Logging of RACF Commands and RACROUTE REQUEST=DEFINE Requests

If you have the AUDITOR attribute, you can specify the classes for which RACF logs all detected accesses to the RACF database through RACF commands and RACROUTE REQUEST=DEFINE requests. You can specify this option with the AUDIT operand on the SETROPTS command; it becomes effective immediately. The following example specifies that you want RACF to log RACF commands and RACROUTE REQUEST=DEFINE requests for users, groups, data sets, and the VMMDISK and TERMINAL general resource classes.

SETROPTS AUDIT(USER GROUP DATASET VMMDISK TERMINAL)

If you specify AUDIT(*), RACF logs RACF command and RACROUTE REQUEST=DEFINE request activity for all classes.

If you want to log any change in RACF protection for IMS, enter:

SETROPTS AUDIT(IMS)

The following table shows the commands that are audited when SETROPTS AUDIT is active for the specified class. The RACROUTE request refers to a RACROUTE REQUEST=DEFINE request.

USER       GROUP      DATASET     Classes in the CDT   DIRECTRY    FILE
ADDUSER    ADDGROUP   ADDSD       PERMIT               ADDDIR      ADDFILE
ALTUSER    ALTGROUP   ALTDSD      RACROUTE¹            ALTDIR      ALTFILE
CONNECT    CONNECT    DELDSD      RALTER               DELDIR      DELFILE
DELUSER    DELGROUP   PERMIT      RDEFINE              PERMDIR     PERMFILE
PASSWORD   REMOVE     RACROUTE¹   RDELETE              RACROUTE¹   RACROUTE¹
REMOVE

Note: SETROPTS AUDIT(USER) includes all successful password and password phrase changes.

If you have the AUDITOR attribute, you can also specify the NOAUDIT operand on the SETROPTS command, and identify the class or classes for which you do not want RACF to log RACF command and RACROUTE REQUEST=DEFINE requests. If you specify NOAUDIT(*), RACF does not log RACF command and RACROUTE REQUEST=DEFINE requests for any class.

NOAUDIT(*) is in effect at RACF initialization.

Note: If you have the AUDITOR attribute, you can specify with the UAUDIT operand on the ALTUSER command that you want RACF to log all RACROUTE REQUEST=AUTH and RACROUTE REQUEST=DEFINE requests issued for the user and all RACF commands (except LISTGRP and LISTUSER) issued by the user.

¹ RACROUTE refers to a RACROUTE REQUEST=DEFINE request.
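
The following Python example is an added illustration, not part of the original documentation. It replays a sequence of SETROPTS commands starting from the NOAUDIT(*) state in effect at RACF initialization, then uses the table above to answer whether a given command against a given class is logged. It assumes that AUDIT adds classes to, and NOAUDIT removes classes from, the current list; the function names, the KNOWN_CLASSES list used to expand `*`, and the third sample command are constructed for the example.

```python
import re

# Commands logged per class, transcribed from the table above.
# RACROUTE means a RACROUTE REQUEST=DEFINE request.
AUDITED = {
    "USER": {"ADDUSER", "ALTUSER", "CONNECT", "DELUSER", "PASSWORD", "REMOVE"},
    "GROUP": {"ADDGROUP", "ALTGROUP", "CONNECT", "DELGROUP", "REMOVE"},
    "DATASET": {"ADDSD", "ALTDSD", "DELDSD", "PERMIT", "RACROUTE"},
    "DIRECTRY": {"ADDDIR", "ALTDIR", "DELDIR", "PERMDIR", "RACROUTE"},
    "FILE": {"ADDFILE", "ALTFILE", "DELFILE", "PERMFILE", "RACROUTE"},
}
# Column "Classes in the CDT": applied to any class not listed above.
CDT_COMMANDS = {"PERMIT", "RACROUTE", "RALTER", "RDEFINE", "RDELETE"}

# Matches AUDIT(...) and NOAUDIT(...) operands, but not UAUDIT(...).
OPERAND = re.compile(r"\b(NOAUDIT|AUDIT)\(([^)]*)\)", re.IGNORECASE)

# Constructed sample data: class universe for '*', and a command history.
KNOWN_CLASSES = ["USER", "GROUP", "DATASET", "DIRECTRY", "FILE",
                 "VMMDISK", "TERMINAL", "IMS"]
SAMPLE_COMMANDS = [
    "SETROPTS  AUDIT(USER  GROUP  DATASET  VMMDISK  TERMINAL)",
    "SETROPTS AUDIT(IMS)",
    "SETROPTS NOAUDIT(TERMINAL)",   # constructed, not from the page
]

def effective_audit(commands, known_classes):
    """Replay SETROPTS commands in order; return the audited class set."""
    active = set()                  # NOAUDIT(*) at RACF initialization
    for cmd in commands:
        for operand, body in OPERAND.findall(cmd):
            names = {n.upper() for n in body.split()}
            if "*" in names:
                names = set(known_classes)
            if operand.upper() == "AUDIT":
                active |= names     # assumption: AUDIT is cumulative
            else:
                active -= names
    return active

def is_logged(command, class_name, active):
    """True if SETROPTS AUDIT causes this command to be logged for the class."""
    cls = class_name.upper()
    return cls in active and command.upper() in AUDITED.get(cls, CDT_COMMANDS)

def unlogged(required, active):
    """Classes in a required baseline whose command activity is not logged."""
    return sorted({c.upper() for c in required} - active)
```

Feeding the result of `effective_audit` into `unlogged` with an installation's required class list shows which classes still need a SETROPTS AUDIT operand.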