
Subject, object and event


Figure 1: Subject, object and event

A subject (USER) is a user of the DP system from which an action such as reading, writing or execution can be initiated. A subject is represented by a user ID.

An object is a passive element of a DP system; it contains or receives data and may be subjected to actions such as reading, writing or execution.
In SAT, objects are identified by an object name.
The following are examples of objects:

  • files (FILE object name)

  • jobs (JOB)

  • libraries (PLAM)

  • user IDs (USERID)

An event is the action of a subject with regard to an object. The result of an event may be “successfully executed (RESULT=SUCCESS)” or “not successfully executed (RESULT=FAILURE)”.
The following are examples of events:

  • open a file

  • start a job

  • activate a subsystem

  • export a catalog

An auditable event (EVENT) is an event from the list of events that can be logged with SAT. Auditable events are identified by a three-character short name, such as FMD for “modify file” in the FILE object.
Auditable events, together with their associated data, are reported to SAT by the system components.

A complete list of objects and auditable events relating to them is given in section “Table of object-related events”. A list of auditable events and the data associated with them is given in section “Tables of auditable information on object-related events (1)”.

A security-relevant event is an auditable event to which the selection rules described in section “Selection procedure” apply. Accordingly, an auditable event becomes security-relevant only when the combination of the audit attributes of the subject, the event and the object indicates that it is relevant to security.
Security-relevant events are stored by SAT in a SATLOG file, after being checked by system exit 110 where applicable, and can be evaluated with SATUT.

Figure 2: Event types

Permanently security-relevant events are events that are always relevant to security when SECOS and SAT are used; this cannot be changed. The audit attributes for these events have a fixed default setting that cannot be modified.
The following are permanently security-relevant events:

  • actions by the security administrator and the SAT file manager (user ID SYSAUDIT and user IDs with the SECURITY-ADMINISTRATION or SAT-FILE-MANAGEMENT privilege) for the SAT, SAT-ALARM and SAT-FILTER objects

  • actions with privileges (granting / withdrawing)

The permanently security-relevant events are identified separately in section “Table of object-related events”.

As regards all other auditable events, the security administrator determines whether they are security-relevant with the aid of the MODIFY-SAT-PRESELECTION command (preselection). The security administrator is able to assign the attribute “security-relevant” to an event, and also to withdraw it again.

In addition to the permanently security-relevant events, some events are security-relevant by default when SECOS and SAT are used. An audit attribute is defined for these events as a default setting; unlike the permanently security-relevant events, this setting can be modified by the security administrator (MODIFY-SAT-PRESELECTION command).
These events and their associated default settings are listed in section “Table of object-related events”.

CONSLOG events

CONSLOG messages are saved by the operating system in logging files of their own. SAT cannot log or evaluate them directly.
CONSLOG logging files can, however, be included in the evaluation with the aid of SATUT. To do this, the CONSLOG messages are converted into SATLOG records. The short name of the event type is always CLG for CONSLOG events; the contents of the audit record, however, vary depending on which type of CONSLOG message was converted into the SATLOG record (see “Tables of auditable information on object-related events (1)”).