Examples for setting audit controls for Db2

The RACF access control module checks the complete list of profiles for a request and only then attempts to produce an audit record. When access is denied, that record names the first resource that failed, not the last one checked.

Example 1

In this example, user ROGERM wants to use the SQL SELECT statement to retrieve information from table ICH in database DSNDB04 on the Db2 subsystem named DSN. The table qualifier is LOVES. (Refer to RACF authorization checking reference for the summary of table checking for the privilege.)

  • Does ROGERM own the table?

Db2 passes the table name qualifier (LOVES) to RACF, which compares it with the user ID. The qualifier does not match ROGERM, so ROGERM is not treated as the owner. This test checks no profile, so no audit record is written for it.

  • Does ROGERM have SELECT authority?

    RACF checks DSN.LOVES.ICH.SELECT in classes MDSNTB and GDSNTB. ROGERM does not have the required SELECT authority. If ROGERM doesn't meet any of the other requirements, this is the first failing resource.

  • Does ROGERM have database administrator authority?

    RACF checks DSN.DSNDB04.DBADM in class DSNADM. ROGERM does not have this authority.

  • Does ROGERM have system administrator authority?

    RACF checks DSN.SYSADM in class DSNADM. ROGERM does not have this authority.

Because ROGERM has none of the required authorities, RACF produces SMF records for the first failure it encountered. The ownership test also failed, but it checked no profile, so that failure is not audited. Therefore, the first failing resource is DSN.LOVES.ICH.SELECT. RACF produces an audit record for this resource and identifies it in message DSN408I. The details are contained in the log string information of the record and can be used in a report.

Example 2

In this example, user ROGERM issues a START DATABASE(DSNDB04) request for Db2 subsystem DSN. (Refer to RACF authorization checking reference for the summary of database checking for the privilege.)

  • Does ROGERM have STARTDB authority?

    RACF checks DSN.DSNDB04.STARTDB in classes MDSNDB and GDSNDB. ROGERM does not have the required STARTDB authority. If ROGERM doesn't meet any of the other requirements, this is the first failing resource.

  • Does ROGERM have database maintenance authority?

    RACF checks DSN.DSNDB04.DBMAINT in class DSNADM. ROGERM does not have the required DBMAINT authority.

  • Does ROGERM have database control authority?

    RACF checks DSN.DSNDB04.DBCTRL in class DSNADM. ROGERM does not have the required DBCTRL authority.

  • Does ROGERM have database administrator authority?

    RACF checks DSN.DSNDB04.DBADM in class DSNADM. ROGERM does not have the required DBADM authority.

  • Does ROGERM have system control authority?

    RACF checks DSN.SYSCTRL in class DSNADM. ROGERM does not have this authority.

  • Does ROGERM have system administrator authority?

    RACF checks DSN.SYSADM in class DSNADM. ROGERM does not have this authority.

Because ROGERM has none of the required authorities, RACF produces SMF records for the failure. The failure record is written for resource DSN.DSNDB04.STARTDB, the first failing resource. The log string information helps you determine what ROGERM was trying to do: it includes the object type, object name, and privilege, which you can use in a report.
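The two check sequences above, as an added Python model that is not IBM's code: it walks the checks in the order the page lists them, treats the ownership test as a comparison with the user ID that checks no profile, grants access on the first passing check, and otherwise records only the first failing resource for the audit record. The PERMITS table, the DBAUSER user, and the layout of the log string are constructed for this example and are not taken from the page.

```python
"""
Added model of the profile-check sequence the RACF access control module
walks for a Db2 request. Not IBM code: it reproduces only the ordering and
the "first failing resource is audited" rule described in the two examples.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Decision:
    granted: bool
    audited_resource: Optional[str]          # resource named in the failure record
    profiles_checked: list = field(default_factory=list)
    log_string: str = ""                     # object type, object name, privilege


# Constructed sample permissions: user -> {(class, resource)} that would pass
# a RACF authorization check. ROGERM has nothing, as on the page; DBAUSER is
# an invented user holding DBADM on DSNDB04.
PERMITS = {
    "ROGERM": set(),
    "DBAUSER": {("DSNADM", "DSN.DSNDB04.DBADM")},
}


def select_table_checks(subsystem, database, qualifier, table):
    """Ordered checks for SQL SELECT on a table (Example 1). The ownership
    step compares the table qualifier with the user ID and checks no profile,
    so its resource is None."""
    return [
        ("OWNER", None, ()),
        ("SELECT", f"{subsystem}.{qualifier}.{table}.SELECT", ("MDSNTB", "GDSNTB")),
        ("DBADM", f"{subsystem}.{database}.DBADM", ("DSNADM",)),
        ("SYSADM", f"{subsystem}.SYSADM", ("DSNADM",)),
    ]


def start_database_checks(subsystem, database):
    """Ordered checks for START DATABASE (Example 2)."""
    return [
        ("STARTDB", f"{subsystem}.{database}.STARTDB", ("MDSNDB", "GDSNDB")),
        ("DBMAINT", f"{subsystem}.{database}.DBMAINT", ("DSNADM",)),
        ("DBCTRL", f"{subsystem}.{database}.DBCTRL", ("DSNADM",)),
        ("DBADM", f"{subsystem}.{database}.DBADM", ("DSNADM",)),
        ("SYSCTRL", f"{subsystem}.SYSCTRL", ("DSNADM",)),
        ("SYSADM", f"{subsystem}.SYSADM", ("DSNADM",)),
    ]


def authorize(user, checks, object_type, object_name, privilege,
              owner_qualifier=None, permits=PERMITS):
    """Walk the checks in order. Any passing check grants access. If none
    pass, the failure record names the FIRST resource whose profile check
    failed; an ownership mismatch checks no profile and is never audited."""
    first_failing = None
    checked = []
    user_permits = permits.get(user, set())
    # Constructed log-string layout: the page says it carries object type,
    # object name and privilege, not how they are laid out.
    log_string = f"{object_type} {object_name} {privilege}"
    for _name, resource, classes in checks:
        if resource is None:                 # ownership test, no profile
            if owner_qualifier == user:
                return Decision(True, None, checked, log_string)
            continue
        checked.append(resource)
        if any((cls, resource) in user_permits for cls in classes):
            return Decision(True, None, checked, log_string)
        if first_failing is None:
            first_failing = resource
    return Decision(False, first_failing, checked, log_string)


def example_1(user="ROGERM"):
    """SELECT on table ICH, qualifier LOVES, database DSNDB04, subsystem DSN."""
    return authorize(user, select_table_checks("DSN", "DSNDB04", "LOVES", "ICH"),
                     "TABLE", "LOVES.ICH", "SELECT", owner_qualifier="LOVES")


def example_2(user="ROGERM"):
    """START DATABASE(DSNDB04) on subsystem DSN."""
    return authorize(user, start_database_checks("DSN", "DSNDB04"),
                     "DATABASE", "DSNDB04", "STARTDB")


if __name__ == "__main__":
    for decision in (example_1(), example_2(), example_1("LOVES"), example_1("DBAUSER")):
        print(decision)
```

Running the block shows the two denials from the page, then two grants: LOVES passes the ownership test with no profile checked at all, and DBAUSER passes on DSN.DSNDB04.DBADM after the SELECT profile failed, so no failure record is produced even though an earlier check failed.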