SMF 80 data

System Management Facilities (SMF) record type 80 data is produced during Resource Access Control Facility (RACF®) processing.

SMF 80 data generation

To enable the generation of SMF record type 80 data, you must include the SMF 80 record type in the single SMF log stream that the Z Common Data Provider System Data Engine processes. RACF must also be installed, active, and configured to protect resources.

For information about the subset of SMF record type 80 data that the System Data Engine collects, see SMF type 80-related records that the System Data Engine creates.

SMF also records information that is gathered by RACF auditing. By using various RACF options, you can regulate the granularity of SMF record type 80 data that is collected. In the IBM® Documentation, see the following information from the z/OS® documentation:
Before you enable RACF log options, consider the impact in your environment. For example, enabling RACF log options can result in the following consequences:
  • An increase in the amount of disk space that is used for logging
  • An increase in the network activity that is required to transmit SMF data

Data stream definition for SMF 80 data

For prerequisite requirements for defining SMF data streams, see Copying configuration files to the working directory.

Table 1 indicates the configuration values to use in defining this data stream in the Z Common Data Provider Configuration Tool.

Table 1. Data stream definition for SMF 80 data
Type of node in the policy Required configuration value
Data Stream One or more of the following values:
  • SMF80_COMMAND
  • SMF80_LOGON
  • SMF80_OMVS_RES_1
  • SMF80_OMVS_RES_2
  • SMF80_OMVS_SEC_1
  • SMF80_OMVS_SEC_2
  • SMF80_OPERATION
  • SMF80_RESOURCE
To select this data stream in the Configuration Tool: In the Select data stream window, click IBM Z Operational Log and Data Analytics > Security > RACF, and select the check box for the respective data stream.
Filter Transform Not required
Subscriber See Subscriber configuration.
Important: When you use the Generic Kafka subscriber protocol, you must select the CSV format. Key-Value format is not supported for this data stream definition.

Annotated fields for SMF 80 data

In the following table, the column that is titled Corresponding SMF field indicates the name of the SMF field that corresponds to the field name in the annotation.

Table 2. Annotated fields for SMF 80 data
Field Description Corresponding SMF field
AccessAllow Access authority allowed SMF80DTA
AccessReq Access authority requested SMF80DTA
AccessType Setting that is used in granting access. The following values are possible:
  • None
  • Owner
  • Group
  • Other
SMF80DA2
Application Application name that is specified on the RACROUTE request SMF80DTA
AuditDesc Descriptive name of the operation that is audited SMF80DA2
AuditName Name of the operation that is audited SMF80DA2
Auditor AUDITOR attribute (Y/N) SMF80ATH
AuditorExec Auditor execute/search audit options SMF80DA2
AuditorRead Auditor read access audit options SMF80DA2
AuditorUserExec User execute/search audit options SMF80DA2
AuditorUserRead User read access audit options SMF80DA2
AuditorUserWrite User write access audit options SMF80DA2
AuditorWrite Auditor write access audit options SMF80DA2
AuthorityFlags Flags that indicate the authority checks that are made for the user who requested the action SMF80ATH
CHOWNGroupID z/OS UNIX group identifier (GID) input parameter SMF80DA2
CHOWNUserID z/OS UNIX user identifier (UID) input parameter SMF80DA2
Class The class entries that are supplied by IBM in the class descriptor table (ICHRRCDX) SMF80DTA
Command A string that is derived by using the SMF80EVT and SMF80EVQ values SMF80EVT, SMF80EVQ
EffectiveGroup User's effective GID setting SMF80DA2
EffectiveUser User's effective UID setting SMF80DA2
Event Short description of the event code and qualifier SMF80EVT, SMF80EVQ
EventCode Event code SMF80EVT
EventDate Date that the event occurred SMF80DTE
EventDesc Verbose description of the event code and qualifier SMF80EVT
EventQual Event code qualifier SMF80EVQ
Failed Event code qualifier is nonzero, which indicates a failed request (Y/N) SMF80EVQ
Filename File name of the file that is being checked SMF80DA2
FileOwnerGroup File owner's GID SMF80DA2
FileOwnerUser File owner's UID SMF80DA2
Generic Generic profile used (Y/N) SMF80DTP
GroupExec Group permissions bit: execute SMF80DA2
GroupRead Group permissions bit: read SMF80DA2
GroupWrite Group permissions bit: write SMF80DA2
ISGID Requested file mode: S_ISGID bit SMF80DA2
ISUID Requested file mode: S_ISUID bit SMF80DA2
ISVTX Requested file mode: S_ISVTX bit SMF80DA2
OtherExec Other permissions bit: execute SMF80DA2
OtherRead Other permissions bit: read SMF80DA2
OtherWrite Other permissions bit: write SMF80DA2
OwnerExec Owner permissions bit: execute SMF80DA2
OwnerRead Owner permissions bit: read SMF80DA2
OwnerWrite Owner permissions bit: write SMF80DA2
Pathname Full path name of the file that is being checked SMF80DA2
ProfileName Name of the Resource Access Control Facility (RACF) profile that is used to access the resource SMF80DTA
RealGroup User's real GID setting SMF80DA2
RealUser User's real UID setting SMF80DA2
RecordType Internal record type. The following values are possible:
  • SMF80_COMMAND
  • SMF80_LOGON
  • SMF80_OMVS_RES_1
  • SMF80_OMVS_RES_2
  • SMF80_OMVS_SEC_1
  • SMF80_OMVS_SEC_2
  • SMF80_OPERATION
  • SMF80_RESOURCE
Set by the data provider
ResourceName Resource name SMF80DTA
SavedGroup User's saved GID setting SMF80DA2
SavedUser User's saved UID setting SMF80DA2
Special SPECIAL attribute (Y/N) SMF80ATH
SuperUser z/OS UNIX superuser (Y/N) SMF80AU2
SystemID The MVS™ system ID, which is also the SMF system ID SMF80SID
TermID Terminal ID of the foreground user (zero if not available) SMF80TRM
UserID Identifier of the user that is associated with this event. The value of JobName is used if the user is not defined to RACF. SMF80USR