How can I use Compliance Event Manager to track Security Administration logonid changes?
The ACCOUNTADMIN event can be used to track logonid changes with the Alert, Warehouse or Logger components.
A Policy Statement for the Account Administration event can be created. Test Conditions can be used against the following fields:
Account Userid
Command
Date
DATE_UTC
ESM
Jobname
Operation
Source
SYSID
SYSPLEX
Time
Userid
The fields that are returned are as follows:
Account Userid
Category
Command
Date
DATE_UTC
ESM
Event
Jobname
Length
Operation
Policy UUID
Record Length
Source
SYSID
SYSPLEX
Time
Userid
Version
For example:
Security administrator logonid SEC0001 changes user USER001's logonid to add the non-cancel privilege.
Command issued:
LOGONID SEC0001 (with SECURITY privilege) logs on to TSO
ACF
CHANGE USER001 non-cncl
Compliance Event Manager Account Administration Event fields returned:
Account Userid: USER001
Category: ACCOUNTADMIN
Command: change USER001 non-cncl
Date: 06-Feb-2017
DATE_UTC: Monday
ESM: ACF2
Event: ACCOUNTADMIN
Jobname: SEC0001
Length: 169
Operation: CHANGE
Policy UUID: 588499fe-6183-41d1-ba9a-fd9e8daeb112
Record Length: 169
Source: A99KO888
SYSID: SYS8
SYSPLEX: MINIPLEX
Time: 14:53:38
Userid: SEC0001
Version: 1
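
The following is an added example, not part of Compliance Event Manager or the original article: a small triage script that parses an ACCOUNTADMIN event and reports when a CHANGE command turns on a sensitive logonid privilege. It assumes the event has been exported as "Field: value" text like the listing above; the function names and the privilege watch list are hypothetical.

```python
# Constructed sample: a subset of the ACCOUNTADMIN fields shown in this article,
# in an assumed "Field: value" text export.
SAMPLE_EVENT = """\
Account Userid: USER001
Command: change USER001 non-cncl
Date: 06-Feb-2017
ESM : ACF2
Event: ACCOUNTADMIN
Operation: CHANGE
SYSID: SYS8
Time: 14:53:38
Userid: SEC0001
"""

# Assumption: illustrative watch list of ACF2 logonid privileges; set per site policy.
WATCHED_PRIVILEGES = {"NON-CNCL", "SECURITY", "ACCOUNT", "READALL"}

def parse_event(text):
    """Split 'Field: value' lines into a dict, tolerating spaces around the colon."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")  # first colon only, so Time survives
        if sep and name.strip():
            fields[name.strip()] = value.strip()
    return fields

def granted_privileges(fields):
    """Return watched privileges named as operands of a CHANGE command."""
    if fields.get("Event") != "ACCOUNTADMIN" or fields.get("Operation") != "CHANGE":
        return []
    # Skip the verb and the target logonid; the rest are field operands.
    # Exact matching means a NO-prefixed operand (privilege turned off) is not counted.
    operands = fields.get("Command", "").upper().split()[2:]
    return sorted(op for op in operands if op in WATCHED_PRIVILEGES)

def describe(fields):
    """Build a one-line finding, or None when no watched privilege was granted."""
    privs = granted_privileges(fields)
    if not privs:
        return None
    return "{} {} on {}: {} granted {} to {}".format(
        fields.get("Date"), fields.get("Time"), fields.get("SYSID"),
        fields.get("Userid"), ",".join(privs), fields.get("Account Userid"))

if __name__ == "__main__":
    print(describe(parse_event(SAMPLE_EVENT)))
```

The Userid field identifies the administrator who issued the command and Account Userid identifies the logonid that was changed, so the finding keeps both.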