table EMPLOYEE.SALARY without
having to specify the AUDIT clause:
- Obtain the SECADM authority if you do not have it.
Alternately, you can have the SECADM authority grant you the
required privileges to create an audit policy. A user with the SYSOPR
authority can activate the policy.
- Create audit policy TABADT1 by issuing the following INSERT
statement:
INSERT INTO SYSIBM.SYSAUDITPOLICIES(AUDITPOLICYNAME, OBJECTSCHEMA,
OBJECTNAME, OBJECTTYPE, EXECUTE)
VALUES('TABADT1','EMPLOYEE','SALARY','T','A');
Db2 checks
to make sure that you have the required privilege to issue the INSERT
statement. Upon successful verification, it inserts a row in SYSIBM.SYSAUDITPOLICIES
to include the new policy.
- Activate the audit policy by issuing the START
TRACE command:
-STA TRACE (AUDIT) DEST (GTF) AUDTPLCY(TABADT1);
Db2 checks
to make sure that you have the required privilege to run the START
TRACE command. Upon successful verification, it starts the
IFCID 0143, 0144, and 0145 trace records.
For example, if
a user issues the SELECT statement to select from the EMPLOYEE.SALARY
table, Db2 records
the query activity in the IFCID 0144 trace record.