If you suspect a particular user of accessing confidential or sensitive data, you can configure the iSeries security auditing functions to send an audit record to system audit journal QAUDJRN whenever the user accesses an object. First, issue the CHGUSRAUD (Change User Auditing) command, specifying the user to be audited and either *ALL (to record any access of an object) or *CHANGE (to record only changes to an object) for the OBJAUD (Object auditing) parameter value.

Once you've set the auditing values for the user, you must also set the auditing values for sensitive files. To do so, use the CHGOBJAUD (Change Object Auditing) command. Specify the object to be audited and the value *USRPRF for the OBJAUD parameter.

This combination of commands tells the system to send audit entries to journal QAUDJRN when the individual you specified on the CHGUSRAUD command accesses the object specified on the CHGOBJAUD command. Basically, to audit access to an object, you must set the object’s auditing value to something other than *NONE. If the auditing value is *NONE, no accesses are audited, even if you’ve turned on user auditing for the user with CHGUSRAUD.

One additional requirement is that you have turned on the switch to audit object access. The system value QAUDCTL must contain the value *OBJAUD. The following command will create the QAUDJRN journal and a journal receiver, and turn on object auditing and will audit the security related events dictated in the QAUDLVL parameter, which mimics the QAUDLVL system value.

CHGSECAUD  QAUDCTL(*AUDLVL *OBJAUD *NOQTEMP)           +
           QAUDLVL(*AUTFAIL *SECURITY *SERVICE *SAVRST +
                   *DELETE *OBJMGT *CREATE *PGMFAIL)   +
           JRNRCV(audlib/AUDRCV0001)

If you are not sure if you are already auditing, you can use the command DSPSECAUD(Display Security Auditing).