Safeguard Audit Service Manual (G06.24+, H06.03+)

Producing SAFEART Reports

Safeguard Audit Service Manual—520480-014

6-13

Using Parentheses in SET WHERE Commands

To change the order of evaluating a complex expression, you can group multiple

comparison statements within parentheses. The statements within parentheses are

evaluated before the other comparison statements. The following example shows how

the grouping of items in parentheses affects the meaning of a SET WHERE command.

This SET WHERE command selects audit records for all logon attempts by user 4,25

and user 6,15:

<=SET WHERE Operation=VerifyUser AND &

<=&(SubjectUserNumber=4,25 OR SubjectUserNumber=6,15)

If you do not group the user IDs in parentheses the OR clause is treated as an

independent selection criterion. For example, this SET WHERE command selects audit

records for all logon attempts by user 4,25 and all audited events involving user 6,15:

<=SET WHERE Operation=VerifyUser AND &

<=&SubjectUserNumber=4,25 OR SubjectUserNumber=6,15

Using the NOT Operator

This example uses the NOT operator to exclude VerifyUser and Logoff operations:

<=SET WHERE NOT (Operation=VerifyUser OR Operation=Logoff)

The NOT operator applies to the result of the two comparison statements within the

parentheses. This command is equivalent to the preceding command:

<=SET WHERE NOT Operation=VerifyUser, Logoff

Special Before Prefix

Audited attempts to change most Safeguard records result in two secondary audit

records along with the primary record. One secondary record contains the image of the

Safeguard record before the attempted change, and the other secondary record

contains an image of the Safeguard record showing the attempted change. These

images appear in the text areas of each secondary record. The SecondaryRecordType

field indicates whether the record contains a before image of a Safeguard record. The

Outcome field in the primary record indicates whether the attempt was successful.

If the attempted change involves a Safeguard user or alias authentication record, two

additional records are generated. One represents the extension to the authentication

record before the attempted change. The other represents the extension showing any

attempted change. Consequently, attempted changes to a user or alias record result in

a total of four secondary records.

Normally, SAFEART does not include the before image in its search. However, if you

want to include the before image of a field in your search criteria, add the special

Before prefix to the preferred field name. Otherwise, SAFEART searches for the field in

its final state.