Change Object Auditing (CHGOBJAUD)

The Change Object Auditing (CHGOBJAUD) command allows users with *AUDIT special authority to set up or change auditing on an object. Users with *AUDIT special authority can turn auditing on or off for an object regardless of whether they have authority to the object. The system value QAUDCTL controls turning auditing on and off. The auditing attribute of an object can be displayed with the Display Object Description (DSPOBJD) command.

Parameters

| Keyword | Description | Choices | Notes |
|---|---|---|---|
| OBJ | Object | Qualified object name | Required, Positional 1 |
| | Qualifier 1: Object | Generic name, name, *ALL | |
| | Qualifier 2: Library | Name, *LIBL, *USRLIBL, *CURLIB, *ALL, *ALLUSR, *ALLAVL, *ALLUSRAVL | |
| OBJTYPE | Object type | *ALL, *ALRTBL, *AUTHLR, *AUTL, *BNDDIR, *CFGL, *CHTFMT, *CLD, *CLS, *CMD, *CNNL, *COSD, *CRG, *CRQD, *CSI, *CSPMAP, *CSPTBL, *CTLD, *DEVD, *DSTMF, *DTAARA, *DTADCT, *DTAQ, *EDTD, *EXITRG, *FCT, *FILE, *FNTRSC, *FNTTBL, *FORMDF, *FTR, *GSS, *IGCDCT, *IGCTBL, *IGCSRT, *IMGCLG, *IPXD, *JOBD, *JOBQ, *JOBSCD, *JRN, *JRNRCV, *LIB, *LIND, *LOCALE, *M36, *M36CFG, *MEDDFN, *MENU, *MGTCOL, *MODD, *MODULE, *MSGF, *MSGQ, *NODGRP, *NODL, *NTBD, *NWID, *NWSCFG, *NWSD, *OUTQ, *OVL, *PAGDFN, *PAGSEG, *PDFMAP, *PDG, *PGM, *PNLGRP, *PRDAVL, *PRDDFN, *PRDLOD, *PSFCFG, *QMFORM, *QMQRY, *QRYDFN, *RCT, *S36, *SBSD, *SCHIDX, *SPADCT, *SQLPKG, *SQLUDT, *SQLXSR, *SRVPGM, *SSND, *SVRSTG, *TBL, *TIMZON, *USRIDX, *USRPRF, *USRQ, *USRSPC, *VLDL, *WSCST | Required, Positional 2 |
| ASPDEV | ASP device | Name, *, *SYSBAS | Optional |
| OBJAUD | Object auditing value | *NONE, *USRPRF, *CHANGE, *ALL | Required, Positional 3 |

Object (OBJ)

Specifies the objects for which auditing values are to be changed.

This is a required parameter.

Qualifier 1: Object

*ALL
All objects that have the specified object type are changed.
generic-name
Specify the generic name of the objects for which auditing values are to be changed.

A generic name is a character string of one or more characters followed by an asterisk (*); for example ABC*. The asterisk substitutes for any valid characters. A generic name specifies all objects with names that begin with the generic prefix for which the user has authority. If an asterisk is not included with the generic (prefix) name, the system assumes it to be the complete object name.

name
Specify the name of the object for which auditing values are to be changed. When multiple libraries are searched, multiple objects can be changed only if *ALL, *ALLUSR, *ALLAVL, or *ALLUSRAVL is specified for the library qualifier.

Qualifier 2: Library

*LIBL
All libraries in the library list for the current thread are searched until the first match is found.
*CURLIB
The current library for the thread is searched. If no library is specified as the current library for the thread, the QGPL library is searched. If the ASP device (ASPDEV) parameter is specified when this value is used, ASPDEV(*) is the only valid value.
*USRLIBL
If a current library entry exists in the library list for the current thread, the current library and the libraries in the user portion of the library list are searched. If there is no current library entry, only the libraries in the user portion of the library list are searched. If the ASP device (ASPDEV) parameter is specified when this value is used, ASPDEV(*) is the only valid value.
*ALL
All the libraries in the auxiliary storage pools (ASPs) specified for the ASP device (ASPDEV) parameter are searched.
*ALLUSR
All user libraries in the auxiliary storage pools (ASPs) defined by the ASP device (ASPDEV) parameter are searched.

User libraries are all libraries with names that do not begin with the letter Q except for the following:

#CGULIB     #DSULIB     #SEULIB
#COBLIB     #RPGLIB
#DFULIB     #SDALIB

Although the following libraries with names that begin with the letter Q are provided by IBM, they typically contain user data that changes frequently. Therefore, these libraries are also considered user libraries:

QDSNX       QRCLxxxxx   QUSRDIRDB   QUSRVI
QGPL        QSRVAGT     QUSRIJS     QUSRVxRxMx
QGPL38      QSYS2       QUSRINFSKR
QMGTC       QSYS2xxxxx  QUSRNOTES
QMGTC2      QS36F       QUSROND
QMPGDATA    QUSER38     QUSRPOSGS
QMQMDATA    QUSRADSM    QUSRPOSSA
QMQMPROC    QUSRBRM     QUSRPYMSVR
QPFRDATA    QUSRDIRCF   QUSRRDARS
QRCL        QUSRDIRCL   QUSRSYS

  1. 'xxxxx' is the number of a primary auxiliary storage pool (ASP).
  2. A different library name, in the format QUSRVxRxMx, can be created by the user for each previous release supported by IBM to contain any user commands to be compiled in a CL program for the previous release. For the QUSRVxRxMx user library, VxRxMx is the version, release, and modification level of a previous release that IBM continues to support.
*ALLAVL
All libraries in all available ASPs are searched.
*ALLUSRAVL
All user libraries in all available ASPs are searched. Refer to *ALLUSR for a definition of user libraries.
name
Specify the name of the library to be searched.

Object type (OBJTYPE)

Specifies the object type of the objects to be changed. For more information, refer to the OBJTYPE parameter description in "Commonly used parameters: Expanded descriptions" in CL topic collection in the Programming category in the IBM i Information Center at http://www.ibm.com/systems/i/infocenter/.

This is a required parameter.

*ALL
Objects of all types that have the specified object name are changed.
object-type
Specify the object type of the objects for which auditing values are to be changed.

ASP device (ASPDEV)

Specifies the auxiliary storage pool (ASP) device name where the library that contains the object (OBJ parameter) is located. If the object's library resides in an ASP that is not part of the library name space associated with the job, this parameter must be specified to ensure the correct object is used as the target of this command's operation.

*
The ASPs that are currently part of the job's library name space will be searched to locate the object. This includes the system ASP (ASP number 1), all defined basic user ASPs (ASP numbers 2-32), and, if the job has an ASP group, all independent ASPs in the ASP group.
*SYSBAS
The system ASP and all basic user ASPs will be searched to locate the object. No independent ASPs will be searched, even if the job has an ASP group.
name
Specify the device name of the independent ASP to be searched to locate the object. The independent ASP must have been activated (by varying on the ASP device) and have a status of AVAILABLE. The system ASP and basic user ASPs will not be searched.

Object auditing value (OBJAUD)

Specifies the object auditing value to associate with the object.

This is a required parameter.

*NONE
Using or changing this object does not cause an audit entry to be sent to the security journal.
*USRPRF
The user profile of the user accessing this object is used to determine if an audit record is to be sent for this access. The OBJAUD keyword of the CHGUSRAUD command is used to turn auditing on for a specific user.
*CHANGE
All change accesses to this object by all users are logged.
*ALL
All change or read accesses to this object by all users are logged.

Examples

CHGOBJAUD   OBJ(PAYROLL/PAYFILE)  OBJTYPE(*FILE)
            OBJAUD(*CHANGE)

This command changes the object auditing value of the PAYFILE object in the PAYROLL library that has an object type *FILE. The auditing value of the PAYFILE file is changed so that changes to the file by any user are logged to the auditing journal QAUDJRN in QSYS.
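The following added example (not part of the IBM documentation) checks an object inventory against an auditing policy, applying the generic-name rule and the OBJAUD value descriptions above, and emits the CHGOBJAUD commands needed to close any gaps. The inventory rows, the policy rules and every object name other than PAYROLL/PAYFILE are constructed for illustration, and the function names are hypothetical.

```python
# Added example, not IBM code. Accesses each OBJAUD value logs for *every* user,
# per the value descriptions above; *USRPRF depends on the user's own setting.
GUARANTEES = {
    "*NONE": set(),
    "*USRPRF": set(),  # conditional on the user profile, so nothing is guaranteed
    "*CHANGE": {"change"},
    "*ALL": {"change", "read"},
}

def name_matches(pattern, name):
    """OBJ qualifier 1: *ALL, a generic prefix such as ABC*, or a complete name."""
    if pattern == "*ALL":
        return True
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern

def coverage_gaps(inventory, policy):
    """Return CHGOBJAUD commands for objects whose value is weaker than policy."""
    commands = []
    for lib, name, objtype, current in inventory:
        for p_lib, p_name, p_type, required in policy:
            if p_lib != lib or p_type not in ("*ALL", objtype):
                continue
            if not name_matches(p_name, name):
                continue
            if not GUARANTEES[required] <= GUARANTEES[current]:
                commands.append(
                    f"CHGOBJAUD OBJ({lib}/{name}) OBJTYPE({objtype}) OBJAUD({required})")
            break  # first matching policy rule decides
    return commands

# Constructed sample inventory: (library, object, type, current auditing value).
INVENTORY = [
    ("PAYROLL", "PAYFILE", "*FILE", "*NONE"),
    ("PAYROLL", "PAYHIST", "*FILE", "*ALL"),
    ("PAYROLL", "PAYCALC", "*PGM", "*USRPRF"),
    ("PAYROLL", "TAXTBL", "*FILE", "*USRPRF"),
]
# Hypothetical policy: PAY* files must log changes; PAYCALC must log all access.
POLICY = [
    ("PAYROLL", "PAY*", "*FILE", "*CHANGE"),
    ("PAYROLL", "PAYCALC", "*PGM", "*ALL"),
]

if __name__ == "__main__":
    for cmd in coverage_gaps(INVENTORY, POLICY):
        print(cmd)
```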

Error messages

*ESCAPE Messages

CPF2208
Object &1 in library &3 type *&2 not found.
CPF22B0
Not authorized to change the auditing value.
CPF22CB
Auditing value not changed for some objects.
CPF22FE
Audit value may not have been changed for object &1 in &3 type *&2.
CPF9801
Object &2 in library &3 not found.
CPF9803
Cannot allocate object &2 in library &3.
CPF980B
Object &1 in library &2 not available.
CPF9810
Library &1 not found.
CPF9814
Device &1 not found.
CPF9873
ASP status is preventing access to object.
CPF98A1
Cannot find object to match specified name.