SAT logs selected security-related UTM events for UTM applications. When generating the application, you define the processing result (success, failure) and the criteria (event-specific, TAC-specific, or user-specific) on which SAT logging is to be based. This section describes the UTM SAT administration commands you can use to administer SAT logging for your UTM application.
The UTM SAT administration commands are separate transaction codes. They must therefore be defined when generating the application. The UTM SAT administrator can only call the UTM SAT administration functions using dialog TACs. The names of the transaction codes are listed in the following table:
Transaction code | Administration functions |
KDCMSAT | Switch on and off SAT logging |
KDCISAT | Display information on SAT logging values |
In the UTM generation, you can define whether or not SAT logging is to be switched on automatically each time the application starts. If SAT logging is not switched on, you can nonetheless generate criteria for SAT logging, which can be switched on and off as required during operation.
The generated logging values can be changed using the administration command KDCMSAT. For event-driven logging, the changes apply only for the duration of the current application run. The changes are retained past the end of the application run for user and job-driven logging.
You can display the current values with the administration command KDCISAT.
UTM SAT administration commands are entered in line mode. Entries from output created with edit profiles and formatted entries will be rejected.
UTM SAT administration commands can only be called from UTM user IDs with UTM SAT administration authorization. UTM SAT administration authorization is assigned to a UTM user with USER ...,PERMIT=SATADM or PERMIT=(ADMIN,SATADM) when generating with KDCDEF. UTM administration alone (USER ..,PERMIT=ADMIN) does not imply UTM SAT administration.
To be able to enter UTM SAT administration commands, the following conditions must be fulfilled when generating with KDCDEF:
The administration program KDCSADM must be defined (PROGRAM statement). The sample program KDCSADM is supplied with openUTM.
The UTM SAT administration commands KDCMSAT and KDCISAT must be defined as transaction codes (TAC statement with PROGRAM=KDCSADM and SATADM=Y).
At least one user ID must be generated with UTM SAT administration authorization (USER statement with PERMIT=SATADM). Administration authorization can simultaneously be granted to several user IDs. UTM SAT administration authorization is linked to the user and not to a terminal, i.e. administration functions can be executed from any terminal. If administration functions are to be restricted to particular terminals, this is implemented with normal data access control functions (operands KSET= and LOCK=).
Example
The transaction codes for administration are defined with the TAC control statement, the administration program is defined with the PROGRAM control statement of the UTM tool KDCDEF:
PROGRAM KDCSADM,COMP=ILCS
:
TAC KDCMSAT ,PROGRAM=KDCSADM,SATADM=Y
TAC KDCISAT ,PROGRAM=KDCSADM,SATADM=Y
:
The operands PROGRAM=KDCSADM and SATADM=Y of the TAC statements can be omitted with the DEFAULT presetting:
DEFAULT TAC PROGRAM=KDCSADM,SATADM=Y
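An added example, not part of the openUTM documentation or its tooling: a Python check of the three generation conditions listed above against KDCDEF input, including the DEFAULT TAC presetting and the rule that PERMIT=ADMIN alone does not grant SAT administration. It assumes one statement per line without continuation lines and that a DEFAULT TAC presetting applies to the TAC statements following it; the sample input and the user IDs ALICE and BOB are constructed.

```python
import re

# Constructed sample KDCDEF input; the user IDs ALICE and BOB are hypothetical.
SAMPLE = """\
PROGRAM KDCSADM,COMP=ILCS
DEFAULT TAC PROGRAM=KDCSADM,SATADM=Y
TAC KDCMSAT
TAC KDCISAT
USER ALICE,PERMIT=ADMIN
USER BOB,PERMIT=(ADMIN,SATADM)
"""

def operands(text):
    """Parse 'A=1,B=(X,Y)' into {'A': ['1'], 'B': ['X', 'Y']}."""
    ops = {}
    for part in re.split(r",(?![^(]*\))", text):  # ignore commas inside (...)
        key, sep, val = part.strip().partition("=")
        if sep:
            ops[key] = [v.strip() for v in val.strip("()").split(",")]
    return ops

def check_sat_admin(kdcdef):
    """Return the unmet generation conditions; an empty list means all are met."""
    programs, tacs, sat_users, tac_default = set(), {}, [], {}
    for line in kdcdef.upper().splitlines():
        stmt, _, rest = line.strip().partition(" ")
        name, _, tail = rest.strip().partition(",")
        name = name.strip()
        if stmt == "DEFAULT" and name.startswith("TAC "):
            # Assumption: the presetting applies to the TAC statements after it.
            tac_default = operands(rest.strip()[4:])
        elif stmt == "PROGRAM":
            programs.add(name)
        elif stmt == "TAC":
            tacs[name] = {**tac_default, **operands(tail)}
        elif stmt == "USER" and "SATADM" in operands(tail).get("PERMIT", []):
            sat_users.append(name)  # PERMIT=ADMIN alone does not count
    problems = []
    if "KDCSADM" not in programs:
        problems.append("PROGRAM KDCSADM not defined")
    for tac in ("KDCMSAT", "KDCISAT"):
        ops = tacs.get(tac)
        if ops is None:
            problems.append(f"TAC {tac} not defined")
        elif ops.get("PROGRAM") != ["KDCSADM"] or ops.get("SATADM") != ["Y"]:
            problems.append(f"TAC {tac} lacks PROGRAM=KDCSADM,SATADM=Y")
    if not sat_users:
        problems.append("no USER with PERMIT=SATADM")
    return problems
```

Calling `check_sat_admin(SAMPLE)` returns an empty list; removing the BOB line leaves only an ADMIN user and yields the "no USER with PERMIT=SATADM" finding.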
Notes
Every access to the TAC KDCMSAT (apart from KDCMSAT HELP) is logged, even if SAT logging is switched off.
UTM SAT administration using asynchronous jobs is not possible.