How can I use Compliance Event Manager to track Security Administration logonid changes?

Document ID : KB000013072
Last Modified Date : 14/02/2018
Question:

How can I use Compliance Event Manager to track Security Administration logonid changes?

 

Answer:

The ACCOUNTADMIN event can be used to track logonid changes with the Alert, Warehouse or Logger components.

A Policy Statement for the Account Administration event can be created. Test Conditions can be used against the following fields:

 Account Userid
 Command
 Date
 DATE_UTC
 ESM
 Jobname
 Operation
 Source
 SYSID
 SYSPLEX
 Time
 Userid

The following fields are returned:

Account Userid
Category
Command
Date
DATE_UTC
ESM
Event
Jobname
Length
Operation
Policy UUID
Record Length
Source
SYSID
SYSPLEX
Time
Userid
Version

For example:

Security administrator logonid SEC0001 changes the USER001 logonid to add the non-cancel privilege.

Command issued:

LOGONID SEC0001 (with SECURITY privilege) logs on to TSO

ACF
CHANGE USER001 non-cncl

Compliance Event Manager Account Administration Event fields returned:

Account Userid: USER001
Category: ACCOUNTADMIN
Command: change USER001 non-cncl
Date: 06-Feb-2017
DATE_UTC: Monday
ESM: ACF2
Event: ACCOUNTADMIN
Jobname: SEC0001
Length: 169
Operation: CHANGE
Policy UUID: 588499fe-6183-41d1-ba9a-fd9e8daeb112
Record Length: 169
Source: A99KO888
SYSID: SYS8
SYSPLEX: MINIPLEX
Time: 14:53:38
Userid: SEC0001
Version: 1
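
The following is an added example, not part of the original article or of Compliance Event Manager itself: a downstream triage script that reads an ACCOUNTADMIN event in the "Field: value" form shown above and reports privilege changes made by an administrator. The delivery format, the watchlist of privileges and the NO prefix for removing a privilege are assumptions to adjust for your site.

```python
import re

# Constructed sample: a subset of the event fields shown above.
SAMPLE_EVENT = """\
Account Userid: USER001
Command: change USER001 non-cncl
ESM : ACF2
Event: ACCOUNTADMIN
Operation: CHANGE
SYSID: SYS8
Time: 14:53:38
Userid: SEC0001
"""

# Assumption: illustrative watchlist of ACF2 logonid privileges.
WATCHED = {"NON-CNCL", "SECURITY", "ACCOUNT", "READALL"}

def parse_event(text):
    """Split 'Field: value' lines into a dict; tolerate spaces before the colon."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")  # first colon only, so times survive
        if sep and name.strip():
            fields[name.strip()] = value.strip()
    return fields

def privilege_changes(fields):
    """Return (privilege, 'grant' | 'revoke') pairs from a CHANGE command."""
    if fields.get("Event") != "ACCOUNTADMIN":
        return []
    if fields.get("Operation", "").upper() != "CHANGE":
        return []
    tokens = re.split(r"[\s,()]+", fields.get("Command", "").upper())
    found = []
    for tok in tokens[2:]:  # skip the verb and the target logonid
        if tok in WATCHED:
            found.append((tok, "grant"))
        elif tok.startswith("NO") and tok[2:] in WATCHED:  # assumed NO-prefix removal
            found.append((tok[2:], "revoke"))
    return found

def alert(text):
    """Build an alert record, or None when no watched privilege changed."""
    f = parse_event(text)
    changes = privilege_changes(f)
    if not changes:
        return None
    return {"admin": f.get("Userid"), "target": f.get("Account Userid"),
            "sysid": f.get("SYSID"), "time": f.get("Time"), "changes": changes}
```
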