Determines when an audit record is written to the System Management
Facility (SMF). On each authorization call, RACF or an equivalent SAF-based
product can write an audit record to SMF with the result of the authorization
check.
WebSphere Application Server for z/OS uses the SAF RACROUTE AUTH and
RACROUTE FASTAUTH operations and passes the LOG option that is specified in
the security configuration.
The options are DEFAULT, ASIS, NOFAIL, and NONE.
The following options are available:
- DEFAULT
- When multiple role constraints are specified, such as a user must be in one
of a set of roles, all of the roles except for the last role are checked with
the NOFAIL option. If the authorization is granted in one of the roles before
the last role, WebSphere Application Server writes an authorization success
record. If the authorization is not successful in these roles, the last role
is checked with the ASIS log option. If the user is authorized to the last
role, a success record might be written. If the user is not authorized, a
failure record might be written.
- ASIS
- Specifies that the audit events are recorded in the manner that is specified
in the profile that protects the resource or in the manner that is specified
by the SETROPTS options.
- NOFAIL
- Specifies that failures are not recorded. Authorization failure messages
are not issued, but successful authorization audit records might be written.
- NONE
- Specifies that neither successes nor failures are recorded.
Only one authorization failed record is written for a failed J2EE authorization
check even if several SAF authorization calls are made. For more information
on the LOG options for SAF RACROUTE AUTH and RACROUTE FASTAUTH, see the RACF
or equivalent SAF-based product documentation.
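
The following model of the DEFAULT strategy is an added example, not WebSphere or RACF code. It shows why a denied multi-role check yields at most one failure record. The RoleProfile class, its audit_success and audit_failure flags (a simplification of the profile and SETROPTS audit settings), the sample roles and users, and the assumption that a success under NOFAIL is recorded only when the profile audits successes are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RoleProfile:
    """Hypothetical stand-in for the profile that protects one role."""
    name: str
    members: frozenset
    audit_success: bool   # assumed: profile asks for success records
    audit_failure: bool   # assumed: profile asks for failure records

def saf_check(user, profile, log):
    """Model one authorization call; return (granted, audit record or None)."""
    granted = user in profile.members
    if log == "NONE":
        outcome = None                      # neither result is recorded
    elif granted:
        outcome = "SUCCESS" if profile.audit_success else None
    elif log == "NOFAIL":
        outcome = None                      # failures are suppressed
    else:                                   # ASIS: follow the profile
        outcome = "FAILURE" if profile.audit_failure else None
    return granted, ((profile.name, outcome) if outcome else None)

def check_roles_default(user, roles):
    """DEFAULT: every role but the last uses NOFAIL, the last uses ASIS."""
    records = []
    for index, profile in enumerate(roles):
        log = "ASIS" if index == len(roles) - 1 else "NOFAIL"
        granted, record = saf_check(user, profile, log)
        if record:
            records.append(record)
        if granted:
            return True, records            # stop at the first granting role
    return False, records

# Constructed sample data: a constraint satisfied by any one of three roles.
ROLES = [
    RoleProfile("admin", frozenset({"root1"}), True, True),
    RoleProfile("operator", frozenset({"alice"}), True, True),
    RoleProfile("monitor", frozenset({"bob"}), False, True),
]

if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        print(user, check_roles_default(user, ROLES))
```

Reviewers reading SMF data under DEFAULT should expect the failure record for a denied request to name only the last role in the constraint, not every role that was tried.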