Auditing specific IDs or roles

As with other types of Db2 traces, you can start an audit trace for a particular plan name, a primary authorization ID, a role, or all of the above.

About this task

You might consider having audit traces on at all times for IDs with the SYSADM authority because they have complete access to every table. If you have a network of Db2 subsystems, you might need to trace multiple authorization IDs if the primary authorization IDs are translated several times. For embedded SQL, the audited ID is the primary authorization ID of the plan or package owner. For dynamic SQL, the audited ID is the primary authorization ID.

You can also start an audit trace for a particular role in a trusted context by using the ROLE and XROLE filters. For example, you can issue the following command to write accounting records for threads with a ROLE = abc:

Begin general-use programming interface information.
	-start trace(acctg) dest(smf) role(abc)
End general-use programming interface information.

You can also issue the following command to write accounting records for threads with a ROLE= abc:

Begin general-use programming interface information.
	-start trace(acctg) dest(smf) xrole(abc)
End general-use programming interface information.

In addition, you can use the asterisk (*) wildcard character (as in "abc*") or the underscore (_) wildcard character (as in "a_c") for more flexibility in audit tracing.