Resource Access Control Facility (RACF)
The IBM® QRadar® RACF® Custom Properties Content Extension adds new custom properties for RACF.
Important: To avoid content errors in this content extension, keep the associated DSMs
up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled,
download the most recent version of the associated DSMs from IBM Fix Central
(https://www.ibm.com/support/fixcentral).
IBM Security QRadar RACF Custom Properties Content Extension V1.0.1
The following table shows the custom properties in IBM Security QRadar RACF Custom Properties Content Extension V1.0.1.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Access Intent | Yes | 1 | intent=([^\t]+) |
IBM Security QRadar RACF Custom Properties Content Extension V1.0.0
The following table shows the custom properties in IBM Security QRadar RACF Custom Properties Content Extension V1.0.0.
| Name | Regex |
|---|---|
| Authenticator | authenticator=([^\t]+) |
| Access allowed | allow=([^\t]+) |
| Access intent | intent=([^\t]+) |
| Application name | appl=([^\t]+) |
| Command | cmd=([^\t]+) |
| Data set name | dsn=([^\t]+) |
| Descriptor | desc=([^\t]+) |
| Event summary | sum=([^\t]+) |
| Identity context name | ICTXname=([^\t]+) |
| Identity context registry | ICTXreg=([^\t]+) |
| Job name | job=[^\t]{29}([^\t]{8}) |
| Log string | logstr=([^\t]+) |
| Person name | name=([^\t]+) |
| Physical DASD box serial | box=([^\t]+) |
| Port of entry | poe=([^\t]+) |
| Private / owned data set | own=([^\t]+) |
| RACF authority | auth=([^\t]+) |
| RACF profile | prof=([^\t]+) |
| Resource sensitivity | sens=([^\t]+) |
| SAF class | class=([^\t]+) |
| SAF resource name | res=([^\t]+) |
| SNA terminal name | terminal=([^\t]+) |
| Sensitive groups | usrGroups=([^\t]+ |
| Sensitive user privileges | usrPriv=([^\t]+) |
| Submitted by | submitby=([^\t]+) |
| System SMF id | job=([^\t]{4}) |
| System / job | job=([^\t]+) |
| UNIX path name | path=([^\t]+) |
| UNIX access origin | used=([^\t]+) |
| UNIX function | function=([^\t]+) |
| Volume serial | vol=([^\t]+) |