The ROAUDIT attribute

A user who has the ROAUDIT attribute has the authority to list auditing information using the LISTDSD, RLIST, LISTUSER, LISTGRP, SETROPTS LIST, and SEARCH commands, as well as the IRRUT100 utility. Unlike users with the AUDITOR attribute, users with the ROAUDIT attribute are unable to specify logging options or to control logging to the SMF data set.

The user who has the ROAUDIT attribute can list all of the profile information that is available to the SPECIAL user, as well as information that is available to auditors. Note, however, that this extended listing authority does not give the auditor additional access to protected data or additional authority to change information in the RACF® database.

If the DSMON program (ICHDSM00) is not defined in the PROGRAM class (it is not a controlled program), a user must have either the AUDITOR or the ROAUDIT attribute to run the DSMON program. (If DSMON is a controlled program, the ROAUDIT attribute is not enough to run it. The user, or the user's group, must be in the access list of the DSMON profile, ICHDSM00, to run the DSMON program.)

You should assign the ROAUDIT attribute only to users who are responsible for auditing RACF security controls and functions, but who are not to be responsible for establishing those security controls or functions. For example, you might give the ROAUDIT attribute to a user account created for an external auditor to permit that person to audit the security controls and function without being able to alter those controls. To provide a check and balance on RACF security measures, you should give the ROAUDIT attribute to auditors or users other than those who have the SPECIAL or AUDITOR attribute.

The ROAUDIT attribute can be assigned only by a user (security or group administrator) who has the SPECIAL attribute.

For a list of the RACF commands that this attribute allows users to issue, see Table 1.