Record type 80: RACF processing record
RACF® writes record type
80 for the following detected events:
- Unauthorized attempts to enter the system. For example,
during RACF processing of a
RACROUTE REQUEST=VERIFY macro instruction, RACF found that a RACF-defined user either (1) has supplied
an invalid password, OIDCARD, or group name, (2) is not authorized
access to the terminal, or (3) had insufficient security label authority.
RACF always writes this violation record when it detects the unauthorized attempt; this violation record supplements the information that RACF sends to the security console in RACF message ICH408I.
- Authorized attempts to enter the system. RACF provides a RACROUTE REQUEST=VERIFY option to log successful signons and signoffs including ENVIR=CREATE or ENVIR=DELETE signons and signoffs. For the LOG keyword on the RACROUTE REQUEST=VERIFY macros, LOG=ALL or LOG=ASIS may be specified to control the generation of log records for RACROUTE REQUEST=VERIFY. The value of the LOG keyword is passed to both the RACROUTE REQUEST=VERIFY preprocessing and postprocessing installation exits. Both exits are invoked before the generation of a log record, and the LOG keyword value can be changed for both exits.
- Authorized accesses or unauthorized attempts to access RACF-protected resources. During RACF processing of a RACROUTE REQUEST=AUTH
or REQUEST=DEFINE macro instruction, RACF found
that one of the following events occurred:
- The user was permitted access to a RACF-protected resource and allowed to perform the requested operation.
- The user did not have sufficient access or group authority to access a RACF-protected resource, or supplied invalid data while attempting to perform an operation on a RACF-protected resource.
In the first case, RACF writes the record if the ALL or SUCCESS logging option is set in the resource profile by the ADDSD, ALTDSD, RALTER, or RDEFINE command and the access type is within the scope of the valid access types. RACF also writes the record if logging has been unconditionally requested by a RACROUTE REQUEST=AUTH postprocessing exit routine.
In the second case, RACF writes the violation record if the ALL or FAILURES logging option is set in the resource profile by the ADDSD, ALTDSD, RALTER, or RDEFINE command, or if logging is unconditionally requested by a RACROUTE REQUEST=AUTH postprocessing exit routine. The violation record supplements the information that RACF sends to the security console in RACF message ICH408I.
Note that the FAILURES (READ) option is the default in cases where new resources are RACF-protected.
For the preceding events, a RACROUTE REQUEST=AUTH exit routine can modify the logging options by changing the LOG parameter on a RACROUTE REQUEST=AUTH macro instruction from ASIS to NOFAIL, NONE, or NOSTAT, or by unconditionally requesting or suppressing logging with the logging control field. For information about the LOG parameter of a RACROUTE REQUEST=AUTH macro instruction, see z/OS Security Server RACROUTE Macro Reference. For information about the logging options of the ADDSD, ALTDSD, ALTUSER, RALTER, RDEFINE, and SETROPTS commands, see z/OS Security Server RACF Command Language Reference.
- Authorized or unauthorized attempts to modify profiles on a RACF database. During RACF command processing, RACF found that a user with the
AUDITOR attribute specified that the following be logged:
- All detected changes to a RACF database by RACF commands or a RACROUTE REQUEST=DEFINE
- All RACF commands (except LISTDSD, LISTGRP, LISTUSER, RLIST, and SEARCH) issued by users with the SPECIAL attribute
- All violations detected by RACF commands (except LISTGRP, LISTUSER, RLIST, and SEARCH)
- Every RACROUTE REQUEST=AUTH and RACROUTE REQUEST=DEFINE issued for the user and all RACF commands (except LISTGRP, LISTUSER, RLIST and SEARCH) issued by the user
In the first three cases, RACF writes records if a user with the AUDITOR attribute specified AUDIT, SAUDIT, and CMDVIOL, in that order, on the SETROPTS command. In the fourth case, RACF writes the records if a user with the AUDITOR attribute specified UAUDIT on the ALTUSER command.
You can use SMF records to:
- Track the total use of a sensitive resource (if the ALL option is set)
- Identify the resources that are repeated targets of detected unauthorized attempts to access them (if the ALL or FAILURES option is set)
- Identify the users who make detected unauthorized requests
- Track SPECIAL user activity
- Track activity of a particular user
In most cases, RACF writes one record for each event. (RACF can write two records for one operation on a resource for example, when a RACF-protected DASD data set is deleted with scratch.)
Format of SMF type 80 records
SMF type 80 records contain the following information:
- The record type
- Time stamp (time and date)
- Processor identification
- Event code and qualifier (explained in Table of event codes and event code qualifiers)
- User identification
- Group name
- A count of the relocate sections
- Authorities used to successfully execute commands or access resources
- Reasons for logging
- Command processing error flag
- Foreground user terminal ID
- Foreground user terminal level number
- Job log number (job name, entry time, and date)
- RACF version, release, and modification number
- Security label of user
The data in the relocate sections is explained in the following
tables:
The log record RACF creates is a standard SMF record with the type 80 format. Table 1 describes the format of the type 80 record.
| Offsets | |||||
|---|---|---|---|---|---|
| Dec. | Hex. | Name | Length | Format | Description |
| 0 | 0 | SMF80LEN | 2 | Binary | Record length. |
| 2 | 2 | SMF80SEG | 2 | Binary | Segment descriptor. |
| 4 | 4 | SMF80FLG | 1 | Binary | System indicator
Note: For MVS/, bits 3, 4, 5, and 6 are on.
|
| 5 | 5 | SMF80RTY | 1 | Binary | Record type: 80 (X'50'). |
| 6 | 6 | SMF80TME | 4 | Binary | Time of day, in hundredths of a second, that the record was moved to the SMF buffer. |
| 10 | A | SMF80DTE | 4 | packed | Date that the record was moved to the SMF buffer, in the form 0cyydddF (where F is the sign). |
| 14 | E | SMF80SID | 4 | EBCDIC | System identification (from the SID parameter). |
| 18 | 12 | SMF80DES | 2 | Binary | Descriptor flags
|
| 20 | 14 | SMF80EVT | 1 | Binary | Event code. |
| 21 | 15 | SMF80EVQ | 1 | Binary | Event code qualifier. |
| 22 | 16 | SMF80USR | 8 | EBCDIC | Identifier of the user associated with this event (jobname is used if the user is not defined to RACF). |
| 30 | 1E | SMF80GRP | 8 | EBCDIC | Group to which the user was connected (stepname is used if the user is not defined to RACF). |
| 38 | 26 | SMF80REL | 2 | Binary | Offset to the first relocate section from SMF80FLG. |
| 40 | 28 | SMF80CNT | 2 | Binary | Count of the number of relocate sections. |
| 42 | 2A | SMF80ATH | 1 | Binary | Authorities used for processing commands or accessing
resources. (See Note 1.)
|
| 43 | 2B | SMF80REA | 1 | Binary | Reason for logging. These flags indicate the reason RACF produced the SMF record. (See
Note 2.)
|
| 44 | 2C | SMF80TLV | 1 | Binary | Terminal level number of foreground user (zero if not available). |
| 45 | 2D | SMF80ERR | 1 | Binary | Command processing error flag. (See Note 3.)
|
| 46 | 2E | SMF80TRM | 8 | EBCDIC | Terminal ID of foreground user (zero if not available). |
 54 |
36 |
SMF80JBN |
8 |
EBCDIC |
Job name. For RACROUTE REQUEST=VERIFY and REQUEST=DEFINE
records for batch jobs, this field can be zero if the job name is
not available at the time of the RACROUTE REQUEST=VERIFY or REQUEST=DEFINE. |
| 62 | 3E | SMF80RST | 4 | Binary | Time, in hundredths of a second, that the reader recognized the JOB statement for this job. For RACROUTE REQUEST=VERIFY records for batch jobs, this field can be zero. |
| 66 | 42 | SMF80RSD | 4 | packed | Date the reader recognized the JOB statement for this job, in the form 0cyydddF (where F is the sign). For RACROUTE REQUEST=VERIFY records for batch jobs, this field can be zero. |
| 70 | 46 | SMF80UID | 8 | EBCDIC | User identification field from the SMF common exit parameter area. For RACROUTE REQUEST=VERIFY records for batch jobs, this field can be zero. |
| 78 | 4E | SMF80VER | 1 | Binary | Version indicator (8 = Version 1, Release 8 or later). As of RACF 1.8.1, SMF80VRM is used instead. |
| 79 | 4F | SMF80RE2 | 1 | Binary | Additional reasons for logging
|
| 80 | 50 | SMF80VRM | 4 | EBCDIC | FMID for RACF
|
| 84 | 54 | SMF80SEC | 8 | EBCDIC | Security label of the user. |
| 92 | 5C | SMF80RL2 | 2 | Binary | Offset to extended-length relocate sections from SMF80FLG. |
| 94 | 5E | SMF80CT2 | 2 | Binary | Count of extended-length relocate sections. |
| 96 | 60 | SMF80AU2 | 1 | Binary | Authority used continued
|
| 97 | 61 | SMF80RSV | 1 | Binary | Reserved for IBM's use |
| Relocate section: See Table of relocate section variable data. | |||||
| 0 | 0 | SMF80DTP | 1 | Binary | Data type |
| 1 | 1 | SMF80DLN | 1 | Binary | Length of data that follows |
| 2 | 2 | SMF80DTA | 1-255 | mixed | Data |
| Extended-length relocate section: See Table of extended-length relocate section variable data. | |||||
| 0 | 0 | SMF80TP2 | 2 | Binary | Data type |
| 2 | 2 | SMF80DL2 | 2 | Binary | Length of data that follows |
| 4 | 4 | SMF80DA2 | variable | EBCDIC | Data |
Notes:
|
|||||
Table of event codes and event code qualifiers
This table describes the SMF80EVT (event code) and SMF80EVQ (event code qualifier) fields.
The event code qualifier is 0 if the recorded event is not a violation or a warning. There are exceptions for event code 1 (Job initiation/TSO logon/logoff); event qualifier codes 8, 12, 13 and 32 are not violations or warnings.
For event codes 8 through 25, an event code qualifier of 1 indicates
one of the following:
- The command user is not RACF-defined.
- The command user is not authorized to change the requested profiles on the RACF database.
- The command user does not have sufficient authority for any of the operands on the command.
For event codes 8 through 25, an event code qualifier of 2 indicates that the command user does not have sufficient authority to specify some of the operands, but RACF performed the processing for the operands for which the user has sufficient authority.
Event code qualifiers of 3 and 4 apply to the ADDSD, ALTDSD, and DELDSD commands. They indicate whether the retrieval of the data set affected by the security label change was successful (3) or not (4).
For detailed descriptions of the SMF event code qualifiers, see Event code qualifier descriptions.
| Event 1( 1): JOB INITIATION / TSO LOGON/LOGOFF (detected by RACINIT request) | ||
|---|---|---|
| Code Qualifier Dec(Hex) | Description | Relocate type sections (Possible SMF80DTP/ SMF80DA2 Values) |
| 0( 0) | Successful Initiation | 1, 17, 20, 46, 47, 49, 53, 55, 331, 332, 374,
386, 392, 393, 394, 395, 424, 425, 443 |
| 1( 1) | Password not valid | |
| 2( 2) | Group not valid | |
| 3( 3) | OIDCARD not valid | |
| 4( 4) | Terminal/console not valid | |
| 5( 5) | Application not valid | |
| 6( 6) | Revoked user attempting access | |
| 7( 7) | User ID automatically revoked because of excessive password and password phrase attempts. | |
| 8( 8) | Successful termination | |
| 9( 9) | Undefined user ID | |
| 10( A) | Insufficient security label authority | |
| 11( B) | Not authorized to security label | |
| 12( C) | Successful RACINIT initiation | |
| 13( D) | Successful RACINIT delete | |
| 14( E) | System now requires more authority | |
| 15( F) | Remote job entry - job not authorized | |
| 16(10) | SURROGAT class is inactive | |
| 17(11) | Submitter is not authorized by user | |
| 18(12) | Submitter not authorized to security label | |
| 19(13) | User is not authorized to job | |
| 20(14) | WARNING - Insufficient security label authority | |
| 21(15) | WARNING - security label missing from user, job, or profile | |
| 22(16) | WARNING - not authorized to security label | |
| 23(17) | Security labels not compatible | |
| 24(18) | WARNING - security labels not compatible | |
| 25(19) | Current® PASSWORD has expired | |
| 26(1A) | Invalid new PASSWORD | |
| 27(1B) | Verification failed by installation | |
| 28(1C) | Group access has been revoked | |
| 29(1D) | OIDCARD is required | |
| 30(1E) | Network job entry - job not authorized | |
| 31(1F) | Warning - unknown user from trusted node propagated | |
| 32(20) | Successful initiation using PassTicket | |
| 33(21) | Attempted replay of PassTicket | |
| 34(22) | Client security label not equivalent to server's | |
| 35(23) | User automatically revoked because of inactivity | |
| 36(24) | Password phrase is not valid | |
| 37(25) | New password phrase is not valid | |
| 38(26) | Current password phrase has expired | |
| 39(27) | No RACF user ID found for distributed identity | |
| 40(28) |
Successful Multifactor Authentication (MFA) |
|
| 41(29) |
Failed Multifactor Authentication (MFA) |
|
| 42(2A) |
Failed authentication because no multifactor
decision could be made for a MFA user who has the NOPWFALLBACK option. |
|
| Event 2( 2): RESOURCE ACCESS (detected by RACROUTE REQUEST=AUTH, RACROUTE REQUEST=FASTAUTH and DIRAUTH function) | ||
|---|---|---|
| Code Qualifier Dec(Hex) | Description | Relocate type sections (Possible SMF80DTP/SMF80DA2 Values) |
| 0( 0) | Successful access | 1, 3, 4, 5, 15, 16, 17, 20, 33, 38, 46, 48, 49, 50, 51, 53, 54, 55, 64, 65, 66, 331, 332, 386, 390 (see Notes® 1 and 2), 392, 393, 394, 395, 396 (see Note 3), 424, 425 |
| 1( 1) | Insufficient authority | |
| 2( 2) | Profile not found - RACFIND specified on macro | |
| 3( 3) | Access permitted because of warning | |
| 4( 4) | Failed because of PROTECTALL | |
| 5( 5) | WARNING issued because of PROTECTALL | |
| 6( 6) | Insufficient CATEGORY/SECLEVEL | |
| 7( 7) | Insufficient security label authority | |
| 8( 8) | WARNING - security label missing from job, user, or profile | |
| 9( 9) | WARNING - insufficient security label authority | |
| 10( A) | WARNING - Data set not cataloged | |
| 11( B) | Data set not cataloged | |
| 12( C) | Profile not found - required for authority checking | |
| 13( D) | WARNING - insufficient CATEGORY/SECLEVEL | |
| 14( E) | WARNING - Non-MAIN execution environment detected while in ENHANCED PGMSECURITY mode. Conditional access or use of EXECUTE-controlled program temporarily allowed. | |
| 15( F) | Conditional access or use of EXECUTE-controlled program allowed through BASIC mode program while in ENHANCED PGMSECURITY mode. | |
Notes:
|
||
| Event 3( 3): ADDVOL/CHGVOL (detected by RACROUTE REQUEST=DEFINE TYPE=ADDVOL or CHGVOL) | ||
|---|---|---|
| Code Qualifier Dec(Hex) | Description | Relocate type sections (Possible SMF80DTP/ SMF80DA2 Values) |
| 0( 0) | Successful processing of new volume | 1, 4, 5, 15, 16, 17, 33, 38, 44, 46, 49, 53, 51, 55, 331, 332, 386 (see Note), 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority (DATASET only) | |
| 2( 2) | Insufficient security label authority | |
| 3( 3) | Less specific profile exists with different security label | |
Note: The SMF80DTP value of 16
appears only when the RACROUTE REQUEST=AUTH received an old volume
(OLDVOL) as input. The value of 33 appears when a generic profile
is used.
|
||
| Event 4( 4): RENAME RESOURCE (detected by RACROUTE REQUEST=DEFINE with TYPE=DEFINE and NEWNAME specified) | ||
|---|---|---|
| Code Qualifier Dec(Hex) | Description | Relocate type sections (Possible SMF80DTP/ SMF80DA2 Values) |
| 0( 0) | Successful rename | 1, 2, 5, 15, 17, 33, 38, 44, 46, 49, 51, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Group not valid | |
| 2( 2) | User not in group | |
| 3( 3) | Insufficient authority | |
| 4( 4) | Resource name already defined | |
| 5( 5) | User not defined to RACF | |
| 6( 6) | Resource not protected | |
| 7( 7) | WARNING - resource not protected | |
| 8( 8) | User in second qualifier is not RACF-defined | |
| 9( 9) | Less specific profile exists with different security label | |
| 10( A) | Insufficient security label authority | |
| 11( B) | Resource not protected by security label | |
| 12( C) | New name not protected by security label | |
| 13( D) | New security label must dominate old security label | |
| 14( E) | Insufficient security label authority | |
| 15( F) | WARNING - resource not protected by security label | |
| 16(10) | WARNING - new name not protected by security label | |
| 17(11) | WARNING - new security label must dominate old security label | |
Note: In cases where the RACROUTE
REQUEST=DEFINE is used to rename a resource (SMF80EVT=4), the data
type 33 relocate section can hold a resource name that is either the
old name or the new name, or it can hold the generic profile that
protects the old or the new name.
|
||
| Event 5( 5): DELETE RESOURCE (detected by RACROUTE REQUEST=DEFINE, TYPE=DELETE or DELETE) | ||
|---|---|---|
| Code Qualifier Dec(Hex) | Description | Relocate type sections (Possible SMF80DTP/ SMF80DA2 Values) |
| 0( 0) | Successful scratch | 1, 5, 15, 17, 33, 38, 44, 46, 49, 51, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Resource not found | |
| 2( 2) | Invalid volume identification (DATASET only) |
| Event 6( 6): DELETE 1 VOLUME OF MULTIVOLUME RESOURCE (detected by RACROUTE REQUEST=DEFINE, TYPE=DELETE) | ||
|---|---|---|
| Code Qualifier Dec(Hex) | Description | Relocate type sections (Possible SMF80DTP/ SMF80DA2 Values) |
| 0( 0) | Successful deletion | 1, 5, 8, 15, 17, 38, 44, 46, 49, 51, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| Event 7( 7): DEFINE RESOURCE (detected by RACROUTE REQUEST=DEFINE, TYPE=DEFINE) | ||
|---|---|---|
| Code Qualifier Dec(Hex) | Description | Relocate type sections (Possible SMF80DTP/ SMF80DA2 Values) |
| 0( 0) | Successful definition | 1, 5, 15, 17, 18, 19, 33, 38, 44, 46, 49, 51, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Group undefined | |
| 2( 2) | User not in group | |
| 3( 3) | Insufficient authority | |
| 4( 4) | Resource name already defined | |
| 5( 5) | User not defined to RACF | |
| 6( 6) | Resource not protected | |
| 7( 7) | WARNING - resource not protected | |
| 8( 8) | WARNING - security label missing from job, user, or profile | |
| 9( 9) | WARNING - insufficient security label authority | |
| 10( A) | User in second qualifier is not RACF-defined | |
| 11( B) | Insufficient security label authority | |
| 12( C) | Less specific profile exists with a different security label |
| EVENT dec(hex) | Command | Code qualifier dec(hex) | Description | Relocate type sections (possible SMF80DTP/ SMF80DA2 values) |
|---|---|---|---|---|
| 8( 8) | ADDSD | 0( 0) | No violations detected | 6, 7, 10, 13, 33, 38, 40, 44, 49, 50, 51, 53, 55, 62, 63, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a security label change | |||
| 4( 4) | Error during retrieval of data set names affected by a security label change | |||
| 9( 9) | ADDGROUP | 0( 0) | No violations detected | 6, 7, 37, 38, 44, 49, 53, 55, 63, 301, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 10( A) | ADDUSER | 0( 0) | No violations detected | 6, 7, 8, 28, 37, 38, 40, 44, 49, 53, 55, 301, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 11( B) | ALTDSD | 0( 0) | No violations detected | 6, 7, 10, 11, 33, 38, 40, 41, 44, 49, 50, 51, 53, 55, 62, 63, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a security label change | |||
| 4( 4) | Error during retrieval of data set names affected by a security label change | |||
| 12( C) | ALTGROUP | 0( 0) | No violations detected | 6, 7, 37, 38, 44, 49, 53, 55, 301, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 13( D) | ALTUSER | 0( 0) | No violations detected | 6, 7, 8, 28, 37, 38,
40, 41, 44, 49, 53, 55, 301, 331, 332, 386, 392, 393, 394, 395, 424,
425, 440, 441, 442 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 14( E) | CONNECT | 0( 0) | No violations detected | 6, 38, 49, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority (no update to RACF | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 15( F) | DELDSD | 0( 0) | No violations detected | 6, 38, 49, 50, 51, 53, 55, 62, 63, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a security label change | |||
| 4( 4) | Error during retrieval of data set names affected by a security label change | |||
| 16(10) | DELGROUP | 0( 0) | No violations detected | 6, 38, 44, 49, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 17(11) | DELUSER | 0( 0) | No violations detected | 6, 38, 44, 49, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 18(12) | PASSWORD | 0( 0) | No violations detected | 6, 38, 49, 53, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to the RACF database) | |||
| 19(13) | PERMIT | 0( 0) | No violation detected | 6, 9, 12, 13, 14, 17, 26, 38, 39, 49, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Insufficient authority (partial update to RACF database) | |||
| 20(14) | RALTER | 0( 0) | No violations detected | 6, 7, 9, 10, 11, 17, 24, 25, 29, 33, 38, 40, 41, 44, 49, 50, 51, 53, 55, 301, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 21(15) | RDEFINE | 0( 0) | No violations detected | 6, 7, 9, 13, 17, 24, 29, 33, 38, 40, 44, 49, 50, 51, 53, 55, 301, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 22(16) | RDELETE | 0( 0) | No violations detected | 6, 9, 17, 38, 44, 49, 50, 51, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 23(17) | REMOVE | 0( 0) | No violations detected | 6, 17, 38, 49, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 24(18) | SETROPTS | 0( 0) | No violations detected | 6, 21, 22, 23, 27, 32, 34, 35, 36, 42, 43, 44, 45, 49, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 25(19) | RVARY | 0( 0) | No violations detected | 6, 27, 30, 31, 49, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 26(1A) | APPC SESSION ESTABLISHMENT | 0( 0) | Partner verification was successful | 1, 17, 33, 38, 49, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Session established without verification | |||
| 2( 2) | Local LU key will expire in <= 5 days | |||
| 3( 3) | Partner LU access has been revoked | |||
| 4( 4) | Partner LU key does not match this LU key | |||
| 5( 5) | Session terminated for security reason | |||
| 6( 6) | Required SESSION KEY not defined | |||
| 7( 7) | Possible security attack by partner LU | |||
| 8( 8) | SESSION KEY not defined for partner LU | |||
| 9( 9) | SESSION KEY not defined for this LU | |||
| 10( A) | SNA security-related protocol error | |||
| 11( B) | Profile change during verification | |||
| 12( C) | Expired SESSION KEY | |||
| 27(1B) | GENERAL | 0( 0) | General purpose auditing | 17, 46, 49, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 28(1C) | DIRECTORY SEARCH | 0( 0) | Access allowed | 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265 266, 267, 268, 269, 270, 291, 295, 297, 298, 299, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Not authorized to search directory | |||
| 2( 2) | Security label failure | |||
| 29(1D) | CHECK ACCESS TO DIRECTORY | 0( 0) | Access allowed | 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264 265, 266, 267, 268, 269, 270, 297, 298, 299, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Caller does not have requested access authority | |||
| 2( 2) | Security label failure | |||
| 30(1E) | CHECK ACCESS TO FILE | 0( 0) | Access allowed | 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 298, 299, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Caller does not have requested access authority | |||
| 2( 2) | Security label failure | |||
| 31(1F) | CHAUDIT | 0( 0) | File's audit options changed | 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 292, 293, 294, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Caller does not have authority to change user audit options of specified file | |||
| 2( 2) | Caller does not have authority to change auditor audit options | |||
| 3( 3) | Security label failure | |||
| 32(20) | CHDIR | 0( 0) | Current working directory changed | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| * | Failures logged as directory search event types | |||
| 33(21) | CHMOD | 0( 0) | File's mode changed | 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 263, 264, 265, 266, 289, 290, 296, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Caller does not have authority to change mode of specified file | |||
| 2( 2) | Security label failure | |||
| 34(22) | CHOWN | 0( 0) | File's owner or group owner changed | 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 280, 281, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Caller does not have authority to change owner or group owner of specified file | |||
| 2( 2) | Security label failure | |||
| 35(23) | CLEAR SETID BITS FOR FILE | 0( 0) | S_ISUID, S_ISGID, and S_ISVTX bits changed to zero (write) | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 289, 290, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| No failure cases | ||||
| 36(24) | EXEC WITH SETUID/SETGID | 0( 0) | Successful change of z/OS UNIX user identifiers (UIDs) and z/OS UNIX group identifiers (GIDs). | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 272, 273, 274, 275, 276, 277, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| No failure cases. Access to program file is audited by an internal open | ||||
| 37(25) | GETPSENT | 0( 0) | Access allowed | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 282, 283, 284, 288, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Not authorized to access specified process | |||
| 38(26) | INITIALIZE z/OS UNIX PROCESS (DUB) | 0( 0) | z/OS UNIX process successfully initiated | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | User not defined as a z/OS UNIX user (no user profile or no OMVS segment) | |||
| 2( 2) | User incompletely defined as a z/OS UNIX user (no z/OS UNIX user identifier (UID) in user profile) | |||
| 3( 3) | User's current group has no z/OS UNIX group identifier (GID). | |||
| 39(27) | z/OS UNIX PROCESS COMPLETION (UNDUB) | 0( 0) | Process completed | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| No failure cases | ||||
| 40(28) | KILL | 0( 0) | Access allowed | 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 282, 283, 284, 288, 300, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Not authorized to access specified process | |||
| 2( 2) | Security label failure | |||
| 41(29) | LINK | 0( 0) | New link created | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 270, 299, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| * | Failures logged as directory search or check access event types | |||
| 42(2A) | MKDIR | 0( 0) | Directory successfully created | 17, 49, 50, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 289, 290, 294, 296, 307, 308, 309, 310, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| * | Failures logged as directory search or check access event types | |||
| 43(2B) | MKNOD | 0( 0) | Node successfully created | 17, 49, 50, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 289, 290, 294, 296, 307, 308, 309, 310, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| * | Failures logged as directory search or check access event types | |||
| 44(2C) | MOUNT FILE SYSTEM | 0( 0) | Successful mount | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 295, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| * | Failures logged as ck_priv event type | |||
| 45(2D) | OPEN (NEW FILE) | 0( 0) | File successfully created | 17, 49, 50, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 289, 290, 294, 296, 307, 308, 309, 310, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| * | Failures logged as directory search or check access event types | |||
| 46(2E) | PTRACE | 0( 0) | Access allowed | 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 282, 283, 284, 285, 286, 287, 288, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Not authorized to access specified process | |||
| 2( 2) | Security label failure | |||
| 47(2F) | RENAME | 0( 0) | Rename successful | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 270, 271, 278, 279, 294, 299, 302, 307, 308, 309, 310, 311, 312, 313, 314, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| * | Failures logged as directory search or check access event types | |||
| 48(30) | RMDIR | 0( 0) | Successful rmdir | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| * | Failures logged as directory search or check access event types | |||
| 49(31) | SETEGID | 0( 0) | Successful change of effective z/OS UNIX group identifier (GID). | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 275, 276, 277, 281, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Not authorized to setegid | |||
| 50(32) | SETEUID | 0( 0) | Successful change of effective z/OS UNIX user identifier (UID). | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 272, 273, 274, 280, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Not authorized to seteuid | |||
| 51(33) | SETGID | 0( 0) | Successful change of z/OS UNIX group identifiers (GIDs). | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 275, 276, 277, 281, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Not authorized to setgid | |||
| 52(34) | SETUID | 0( 0) | Successful change of z/OS UNIX user identifiers (UIDs). | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 272, 273, 274, 280, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Not authorized to setuid | |||
| 53(35) | SYMLINK | 0( 0) | Successful symlink | 17, 49, 50, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 297, 307, 308, 309, 310, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| * | Failures logged as directory search or check access event types | |||
| 54(36) | UNLINK | 0( 0) | Successful unlink | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 302, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| * | Failures logged as directory search or check access event types | |||
| 55(37) | UNMOUNT THE SYSTEM | 0( 0) | Successful unmount | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 295, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| * | Failures logged as ck_priv event type | |||
| 56(38) | CHECK FILE OWNER | 0( 0) | User is the owner | 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | User is not the owner | |||
| 2( 2) | Security label failure | |||
| 57(39) | CK_PRIV | 0( 0) | User is authorized | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | User is not authorized to use requested function | |||
| 58(3A) | OPEN SLAVE TTY | 0( 0) | Access allowed | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 282, 283, 284, 288, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Not authorized to access specified process | |||
| 59(3B) | RACLINK | 0( 0) | Access allowed | 6, 49, 53, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority | |||
| 2( 2) | Keyword violation detected | |||
| 3( 3) | Association already defined | |||
| 4( 4) | Association already approved | |||
| 5( 5) | Association does not match | |||
| 6( 6) | Association does not exist | |||
| 7( 7) | Password not valid or user ID is revoked | |||
| 60(3C) | CHECK IPC ACCESS | 0( 0) | Access allowed | 17, 49, 51, 56, 256, 257, 258, 259, 260, 261, 262, 265, 266, 267, 268, 269, 303, 304, 305, 306, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Caller does not have proper access authority | |||
| 2( 2) | Security label failure | |||
| 61(3D) | IPCGET (MAKE ISP) | 0( 0) | Successful creation of ISP | 17, 49, 51, 56, 256, 257, 258, 259, 260, 261, 262, 265, 266, 269, 303, 304, 305, 306, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Security label failure | |||
| 62(3E) | R_IPC control | 0( 0) | Access allowed | 17, 49, 51, 56, 256, 257, 258, 259, 260, 261, 262, 265, 266, 280, 281, 289, 290, 291, 296, 303, 304, 305, 306, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Caller does not have proper authority. | |||
| 2( 2) | Security label failure | |||
| 63(3F) | SETGROUP | 0( 0) | Access allowed | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Not authorized to access specified process | |||
| 64(40) | CHECK OWNER, TWO FILES | 0( 0) | User is the owner | 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 271, 278, 279, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | User is not the owner | |||
| 2( 2) | Security label failure | |||
| 65(41) | R_AUDIT | 0( 0) | Successful r_audit | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| No failure case | ||||
| 66(42) | RACDCERT | 0( 0) | No violation detected | 6, 49, 53, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 336, 337, 338, 339, 386, 392, 393, 394, 395, 398, 399, 424, 425 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 67(43) | INITACEE | 0( 0) | Successful certificate registration | 49, 53, 318, 319, 331, 332 374, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Successful certificate deregistration | |||
| 2( 2) | Not authorized to register the certificate | |||
| 3( 3) | Not authorized to unregister the certificate | |||
| 4( 4) | No user ID found for the certificate | |||
| 5( 5) | The certificate is not trusted | |||
| 6( 6) | Successful CERTAUTH certificate registration | |||
| 7( 7) | Insufficient authority to register the CERTAUTH certificate | |||
| 8( 8) | Client security label not equivalent to server's | |||
| 9( 9) | A SITE or CERTAUTH certificate was used to authenticate a user | |||
| 10(A) | No RACF user ID found for distributed identity | |||
| 68(44) | GRANT OF INITIAL KERBEROS TICKET (reserved for use by Network Authentication Service) | 0( 0) | Success | 333, 334, 335 |
| 1( 1) | Failure | |||
| 69(45) | R_PKIServ GENCERT | 0( 0) | Successful GENCERT request | 46, 49, 53, 318, 319, 331, 332, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 357, 358, 359, 373, 375, 376, 377, 378, 386, 388, 391, 392, 393, 394, 395, 422, 424, 425, 426, 427, 428 |
| 1( 1) | Insufficient authority for GENCERT | |||
| 2( 2) | Successful REQCERT request | |||
| 3( 3) | Insufficient authority for REQCERT | |||
| 4( 4) | Successful GENRENEW request | |||
| 5( 5) | Insufficient authority for GENRENEW | |||
| 6( 6) | Successful REQRENEW request | |||
| 7( 7) | Insufficient authority for REQNRENEW | |||
| 8( 8) | Successful PREREGISTER request | |||
| 9( 9) | Insufficient authority for PREREGISTER | |||
| 70(46) | R_PKIServ EXPORT | 0( 0) | Successful EXPORT request | 46, 49, 53, 331, 332, 343, 344, 351, 359, 386, 391, 392, 393, 394, 395, 421, 424, 425 |
| 1( 1) | Insufficient authority for EXPORT | |||
| 2( 2) | Incorrect pass phrase specified for EXPORT | |||
| 71(47) | POLICY DIRECTOR ACCESS CONTROL DECISION (reserved for use by Policy Director Authorization Services) | 0( 0) | Authorized | 352, 353, 354, 355, 356, 372 |
| 1( 1) | Not authorized but permitted because of warning mode | |||
| 2( 2) | Not authorized because of insufficient traverse authority but permitted because of warning mode | |||
| 3( 3) | Not authorized because of time-of-day check but permitted because of warning mode | |||
| 4( 4) | Not authorized | |||
| 5( 5) | Not authorized because of insufficient traverse authority | |||
| 6( 6) | Not authorized because of time-of-day check | |||
| 72(48) | R_PKIServ QUERY, DETAILS, or VERIFY | 0( 0) | Successful admin QUERY or DETAILS request | 20, 46, 49, 53, 318, 319, 331, 332,
340, 341, 342, 346, 351, 358, 360, 361, 362, 363, 373, 375, 386, 391,
392, 393, 394, 395, 421, 422, 424, 425, 426, 429, 433,
434 |
| 1( 1) | Insufficient authority for admin QUERY or DETAILS | |||
| 2( 2) | Successful VERIFY request | |||
| 3( 3) | Insufficient authority for VERIFY | |||
| 4( 4) | Incorrect VERIFY certificate, no record found for this certificate | |||
| 73(49) | R_PKIServ UPDATEREQ | 0( 0) | Successful admin UPDATEREQ request | 46, 49, 53, 331, 332, 340, 341, 342, 346, 347, 348, 349, 350, 351, 357, 364, 365, 375, 376, 377, 378, 386, 388, 391, 392, 393, 394, 395, 424, 425, 427, 428 |
| 1( 1) | Insufficient authority for admin UPDATEREQ | |||
| 74(4A) | R_PKIServ UPDATECERT or REVOKE | 0( 0) | Successful admin UPDATECERT request | 48, 49, 53, 318, 331, 332,364, 365, 366, 386, 391, 392, 393, 394, 395, 423, 424, 425 |
| 1( 1) | Insufficient authority for admin UPDATECERT | |||
| 2( 2) | Successful REVOKE request | |||
| 3( 3) | Insufficient authority for REVOKE | |||
| 75(4B) | Change file ACL | 0( 0) | ACL successfully changed | 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 307, 308, 309, 310, 315, 316, 317, 331, 332, 367, 368, 369, 370, 371, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority to change ACL | |||
| 2( 2) | Security label failure | |||
| 76(4C) | Remove file ACL | 0( 0) | Entire ACL removed | 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 307, 308, 309, 310, 315, 316, 317, 331, 332, 367, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority to remove ACL | |||
| 2( 2) | Security label failure | |||
| 77(4D) | Set file security label (R_setfsecl) | 0( 0) | Security label change successful | 17, 49, 50, 51, 53, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Not authorized to change security label | |||
| 78(4E) | Set write-down privilege (R_writepriv) | 0( 0) | Requested function successful | 49, 53, 331, 332, 386, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Not authorized to IRR.WRITEDOWN.BYUSER | |||
| 79(4F) | CRL publication | 0( 0) | See z/OS Cryptographic Services PKI Services Guide and Reference. | |
| 80(50) | RPKIRESP | 0( 0) | Successful RESPOND request | 46, 49, 53, 331, 332, 386, 389, 391, 392, 393, 394, 395, 424, 425 |
| 1( 1) | Insufficient authority for RESPOND | |||
| 81(51) | PassTicket evaluation | 0( 0) | Success | 20, 48, 49, 53 |
| 1( 1) | Failure | |||
| 82(52) | PassTicket generation | 0( 0) | Success | 20, 48, 49, 53 |
| 1( 1) | Failure | |||
| 83(53) | RPKISCEP | 0( 0) | Successful AutoApprove PKCSReq request | 46, 49, 53, 318, 319, 331, 332, 340, 341, 342, 346, 347, 348, 349, 350, 351, 357, 358, 359, 373, 375, 386, 388, 391, 392, 393, 394, 395, 424, 425, 427, 428 |
| 1( 1) | Successful AdminApprove PKCSReq request | |||
| 2( 2) | Successful GetCertInitial request | |||
| 3( 3) | Rejected PKCSReq or GetCertInitial request | |||
| 4( 4) | Incorrect SCEP transaction ID specified for GetCertInitial | |||
| 5( 5) | Insufficient authority for SCEPREQ | |||
| 84(54) |
RDATAUPD |
0( 0) |
Successful NewRing |
49, 53, 318, 319, 320, 331, 332,
343, 344, 346, 386, 392, 393, 394, 395, 400®,
401, 402, 403, 404, 405, 406, 407, 424, 425, 435, 436, 437, 438 |
| 1( 1) | Not authorized to call NewRing | |||
| 2( 2) | Successful DataPut | |||
| 3( 3) | Not authorized to call DataPut | |||
| 4( 4) | Successful DataRemove | |||
| 5( 5) | Not authorized to call DataRemove | |||
| 6( 6) | Successful DelRing | |||
| 7( 7) | Not authorized to call DelRing | |||
| 85(55) | PKIAURNW | 0( 0) | Successful autoRenew | 318, 319, 341, 342, 346, 358, 363, 373, 391, 408 |
| 86(56) | R_PgmSignVer | 0( 0) | Successful signature verification | 1, 15, 46, 49, 53, 66, 331, 332, 386, 392, 393, 394, 395, 409, 410, 411, 412, 413, 414, 424, 425 |
| 1( 1) | Signature appears valid but root CA certificate not trusted | |||
| 2( 2) | Module signature failed verification | |||
| 3( 3) | Module certificate chain incorrect | |||
| 4( 4) | Signature required but module not signed | |||
| 5( 5) | Signature required but signature has been removed | |||
| 6( 6) | Program verification module not loaded. Program verification was not available when attempt was made to load this program. | |||
| 7( 7) | The algorithmic self-test failed while verifying the program verification module. | |||
| 87(57) | RACMAP | 0( 0) | No violation detected | 6, 49, 53, 331, 332, 386, 392, 393, 394, 395, 415, 416, 424, 425 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 88(58) | AUTOPROF | 0( 0) | Successful profile modification | 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 317, 331, 332, 386, 392, 393, 394, 395, 417, 418, 419, 420, 424, 425 |
| 89(59) | RPKIQREC | 0( 0) | Successful user QRECOVER request | 20, 46, 49, 53, 318, 319, 331, 332, 341, 342, 346, 358, 386, 391, 392, 393, 394, 395, 421, 424, 425 |
| 1( 1) | Insufficient authority for user QRECOVER |
Table of relocate section variable data
This table describes the variable data elements of the relocate section.
| Data type (SMF80DTP) dec(hex) | Data length (SMF80DLN) | Format | Description (SMF80DTA) |
|---|---|---|---|
| 1( 1) | 1-255 | EBCDIC | Resource name or old resource name (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE) |
| 2( 2) | 1-255 | EBCDIC | New data set name (RACROUTE REQUEST=DEFINE) |
| 3( 3) | 1 | Binary | Access requested (see Note 1) |
| 4( 4) | 1 | Binary | Access allowed (see Note 2) |
| 5( 5) | 1 | Binary | Data set level number (00-99) |
| 6( 6) | 1-255 | mixed | RACF command-related data (see Table of data type 6 command-related data) |
| 7( 7) | 1-255 | EBCDIC | DATA installation-defined data (ADDUSER, ALTUSER, RALTER, RDEFINE, ADDGROUP, ALTGROUP, ADDSD, ALTDSD) |
| 8( 8) | 1-20 | EBCDIC | NAME user-name (ADDUSER, ALTUSER) |
| 9( 9) | 1-255 | EBCDIC | Resource name (PERMIT, RALTER, RDEFINE, RDELETE) |
| 10( A) | 7 | EBCDIC | Volume serial (ALTDSD ADDVOL, RALTER ADDVOL, ADDSD VOLUME). When set on, bit 0 of the first byte indicates that the volume was not processed. Bytes 2-7 contain the volume serial number. |
| 11( B) | 7 | EBCDIC | Volume serial (ALTDSD DELVOL, RALTER DELVOL). When set on, bit 0 of the first byte indicates that the volume was not processed. Bytes 2-7 contain the volume serial. |
| 12( C) | 9-243 | 1 to 27 ID names (PERMIT), each 9 bytes long | |
| Binary | Byte 1: Processing flags:
|
||
| EBCDIC | Bytes 2-9: ID name | ||
| 13( D) | 1-255 | EBCDIC | FROM resource name (PERMIT, ADDSD, RDEFINE) |
| 14( E) | 12 | EBCDIC | VOLUME volume serial (6 bytes) followed by FVOLUME volume serial (6 bytes) (PERMIT) |
| 15( F) | 6 | EBCDIC | VOLSER volume serial (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE) (Note that when RACROUTE REQUEST=AUTH receives a DATASET profile as input, the volume serial logged is the first volume serial contained in the profiles list of volume serials.) |
| 16(10) | 6 | EBCDIC | OLDVOL volume serial (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE) (Note that when RACROUTE REQUEST=AUTH receives a DATASET profile as input, the volume serial logged is the first volume serial contained in the profiles list of volume serials.) |
| 17(11) | 1-8 | EBCDIC | Class name (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE, RDEFINE, RALTER, RDELETE, PERMIT, or VMXEVENT auditing). For z/OS UNIX, class controlling auditing for the request. |
| 18(12) | 1-255 | EBCDIC | MENTITY model resource name (RACROUTE REQUEST=DEFINE) |
| 19(13) | 6 | EBCDIC | Volume serial of model resource (RACROUTE REQUEST=DEFINE) |
| 20(14) | 8 | EBCDIC | Application name (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE processed) |
| 21(15) | 10 | Current class options (set by SETROPTS or RACF initialization) | |
| binary | Byte 1:
|
||
| EBCDIC | Bytes 2-9: Class name Byte 10:
|
||
| 22(16) | 8 | EBCDIC | Class name from STATISTICS/NOSTATISTICS keyword (SETROPTS) |
| 23(17) | 8 | EBCDIC | Class name from AUDIT/NOAUDIT keyword (SETROPTS) |
| 24(18) | 2-247 | EBCDIC | Resource name from ADDMEM keyword (RDEFINE, RALTER) Byte
1:
Bytes 2-247: Resource name |
| 25(19) | 2-247 | EBCDIC | Resource name from DELMEM keyword (RALTER). Bit 0 of the first byte, when set on, indicates that the resource name was not processed. Bytes 2-247 contain the resource name. |
| 26(1A) | 8 | EBCDIC | Class name from FCLASS keyword (PERMIT) |
| 27(1B) | 8 | EBCDIC | Class name from CLASSACT/NOCLASSACT keyword (SETROPTS, RVARY) |
| 28(1C) | 9 | mixed | Class name from CLAUTH/NOCLAUTH keyword (ADDUSER, ALTUSER). Bit 1 of the first byte, when set on, indicates that the class was ignored because the command user did not have sufficient authority to perform the operation. Bytes 2-9 contain the class name. |
| 29(1D) | 1-255 | EBCDIC | Application data (RDEFINE, RALTER) |
| 30(1E) | 12-55 | mixed | RACF database status
(RVARY, RACF initialization) Byte 1:
Bytes 2-4: Unit name Bytes 5-10 Volume Byte 11: Sequence number Byte 12: 1-44 character data set name |
| 31(1F) | 1-44 | EBCDIC | Data set name from DATASET operand (RVARY) |
| 32(20) | 89 | mixed |
|
| 33(21) | 2-255 | mixed | Byte 1: Processing Flags
Bytes 2-254: Generic resource name or name of generic profile used Note: This relocate section does not appear in the
record when a generic profile was not used, for example when a user
is granted access to his own JES spool files without using a profile,
even though one exists.
|
| 34(22) | 8 | EBCDIC | Class name from GENERIC/NOGENERIC (SETROPTS) |
| 35(23) | 8 | EBCDIC | Class name from GENCMD/NOGENCMD (SETROPTS) |
| 36(24) | 8 | EBCDIC | Class name from GLOBAL/NOGLOBAL (SETROPTS) |
| 37(25) | 1-44 | EBCDIC | Model name |
| 38(26) | 8 | EBCDIC | User ID or group name that owns the profile (RACROUTE REQUEST=AUTH and RACROUTE REQUEST=DEFINE and all the RACF commands that produce log records, except SETROPTS and RVARY). During DEFINE operations, this field contains the owner that the profile is defined with; in all other operations, it contains the current owner. Thus, for owner changes, it contains the old owner. |
| 39(27) | 4-255 | Variable number of entity names (PERMIT), each 4 to 42 bytes long | |
| binary | Bytes 1-2: Processing flags:
Byte 3: Entity length |
||
| EBCDIC | Bytes 4-end: Entity name | ||
| 40(28) | 2-45 | Category name (ADDSD, ALTDSD, ADDUSER, ALTUSER, RDEFINE, RALTER commands and RACROUTE REQUEST=DEFINE) to be added to the profile, and organized as follows: | |
| binary | Byte 1 (at offset 0): Processing flags:
|
||
| EBCDIC | Bytes 2-end (at offset 1): Category name added | ||
| 41(29) | 2-45 | Category name (ALTDSD, ALTUSER, and RALTER commands) to be deleted from the profile and organized as follows: | |
| binary | Byte 1 (at offset 0): Processing flags:
|
||
| EBCDIC | Bytes 2-end (at offset 1): Category name deleted | ||
| 42(2A) | 8 | EBCDIC | Class name from SETROPTS RACLIST/NORACLIST |
| 43(2B) | 8 | EBCDIC | Class name from SETROPTS GENLIST/NOGENLIST |
| 44(2C) | 1-255 | mixed | Any segment data, except BASE Byte 1:
|
| 44(2C) | 1-255 | mixed | Directed command information
|
| 44(2C) | 1-255 | mixed | Directed application update information
|
| 45(2D) | 9 | Class and logging options from SETROPTS LOGOPTIONS | |
| EBCDIC | Bytes 1-8: Class name | ||
| mixed | Byte 9:
|
||
| 46(2E) | 1-255 | EBCDIC | Variable length string of data specified on LOGSTR= keyword on RACROUTE macro |
| 47(2F) | 8 | EBCDIC | JOBNAME that user is not authorized to submit for a JESJOBS job |
| 48(30) | 8 | EBCDIC | User ID to whom data is directed (RECVR= keyword on RACROUTE macro) |
| 49(31) | 1-20 | EBCDIC | User name from ACEE |
| 50(32) | 8 | EBCDIC | Security label name (ADDSD, ALTDSD, ALTUSER, RDEFINE, and RALTER commands, and the R_setfsecl, makeFSP and makeISP callable services) to be added to the profile or security packet, or the user security label for RACROUTE REQUEST=DIRAUTH |
| 51(33) | 8 | EBCDIC | Security label name (RACROUTE REQUEST=AUTH and DIRAUTH, ck_access, ck_IPC_access, R_IPC_ctl, R_chmod, R_chown, R_audit, R_setfacl, ck_file_owner, ck_owner_two_files, ck_process_owner, R_ptrace or VMXEVENT auditing) of the resource, or security label name (ALTDSD, ALTUSER, RALTER commands and the R_setfsecl callable service) to be deleted from the profile or security packet. |
| 53(35) | 80 | mixed | User security token, see "RUTKN" in z/OS Security Server RACF Data Areas. |
| 54(36) | 80 | mixed | Resource security token (RACROUTE REQUEST=AUTH) see "RUTKN" in z/OS Security Server RACF Data Areas. |
| 55(37) | 8 | Binary | Key to link audit records together |
| 62(3E) | 1-44 | EBCDIC | Data set name affected by a security label change (used by SMF type 83 records) |
| 63(3F) | 4 | EBCDIC | Link value to connect data sets affected by a security label change with the RACF command that caused the change |
| 64(40) | 4 | EBCDIC | Link value to connect client and server audit records. A link
value can appear for a client or server without a corresponding link
value if:
|
| 65(41) | 1 | Binary | Flags that indicate ACEE type:
|
| 66(42) | 44 | EBCDIC | Partitioned data set name |
Notes:
The access flags for other RACROUTE REQUEST types are:
|
|||
Table of extended-length relocate section variable data
This table describes the variable data elements of the extended-length relocate section.
| Data type (SMF80TP2) dec(hex) | Data length (SMF80DL2) | Format | Audited by event code | Description (SMF80DA2) |
|---|---|---|---|---|
| 256(100) | 2 | Binary | All | Audit function code, indicating the calling service. Refer to the description of IRRPAFC in z/OS Security Server RACF Data Areas. |
| 257(101) | 4 | Binary | All | Old real z/OS UNIX user identifier (UID) |
| 258(102) | 4 | Binary | All | Old effective z/OS UNIX user identifier (UID) |
| 259(103) | 4 | Binary | All | Old saved z/OS UNIX user identifier (UID) |
| 260(104) | 4 | Binary | All | Old real z/OS UNIX group identifier (GID) |
| 261(105) | 4 | Binary | All | Old effective z/OS UNIX group identifier (GID) |
| 262(106) | 4 | Binary | All | Old saved z/OS UNIX group identifier (GID) |
| 263(107) | 1-1023 | EBCDIC | 28,29,30,31,32, 33,34,35,41,42, 43,44,45,47,48, 53,54,55,56,64 | Requested path name (see also data type 299) Note: For events
47 (rename) and 41 (link), this is the old path name.
|
| 264(108) | 16 | Binary | 28,29,30,31,32, 33,34,35,41,42, 43,44,45,47,48, 53,54,55,56,64 | File identifier |
| 265(109) | 4 | Binary | 28,29,30,31,32, 33,34,35,41,42, 43,44,45,47,48, 53,54,55,56,64 | File owner z/OS UNIX user identifier (UID) |
| 265(109) | 4 | Binary | 60,61,62 | IPC key owner z/OS UNIX user identifier (UID) |
| 266(10A) | 4 | Binary | 28,29,30,31,32, 33,34,35,41,42, 43,44,45,47,48, 53,54,55,56,64 | File owner z/OS UNIX group identifier (GID) |
| 266(10A) | 4 | Binary | 60,61,62 | IPC key owner z/OS UNIX group identifier (GID) |
| 267(10B) | 1 | Binary | 28,29,30 | Requested access
Multiple bits may be set. |
| 267(10B) | 1 | Binary | 60 | IPC requested access
|
| 268(10C) | 1 | Binary | 28, 29, 30, 60 | Access type (bits used to make access check)
The access type value could be 0 if a mandatory access check has failed. |
| 269(10D) | 1 | Binary | 28,29,30 | Access allowed
Multiple bits can be set. |
| 269(10D) | 1 | Binary | 60 | IPC access allowed
Multiple bits can be set. |
| 270(10E) | 1-1023 | EBCDIC | 28,29,30,41,47 | Second requested path name (see also data type 299) Note: For
events 47 (rename) and 41 (link), this is the new path name.
|
| 271(10F) | 16 | Binary | 47,64 | Second file identifier |
| 272(110) | 4 | Binary | 36,50,52 | New real z/OS UNIX user identifier (UID) |
| 273(111) | 4 | Binary | 36,50,52 | New effective z/OS UNIX user identifier (UID) |
| 274(112) | 4 | Binary | 36,50,52 | New saved z/OS UNIX user identifier (UID) |
| 275(113) | 4 | Binary | 36,49,51 | New real z/OS UNIX group identifier (GID) |
| 276(114) | 4 | Binary | 36,49,51 | New effective z/OS UNIX group identifier (GID) |
| 277(115) | 4 | Binary | 36,49,51 | New saved z/OS UNIX group identifier (GID) |
| 278(116) | 4 | Binary | 47 | Owner z/OS UNIX user identifier (UID) of deleted file |
| 278(116) | 4 | Binary | 64 | Second file owner z/OS UNIX user identifier (UID) |
| 279(117) | 4 | Binary | 47 | Owner z/OS UNIX group identifier (GID) of deleted file |
| 279(117) | 4 | Binary | 64 | Second file owner z/OS UNIX group identifier (GID) |
| 280(118) | 4 | Binary | 34,50,52 | z/OS UNIX user identifier (UID) input parameter |
| 280(118) | 4 | Binary | 62 | IPC owner z/OS UNIX user identifier (UID) input parameter |
| 281(119) | 4 | Binary | 34,49,51 | z/OS UNIX group identifier (GID) input parameter |
| 281(119) | 4 | Binary | 62 | IPC owner z/OS UNIX group identifier (GID) input parameter |
| 282(11A) | 4 | Binary | 37,40,46,58 | Target real z/OS UNIX user identifier (UID) |
| 283(11B) | 4 | Binary | 37,40,46,58 | Target effective z/OS UNIX user identifier (UID) |
| 284(11C) | 4 | Binary | 37,40,46,58 | Target saved z/OS UNIX user identifier (UID) |
| 285(11D) | 4 | Binary | 46 | Target real z/OS UNIX group identifier (GID) |
| 286(11E) | 4 | Binary | 46 | Target effective z/OS UNIX group identifier (GID) |
| 287(11F) | 4 | Binary | 46 | Target saved z/OS UNIX group identifier (GID) |
| 288(120) | 4 | Binary | 37,40,46,58 | Target PID |
| 289(121) | 4 | Binary | 33,35 | Old mode
|
| 289(121) | 4 | Binary | 62 | IPC old mode
|
| 290(122) | 4 | Binary | 33,35,42,43,45 | New mode
|
| 290(122) | 4 | Binary | 62 | IPC new mode
|
| 291(123) | 2 | Binary | 28 | Service that was being processed. Used when data type 256 indicates that the calling service was lookup (path name resolution). |
| 291(123) | 2 | Binary | 62 | Service that was being processed. Used when data type 256 indicates that the calling service was to remove an ID, set, or setmqb. |
| 292(124) | 4 | Binary | 31 | Requested audit options
In each byte, the following flags are defined:
|
| 293(125) | 8 | Binary | 31 | Old audit options (user and auditor)
In each byte, the following flags are defined:
|
| 294(126) | 8 | Binary | 31 | New audit options (user and auditor)
In each byte, the following flags are defined:
|
| 295(127) | 1-44 | EBCDIC | 28,44,55 | Data set name for mounted file system |
| 296(128) | 4 | Binary | 33,42,43,45 | Requested file mode
|
| 296(128) | 4 | Binary | 61,62 | IPC requested ISP mode.
|
| 297(129) | 1-1023 | EBCDIC | 28,29,53 | Content of symlink |
| 298(12A) | 1-256 | EBCDIC | 28,29,30 | File name being checked |
| 299(12B) | 1 | Binary | 28,29,30, 41,47 | Flag indicating whether the requested path name is the old
(or only) path name or the new path name. This field is X'01' except
for ck_access events where authority to a new name is being checked.
The second path name contains the new name specified.
|
| 300(12C) | 4 | Binary | 40 | Kill signal code |
| 301(12D) | variable | EBCDIC | 9,10,12,13 | Command segment data Bytes 1-2
Bytes 3-10: Name of segment (main keyword) Byte 11: Length of subkeyword; 0 if byte 1 bit 1 is set Variable length: The subkeyword specified; null if byte 1 bit 1 is set 2 bytes: Length of data Variable length: The data as entered on the command |
| 302(12E) | 1 | Binary | 47,54 | Last link deleted flag
|
| 303(12F) | 4 | Binary | 60,61,62 | IPC key |
| 304(130) | 4 | Binary | 60,61,62 | IPC ID |
| 305(131) | 4 | Binary | 60,61,62 | IPC key creator z/OS UNIX user identifier (UID) |
| 306(132) | 4 | Binary | 60,61,62 | IPC key creator z/OS UNIX group identifier (GID) |
| 307(133) | 8 | EBCDIC | 28,29,30,31,33, 34,41,42,43,45, 47,48,53,54,56 | Filepool name |
| 308(134) | 8 | EBCDIC | 28,29,30,31,33, 34,41,42,43,45, 47,48,53,54,56 | Filespace name |
| 309(135) | 4 | Binary | 28,29,30,31,33, 34,41,42,43,45, 47,48,53,54,56 | Inode (file serial number) |
| 310(136) | 4 | Binary | 28,29,30,31,33, 34,41,42,43,45, 47,48,53,54,56 | SCID (file serial number) |
| 311(137) | 8 | EBCDIC | 47 | Second filepool name |
| 312(138) | 8 | EBCDIC | 47 | Second filespace name |
| 313(139) | 4 | Binary | 47 | Second Inode (file serial number) |
| 314(13A) | 4 | Binary | 47 | Second SCID (file serial number) |
| 315(13B) | 4 | EBCDIC | 28,29,30,31,32, 33,34,41,44,47, 48,54,55,56,57, 63,64 | Link value to connect client and server audit records. A link
value may appear for a client or server without a corresponding link
value if:
|
| 316(13C) | 1 | Binary | 28,29,30,31,32, 33,34,41,44,47,48,54, 55,56,57,63,64 | Flags that indicate ACEE type:
|
| 317(13D) | 1 | Binary | 28,29,30,31,32, 33,34,35,36,37, 38,39,40,41,42, 43,44,45,46,47, 48,49,50,51,52, 53,54,55,56,57, 58,60,61,62,63, 64,65 |
|
| 318(13E) | 1-255 | EBCDIC | 66, 67, 69, 72, 74, 79, 83, 85, 89 | Certificate or CRL serial number |
| 319(13F) | 1-255 | EBCDIC | 66, 67, 69, 72, 74, 79, 83, 85, 89 | Certificate or CRL issuer's distinguished name |
| 320(140) | 1-237 | Char | 66 | Ring name |
| 321(141) | 1-64 | Char | 66 | C from SUBJECTSDN |
| 322(142) | 1-64 | Char | 66 | SP from SUBJECTSDN |
| 323(143) | 1-64 | Char | 66 | L from SUBJECTSDN |
| 324(144) | 1-64 | Char | 66 | O from SUBJECTSDN |
| 325(145) | 1-64 | Char | 66 | OU from SUBJECTSDN |
| 326(146) | 1-64 | Char | 66 | T from SUBJECTSDN |
| 327(147) | 1-64 | Char | 66 | CN from SUBJECTSDN |
| 328(148) | 1-255 | EBCDIC | 66 | SDNFILTER filter name |
| 329(149) | 1-255 | EBCDIC | 66 | IDNFILTER filter name |
| 330(14A) | 1-255 | EBCDIC | 66 | CRITERIA or NEWCRITERIA value |
| 331(14B) | 1-255 | EBCDIC | ALL events except 68 | Subject's distinguished name |
| 332(14C) | 1-255 | EBCDIC | ALL events except 68 | Issuer's distinguished name |
| 333(14D) | 1-240 | EBCDIC | 68 | Kerberos principal name (reserved for use by Network Authentication Service) |
| 334(14E) | 7-22 | EBCDIC | 68 | Kerberos login request source (reserved for use by Network Authentication Service) |
| 335(14F) | 1-10 | EBCDIC | 68 | Kerberos KDC status code (reserved for use by Network Authentication Service) |
| 336(150) | 1-255 | EBCDIC | 66 | ALTNAME IP address |
| 337(151) | 1-255 | EBCDIC | 66 | ALTNAME email |
| 338(152) | 1-255 | EBCDIC | 66 | ALTNAME Domain |
| 339(153) | 1-255 | EBCDIC | 66 | ALTNAME URI |
| 340(154) | 1 | Binary | 69, 83 | IRRSPX00 flags byte 1 – KeyUsage flag combinations:
|
| 341(155) | 10 | EBCDIC | 69, 83, 85, 89 | Requested NotBefore field in the format yyyy/mm/dd |
| 342(156) | 10 | EBCDIC | 69, 83, 85, 89 | Requested NotAfter field in the format yyyy/mm/dd |
| 343(157) | 8 | EBCDIC | 69, 70 | IRRSPX00 target user ID |
| 344(158) | 1-32 | EBCDIC | 69, 70 | IRRSPX00 target label |
| 345(159) | 1-45 | EBCDIC | 69 | IRRSPX00 SignWith field |
| 346(15A) | 1-255 | EBCDIC | 69, 83, 85, 89 | Requested Subject's DN |
| 347(15B) | 1-64 | EBCDIC | 69, 83 | Requested AltlPAddr field |
| 348(15C) | 1-255 | EBCDIC | 69, 83 | Requested AltURI field |
| 349(15D) | 1-100 | EBCDIC | 69, 83 | Requested AltEmail field |
| 350(15E) | 1-100 | EBCDIC | 69, 83 | Requested AltDomain field |
| 351(15F) | 1-56 | EBCDIC | 69, 70, 83 | IRRSPX00 CertId |
| 352(160) | 1-4096 | EBCDIC | 71 | Policy Director protected object (reserved for use by Policy Director Authorization Services) |
| 353(161) | 1-1024 | EBCDIC | 71 | Requested Policy Director permissions (reserved for use by Policy Director Authorization Services) |
| 354(162) | 8 | EBCDIC | 71 | Policy Director principal user ID (reserved for use by Policy Director Authorization Services) |
| 355(163) | 36 | EBCDIC | 71 | Principal ID string in the format nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn where n is any hexadecimal digit (reserved for use by Policy Director Authorization Services) |
| 356(164) | 4 | Binary | 71 | Policy Director quality of protection value (reserved for use by Policy Director Authorization Services) |
| 357(165) | 1024 | EBCDIC | 69, 70, 73, 83 | HostIDMappings extension data |
| 358(166) | 32 | EBCDIC | 70, 83, 85, 89 | Certificate requester's name |
| 359(167) | 1 | Binary | 69, 70, 83 | IRRSPX00 flags byte 2
|
| 360(168) | 32 | EBCDIC | 72 | Certificate or certificate request status:
|
| 361(169) | 10 | EBCDIC | 72 | Creation date in the format yyyy/mm/dd |
| 362(16A) | 10 | EBCDIC | 72 | Last modified in the format yyyy/mm/dd |
| 363(16B) | 1–255 | EBCDIC | 72, 85 | Certificate serial number for previously issued certificate |
| 364(16C) | 4 | Binary | 73, 74 | Action taken on certificate or certificate request |
| 365(16D) | 1–64 | EBCDIC | 74 | Action comment |
| 366(16E) | 4 | Binary | 74 | Certificate revocation reason |
| 367(16F) | 1 | Binary | 75, 76 | ACL type
|
| 368(170) | 1 | Unsigned | 75 | Effective ACL entry operation type
|
| 369(171) | 5 | Binary | 75 | ACL entry identifier. This consists of a 1–byte
type code followed by the 4–byte hexadecimal UID or GID value.
|
| 370(172) | 1 | Binary | 75 | Old ACL entry bits for modify and delete operations. |
| 371(173) | 1 | Binary | 75 | New ACL entry bits for add and modify operations. |
| 372(174) | 1 | Binary | 71 | Policy Director credential type flag reserved for use by Policy Director Authorization Services
|
| 373(175) | 1–64 | EBCDIC | 69, 72, 83, 85 | Email address for notification purposes |
| 374(176) | 8 | EBCDIC | 1, 67 | Server's security label |
| 375(177) | 1-255 | EBCDIC | 69, 72, 73, 83 | Extended keyUsage |
| 376(178) | 1-32 | EBCDIC | 69, 73 | Certificate policies |
| 377(179) | 1-1024 | EBCDIC | 69, 73 | Authority information access |
| 378(17A) | 1-255 | EBCDIC | 69, 73 | Critical extensions |
| 379(17B) | 1-255 | EBCDIC | 79 | CRL's issuing distribution point DN |
| 380(17C) | 10 | EBCDIC | 79 | CRL's date of issue |
| 381(17D) | 8 | EBCDIC | 79 | CRL's time of issue |
| 382(17E) | 10 | EBCDIC | 79 | CRL's expiration date |
| 383(17F) | 8 | EBCDIC | 79 | CRL's expiration time |
| 384(180) | 10 | EBCDIC | 79 | CRL's date of publish |
| 385(181) | 8 | EBCDIC | 79 | CRL's time of publish |
| 386(182) | 1–64 | EBCDIC | All, except 68, 71, 79, and 85 | SERVAUTH port of entry name (profile name protecting the SERVAUTH name if resource name is unavailable) |
| 387(183) | 1–1024 | EBCDIC | 79 | CRL's issuing distribution point URI |
| 388(184) | 1–1024 | EBCDIC | 69, 73, 83 | Requested ALTNAME OtherName |
| 389(185) | 1–1024 | EBCDIC | 80 | Response from OCSP responder containing a list
of triplets:
|
| 390(186) | 8 | EBCDIC | 2 | Primary (client) user ID for this nested ACEE. |
| 391(187) | 8 | EBCDIC | 69, 70, 72, 73, 74, 80, 83, 85, 89 | Domain name of the target PKI Services certificate authority. |
| 392(188) | 1-510 | EBCDIC | All, except 68, 71, 79, 81, 82, and 85 | Authenticated user name. |
| 393(189) | 1-255 | EBCDIC | All, except 68, 71, 79, 81, 82, and 85 | Authenticated user registry name. |
| 394(18A) | 1-128 | EBCDIC | All, except 68, 71, 79, 81, 82, and 85 | Authenticated user host name. |
| 395(18B) | 1-16 | EBCDIC | All, except 68, 71, 79, 81, 82, and 85 | Authenticated user authentication mechanism object identifier (OID). |
| 396(18C) | 3-244 | EBCDIC | 2 | Access criteria. Note: When this relocate is
used, the data appears in the form of criteria-name=criteria-value.
|
| 398(18E) | 1-64 | EBCDIC | 66 | PKDS label. |
| 399(18F) | 1-32 | EBCDIC | 66 | Token name. |
| 400(190) | 8 | EBCDIC | 84 | Ring owner. |
| 401(191) | 1 | Binary | 84 | Reuse attribute flag for NewRing. |
| 402(192) | 1 | Binary | 84 | Trust attribute flag for DataPut. |
| 403(193) | 1 | Binary | 84 | HighTrust attribute flag for DataPut. |
| 404(194) | 1 | Binary | 84 | Delete attribute flag for DataRemove. |
| 405(195) | 8 | EBCDIC | 84 | Certificate usage: ‘SITE’, ‘CERTAUTH’ or ‘PERSONAL’. |
| 406(196) | 1 | Binary | 84 | Default flag. X'01' means default certificate. |
| 407(197) | 1 | Binary | 84 | Private key specified. X'01' means that private key is specified. |
| 408(198) | 256 | EBCDIC | 85 | AutoRenew Exit path name. |
| 409(199) | 1-255 | EBCDIC | 86 | Root signing certificate subject's distinguished name |
| 410(19A) | 1-255 | EBCDIC | 86 | Program signer (end entity) certificate subject's distinguished name |
| 411(19B) | 1 | Binary | 86 | R_PgmSignVer flags byte
|
| 412(19C) | 8 | EBCDIC | 86 | Time module was signed |
| 413(19D) | 10 | EBCDIC | 86 | Date module was signed |
| 414(19E) | 10 | EBCDIC | 86 | Date when module certificate chain expires |
| 415(19F) | 1-246 | EBCDIC | 87 | Value of the user ID filter from the USERDIDFILTER keyword on MAP |
| 416(1A0) | 1-255 | EBCDIC | 87 | Value of the registry name from the REGISTRY keyword of RACMAP |
| 417(1A1) | 1-20 | EBCDIC | 88 | Service or process name for automatically updated profile |
| 418(1A2) | 1-8 | EBCDIC | 88 | Class for automatically updated profile |
| 419(1A3) | 1-255 | EBCDIC | 88 | Automatically updated profile name |
| 420(1A4) | 1-4000 | EBCDIC | 88 | Automatically updated profile data |
| 421(1A5) | 40 | EBCDIC | 70, 72, 89 | Key ID |
| 422(1A6) | 4 | EBCDIC | 69 | Key size |
| 423(1A7) | 32 | EBCDIC | 74 | Requester email |
| 424(1A8) | 1-246 | UTF-8 | All, except 68, 71, 79, 81, 82, and 85 | Authenticated distributed-identity user name |
| 425(1A9) | 1-246 | UTF-8 | All, except 68, 71, 79, 81, 82, and 85 | Authenticated distributed-identity registry name |
| 426(1AA) | 10 | EBCDIC | 69 | Key algorithm |
| 427(1AB) | 1024 | EBCDIC | 69, 73, 83 | Customized extension |
| 428(1AC) | 32 | EBCDIC | 69, 73, 83 | Record link |
| 429(1AD) | 32 | EBCDIC | 72 | Signing Algorithm |
| 430(1AE) |
|
|
|
Reserved |
| 431(1AF) |
|
|
|
Reserved |
| 432(1B0) |
|
|
|
Reserved |
| 433(1B1) |
2 |
Unsigned |
72 |
Number of approvals required for the request |
| 434(1B2) |
2 |
Unsigned |
72 |
Count of approvals performed |
| 435(1B3) |
1 |
Binary |
84 |
Notrust attribute flag for DataPut and DataAlter |
| 436(1B4) |
1 |
Binary |
84 |
Delete attribute flag for DataRemove, even if
the certificate is connected to rings |
| 437(1B5) |
1 |
Binary |
84 |
Delete attribute flag for DataRemove, even if
the certificate is used for GENREQ |
| 438(1B6) |
32 |
EBCDIC |
84 |
Source certificate label |
| 440(1B8) |
8 |
binary |
13 |
Byte 1: MFA subkeyword specified flags
Byte 2: MFA subkeyword specified flags
|
| 441(1B9) |
variable |
EBCDIC |
13 |
Multifactor authentication factor name |
| 442(1BA) |
variable |
EBCDIC |
13 |
MFA tag entry from the TAGS/DELTAGS keyword. When TAGS is specified, the entry value is the tag name and value separated by a colon (":"). When DELTAGS is specified, the entry value is the tag name only. |
| 443(1BB) |
variable |
mixed |
1 |
Byte 1: Authentication information:
Byte 2: Authenticator(s) used:
|
| 444 (1BC) |
variable |
EBCDIC |
13 |
MFA policy name entry from the ADDPOLICY/DELPOLICY keyword. |
Table of data type 6 command-related data
This table describes the RACF command-related data that is associated with data type 6.
- ADDGROUP
- ADDSD
- ADDUSER
- ALTDSD
- ALTGROUP
- ALTUSER
- CONNECT
- DELDSD
- DELGROUP
- DELUSER
- PASSWORD
- PERMIT
- RACDCERT
- RACLINK
- RACMAP
- RALTER
- RDEFINE
- RDELETE
- REMOVE
- RVARY
- SETROPTS
The actual format and content of the data depends upon the command being logged. Command-related data does not appear in the SMF record if the command user is not RACF-defined. Some of the commands also omit the command-related data if the user is not authorized for the requested profile on the RACF database.
The table is arranged by event code. In each description, the keyword flags contain one flag for each possible keyword that you can specify (explicitly or by default) on the command. The ‘flags for keywords specified’ field indicates whether the keyword was specified or defaulted.
The ‘flags for keywords ignored because of insufficient authority’ indicates whether the keyword was ignored because the user did not have sufficient authority to use the keyword. The event code qualifier (SMF80EVQ), described in Table 1, is set to 1 if the command user does not have sufficient authority for any of the keywords that are specified or taken as defaults. The event code qualifier is set to 2 if the command user does not have sufficient authority for some (but not all) of the keywords that are specified or taken as defaults. In the latter case, the command continues processing the authorized operands.
The ‘flags for keywords ignored due to error conditions’ field indicates individual keywords that were not processed for reasons other than insufficient authority. Not all commands (event codes 8-25) have these flags. The keyword errors are not terminating errors (like the errors that are indicated in SMF80ERR) and the command continues processing other specified operands. If a terminating error, these flags do not necessarily indicate what processing was done or not done. Any keyword errors occurring before the terminating error are indicated, but the keywords, that are not processed because of a terminating error, are not indicated. The bits in SMF80ERR indicate whether RACF already made changes to the RACF database before the terminating error and if it backed out the changes successfully.
Other fields in the command-related data field indicate the subfields that are specified (or defaulted) for keywords. The fields are flags for subfields that are keywords (such as SUCCESS subfield of AUDIT); they are data for subfields such as owner name or group name.
For example, if the owner of the profile for USERA issues the command:
ALTUSER USERA ADSP GRPACC SPECIAL OWNER(USERB)and USERB, the requested new owner is not RACF-defined, then the command-related data
would appear in the log record as:
012C0000 00040000 00080000 00E4E2C5
D9C14040 40000000 00000000 00000000
00000000 000000E4 E2C5D9C2 40404000
00000000The first word indicates the keywords that are specified. The second word indicates that the user does not have sufficient authority to use the SPECIAL keyword. The third word indicates that there was an error processing the OWNER keyword. Offset X'0D' is the name of the user profile that is being altered. Offset X'27' is the name of the owner that is specified on the command. RACF processed the ADSP and GRPACC keywords.
Note: If you use SMF records to reconstruct a RACF database, passwords and OIDCARDs are not
contained in the records and require special handling, and statistics
updates are not recorded.
| Event code dec(hex) | Command | Data length | Format | Description |
|---|---|---|---|---|
| 8( 8) | ADDSD | 2 | Binary | Flags for keywords specified:
|
| 2 | Binary | Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified. | ||
| 44 | EBCDIC | Data set name | ||
| 8 | EBCDIC | Type (UNIT keyword) | ||
| 1 | Binary | Flags for UACC keyword: Note: If this is a non-DFP data set, RACF ignores bit 4 when checking
access to data sets.
|
||
| 8 | EBCDIC | User ID or group name (OWNER keyword) | ||
| 1 | Binary | Flags for AUDIT keyword: (only one set at a time)
|
||
| 1 | Binary | nn (LEVEL keyword) | ||
| 8( 8) (Cont.) | ADDSD (Cont.) | 1 | Binary | Flags for RACF processing:
|
| 8 | EBCDIC | User to be notified when this profile denies access | ||
| 2 | Binary | Flags for keywords specified:
|
||
| 2 | Binary | Flags for keywords ignored. Same format as flags for keywords specified. | ||
| 1 | EBCDIC | Reserved for IBM's use | ||
| 2 | Binary | File sequence number | ||
| 2 | Binary | Retention period | ||
| 8 | EBCDIC | FROM class name | ||
| 44 | EBCDIC | FROM resource name | ||
| 8 | EBCDIC | FROM volume serial | ||
| 44 | EBCDIC | SECLEVEL name | ||
| 8 | EBCDIC | SECLABEL | ||
| 9( 9) | ADDGROUP | 1 | Binary | Flags for keywords specified:
|
| 1 | Binary | Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified. | ||
| 8 | EBCDIC | Group name | ||
| 8 | EBCDIC | Superior group name (SUPGROUP keyword) | ||
| 8 | EBCDIC | User ID or group name (OWNER keyword) | ||
| 10( A) | ADDUSER | * The data for event code 10 is identical to the data for event code 13, with these exceptions. | ||
| 4 | Binary | Flags for keywords specified:
|
||
| 4 | Binary | Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified. | ||
| 4 | Binary | Flags for keywords ignored because of error conditions | ||
| 1 | Binary | Flags for other violations:
|
||
| 8 | EBCDIC | User ID | ||
| 8 | EBCDIC | Group name (DFLTGRP keyword) | ||
| 8 | EBCDIC | *Group name (GROUP keyword) | ||
| 10( A) (Cont.) | ADDUSER (Cont.) | 1 | Binary | Flags for AUTHORITY keyword:
|
| 1 | Binary | Flags for UACC keyword:
|
||
| 8 | EBCDIC | User ID or group name (OWNER keyword) | ||
| 2 | Binary | Flags for classes specified (CLAUTH keyword)
|
||
| 2 | Binary | Flags for classes ignored because of insufficient authority: Same format as flags for classes specified. Note: if all classes specified are ignored because of insufficient authority, then the ‘flags for keywords ignored because of insufficient authority’ field indicates that CLAUTH was ignored. | ||
| 2 | Binary | Flags for additional keywords specified:
|
||
| 10( A) (Cont.) | ADDUSER (Cont.) | 2 | Binary | Flags for additional keywords ignored (authorization):
|
| 2 | Binary | Flags for additional keywords ignored because of processing
error:
|
||
| 3 | packed | Logon time (packed); if time is not specified, this field contains binary zeros; if TIME(ANYTIME) is specified, this field contains X'F0F0F0'. | ||
| 3 | packed | Logoff time (packed); if time is not specified, this field contains binary zeros; if TIME(ANYTIME) is specified, this field contains X'F0F0F0'. | ||
| 1 | Binary | Logon day
|
||
| 4 | EBCDIC | REVOKE date | ||
| 4 | EBCDIC | RESUME date | ||
| 44 | EBCDIC | SECLEVEL name | ||
| 8 | EBCDIC | SECLABEL name | ||
| 11( B) | ALTDSD | 2 | Binary | Flags for keywords specified:
|
| 2 | Binary | Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified, except that Byte 1, Bit 2 is reserved for IBM's use. | ||
| 2 | Binary | Flags for keywords ignored because of error conditions: Same format as flags for keywords specified, except that Byte 1, Bit 2 is reserved for IBM's use. | ||
| 44 | EBCDIC | Data set name | ||
| 8 | EBCDIC | User ID or group name (OWNER keyword) | ||
| 1 | Binary | Flags for UACC keyword: Note: If this is a non-DFP data set, RACF ignores bit 4 when checking
access to the data set.
|
||
| 1 | Binary | Flags for AUDIT keyword:
|
||
| 1 | Binary | nn (LEVEL keyword) | ||
| 1 | Binary | Flags for GLOBALAUDIT keyword: Same format as flags for AUDIT keyword. | ||
| 6 | EBCDIC | Volume serial ID (VOLUME keyword) | ||
| 11( B) (Cont.) | ALTDSD (Cont.) | 8 | EBCDIC | Unit information |
| 1 | Binary | Flags for RACF processing:
|
||
| 2 | Binary | Additional keywords specified:
|
||
| 2 | Binary | Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified. | ||
| 2 | Binary | Flags for keywords ignored because of a processing error: Same format as flags for keywords specified. | ||
| 2 | Binary | Retention period | ||
| 8 | EBCDIC | User to be notified when access denied. | ||
| 44 | EBCDIC | SECLEVEL name | ||
| 8 | EBCDIC | SECLABEL name | ||
| 12( C) | ALTGROUP | 1 | Binary | Flags for keywords specified:
|
| 1 | Binary | Flags for keywords ignored because of insufficient authority: Same format as flags for keyword's specified. | ||
| 1 | Binary | Flags for other violations:
|
||
| 8 | EBCDIC | Group name | ||
| 8 | EBCDIC | Superior group name (SUPGROUP keyword) | ||
| 8 | EBCDIC | User ID or group name (OWNER keyword) | ||
| 1 | Binary | Flags for keywords ignored because of error conditions: Same format as flags for keywords specified. | ||
| 13( D) | ALTUSER | * The data for event code 13 is identical to the data for event code 10, with these exceptions. | ||
| 4 | Binary | Flags for keywords specified:
|
||
| 4 | Binary | Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified. | ||
| 4 | Binary | Flags for keywords ignored because of error conditions: Same format as flags for keywords specified. | ||
| 1 | Binary | Flags for other violations:
|
||
| 13( D) (Cont.) | ALTUSER (Cont.) | 8 | EBCDIC | User ID |
| 8 | EBCDIC | Group name (DFLTGRP keyword) | ||
| 8 | EBCDIC | *Group name (GROUP keyword) | ||
| 1 | Binary | Flags for AUTHORITY keyword:
|
||
| 1 | Binary | Flags for UACC keyword:
|
||
| 8 | EBCDIC | User ID (OWNER keyword) | ||
| 2 | Binary | Flags for classes specified (CLAUTH keywords)
|
||
| 2 | Binary | Flags for classes ignored because of insufficient authority:
Same format as flags for classes specified. Note that if all classes specified are ignored because of insufficient authority, then the ‘flags for keywords ignored because of insufficient authority’ field indicates that CLAUTH or NOCLAUTH was ignored. |
||
| 2 | Binary | Flags for additional keywords specified:
|
||
| 13( D) (Cont.) | ALTUSER (Cont.) | 2 | Binary | Flags for additional keywords specified:
|
| 2 | Binary | Flags for additional keywords ignored (authorization):
|
||
| 2 | Binary | Flags for additional keywords ignored because of processing
error:
|
||
| 3 | packed | Logon time (packed); if time is not specified, this field contains binary zeros; if TIME(ANYTIME) is specified, this field contains X'F0F0F0'. | ||
| 3 | packed | Logoff time (packed); if time is not specified, this field contains binary zeros; if TIME(ANYTIME) is specified, this field contains X'F0F0F0'. | ||
| 13( D) (Cont.) | ALTUSER (Cont.) | 1 | Binary | Days the user cannot log on
|
| 4 | EBCDIC | REVOKE date | ||
| 4 | EBCDIC | RESUME date | ||
| 44 | EBCDIC | SECLEVEL name | ||
| 8 | EBCDIC | SECLABEL name | ||
| |
|
4 |
Binary |
Flags for additional keywords specified:
|
| 4 |
Binary |
Flags for additional keywords ignored (authorization):
|
||
| 4 |
Binary |
Flags for additional keywords ignored because
of processing error:
|
||
| 14( E) | CONNECT | 2 | Binary | Flags for keywords specified:
|
| 2 | Binary | Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified. | ||
| 8 | EBCDIC | User ID | ||
| 8 | EBCDIC | Group name (GROUP keyword) | ||
| 1 | Binary | Flags for UACC keyword:
|
||
| 1 | Binary | Flags for AUTHORITY keyword:
|
||
| 1 | Binary | Flags for additional keywords specified
|
||
| 1 | Binary | Flags for additional keywords ignored because of insufficient authority. Same format as flags for additional keywords specified. | ||
| 8 | EBCDIC | User ID or group name (OWNER keyword) | ||
| 14( E) (Cont.) | CONNECT (Cont.) | 4 | packed | REVOKE date, packed |
| 4 | packed | RESUME date, packed | ||
| 15( F) | DELDSD | 1 | Binary | Flags for keywords specified or taken as defaults:
|
| 1 | Binary | Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified. | ||
| 44 | EBCDIC | Data set name | ||
| 6 | EBCDIC | Volume serial ID (VOLUME keyword) | ||
| 1 | Binary | Flags for RACF processing:
|
||
| 16(10) | DELGROUP | 8 | EBCDIC | Group name |
| 17(11) | DELUSER | 8 | EBCDIC | User ID |
| 18(12) | PASSWORD | 1 | Binary | Flags for keywords specified:
|
| 1 | Binary | Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified. | ||
| 1 | Binary | Flags for keywords ignored because of error conditions: Same format as flags for keywords specified. | ||
| 4 | Binary | Change-interval (INTERVAL keyword) Note: If the NOINTERVAL
keyword is specified, the change-interval changes to X'FF'.
|
||
| 8 | EBCDIC | User ID (USER keyword) | ||
| 19(13) | PERMIT | 2 | Binary | Flags for keywords specified or taken as defaults:
|
| 2 | Binary | Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified, except that bits are not set for RESET(STANDARD) or RESET(WHEN). | ||
| 2 | Binary | Flags for keywords ignored because of error conditions: Same format as flags for keywords specified, except that bits are not set for RESET(STANDARD) or RESET(WHEN). | ||
| 2 | Binary | Flags for CLASS keyword, and for the RESET keyword:
|
||
| 19(13) (Cont.) | PERMIT (Cont.) | 1 | Binary | Flags for ACCESS keyword: Note: If this is a non-DFP data set, RACF ignores bit 4 when checking
access to the data set.
|
| 2 | Binary | Flags for FCLASS keyword: Same format as flags for CLASS keyword. |
||
| 20(14) | RALTER | * The data for event code 20 is identical to the data for event code 21, with these exceptions. | ||
| 2 | Binary | Flags for keywords specified:
|
||
| 2 | Binary | Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified. | ||
| 2 | Binary | Flags for class name:
|
||
| 8 | EBCDIC | User ID or group name (OWNER keyword) | ||
| 1 | Binary | Flags for UACC keyword:
|
||
| 1 | Binary | nn (LEVEL keyword) | ||
| 20(14) (Cont.) | RALTER (Cont.) | 1 | Binary | Flags for AUDIT keyword:
|
| 1 | Binary | *Flags for GLOBALAUDIT keyword: Same format as flags for AUDIT keyword. | ||
| 2 | Binary | Flags for keywords specified:
|
||
| 2 | Binary | Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified. | ||
| 8 | EBCDIC | User ID to be notified when profile denies access | ||
| 44 | EBCDIC | FROM resource name | ||
| 6 | EBCDIC | FROM volume volser | ||
| 20(14) (Cont.) | RALTER (Cont.) | 8 | EBCDIC | FROM class name |
| 1 | Binary | LOGON days:
|
||
| 3 | packed | Logon time, packed. If no subkeyword, then binary zeros. | ||
| 3 | packed | Logoff time, packed. If no subkeyword, then binary zeros. | ||
| 3 | packed | TIMEZONE value:
|
||
| 44 | EBCDIC | SECLEVEL name | ||
| 8 | EBCDIC | SECLABEL name | ||
| 21(15) | RDEFINE | * The data for event code 21 is identical to the data for event code 20, with these exceptions. | ||
| 2 | Binary | Flags for keywords specified:
|
||
| 2 | Binary | Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified. | ||
| 2 | Binary | Flags for class name:
|
||
| 8 | EBCDIC | User ID or group name (OWNER keyword) | ||
| 21(15) (Cont.) | RDEFINE (Cont.) | 1 | Binary | Flags for UACC keyword:
|
| 1 | Binary | nn (LEVEL keyword) | ||
| 1 | Binary | Flags for AUDIT keyword:
|
||
| 1 | Binary | *Reserved for IBM's use | ||
| 2 | Binary | Flags for keywords specified:
|
||
| 2 | Binary | Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified. | ||
| 8 | EBCDIC | User ID to be notified when profile denies access | ||
| 44 | EBCDIC | FROM resource name | ||
| 21(15) (Cont.) | RDEFINE (Cont.) | 6 | EBCDIC | FROM volume volser |
| 8 | EBCDIC | FROM class name | ||
| 1 | Binary | LOGON days:
|
||
| 3 | packed | Logon time, packed. If no subkeyword, then binary zeros. | ||
| 3 | packed | Logoff time, packed. If no subkeyword, then binary zeros. | ||
| 3 | packed | TIMEZONE value:
|
||
| 44 | EBCDIC | SECLEVEL name | ||
| 8 | EBCDIC | SECLABEL name | ||
| 22(16) | RDELETE | 2 | Binary | Flags for class name:
|
| 23(17) | REMOVE | 1 | Binary | Flags for keywords specified:
|
| 1 | Binary | Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified. | ||
| 8 | EBCDIC | User ID (to be removed) | ||
| 8 | EBCDIC | Group name (GROUP keyword) | ||
| 8 | EBCDIC | User ID or group name (OWNER keyword) | ||
| 24(18) | SETROPTS | 3 | Binary | Flags for keywords specified:
|
| 3 | Binary | Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified. | ||
| 1 | Binary | Flags for STATISTICS or NOSTATISTICS keyword:
|
||
| 1 | Binary | Flags for keywords ignored:
|
||
| 24(18) (Cont.) | SETROPTS (Cont.) | 1 | Binary | Flags for AUDIT or NOAUDIT keyword:
|
| 1 | Binary | Flags for keywords specified:
|
||
| 1 | Binary | Change-interval (INTERVAL keyword) | ||
| 1 | Binary | Flags for TERMINAL keyword:
|
||
| 1 | Binary | Flags for current statistics options after SETROPTS has executed:
|
||
| 1 | Binary | Flags for current audit options after SETROPTS has executed:
|
||
| 1 | Binary | Reserved for IBM's use | ||
| 24(18) (Cont.) | SETROPTS (Cont.) | 2 | Binary | Flags for miscellaneous options after SETROPTS has executed:
|
| 1 | Binary | Maximum password interval | ||
| 1 | Binary | Password history generation value | ||
| 1 | Binary | Password revoke value | ||
| 1 | Binary | Password warning level | ||
| 80 | Binary EBCDIC | Password syntax rules (eight rules). Each rule has the following
basic format:
|
||
| 1 | Binary | User ID inactive interval | ||
| 24(18) (Cont.) | SETROPTS (Cont.) | 3 | Binary | Flags for keywords specified:
|
| 3 | Binary | Flags for keywords specified but ignored because of insufficient authority: Same format as flags for keywords specified. | ||
| 8 | EBCDIC | Single-level data set name prefix | ||
| 3 | Binary | Flags for keywords specified:
|
||
| 24(18) (Cont.) | SETROPTS (Cont.) | 3 | Binary | Flags for keywords specified but ignored because of insufficient authority: Same format as flags for keywords specified. |
| 1 | Binary | Erase on scratch security level | ||
| 2 | Binary | Retention period | ||
| 1 | Binary | Flags for miscellaneous options after SETROPTS processing:
|
||
| 5 | Binary | Flags for keywords specified:
|
||
| 24(18) (Cont.) | SETROPTS (Cont.) | 4 | Binary | Flags for keywords specified but ignored because of insufficient authority: Same format as flags for keywords specified. |
| 1 | Binary | SECLEVEL audit value (auditing occurs for all resources having at least this value | ||
| 2 | Binary | SESSIONINTERVAL interval | ||
| 1 | Binary | Log options for data set
|
||
| 2 | Binary | Current SETROPTS
options for multilevel security
|
||
| 8 | EBCDIC | User ID for JES NJEUSERID | ||
| 8 | EBCDIC | User ID for JES UNDEFINEDUSER | ||
| 1 | Binary | Password MINCHANGE interval value | ||
| 1 | EBCDIC | Reserved for IBM's use | ||
| 4 | Binary | Flags for keywords specified
|
||
| 24(18) (Cont.) | SETROPTS (Cont.) |
|
||
| 4 | Binary | Flags for keywords specified but ignored because of insufficient authority: same format as flags for keywords specified. | ||
| 3 | EBCDIC | Primary language default | ||
| 3 | EBCDIC | Secondary language default | ||
| 1 | Binary | Flags for asterisk (*) specified
|
||
| 1 | Binary | KERBLVL setting | ||
| 1 | Binary | Current multilevel
security options
|
||
| 1 | Binary | Current minimum password change interval (MINCHANGE) | ||
| 1 | Binary | Current options
|
||
| 1 |
Binary |
Password algorithm in effect
|
||
| 75 |
EBCDIC |
Reserved for IBM's
use |
||
| 25(19) | RVARY | 1 | Binary | Flags for keywords specified:
|
| 1 | Binary | Flags for other violations:
|
||
| 1 | Binary | Flags for other keywords specified:
|
||
| 59(3B) | RACLINK | 20 | EBCDIC | Phase identifier (1 of 3 values: LOCAL ISSUANCE, TARGET PROCESSING, or TARGET RESPONSE) |
| 2 | Binary | Flags for keywords specified:
|
||
| 2 | Binary | Reserved for IBM's use | ||
| 8 | EBCDIC | Issuing node | ||
| 8 | EBCDIC | Issuing user ID | ||
| 8 | EBCDIC | Source user ID for association (from ID keyword) | ||
| 8 | EBCDIC | Target node name | ||
| 8 | EBCDIC | Target user ID | ||
| 8 | EBCDIC | Target authorization ID (ID under whose authority the association was established) | ||
| 4 | EBCDIC | Originating system's SMF ID from where LOCAL ISSUANCE occurred | ||
| 4 | Binary | Original time stamp (local time) from when LOCAL ISSUANCE occurred | ||
| 4 | Packed | Original date when LOCAL ISSUANCE occurred Note: The preceding
3 fields contain the LOCAL ISSUANCE information for all 3 phases.
|
||
| 1 | Binary | Status flags:
Note: When the event code qualifier is 0, and the status
flags indicate that no password was supplied and that the association
is established, an authorization user ID was used from the association
list. If the status flags indicate that no password was supplied and
the association is pending, no user ID in the authorization list had
the appropriate authority or no association list exists.
|
||
| 66(42) | RACDCERT | 4 | Binary | Flags for keywords specified:
|
| 8 | EBCDIC | User ID (from ID keyword on RACDCERT) | ||
| 44 | EBCDIC | Data set name | ||
| 32 | EBCDIC | Label name | ||
| 8 | EBCDIC | User ID (from ID sub-keyword) | ||
| 32 | EBCDIC | WITHLABEL | ||
| 4 | Binary | SIZE | ||
| 10 | EBCDIC | NOTBEFORE(date) in the format yyyy/mm/dd | ||
| 8 | EBCDIC | NOTBEFORE(time) in the format hh:mm:ss | ||
| 10 | EBCDIC | NOTAFTER(date) in the format yyyy/mm/dd | ||
| 8 | EBCDIC | NOTAFTER(time) in the format hh:mm:ss | ||
| 1 | Binary | FORMAT
|
||
| 66(42) (Cont.) | RACDCERT (Cont.) | 4 | Binary | More flags for keywords specified:
|
| 4 | Binary | SEQNUM | ||
| 87(57) | RACMAP | 4 | Binary | Flags for keywords specified:
|
| 8 | EBCDIC | User ID | ||
| 32 | EBCDIC | Label name | ||