Resource Access Control Facility (RACF)
The IBM Security QRadar RACF® Custom Properties Content Extension adds new custom properties for RACF.
Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).
IBM Security QRadar RACF Custom Properties Content Extension V1.0.1
The following table shows the custom properties in IBM Security QRadar RACF Custom Properties Content Extension V1.0.1.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Access Intent | Yes | 1 | intent=([^\t]+) |
IBM Security QRadar RACF Custom Properties Content Extension V1.0.0
The following table shows the custom properties in IBM Security QRadar RACF Custom Properties Content Extension V1.0.0.
| Name | Regex |
|---|---|
| Authenticator | authenticator=([^\t]+) |
| Access allowed | allow=([^\t]+) |
| Access intent | intent=([^\t]+) |
| Application name | appl=([^\t]+) |
| Command | cmd=([^\t]+) |
| Data set name | dsn=([^\t]+) |
| Descriptor | desc=([^\t]+) |
| Event summary | sum=([^\t]+) |
| Identity context name | ICTXname=([^\t]+) |
| Identity context registry | ICTXreg=([^\t]+) |
| Job name | job=[^\t]{29}([^\t]{8}) |
| Log string | logstr=([^\t]+) |
| Person name | name=([^\t]+) |
| Physical DASD box serial | box=([^\t]+) |
| Port of entry | poe=([^\t]+) |
| Private / owned data set | own=([^\t]+) |
| RACF authority | auth=([^\t]+) |
| RACF profile | prof=([^\t]+) |
| Resource sensitivity | sens=([^\t]+) |
| SAF class | class=([^\t]+) |
| SAF resource name | res=([^\t]+) |
| SNA terminal name | terminal=([^\t]+) |
| Sensitive groups | usrGroups=([^\t]+) |
| Sensitive user privileges | usrPriv=([^\t]+) |
| Submitted by | submitby=([^\t]+) |
| System SMF id | job=([^\t]{4}) |
| System / job | job=([^\t]+) |
| UNIX path name | path=([^\t]+) |
| UNIX access origin | used=([^\t]+) |
| UNIX function | function=([^\t]+) |
| Volume serial | vol=([^\t]+) |