AUDIT_JOURNAL_AF table function

The AUDIT_JOURNAL_AF table function returns rows from the audit journal that contain information from the AF (Authority Failure) journal entries.

Every audit journal table function shares a common authorization requirement and a common set of parameters. These are described in AUDIT JOURNAL table function common information.

The result of the function is a table containing rows with the format shown in the following table. All the columns are nullable.

Table 1. AUDIT_JOURNAL_AF table function
Column Name	Data Type	Description
The first columns returned by this table function are from the common audit journal entry header. See Common columns returned from the audit journal entry header for the column definitions. After the common columns are the following columns that describe the entry specific data for the AF audit journal entry.
VIOLATION_TYPE	CHAR(1)	The type of authority violation. A Not authorized to object B Restricted instruction C Validation failure. See VALIDATION_ERROR_ACTION for additional details. D Use of unsupported interface, object domain failure E Hardware storage protection error, program constant space violation H Scan exit program action. See VALIDATION_ERROR_ACTION for additional details. I System Java™ inheritance not allowed J Submit job profile error K Special authority violation N Profile token not a regenerable token O Optical Object Authority Failure P Profile swap error R Hardware protection error S Default sign-on attempt T Not authorized to TCP/IP port U User permission request not valid V Profile token not valid for generating new profile token W Profile token not valid for swap X System violation. See OPERATION_VIOLATION_CODE for additional details. Y Not authorized to the current JUID field during a clear JUID operation. Z Not authorized to the current JUID field during a set JUID operation.
VIOLATION_TYPE_DETAIL	VARCHAR(200)	Descriptive text that corresponds to the violation type.
VALIDATION_ERROR_ACTION	CHAR(1)	Action taken after validation error detected, set when VIOLATION_TYPE is C or H. A The translation of the object was not attempted or it failed. The QALWOBJRST system value setting allowed the object to be restored. The user doing the restore did not have ALLOBJ special authority and the system security level is set to 10, 20, or 30. Therefore, all authorities to the object were retained. B The translation of the object was not attempted or it failed. The QALWOBJRST system value setting allowed the object to be restored. The user doing the restore did not have ALLOBJ special authority and the system security level is set to 40 or above. Therefore, all authorities to the object were revoked. C The translation of the object was successful. The translated copy was restored on the system. D The translation of the object was not attempted or it failed. The QALWOBJRST system value setting allowed the object to be restored. The user doing the restore had *ALLOBJ special authority. Therefore, all authorities to the object were retained. E System install time error detected. F The object was not restored because the signature is not IBM® i format. G Unsigned system or inherit state object found when checking system. H Unsigned user state object found when checking system. I Mismatch between object and its signature found when checking system. J IBM certificate not found when checking system. K Invalid signature format found when checking system. M Scan exit program modified the object that was scanned. X Scan exit program wanted object marked as having a scan failure. Contains the null value if VIOLATION_TYPE is not C or H.
VALIDATION_ERROR_ACTION_DETAIL	VARCHAR(200)	Descriptive text that corresponds to the violation error action. Contains the null value if VIOLATION_TYPE is not C or H.
OPERATION_VIOLATION_CODE	CHAR(3)	The type of operation violation that occurred, set when VIOLATION_TYPE is X. AAC Not authorized to use SST Advanced Analysis Command. HCA Service tool user profile not authorized to perform hardware configuration operation (QYHCHCOP). LIC LIC indicates that a Licensed Internal Code fix was not applied because of a signature violation. SFA Not authorized to activate the environment attribute for system file access. CMD An attempt was made to use a command that has been disabled by a system administrator. Contains the null value if the VIOLATION_TYPE is not X.
OBJECT_LIBRARY	VARCHAR(10)	The name of the library containing the object. When VIOLATION_TYPE is K, contains the name of the program's library or the command's library that detected the error. Contains the null value if there is no library name.
OBJECT_NAME	VARCHAR(10)	The name of the object. When VIOLATION_TYPE is K, contains the name of the command or program that detected the error. If the command has several alternative names, the command name in the audit record might not match the specific command name used but will be one of the equivalent alternatives. A special value of INSTR indicates that a machine instruction detected the error. When OBJECT_TYPE is LIC, contains a Licensed Internal Code replacement unit (RU) name. Contains the null value if there is no object name.
OBJECT_TYPE	VARCHAR(7)	The type of the object. When VIOLATION_TYPE is K, contains the object type of the command or program that detected the error. When VIOLATION_TYPE is G, contains the name of the *SRVPGM that contained the exit that detected the error. Contains the null value if there is no object type.
OBJECT_ASP_NAME	VARCHAR(10)	The name of the auxiliary storage pool (ASP) in which the object resides. A value of *SYSBAS indicates the system ASP and all basic user ASPs.
OBJECT_ASP_NUMBER	INTEGER	The number of the ASP device.
FIELD_NAME	VARCHAR(10)	The system name of the column. Contains the null value if the authority is not related to a column or the column name is not available.
TCPIP_PORT	INTEGER	The TCP/IP port the user is not authorized to use, when VIOLATION_TYPE is T. Contains the null value if VIOLATION_TYPE is not T.
API_NAME	VARCHAR(20)	The full API name of the API or exit point name that detected the error, when VIOLATION_TYPE is K. Contains the null value when the VIOLATION_TYPE is not K or if there is no API or exit point information.
PTF_NUMBER	CHAR(7)	The PTF number that failed to apply because of a signature violation when the VIOLATION_TYPE is X and OPERATION_VIOLATION_CODE is LIC. Contains the null value if VIOLATION_TYPE is not X with an OPERATION_VIOLATION_CODE of LIC.
AAC_NAME	VARCHAR(30)	The Advanced Analysis Command name, when the VIOLATION_TYPE is X and the OPERATION_VIOLATION_CODE is AAC. Contains the null value if VIOLATION_TYPE is not X with an OPERATION_VIOLATION_CODE of AAC.
USER_PROFILE_NAME	VARCHAR(10)	The name of the user that caused the authority failure. Contains the null value if the user name is not available.
WORKSTATION_NAME	VARCHAR(10)	The name of the workstation or workstation type. Contains the null value if the workstation name is not available.
PROGRAM_INSTRUCTION	INTEGER	The instruction number of the program. Contains the null value if the instruction number is not available.
PATH_NAME	VARGRAPHIC(5000) CCSID 1200	The path name of the object. Contains the null value if the object name is not available or the object is not in the "root" (/), QOpenSys, or user-defined file systems.
PATH_NAME_INDICATOR	VARCHAR(3)	Path name indicator. NO The PATH_NAME column does not contain an absolute path name for the object, instead it contains a relative path name. The RELATIVE_DIRECTORY_FILE_ID can be used to form an absolute path name with this relative path name. YES The PATH_NAME column contains complete absolute path name for the object. Contains the null value if the object is not in the "root" (/), QOpenSys, or user-defined file systems.
RELATIVE_DIRECTORY_FILE_ID	BINARY(16)	When PATH_NAME_INDICATOR is NO, contains the file ID of the directory that contains the object identified in the PATH_NAME column. Contains the null value when PATH_NAME_INDICATOR is YES, or if the file ID is not available or the object is not in the "root" (/), QOpenSys, or user-defined file systems.
IFS_OBJECT_NAME	VARGRAPHIC(512) CCSID 1200	The name of the object. Contains the null value if the object name is not available or the object is not in the "root" (/), QOpenSys, or user-defined file systems.
OBJECT_FILE_ID	BINARY(16)	The file ID of the object. Contains the null value if the object is not in the "root" (/), QOpenSys, or user-defined file systems.
PARENT_FILE_ID	BINARY(16)	The file ID of the parent directory. Contains the null value if the file ID is not available or the object is not in the "root" (/), QOpenSys, or user-defined file systems.
OFFICE_USER	VARCHAR(10)	The name of the office user. Contains the null value if there is no office user.
OFFICE_ON_BEHALF_OF_USER	VARCHAR(10)	User working on behalf of another user. Contains the null value if the user name is not available.
DLO_NAME	VARCHAR(12)	The name of the document library object. Contains the null value if there is no document library object.
FOLDER_PATH	VARCHAR(63)	The path of the folder. Contains the null value if there is no folder path.

Example

Find any authority failures for Integrated File System (IFS) objects in the past 24 hours.


SELECT * FROM TABLE(
  SYSTOOLS.AUDIT_JOURNAL_AF(
    STARTING_TIMESTAMP => CURRENT TIMESTAMP - 1 DAY
  )
) WHERE PATH_NAME IS NOT NULL;

Determine the number of 'Not authorized to object' authority failures for user BOB in the last week.


SELECT COUNT(*) FROM TABLE(
  SYSTOOLS.AUDIT_JOURNAL_AF(
    STARTING_TIMESTAMP => CURRENT TIMESTAMP - 7 DAYS,
    USER_NAME => 'BOB'
  )
) WHERE VIOLATION_TYPE = 'A';