Thank you for the information. The tracelog should help with the userid, as the permission of the user is verified prior to the message, so you can determine who is doing the Subscribe All.
Note that DE r12.0 includes the feature to disable the Subscribe All option.
From the tracelog:
20170606 17:35:22.731 [facade:request] [INFO] RMI TCP Connection(303)-10.132.150.32: OperationalFacade.verifyPermission() response: userToken=[UserToken[userId=SCHEDMASTER,tokenId=8244661251861220352]], StandardResponse[statusMessage=Permission verified., statuscompletioncode=SUCCESS, statusmessageid=0000, infomessages=(), payload=false]
20170606 17:35:27.292 [essential] [INFO] WSS_subscriber_appender_6: Adding subscriber CybWorkloadSubscriber[criteria=*,activeOnly=false,STOKEN=1000000009,session=10.132.150.32:51521->10.130.50.142:7500 (secondary, id=32)]...
New Features in DE r12.0
Improved Security Permissions for Administrators
The following new values are added to the commandname option in the APPLX permission:
- subscribeall
By default, the "subscribe all" access is enabled for OPERGRP and SCHEDGRP groups and for users with the APPLX.*.*.*.subscribe permission. You can now disable the Subscribe All option in the Monitor perspective and restrict a user or group from subscribing all Applications on a server by setting the following permission:
APPLX.*.*.*.subscribeall (Deny)
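
Added example, not part of the original reply or of the product: a Python sketch of the correlation described above, pairing each "Adding subscriber" entry with criteria=* to the most recent verifyPermission() response from the same client address. Matching on client IP within a 30-second window and the name attribute_subscribe_all are assumptions; the first two sample lines are the ones quoted in the reply, the remaining three are constructed.

```python
import re
from datetime import datetime, timedelta

TS = r"(\d{8} \d\d:\d\d:\d\d\.\d{3}) "
VERIFY = re.compile(TS + r".*?RMI TCP Connection\(\d+\)-([\d.]+): "
                    r"OperationalFacade\.verifyPermission\(\) response: .*?userId=([^,\]]+)")
SUBSCRIBE = re.compile(TS + r".*?Adding subscriber CybWorkloadSubscriber\["
                       r"criteria=([^,]*),.*?session=([\d.]+):\d+->")

def parse_ts(text):
    return datetime.strptime(text, "%Y%m%d %H:%M:%S.%f")

def attribute_subscribe_all(lines, window_seconds=30):
    """Return (timestamp, client_ip, user_id or None) per criteria=* subscription."""
    last_verified = {}  # client IP -> (time, userId) of the latest verifyPermission
    findings = []
    for line in lines:
        m = VERIFY.match(line)
        if m:
            last_verified[m.group(2)] = (parse_ts(m.group(1)), m.group(3))
            continue
        m = SUBSCRIBE.match(line)
        if not m or m.group(2) != "*":
            continue  # not a subscriber line, or not a wildcard subscription
        when, ip = parse_ts(m.group(1)), m.group(3)
        seen = last_verified.get(ip)
        # Assumption: the user is the last one verified from this IP within the window.
        recent = seen and when - seen[0] <= timedelta(seconds=window_seconds)
        findings.append((m.group(1), ip, seen[1] if recent else None))
    return findings

SAMPLE = [
    # Lines 1-2 are quoted from the reply; lines 3-5 are constructed for illustration.
    "20170606 17:35:22.731 [facade:request] [INFO] RMI TCP Connection(303)-10.132.150.32: OperationalFacade.verifyPermission() response: userToken=[UserToken[userId=SCHEDMASTER,tokenId=8244661251861220352]], StandardResponse[statusMessage=Permission verified., statuscompletioncode=SUCCESS, statusmessageid=0000, infomessages=(), payload=false]",
    "20170606 17:35:27.292 [essential] [INFO] WSS_subscriber_appender_6: Adding subscriber CybWorkloadSubscriber[criteria=*,activeOnly=false,STOKEN=1000000009,session=10.132.150.32:51521->10.130.50.142:7500 (secondary, id=32)]...",
    "20170606 17:36:01.100 [facade:request] [INFO] RMI TCP Connection(304)-10.132.150.40: OperationalFacade.verifyPermission() response: userToken=[UserToken[userId=OPER1,tokenId=1]], StandardResponse[statusMessage=Permission verified., statuscompletioncode=SUCCESS, statusmessageid=0000, infomessages=(), payload=false]",
    "20170606 17:36:02.500 [essential] [INFO] WSS_subscriber_appender_7: Adding subscriber CybWorkloadSubscriber[criteria=PAYROLL,activeOnly=false,STOKEN=1000000010,session=10.132.150.40:51600->10.130.50.142:7500 (secondary, id=33)]...",
    "20170606 17:37:00.000 [essential] [INFO] WSS_subscriber_appender_8: Adding subscriber CybWorkloadSubscriber[criteria=*,activeOnly=false,STOKEN=1000000011,session=10.132.150.99:51700->10.130.50.142:7500 (secondary, id=34)]...",
]

if __name__ == "__main__":
    for ts, ip, user in attribute_subscribe_all(SAMPLE):
        print(ts, ip, user or "no recent verifyPermission from this client")
```

Where several users share one client address (a terminal server or NAT), the IP match is only a lead and the result should be checked against the surrounding tracelog entries.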