Audit classes

When you start the trace, you choose the events to audit by specifying one or more audit classes.

Begin program-specific programming interface information.

The trace records are limited to 5000 bytes, so descriptions that contain long SQL statements might be truncated. The following table describes the available classes and the events that they include.

Table 1. Audit classes and the events that they trace
Audit class Events that are traced
1 Access attempts that DB2® denies because of inadequate authorization. This class is the default.
2 Explicit GRANT and REVOKE statements and their results. This class does not trace implicit grants and revokes.
3 Traces CREATE, DROP, and ALTER operations against an audited table or a table that is enabled with multilevel security with row-level granularity. For example, it traces the updates to a table created with the AUDIT CHANGES or AUDIT ALL clause. It also traces the deletion of a table as the result of a DROP TABLESPACE or DROP DATABASE statement.
4 Changes to audited tables. Only the first attempt to change a table, within a unit of recovery, is recorded. (If the agent or the transaction issues more than one COMMIT statement, the number of audit records increases accordingly.) The changed data is not recorded; only the attempt to make a change is recorded. If the change is not successful and is rolled back, the audit record remains; it is not deleted. This class includes access by the LOAD utility. Accesses to a dependent table that are caused by attempted deletions from a parent table are also audited. The audit record is written even if the delete rule is RESTRICT, which prevents the deletion from the parent table. The audit record is also written when the rule is CASCADE or SET NULL, which can result in deletions that cascade to the dependent table.
5 All read accesses to tables that are identified with the AUDIT ALL clause. As in class 4, only the first access within a DB2 unit of recovery is recorded. References to a parent table are also audited.
6 The bind of static and dynamic SQL statements of the following types:
  • INSERT, UPDATE, DELETE, CREATE VIEW, and LOCK TABLE statements for audited tables. Except for the values of host variables, the audit record contains the entire SQL statement.
  • SELECT statements on tables that are identified with the AUDIT ALL clause. Except for the values of host variables, the audit record contains the entire SQL statement.
7 Assignment or change of an authorization ID because of the following reasons:
  • Changes through an exit routine (default or user-written)
  • Changes through a SET CURRENT SQLID statement
  • An outbound or inbound authorization ID translation
  • An ID that is being mapped to a RACF® ID from a Kerberos security ticket
8 The start of a utility job, and the end of each phase of the utility
9 Various types of records that are written to IFCID 0146 by the IFI WRITE function
10 CREATE and ALTER TRUSTED CONTEXT statements, information about establishing a trusted connection, and switch-user information
11 Audit the use of any administrative authority and the successful execution of any authorization ID
End program-specific programming interface information.
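The following walk-through shows how the table's AUDIT attribute decides which of classes 3, 4, 5, and 6 produce records. It is an added example, not part of the original documentation; the schema PAYROLL, the table EMP_SALARY, and the SMF destination are assumptions.

```sql
-- Constructed example. PAYROLL.EMP_SALARY is a hypothetical table.
-- The trace is started with a DB2 command (not an SQL statement), for example:
--   -START TRACE(AUDIT) CLASS(3,4,5,6) DEST(SMF)

-- Class 3: CREATE of a table that carries an AUDIT clause.
CREATE TABLE PAYROLL.EMP_SALARY
      (EMPNO   CHAR(6)       NOT NULL,
       SALARY  DECIMAL(9,2)  NOT NULL)
  AUDIT CHANGES;
COMMIT;

-- Unit of recovery 1.
-- Class 6: the statement text is recorded when the statement is bound
--          (host-variable values are not part of the record).
-- Class 4: one record for the first change attempt in this unit of recovery.
UPDATE PAYROLL.EMP_SALARY SET SALARY = SALARY * 1.05 WHERE EMPNO = '000010';
-- Same unit of recovery: no further class 4 record for this table.
UPDATE PAYROLL.EMP_SALARY SET SALARY = SALARY * 1.05 WHERE EMPNO = '000020';
COMMIT;

-- Unit of recovery 2: a new class 4 record is written for the first change.
-- The record remains after the ROLLBACK, and it never holds the changed data.
DELETE FROM PAYROLL.EMP_SALARY WHERE EMPNO = '000010';
ROLLBACK;

-- The table is AUDIT CHANGES, so this read produces no class 5 record
-- and its SELECT text is not captured by class 6.
SELECT EMPNO, SALARY FROM PAYROLL.EMP_SALARY;
COMMIT;

-- Class 3: ALTER of an audited table. Reads are audited from here on.
ALTER TABLE PAYROLL.EMP_SALARY AUDIT ALL;
COMMIT;

-- Class 5: first read access in this unit of recovery is recorded.
-- Class 6: the SELECT statement text is recorded at bind.
SELECT EMPNO, SALARY FROM PAYROLL.EMP_SALARY;
COMMIT;

-- Check which tables the data-access classes can cover at all.
-- AUDITING: 'A' = AUDIT ALL, 'C' = AUDIT CHANGES, blank = AUDIT NONE.
SELECT CREATOR, NAME, AUDITING
  FROM SYSIBM.SYSTABLES
 WHERE CREATOR = 'PAYROLL'
   AND TYPE = 'T';
```

Because classes 4 and 5 write only one record per table per unit of recovery, counting their records does not give the number of rows or statements that touched the table.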