SMF 80 data
System Management Facilities (SMF) record type 80 data is produced during Resource Access Control Facility (RACF®) processing.
SMF 80 data generation
To enable the generation of SMF record type 80 data, you must include the SMF 80 record type in the single SMF log stream that the Z Common Data Provider System Data Engine processes. RACF must also be installed, active, and configured to protect resources.
For information about the subset of SMF record type 80 data that the System Data Engine collects, see SMF type 80-related records that the System Data Engine creates.
- Information about the following options of the SETROPTS LOGOPTIONS command, through which you can control auditing:
- DIRSRCH
- DIRACC
- FSOBJ
- FSSEC
- Examples for setting audit controls by using SETROPTS
- An increase in the amount of disk space that is used for logging
- An increase in the network activity that is required to transmit SMF data
Data stream definition for SMF 80 data
For prerequisite requirements for defining SMF data streams, see Copying configuration files to the working directory.
Table 1 indicates the configuration values to use in defining this data stream in the Z Common Data Provider Configuration Tool.
Type of node in the policy | Required configuration value |
---|---|
Data Stream | One or more of the following values:
To select this data stream in the Configuration Tool: In the
Select data streamwindow, click , and select the check box for the respective data stream. |
Filter Transform | Not required |
Subscriber | See Subscriber configuration.
Important: When you use the Generic Kafka subscriber protocol, you must select the CSV format. Key-Value format is not supported for this data stream definition.
|
Annotated fields for SMF 80 data
In the following table, the column that is titled Corresponding SMF field
indicates the name of the SMF field that corresponds to the field name in the annotation.
Field | Description | Corresponding SMF field |
---|---|---|
AccessAllow |
Access authority allowed | SMF80DTA |
AccessReq |
Access authority requested | SMF80DTA |
AccessType |
Setting that is used in granting access. The following values are possible:
|
SMF80DA2 |
Application |
Application name that is specified on the RACROUTE request | SMF80DTA |
AuditDesc |
Descriptive name of the operation that is audited | SMF80DA2 |
AuditName |
Name of the operation that is audited | SMF80DA2 |
Auditor |
AUDITOR attribute (Y/N) | SMF80ATH |
AuditorExec |
Auditor execute/search audit options | SMF80DA2 |
AuditorRead |
Auditor read access audit options | SMF80DA2 |
AuditorUserExec |
User execute/search audit options | SMF80DA2 |
AuditorUserRead |
User read access audit options | SMF80DA2 |
AuditorUserWrite |
User write access audit options | SMF80DA2 |
AuditorWrite |
Auditor write access audit options | SMF80DA2 |
AuthorityFlags |
Flags that indicate the authority checks that are made for the user who requested the action | SMF80ATH |
CHOWNGroupID |
z/OS UNIX group identifier (GID) input parameter | SMF80DA2 |
CHOWNUserID |
z/OS UNIX user identifier (UID) input parameter | SMF80DA2 |
Class |
The class entries that are supplied by IBM in the class descriptor table (ICHRRCDX) | SMF80DTA |
Command |
A string that is derived by using the SMF80EVT and SMF80EVQ values | SMF80EVT, SMF80EVQ |
EffectiveGroup |
User's effective GID setting | SMF80DA2 |
EffectiveUser |
User's effective UID setting | SMF80DA2 |
Event |
Short description of the event code and qualifier | SMF80EVT, SMF80EVQ |
EventCode |
Event code | SMF80EVT |
EventDate |
Date that the event occurred | SMF80DTE |
EventDesc |
Verbose description of the event code and qualifier | SMF80EVT |
EventQual |
Event code qualifier | SMF80EVQ |
Failed |
Event code qualifier is nonzero, which indicates a failed request (Y/N) | SMF80EVQ |
Filename |
File name of the file that is being checked | SMF80DA2 |
FileOwnerGroup |
File owner's GID | SMF80DA2 |
FileOwnerUser |
File owner's UID | SMF80DA2 |
Generic |
Generic profile used (Y/N) | SMF80DTP |
GroupExec |
Group permissions bit: execute | SMF80DA2 |
GroupRead |
Group permissions bit: read | SMF80DA2 |
GroupWrite |
Group permissions bit: write | SMF80DA2 |
ISGID |
Requested file mode: S_ISGID bit | SMF80DA2 |
ISUID |
Requested file mode: S_ISUID bit | SMF80DA2 |
ISVTX |
Requested file mode: S_ISVTX bit | SMF80DA2 |
OtherExec |
Other permissions bit: execute | SMF80DA2 |
OtherRead |
Other permissions bit: read | SMF80DA2 |
OtherWrite |
Other permissions bit: write | SMF80DA2 |
OwnerExec |
Owner permissions bit: execute | SMF80DA2 |
OwnerRead |
Owner permissions bit: read | SMF80DA2 |
OwnerWrite |
Owner permissions bit: write | SMF80DA2 |
Pathname |
Full path name of the file that is being checked | SMF80DA2 |
ProfileName |
Name of the Resource Access Control Facility (RACF) profile that is used to access the resource | SMF80DTA |
RealGroup |
User's real GID setting | SMF80DA2 |
RealUser |
User's real UID setting | SMF80DA2 |
RecordType |
Internal record type. The following values are possible:
|
Set by the data provider |
ResourceName |
Resource name | SMF80DTA |
SavedGroup |
User's saved GID setting | SMF80DA2 |
SavedUser |
User's saved UID setting | SMF80DA2 |
Special |
SPECIAL attribute (Y/N) | SMF80ATH |
SuperUser |
z/OS UNIX superuser (Y/N) | SMF80AU2 |
SystemID |
The MVS™ system ID, which is also the SMF system ID | SMF80SID |
TermID |
Terminal ID of the foreground user (zero if not available) | SMF80TRM |
UserID |
Identifier of the user that is associated with this event. The value of
JobName is used if the user is not defined to RACF. |
SMF80USR |