How can I use Compliance Event Manager to track Security Administration rule changes?

Document ID : KB000013074
Last Modified Date : 14/02/2018
Question:

How can I use Compliance Event Manager to track Security Administration rule changes?

Answer:

The POLICYADMIN event can be used to track logonid changes with the Alert, Warehouse or Logger components.

A Policy Statement for the Policy Administration event can be created. Test Conditions can be used against the following fields:

 Account
 Command
 Date
 Day
 ESM
 Jobname
 Operation
 Policy Class
 Policy Entity
 SYSID
 SYSPLEX
 Source
 Time
 Userid 

The fields that are returned are as follows:

 Category
 Class
 Command
 Date
 DATE_UTC
 Entity
 ESM  
 Event
 Jobname
 Length
 Operation
 Policy Class
 Policy Entity
 Policy UUID
 Record Length
 Source
 SYSID
 SYSPLEX
 Time
 Userid
 Version 

For example:

Security administrator logonid SEC0001 changes the FACILITY resource class rule BPX TYPE(FAC) to add a rule entry.

LOGONID SEC0001 (with SECURITY privilege) logs on to TSO.

Command issued from TSO:

ACF
SET RESOURCE(FAC)
reckey bpx add(delete.me.rule.entry UID(*) log)

Compliance Event Manager Policy Administration Event fields returned:

Category: POLICYADMIN
Class: RFAC
Command: reckey bpx add(delete.me.rule.entry UID(*) log)
Date: 06-Feb-2017
DATE_UTC: Monday
Entity: RFACBPX
ESM : ACF2
Event: POLICYADMIN
Jobname: SEC0001
Length: 212
Operation: INSERT
Policy Class: RFAC
Policy Entity: RFACBPX
Policy UUID: 588499fe-6183-41d1-ba9a-fd9e8daeb112
Record Length: 212
Source: A99KO888
SYSID: SYS8
SYSPLEX: MINIPLEX
Time: 20:38:04
Userid: SEC0001
Version: 1
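
The following Python sketch is an added example, not product code and not Compliance Event Manager policy syntax. It parses the returned fields shown above and applies conditions restricted to the testable fields the article lists, here flagging an ACF2 rule insert whose command grants `UID(*)`. It assumes events are available as "Field: value" text; the function names and the `BROAD_RULE_ADD` condition set are hypothetical.

```python
from fnmatch import fnmatchcase

# Fields the article lists as usable in Test Conditions.
TESTABLE = {"Account", "Command", "Date", "Day", "ESM", "Jobname", "Operation",
            "Policy Class", "Policy Entity", "SYSID", "SYSPLEX", "Source",
            "Time", "Userid"}

# Subset of the article's example event, as "Field: value" text.
SAMPLE_EVENT = """\
Category: POLICYADMIN
Command: reckey bpx add(delete.me.rule.entry UID(*) log)
Date: 06-Feb-2017
ESM : ACF2
Jobname: SEC0001
Operation: INSERT
Policy Class: RFAC
Policy Entity: RFACBPX
Policy UUID: 588499fe-6183-41d1-ba9a-fd9e8daeb112
SYSID: SYS8
Time: 20:38:04
Userid: SEC0001
"""

# Hypothetical condition set (glob patterns): a FACILITY rule entry added
# under ACF2 that applies to every UID. "[*]" matches a literal asterisk.
BROAD_RULE_ADD = {"ESM": "ACF2", "Operation": "INSERT",
                  "Policy Class": "RFAC", "Command": "*UID([*])*"}

def parse_event(text):
    """Split each line on the first colon only; Time values contain colons."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields[name.strip()] = value.strip()
    return fields

def matches(event, conditions):
    """True when every (field -> glob pattern) condition matches the event."""
    unknown = set(conditions) - TESTABLE
    if unknown:
        raise ValueError(f"not a testable field: {sorted(unknown)}")
    return all(fnmatchcase(event.get(f, ""), p) for f, p in conditions.items())

if __name__ == "__main__":
    print(matches(parse_event(SAMPLE_EVENT), BROAD_RULE_ADD))
```

A condition on a returned-only field such as Policy UUID raises an error, mirroring the split between the two field lists above.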