Jsev, thanks for this.
"Object operations and auditing" - I have looked at that section, but hasn't really helped me. (but good for future ref)
"*USRPRF object isn't mentioned in regards to submitting batch jobs" - No, but nor was a *JOBQ, but I am getting ZC entries for that. I was expecting that somewhere the *USRPRF would be "read" at the start of a job. Apparently not logged.
"That doesn't cause the profiles to be audited" - understand and agree. Sorry I was a little too abbreviated. I meant I had both CHGUSRAUD to *ALL, and also CHGOBJAUD to *ALL for both *USRPRF objects. (leave no stone unturned)
"command auditing for the profiles" - That's going to create a lot of extra QAUDJRN entries that I really don't want, but thanks for the suggestion.
I'm thinking my best option is to put an "exit point" on the SBMJOB *CMD via
ADDEXITPGM EXITPNT(QIBM_QCA_CHG_COMMAND) FORMAT(CHGC0100) PGMNBR(1) PGM(MYLIB/MYPGM) PGMDTA(*JOB 10 SBMJOB) (or similar) and check there to see if the job is being submitted to run under a different USRPRF.
Will also look at the Job Notification QIBM_QWT_JOBNOTIFY exit point as well to see what that gives. (Though I suspect this will give a lot more invocations as it will include interactive and other jobs as well)
I've also just discovered that if you
CHGOBJAUD OBJ(SBMJOB) OBJTYPE(*CMD) OBJAUD(*ALL)
Then instead of a ZR entry in QAUDJRN, you get a CD which includes the command string executed. This is just as useful as the ADDEXITPGM option.
post edited by rclark4i - 2017/07/27 00:51:09