Record type 80: RACF processing record

RACF® writes record type 80 for the following detected events:
  • Unauthorized attempts to enter the system. For example, during RACF processing of a RACROUTE REQUEST=VERIFY macro instruction, RACF found that a RACF-defined user either (1) has supplied an invalid password, OIDCARD, or group name, (2) is not authorized access to the terminal, or (3) had insufficient security label authority.

    RACF always writes this violation record when it detects the unauthorized attempt; this violation record supplements the information that RACF sends to the security console in RACF message ICH408I.

  • Authorized attempts to enter the system. RACF provides a RACROUTE REQUEST=VERIFY option to log successful signons and signoffs including ENVIR=CREATE or ENVIR=DELETE signons and signoffs. For the LOG keyword on the RACROUTE REQUEST=VERIFY macros, LOG=ALL or LOG=ASIS may be specified to control the generation of log records for RACROUTE REQUEST=VERIFY. The value of the LOG keyword is passed to both the RACROUTE REQUEST=VERIFY preprocessing and postprocessing installation exits. Both exits are invoked before the generation of a log record, and the LOG keyword value can be changed for both exits.
  • Authorized accesses or unauthorized attempts to access RACF-protected resources. During RACF processing of a RACROUTE REQUEST=AUTH or REQUEST=DEFINE macro instruction, RACF found that one of the following events occurred:
    1. The user was permitted access to a RACF-protected resource and allowed to perform the requested operation.
    2. The user did not have sufficient access or group authority to access a RACF-protected resource, or supplied invalid data while attempting to perform an operation on a RACF-protected resource.

    In the first case, RACF writes the record if the ALL or SUCCESS logging option is set in the resource profile by the ADDSD, ALTDSD, RALTER, or RDEFINE command and the access type is within the scope of the valid access types. RACF also writes the record if logging has been unconditionally requested by a RACROUTE REQUEST=AUTH postprocessing exit routine.

    In the second case, RACF writes the violation record if the ALL or FAILURES logging option is set in the resource profile by the ADDSD, ALTDSD, RALTER, or RDEFINE command, or if logging is unconditionally requested by a RACROUTE REQUEST=AUTH postprocessing exit routine. The violation record supplements the information that RACF sends to the security console in RACF message ICH408I.

    Note that the FAILURES (READ) option is the default in cases where new resources are RACF-protected.

    For the preceding events, a RACROUTE REQUEST=AUTH exit routine can modify the logging options by changing the LOG parameter on a RACROUTE REQUEST=AUTH macro instruction from ASIS to NOFAIL, NONE, or NOSTAT, or by unconditionally requesting or suppressing logging with the logging control field. For information about the LOG parameter of a RACROUTE REQUEST=AUTH macro instruction, see z/OS Security Server RACROUTE Macro Reference. For information about the logging options of the ADDSD, ALTDSD, ALTUSER, RALTER, RDEFINE, and SETROPTS commands, see z/OS Security Server RACF Command Language Reference.

  • Authorized or unauthorized attempts to modify profiles on a RACF database. During RACF command processing, RACF found that a user with the AUDITOR attribute specified that the following be logged:
    1. All detected changes to a RACF database by RACF commands or a RACROUTE REQUEST=DEFINE
    2. All RACF commands (except LISTDSD, LISTGRP, LISTUSER, RLIST, and SEARCH) issued by users with the SPECIAL attribute
    3. All violations detected by RACF commands (except LISTGRP, LISTUSER, RLIST, and SEARCH)
    4. Every RACROUTE REQUEST=AUTH and RACROUTE REQUEST=DEFINE issued for the user and all RACF commands (except LISTGRP, LISTUSER, RLIST and SEARCH) issued by the user

    In the first three cases, RACF writes records if a user with the AUDITOR attribute specified AUDIT, SAUDIT, and CMDVIOL, in that order, on the SETROPTS command. In the fourth case, RACF writes the records if a user with the AUDITOR attribute specified UAUDIT on the ALTUSER command.

  • Generation or evaluation of a PassTicket via the RCVTPTGN, R_ticketserv or R_GenSec services. PassTicket use during normal logon is reflected in the SMF type 80 record generated for an authorized or an unauthorized attempt to enter the system (see above), and does not result in a separate SMF record.
You can use SMF records to:
  • Track the total use of a sensitive resource (if the ALL option is set)
  • Identify the resources that are repeated targets of detected unauthorized attempts to access them (if the ALL or FAILURES option is set)
  • Identify the users who make detected unauthorized requests
  • Track SPECIAL user activity
  • Track activity of a particular user

In most cases, RACF writes one record for each event. (RACF can write two records for one operation on a resource for example, when a RACF-protected DASD data set is deleted with scratch.)

Format of SMF type 80 records

SMF type 80 records contain the following information:

  • The record type
  • Time stamp (time and date)
  • Processor identification
  • Event code and qualifier (explained in Table of event codes and event code qualifiers)
  • User identification
  • Group name
  • A count of the relocate sections
  • Authorities used to successfully execute commands or access resources
  • Reasons for logging
    Note: In general, RACF searches for reasons for auditing an event until it finds one, then audits without looking for more reasons that might also have caused auditing. This means that most RACF SMF records will show only one reason for auditing, even though several might apply (and in a few cases, more than one might actually be shown in the record). There are many places in RACF that audit, and the order of checking is not the same in all places, so the audit reason that will be used is not entirely predictable. In some cases it would not even be possible for RACF to look for additional potential audit reasons without causing adverse performance impact to the system. For example, SPECIAL users are often granted access to a resource without even reading the resource profile that protects it, so no information is available about what auditing options the profile might have requested.
  • Command processing error flag
  • Foreground user terminal ID
  • Foreground user terminal level number
  • Job log number (job name, entry time, and date)
  • RACF version, release, and modification number
  • Security label of user
The log record RACF creates is a standard SMF record with the type 80 format. Table 1 describes the format of the type 80 record.
Table 1. Format of the SMF type 80 record
Offsets
Dec. Hex. Name Length Format Description
0 0 SMF80LEN 2 Binary Record length.
2 2 SMF80SEG 2 Binary Segment descriptor.
4 4 SMF80FLG 1 Binary System indicator
Bit
Meaning when set
0-2
Reserved for IBM®'s use.
3
MVS™/ or 5
4
MVS/
5
MVS/
6
VS2
7
Reserved for IBM's use.
Note: For MVS/, bits 3, 4, 5, and 6 are on.
5 5 SMF80RTY 1 Binary Record type: 80 (X'50').
6 6 SMF80TME 4 Binary Time of day, in hundredths of a second, that the record was moved to the SMF buffer.
10 A SMF80DTE 4 packed Date that the record was moved to the SMF buffer, in the form 0cyydddF (where F is the sign).
14 E SMF80SID 4 EBCDIC System identification (from the SID parameter).
18 12 SMF80DES 2 Binary Descriptor flags
Bit
Meaning when set
0
The event is a violation.
1
User is not defined to RACF.
2
Record contains a version indicator (see SMF80VER).
3
The event is a warning.
4
Record contains a version, release, and modification level number (see SMF80VRM).
5-15
Reserved for IBM's use.
20 14 SMF80EVT 1 Binary Event code.
21 15 SMF80EVQ 1 Binary Event code qualifier.
22 16 SMF80USR 8 EBCDIC Identifier of the user associated with this event (jobname is used if the user is not defined to RACF).
30 1E SMF80GRP 8 EBCDIC Group to which the user was connected (stepname is used if the user is not defined to RACF).
38 26 SMF80REL 2 Binary Offset to the first relocate section from SMF80FLG.
40 28 SMF80CNT 2 Binary Count of the number of relocate sections.
42 2A SMF80ATH 1 Binary Authorities used for processing commands or accessing resources. (See Note 1.)
Bit
Meaning when set
0
Normal authority check (resource access).
1
SPECIAL attribute (command processing).
2
ROAUDIT attribute (command processing).

OPERATIONS attribute (resource access, command processing).

3
AUDITOR attribute (command processing).
4
Installation exit processing (resource access).
5
Failsoft processing (resource access).
6
Bypassed-user ID = *BYPASS* (resource access).
7
Trusted attribute (resource access).
43 2B SMF80REA 1 Binary Reason for logging. These flags indicate the reason RACF produced the SMF record. (See Note 2.)
Bit
Meaning when set
0
SETROPTS AUDIT(class) changes to this class of profile are being audited.
1
User being audited.
2
SPECIAL or OPERATIONS user being audited. (See Note 2.)
3
Access to the resource is being audited due to the AUDIT option (specified when profile created or altered by a RACF command), a logging request from the RACROUTE REQUEST=AUTH exit routine, or because the operator granted access during failsoft processing.
4
RACROUTE REQUEST=VERIFY or initACEE failure.
5
This command is always audited.
6
Violation detected in command and CMDVIOL is in effect.
7
Access to entity being audited due to GLOBALAUDIT option.
44 2C SMF80TLV 1 Binary Terminal level number of foreground user (zero if not available).
45 2D SMF80ERR 1 Binary Command processing error flag. (See Note 3.)
Bit
Meaning when set
0
Command had error and RACF could not back out some changes
1
No profile updates were made because of error in RACF processing
2-7
Reserved for IBM's use.
46 2E SMF80TRM 8 EBCDIC Terminal ID of foreground user (zero if not available).
54 36 SMF80JBN 8 EBCDIC Job name. For RACROUTE REQUEST=VERIFY and REQUEST=DEFINE records for batch jobs, this field can be zero if the job name is not available at the time of the RACROUTE REQUEST=VERIFY or REQUEST=DEFINE.
62 3E SMF80RST 4 Binary Time, in hundredths of a second, that the reader recognized the JOB statement for this job. For RACROUTE REQUEST=VERIFY records for batch jobs, this field can be zero.
66 42 SMF80RSD 4 packed Date the reader recognized the JOB statement for this job, in the form 0cyydddF (where F is the sign). For RACROUTE REQUEST=VERIFY records for batch jobs, this field can be zero.
70 46 SMF80UID 8 EBCDIC User identification field from the SMF common exit parameter area. For RACROUTE REQUEST=VERIFY records for batch jobs, this field can be zero.
78 4E SMF80VER 1 Binary Version indicator (8 = Version 1, Release 8 or later). As of RACF 1.8.1, SMF80VRM is used instead.
79 4F SMF80RE2 1 Binary Additional reasons for logging
Bit
Meaning when set
0
Security level control for auditing.
1
VMEVENT Auditing.
2
Class being audited due to SETROPTS LOGOPTIONS.
3
Audited due to SETROPTS SECLABELAUDIT.
4
Entity audited due to SETROPTS COMPATMODE.
5
Audited due to SETROPTS APPLAUDIT.
6
Audited because user not defined to z/OS® UNIX
7
Audited because user does not have appropriate authority for z/OS UNIX
80 50 SMF80VRM 4 EBCDIC FMID for RACF
2020
RACF 2.2 and OS/390® Security Server (RACF) V1 R2
2030
OS/390 Security Server (RACF) V1 R3
2040
OS/390 Security Server (RACF) V2 R4
2060
OS/390 Security Server (RACF) V2 R6
2608
OS/390 Security Server (RACF) V2 R8
7703
OS/390 Security Server (RACF) V2 R10 and z/OS Security Server (RACF) V1 R1
7705
z/OS Security Server (RACF) V1 R2
7706
z/OS Security Server (RACF) V1 R3
7707
z/OS Security Server (RACF) V1 R4
7708
z/OS Security Server (RACF) V1 R5
7709
z/OS Security Server (RACF) V1 R6
7720
z/OS Security Server (RACF) V1 R7
7730
z/OS Security Server (RACF) V1 R8
7740
z/OS Security Server (RACF) V1 R9
7750
z/OS Security Server (RACF) V1 R10
7760
z/OS Security Server (RACF) V1 R11
7770
z/OS Security Server (RACF) V1 R12
7780
z/OS Security Server (RACF) V1 R13
7790
z/OS Security Server (RACF) V2 R1
77A0
z/OS Security Server (RACF) V2 R2
77B0
z/OS Security Server (RACF) V2 R3
77C0
z/OS Security Server (RACF) V2 R4
Start of change77D0End of change
Start of changez/OS Security Server (RACF) V2 R5End of change
84 54 SMF80SEC 8 EBCDIC Security label of the user.
92 5C SMF80RL2 2 Binary Offset to extended-length relocate sections from SMF80FLG.
94 5E SMF80CT2 2 Binary Count of extended-length relocate sections.
96 60 SMF80AU2 1 Binary Authority used continued
Bit
Meaning when set
0
z/OS UNIX superuser (Both UID(0) and BPX.SUPERUSER)
1
z/OS UNIX system function
2-7
Reserved for IBM's use.
97 61 SMF80RSV 1 Binary Reserved for IBM's use
Relocate section: See Table of relocate section variable data.
0 0 SMF80DTP 1 Binary Data type
1 1 SMF80DLN 1 Binary Length of data that follows
2 2 SMF80DTA 1-255 mixed Data
Extended-length relocate section: See Table of extended-length relocate section variable data.
0 0 SMF80TP2 2 Binary Data type
2 2 SMF80DL2 2 Binary Length of data that follows
4 4 SMF80DA2 variable EBCDIC Data
Notes:
  1. SMF80ATH: These flags indicate the authority checks made for the user who requested the action. The RACF commands use bits 0, 1, and 3; the RACF requests use bits 0, 2, and 4-7.
    • Bit 0 indicates that the user's authority to issue the command or SVC was determined by the checks for a user with the SPECIAL, OPERATIONS, AUDITOR, or ROAUDIT attribute. This bit indicates that the tests were made, not that the user passed the tests and has authority to issue the command. This bit is not set on if the user has the AUDITOR attribute and entered the command with only those operands that require the AUDITOR attribute.
    • Bit 1 indicates that the user has the SPECIAL attribute and used this authority to issue the command. If the user also has the AUDITOR or ROAUDIT attribute and entered the command with only those operands that require the AUDITOR or ROAUDIT attribute, this bit is not set on because the user did not use their authority as a user with the SPECIAL attribute.
    • Bit 2 is set by RACROUTE REQUEST=AUTH and RACROUTE REQUEST=DEFINE and indicates that the user has the OPERATIONS attribute and used this authority to obtain access to the resource.
    • Bit 3 indicates that the user has the AUDITOR or ROAUDIT attribute or group-AUDITOR and used this authority to issue the command with operands that require the AUDITOR or ROAUDIT attribute or group-AUDITOR authority.
    • Bit 4 indicates that the user has authority because the exit routine indicated that the request is to be accepted without any further authority checks.
    • Bit 5 indicates that resource access was granted by the operator during failsoft processing.
    • Bit 6 indicates that *BYPASS* was specified on the user ID field. Access was granted because RACF authority checking was bypassed.
    • Bit 7 indicates that the user has the trusted attribute.
  2. SMF80REA: These flags indicate the reason RACF produced the SMF record.
    • Bit 0 is set when there are changes made to a profile in a class specified in the AUDIT operand of the SETROPTS command.
    • Bit 1 is set when a user with the AUDITOR attribute specifies the UAUDIT operand on the ALTUSER command for a user and the user has changed RACF profiles with a RACF command, or a RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE has been issued for the user.
    • Bit 2 is set when a user with the AUDITOR attribute specifies the SAUDIT or OPERAUDIT operand on the SETROPTS command and a user with either the SPECIAL or OPERATIONS attribute has changed RACF profiles with a RACF command. To determine whether SPECIAL or OPERATIONS authority was used, see the flags in SMF80ATH. Bit 1 indicates SPECIAL. Bit 2 indicates OPERATIONS. Note that if a user has both the AUDITOR attribute and either the SPECIAL or OPERATIONS attribute when issuing a command with operands that require only the AUDITOR attribute, RACF does not log this activity because the SPECIAL or OPERATIONS authority is not used.
    • Bit 3 is set if:
      • The AUDIT option in the resource profile specifies that attempts to access the resource be logged.
      • The RACROUTE REQUEST=AUTH exit routine specifies unconditional logging.
      • The console operator grants the resource access during failsoft processing.
    • Bit 4 is set when the RACROUTE REQUEST=VERIFY fails to verify a user because of an invalid group, password, terminal, or OIDCARD, or initACEE fails because a certificate in not defined or is not trusted.
    • Bit 5 is set if the RVARY or SETROPTS command produced the SMF record. (The execution of these two commands always produces an SMF record.)
    • Bit 6 is set when a user with the AUDITOR attribute specifies logging of command violations (with the CMDVIOL operand on the SETROPTS command) and RACF detects a violation.
    • Bit 7 is set when attempts to access a RACF-protected resource are being logged, as requested by the GLOBALAUDIT option in the resource profile.
  3. SMF80ERR: These flags indicate errors during command processing and the extent of the processing.
    • Bit 0 indicates that an error occurred that prevented the command from completing all updates requested, and the command was unable to back out the updates already done. If this bit is on, there may be an inconsistency between the profiles on the RACF database, or between the profile for a data set and the RACF-indicator for the data set in the DSCB or catalog. The latter is also indicated by a bit in the command-related information for the ADDSD, ALTDSD, and DELDSD commands. For some commands (for example, ADDUSER), the inconsistency means an incompletely defined resource. For other commands, where the profiles are already defined (for example, ALTUSER), the inconsistency means that all changes were not made, but the profiles are still usable.

      This bit indicates a terminating error and should not be confused with a keyword violation or processing error where the command continues processing other operands.

    • Bit 1 indicates that none of the requested changes were made, because either (1) a terminating error occurred before the changes were made, or (2) the command was able to back out the changes after a terminating error.

Table of event codes and event code qualifiers

This table describes the SMF80EVT (event code) and SMF80EVQ (event code qualifier) fields.

The event code qualifier is 0 if the recorded event is not a violation or a warning. There are exceptions for event code 1 (Job initiation/TSO logon/logoff); event qualifier codes 8, 12, 13 and 32 are not violations or warnings.

For event codes 8 through 25, an event code qualifier of 1 indicates one of the following:
  • The command user is not RACF-defined.
  • The command user is not authorized to change the requested profiles on the RACF database.
  • The command user does not have sufficient authority for any of the operands on the command.

For event codes 8 through 25, an event code qualifier of 2 indicates that the command user does not have sufficient authority to specify some of the operands, but RACF performed the processing for the operands for which the user has sufficient authority.

Event code qualifiers of 3 and 4 apply to the ADDSD, ALTDSD, and DELDSD commands. They indicate whether the retrieval of the data set affected by the security label change was successful (3) or not (4).

For detailed descriptions of the SMF event code qualifiers, see Event code qualifier descriptions.
Event 1( 1): JOB INITIATION / TSO LOGON/LOGOFF (detected by RACINIT request)
Code Qualifier Dec(Hex) Description Relocate type sections (Possible SMF80DTP/ SMF80TP2 Values)
0( 0) Successful Initiation 1, 17, 20, 46, 47, 49, 53, 55, 331, 332, 374, 386, 392, 393, 394, 395, 424, 425, 443
1( 1) Password not valid  
2( 2) Group not valid  
3( 3) OIDCARD not valid  
4( 4) Terminal/console not valid  
5( 5) Application not valid  
6( 6) Revoked user attempting access  
7( 7) User ID automatically revoked because of excessive password and password phrase attempts.  
8( 8) Successful termination  
9( 9) Undefined user ID  
10( A) Insufficient security label authority  
11( B) Not authorized to security label  
12( C) Successful RACINIT initiation  
13( D) Successful RACINIT delete  
14( E) System now requires more authority  
15( F) Remote job entry - job not authorized  
16(10) SURROGAT class is inactive  
17(11) Submitter is not authorized by user  
18(12) Submitter not authorized to security label  
19(13) User is not authorized to job  
20(14) WARNING - Insufficient security label authority  
21(15) WARNING - security label missing from user, job, or profile  
22(16) WARNING - not authorized to security label  
23(17) Security labels not compatible  
24(18) WARNING - security labels not compatible  
25(19) Current® PASSWORD has expired  
26(1A) Invalid new PASSWORD  
27(1B) Verification failed by installation  
28(1C) Group access has been revoked  
29(1D) OIDCARD is required  
30(1E) Network job entry - job not authorized  
31(1F) Warning - unknown user from trusted node propagated  
32(20) Successful initiation using PassTicket  
33(21) Attempted replay of PassTicket  
34(22) Client security label not equivalent to server's  
35(23) User automatically revoked because of inactivity  
36(24) Password phrase is not valid  
37(25) New password phrase is not valid  
38(26) Current password phrase has expired  
39(27) No RACF user ID found for distributed identity  
40(28) Successful Multifactor Authentication (MFA)  
41(29) Failed Multifactor Authentication (MFA)  
42(2A) Failed authentication because no multifactor decision could be made for a MFA user who has the NOPWFALLBACK option.  
43(2B) IBM MFA partial success: credentials were not incorrect, but a re-authentication is required.  
44(2C) Identity Token validation error
45(2D) Identity Token build error  
46(2E) Failed Identity Token authentication  
Event 2( 2): RESOURCE ACCESS (detected by RACROUTE REQUEST=AUTH, RACROUTE REQUEST=FASTAUTH and DIRAUTH function)
Code Qualifier Dec(Hex) Description Relocate type sections (Possible SMF80DTP/SMF80TP2 Values)
0( 0) Successful access 1, 3, 4, 5, 15, 16, 17, 20, 33, 38, 46, 48, 49, 50, 51, 53, 54, 55, 64, 65, 66, 331, 332, 386, 390 (see Notes® 1 and 2), 392, 393, 394, 395, 396 (see Note 3), 424, 425, 445
1( 1) Insufficient authority  
2( 2) Profile not found - RACFIND specified on macro  
3( 3) Access permitted because of warning  
4( 4) Failed because of PROTECTALL  
5( 5) WARNING issued because of PROTECTALL  
6( 6) Insufficient CATEGORY/SECLEVEL  
7( 7) Insufficient security label authority  
8( 8) WARNING - security label missing from job, user, or profile  
9( 9) WARNING - insufficient security label authority  
10( A) WARNING - Data set not cataloged  
11( B) Data set not cataloged  
12( C) Profile not found - required for authority checking  
13( D) WARNING - insufficient CATEGORY/SECLEVEL  
14( E) WARNING - Non-MAIN execution environment detected while in ENHANCED PGMSECURITY mode. Conditional access or use of EXECUTE-controlled program temporarily allowed.  
15( F) Conditional access or use of EXECUTE-controlled program allowed through BASIC mode program while in ENHANCED PGMSECURITY mode.  
Notes:
  1. The SMF80DTP value 4 (access authority allowed) can be less than the SMF80DTP value 3 (access authority requested) in two cases:
    • When RACF authorizes access to a user who requested access to a database because the user has the OPERATIONS attribute.
    • When the RACROUTE REQUEST=AUTH exit routine returns a return code of 12, which indicates that the request should be granted.
  2. The SMF80DTP value of 16 appears only when the RACROUTE REQUEST=AUTH received an old volume (OLDVOL) as input. The value of 33 appears when a generic profile is used.
  3. Relocate 396 appears with event code qualifier 0. It appears only when access is granted because of the criteria entries on the conditional access list.
Event 3( 3): ADDVOL/CHGVOL (detected by RACROUTE REQUEST=DEFINE TYPE=ADDVOL or CHGVOL)
Code Qualifier Dec(Hex) Description Relocate type sections (Possible SMF80DTP/ SMF80DA2 Values)
0( 0) Successful processing of new volume 1, 4, 5, 15, 16, 17, 33, 38, 44, 46, 49, 53, 51, 55, 331, 332, 386 (see Note), 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority (DATASET only)  
2( 2) Insufficient security label authority  
3( 3) Less specific profile exists with different security label  
Note: The SMF80DTP value of 16 appears only when the RACROUTE REQUEST=AUTH received an old volume (OLDVOL) as input. The value of 33 appears when a generic profile is used.
Event 4( 4): RENAME RESOURCE (detected by RACROUTE REQUEST=DEFINE with TYPE=DEFINE and NEWNAME specified)
Code Qualifier Dec(Hex) Description Relocate type sections (Possible SMF80DTP/ SMF80DA2 Values)
0( 0) Successful rename 1, 2, 5, 15, 17, 33, 38, 44, 46, 49, 51, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Group not valid  
2( 2) User not in group  
3( 3) Insufficient authority  
4( 4) Resource name already defined  
5( 5) User not defined to RACF  
6( 6) Resource not protected  
7( 7) WARNING - resource not protected  
8( 8) User in second qualifier is not RACF-defined  
9( 9) Less specific profile exists with different security label  
10( A) Insufficient security label authority  
11( B) Resource not protected by security label  
12( C) New name not protected by security label  
13( D) New security label must dominate old security label  
14( E) Insufficient security label authority  
15( F) WARNING - resource not protected by security label  
16(10) WARNING - new name not protected by security label  
17(11) WARNING - new security label must dominate old security label  
Note: In cases where the RACROUTE REQUEST=DEFINE is used to rename a resource (SMF80EVT=4), the data type 33 relocate section can hold a resource name that is either the old name or the new name, or it can hold the generic profile that protects the old or the new name.
Event 5( 5): DELETE RESOURCE (detected by RACROUTE REQUEST=DEFINE, TYPE=DELETE or DELETE)
Code Qualifier Dec(Hex) Description Relocate type sections (Possible SMF80DTP/ SMF80DA2 Values)
0( 0) Successful scratch 1, 5, 15, 17, 33, 38, 44, 46, 49, 51, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Resource not found  
2( 2) Invalid volume identification (DATASET only)  
Event 6( 6): DELETE 1 VOLUME OF MULTIVOLUME RESOURCE (detected by RACROUTE REQUEST=DEFINE, TYPE=DELETE)
Code Qualifier Dec(Hex) Description Relocate type sections (Possible SMF80DTP/ SMF80DA2 Values)
0( 0) Successful deletion 1, 5, 8, 15, 17, 38, 44, 46, 49, 51, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425
Event 7( 7): DEFINE RESOURCE (detected by RACROUTE REQUEST=DEFINE, TYPE=DEFINE)
Code Qualifier Dec(Hex) Description Relocate type sections (Possible SMF80DTP/ SMF80DA2 Values)
0( 0) Successful definition 1, 5, 15, 17, 18, 19, 33, 38, 44, 46, 49, 51, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Group undefined  
2( 2) User not in group  
3( 3) Insufficient authority  
4( 4) Resource name already defined  
5( 5) User not defined to RACF  
6( 6) Resource not protected  
7( 7) WARNING - resource not protected  
8( 8) WARNING - security label missing from job, user, or profile  
9( 9) WARNING - insufficient security label authority  
10( A) User in second qualifier is not RACF-defined  
11( B) Insufficient security label authority  
12( C) Less specific profile exists with a different security label  
EVENT dec(hex) Command Code qualifier dec(hex) Description Relocate type sections (possible SMF80DTP/ SMF80DA2 values)
8( 8) ADDSD 0( 0) No violations detected 6, 7, 10, 13, 33, 38, 40, 44, 49, 50, 51, 53, 55, 62, 63, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority (no update to RACF database)
2( 2) Keyword violations detected (partial or no update to RACF database; see SMF80ERR)
3( 3) Successful retrieval of data set names affected by a security label change
4( 4) Error during retrieval of data set names affected by a security label change
9( 9) ADDGROUP 0( 0) No violations detected 6, 7, 37, 38, 44, 49, 53, 55, 63, 301, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority (no update to RACF database)
2( 2) Keyword violations detected (partial or no update to RACF database; see SMF80ERR)
10( A) ADDUSER 0( 0) No violations detected 6, 7, 8, 28, 37, 38, 40, 44, 49, 53, 55, 301, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority (no update to RACF database)
2( 2) Keyword violations detected (partial or no update to RACF database; see SMF80ERR)
11( B) ALTDSD 0( 0) No violations detected 6, 7, 10, 11, 33, 38, 40, 41, 44, 49, 50, 51, 53, 55, 62, 63, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority (no update to RACF database)
2( 2) Keyword violations detected (partial or no update to RACF database; see SMF80ERR)
3( 3) Successful retrieval of data set names affected by a security label change
4( 4) Error during retrieval of data set names affected by a security label change
12( C) ALTGROUP 0( 0) No violations detected 6, 7, 37, 38, 44, 49, 53, 55, 301, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority (no update to RACF database)
2( 2) Keyword violations detected (partial or no update to RACF database; see SMF80ERR)
13( D) ALTUSER 0( 0) No violations detected 6, 7, 8, 28, 37, 38, 40, 41, 44, 49, 53, 55, 301, 331, 332, 386, 392, 393, 394, 395, 424, 425, 440, 441, 442
1( 1) Insufficient authority (no update to RACF database)
2( 2) Keyword violations detected (partial or no update to RACF database; see SMF80ERR)
14( E) CONNECT 0( 0) No violations detected 6, 38, 49, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority (no update to RACF
2( 2) Keyword violations detected (partial or no update to RACF database; see SMF80ERR)
15( F) DELDSD 0( 0) No violations detected 6, 38, 49, 50, 51, 53, 55, 62, 63, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority (no update to RACF database)
2( 2) Keyword violations detected (partial or no update to RACF database; see SMF80ERR)
3( 3) Successful retrieval of data set names affected by a security label change
4( 4) Error during retrieval of data set names affected by a security label change
16(10) DELGROUP 0( 0) No violations detected 6, 38, 44, 49, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority (no update to RACF database)
2( 2) Keyword violations detected (partial or no update to RACF database; see SMF80ERR)
17(11) DELUSER 0( 0) No violations detected 6, 38, 44, 49, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority (no update to RACF database)
2( 2) Keyword violations detected (partial or no update to RACF database; see SMF80ERR)
18(12) PASSWORD 0( 0) No violations detected 6, 38, 49, 53, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority (no update to RACF database)
2( 2) Keyword violations detected (partial or no update to RACF database; see SMF80ERR)
19(13) PERMIT 0( 0) No violation detected 6, 9, 12, 13, 14, 17, 26, 38, 39, 49, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority (no update to RACF database)
2( 2) Insufficient authority (partial or no update to RACF database; see SMF80ERR)
20(14) RALTER 0( 0) No violations detected 6, 7, 9, 10, 11, 17, 24, 25, 29, 33, 38, 40, 41, 44, 49, 50, 51, 53, 55, 301, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority (no update to RACF database)
2( 2) Keyword violations detected (partial or no update to RACF database; see SMF80ERR)
21(15) RDEFINE 0( 0) No violations detected 6, 7, 9, 13, 17, 24, 29, 33, 38, 40, 44, 49, 50, 51, 53, 55, 301, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority (no update to RACF database)
2( 2) Keyword violations detected (partial or no update to RACF database; see SMF80ERR)
22(16) RDELETE 0( 0) No violations detected 6, 9, 17, 38, 44, 49, 50, 51, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority (no update to RACF database)
2( 2) Keyword violations detected (partial or no update to RACF database; see SMF80ERR)
23(17) REMOVE 0( 0) No violations detected 6, 17, 38, 49, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority (no update to RACF database)
2( 2) Keyword violations detected (partial or no update to RACF database; see SMF80ERR)
24(18) SETROPTS 0( 0) No violations detected 6, 21, 22, 23, 27, 32, 34, 35, 36, 42, 43, 44, 45, 49, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority (no update to RACF database)
2( 2) Keyword violations detected (partial or no update to RACF database; see SMF80ERR)
25(19) RVARY 0( 0) No violations detected 6, 27, 30, 31, 49, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority (no update to RACF database)
2( 2) Keyword violations detected (partial or no update to RACF database; see SMF80ERR)
26(1A) APPC SESSION ESTABLISHMENT 0( 0) Partner verification was successful 1, 17, 33, 38, 49, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Session established without verification
2( 2) Local LU key will expire in <= 5 days
3( 3) Partner LU access has been revoked
4( 4) Partner LU key does not match this LU key
5( 5) Session terminated for security reason
6( 6) Required SESSION KEY not defined
7( 7) Possible security attack by partner LU
8( 8) SESSION KEY not defined for partner LU
9( 9) SESSION KEY not defined for this LU
10( A) SNA security-related protocol error
11( B) Profile change during verification
12( C) Expired SESSION KEY
27(1B) GENERAL 0( 0) General purpose auditing 17, 46, 49, 53, 55, 331, 332, 386, 392, 393, 394, 395, 424, 425
28(1C) DIRECTORY SEARCH 0( 0) Access allowed 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265 266, 267, 268, 269, 270, 291, 295, 297, 298, 299, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Not authorized to search directory
2( 2) Security label failure
29(1D) CHECK ACCESS TO DIRECTORY 0( 0) Access allowed 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264 265, 266, 267, 268, 269, 270, 297, 298, 299, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Caller does not have requested access authority
2( 2) Security label failure
30(1E) CHECK ACCESS TO FILE 0( 0) Access allowed 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 298, 299, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Caller does not have requested access authority
2( 2) Security label failure
31(1F) CHAUDIT 0( 0) File's audit options changed 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 292, 293, 294, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Caller does not have authority to change user audit options of specified file
2( 2) Caller does not have authority to change auditor audit options
3( 3) Security label failure
32(20) CHDIR 0( 0) Current working directory changed 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
* Failures logged as directory search event types
33(21) CHMOD 0( 0) File's mode changed 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 263, 264, 265, 266, 289, 290, 296, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Caller does not have authority to change mode of specified file
2( 2) Security label failure
34(22) CHOWN 0( 0) File's owner or group owner changed 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 280, 281, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Caller does not have authority to change owner or group owner of specified file
2( 2) Security label failure
35(23) CLEAR SETID BITS FOR FILE 0( 0) S_ISUID, S_ISGID, and S_ISVTX bits changed to zero (write) 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 289, 290, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
  No failure cases
36(24) EXEC WITH SETUID/SETGID 0( 0) Successful change of z/OS UNIX user identifiers (UIDs) and z/OS UNIX group identifiers (GIDs). 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 272, 273, 274, 275, 276, 277, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
  No failure cases. Access to program file is audited by an internal open
37(25) GETPSENT 0( 0) Access allowed 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 282, 283, 284, 288, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Not authorized to access specified process
38(26) INITIALIZE z/OS UNIX PROCESS (DUB) 0( 0) z/OS UNIX process successfully initiated 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) User not defined as a z/OS UNIX user (no user profile or no OMVS segment)
2( 2) User incompletely defined as a z/OS UNIX user (no z/OS UNIX user identifier (UID) in user profile)
3( 3) User's current group has no z/OS UNIX group identifier (GID).
39(27) z/OS UNIX PROCESS COMPLETION (UNDUB) 0( 0) Process completed 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
  No failure cases
40(28) KILL 0( 0) Access allowed 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 282, 283, 284, 288, 300, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Not authorized to access specified process
2( 2) Security label failure
41(29) LINK 0( 0) New link created 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 270, 299, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
* Failures logged as directory search or check access event types
42(2A) MKDIR 0( 0) Directory successfully created 17, 49, 50, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 289, 290, 294, 296, 307, 308, 309, 310, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
* Failures logged as directory search or check access event types
43(2B) MKNOD 0( 0) Node successfully created 17, 49, 50, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 289, 290, 294, 296, 307, 308, 309, 310, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
* Failures logged as directory search or check access event types
44(2C) MOUNT FILE SYSTEM 0( 0) Successful mount 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 295, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
* Failures logged as ck_priv event type
45(2D) OPEN (NEW FILE) 0( 0) File successfully created 17, 49, 50, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 289, 290, 294, 296, 307, 308, 309, 310, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
* Failures logged as directory search or check access event types
46(2E) PTRACE 0( 0) Access allowed 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 282, 283, 284, 285, 286, 287, 288, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Not authorized to access specified process
2( 2) Security label failure
47(2F) RENAME 0( 0) Rename successful 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 270, 271, 278, 279, 294, 299, 302, 307, 308, 309, 310, 311, 312, 313, 314, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
* Failures logged as directory search or check access event types
48(30) RMDIR 0( 0) Successful rmdir 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
* Failures logged as directory search or check access event types
49(31) SETEGID 0( 0) Successful change of effective z/OS UNIX group identifier (GID). 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 275, 276, 277, 281, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Not authorized to setegid
50(32) SETEUID 0( 0) Successful change of effective z/OS UNIX user identifier (UID). 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 272, 273, 274, 280, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Not authorized to seteuid
51(33) SETGID 0( 0) Successful change of z/OS UNIX group identifiers (GIDs). 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 275, 276, 277, 281, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Not authorized to setgid
52(34) SETUID 0( 0) Successful change of z/OS UNIX user identifiers (UIDs). 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 272, 273, 274, 280, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Not authorized to setuid
53(35) SYMLINK 0( 0) Successful symlink 17, 49, 50, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 297, 307, 308, 309, 310, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
* Failures logged as directory search or check access event types
54(36) UNLINK 0( 0) Successful unlink 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 302, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
* Failures logged as directory search or check access event types
55(37) UNMOUNT THE SYSTEM 0( 0) Successful unmount 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 295, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
* Failures logged as ck_priv event type
56(38) CHECK FILE OWNER 0( 0) User is the owner 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 307, 308, 309, 310, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) User is not the owner
2( 2) Security label failure
57(39) CK_PRIV 0( 0) User is authorized 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) User is not authorized to use requested function
58(3A) OPEN SUBSIDIARY TTY 0( 0) Access allowed 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 282, 283, 284, 288, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Not authorized to access specified process
59(3B) RACLINK 0( 0) Access allowed 6, 49, 53, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority
2( 2) Keyword violation detected
3( 3) Association already defined
4( 4) Association already approved
5( 5) Association does not match
6( 6) Association does not exist
7( 7) Password not valid or user ID is revoked
60(3C) CHECK IPC ACCESS 0( 0) Access allowed 17, 49, 51, 56, 256, 257, 258, 259, 260, 261, 262, 265, 266, 267, 268, 269, 303, 304, 305, 306, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Caller does not have proper access authority
2( 2) Security label failure
61(3D) IPCGET (MAKE ISP) 0( 0) Successful creation of ISP 17, 49, 51, 56, 256, 257, 258, 259, 260, 261, 262, 265, 266, 269, 303, 304, 305, 306, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Security label failure
62(3E) R_IPC control 0( 0) Access allowed 17, 49, 51, 56, 256, 257, 258, 259, 260, 261, 262, 265, 266, 280, 281, 289, 290, 291, 296, 303, 304, 305, 306, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Caller does not have proper authority.
2( 2) Security label failure
63(3F) SETGROUP 0( 0) Access allowed 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Not authorized to access specified process
64(40) CHECK OWNER, TWO FILES 0( 0) User is the owner 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 271, 278, 279, 315, 316, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) User is not the owner
2( 2) Security label failure
65(41) R_AUDIT 0( 0) Successful r_audit 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
  No failure case
66(42) RACDCERT 0( 0) No violation detected 6, 49, 53, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 336, 337, 338, 339, 386, 392, 393, 394, 395, 398, 399, 424, 425Start of change, 446End of change
1( 1) Insufficient authority (no update to RACF database)
67(43) INITACEE 0( 0) Successful certificate registration 49, 53, 318, 319, 331, 332 374, 386, 392, 393, 394, 395, 424, 425Start of change, 446End of change
1( 1) Successful certificate deregistration
2( 2) Not authorized to register the certificate
3( 3) Not authorized to unregister the certificate
4( 4) No user ID found for the certificate
5( 5) The certificate is not trusted
6( 6) Successful CERTAUTH certificate registration
7( 7) Insufficient authority to register the CERTAUTH certificate
8( 8) Client security label not equivalent to server's
9( 9) A SITE or CERTAUTH certificate was used to authenticate a user
10(A) No RACF user ID found for distributed identity
68(44) GRANT OF INITIAL KERBEROS TICKET (reserved for use by Network Authentication Service) 0( 0) Success 333, 334, 335
1( 1) Failure
69(45) R_PKIServ GENCERT 0( 0) Successful GENCERT request 46, 49, 53, 318, 319, 331, 332, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 357, 358, 359, 373, 375, 376, 377, 378, 386, 388, 391, 392, 393, 394, 395, 422, 424, 425, 426, 427, 428
1( 1) Insufficient authority for GENCERT
2( 2) Successful REQCERT request
3( 3) Insufficient authority for REQCERT
4( 4) Successful GENRENEW request
5( 5) Insufficient authority for GENRENEW
6( 6) Successful REQRENEW request
7( 7) Insufficient authority for REQNRENEW
8( 8) Successful PREREGISTER request
9( 9) Insufficient authority for PREREGISTER
70(46) R_PKIServ EXPORT 0( 0) Successful EXPORT request 46, 49, 53, 331, 332, 343, 344, 351, 359, 386, 391, 392, 393, 394, 395, 421, 424, 425
1( 1) Insufficient authority for EXPORT
2( 2) Incorrect pass phrase specified for EXPORT
71(47) POLICY DIRECTOR ACCESS CONTROL DECISION (reserved for use by Policy Director Authorization Services) 0( 0) Authorized 352, 353, 354, 355, 356, 372
1( 1) Not authorized but permitted because of warning mode
2( 2) Not authorized because of insufficient traverse authority but permitted because of warning mode
3( 3) Not authorized because of time-of-day check but permitted because of warning mode
4( 4) Not authorized
5( 5) Not authorized because of insufficient traverse authority
6( 6) Not authorized because of time-of-day check
72(48) R_PKIServ QUERY, DETAILS, or VERIFY 0( 0) Successful admin QUERY or DETAILS request 20, 46, 49, 53, 318, 319, 331, 332, 340, 341, 342, 346, 351, 358, 360, 361, 362, 363, 373, 375, 386, 391, 392, 393, 394, 395, 421, 422, 424, 425, 426, 429, 433, 434
1( 1) Insufficient authority for admin QUERY or DETAILS
2( 2) Successful VERIFY request
3( 3) Insufficient authority for VERIFY
4( 4) Incorrect VERIFY certificate, no record found for this certificate
73(49) R_PKIServ UPDATEREQ 0( 0) Successful admin UPDATEREQ request 46, 49, 53, 331, 332, 340, 341, 342, 346, 347, 348, 349, 350, 351, 357, 364, 365, 375, 376, 377, 378, 386, 388, 391, 392, 393, 394, 395, 424, 425, 427, 428
1( 1) Insufficient authority for admin UPDATEREQ
74(4A) R_PKIServ UPDATECERT or REVOKE 0( 0) Successful admin UPDATECERT request 48, 49, 53, 318, 331, 332,364, 365, 366, 386, 391, 392, 393, 394, 395, 423, 424, 425
1( 1) Insufficient authority for admin UPDATECERT
2( 2) Successful REVOKE request
3( 3) Insufficient authority for REVOKE
75(4B) Change file ACL 0( 0) ACL successfully changed 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 307, 308, 309, 310, 315, 316, 317, 331, 332, 367, 368, 369, 370, 371, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority to change ACL
2( 2) Security label failure
76(4C) Remove file ACL 0( 0) Entire ACL removed 17, 49, 51, 53, 55, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 307, 308, 309, 310, 315, 316, 317, 331, 332, 367, 386, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority to remove ACL
2( 2) Security label failure
77(4D) Set file security label (R_setfsecl) 0( 0) Security label change successful 17, 49, 50, 51, 53, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 317, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Not authorized to change security label
78(4E) Set write-down privilege (R_writepriv) 0( 0) Requested function successful 49, 53, 331, 332, 386, 392, 393, 394, 395, 424, 425
1( 1) Not authorized to IRR.WRITEDOWN.BYUSER
79(4F) CRL publication 0( 0) See z/OS Cryptographic Services PKI Services Guide and Reference.  
80(50) RPKIRESP 0( 0) Successful RESPOND request 46, 49, 53, 331, 332, 386, 389, 391, 392, 393, 394, 395, 424, 425
1( 1) Insufficient authority for RESPOND
81(51) PassTicket evaluation 0( 0) Success 20, 48, 49, 53
1( 1) Failure
82(52) PassTicket generation 0( 0) Success 20, 48, 49, 53
1( 1) Failure
83(53) RPKISCEP 0( 0) Successful AutoApprove PKCSReq request 46, 49, 53, 318, 319, 331, 332, 340, 341, 342, 346, 347, 348, 349, 350, 351, 357, 358, 359, 373, 375, 386, 388, 391, 392, 393, 394, 395, 424, 425, 427, 428
1( 1) Successful AdminApprove PKCSReq request
2( 2) Successful GetCertInitial request
3( 3) Rejected PKCSReq or GetCertInitial request
4( 4) Incorrect SCEP transaction ID specified for GetCertInitial
5( 5) Insufficient authority for SCEPREQ
84(54) RDATAUPD 0( 0) Successful NewRing 49, 53, 318, 319, 320, 331, 332, 343, 344, 346, 386, 392, 393, 394, 395, 400®, 401, 402, 403, 404, 405, 406, 407, 424, 425, 435, 436, 437, 438Start of change, 446End of change
1( 1) Not authorized to call NewRing
2( 2) Successful DataPut
3( 3) Not authorized to call DataPut
4( 4) Successful DataRemove
5( 5) Not authorized to call DataRemove
6( 6) Successful DelRing
7( 7) Not authorized to call DelRing
85(55) PKIAURNW 0( 0) Successful autoRenew 318, 319, 341, 342, 346, 358, 363, 373, 391, 408
86(56) R_PgmSignVer 0( 0) Successful signature verification 1, 15, 46, 49, 53, 66, 331, 332, 386, 392, 393, 394, 395, 409, 410, 411, 412, 413, 414, 424, 425
1( 1) Signature appears valid but root CA certificate not trusted
2( 2) Module signature failed verification
3( 3) Module certificate chain incorrect
4( 4) Signature required but module not signed
5( 5) Signature required but signature has been removed
6( 6) Program verification module not loaded. Program verification was not available when attempt was made to load this program.
7( 7) The algorithmic self-test failed while verifying the program verification module.
87(57) RACMAP 0( 0) No violation detected 6, 49, 53, 331, 332, 386, 392, 393, 394, 395, 415, 416, 424, 425
1( 1) Insufficient authority (no update to RACF database)
88(58) AUTOPROF 0( 0) Successful profile modification 17, 49, 53, 55, 256, 257, 258, 259, 260, 261, 262, 317, 331, 332, 386, 392, 393, 394, 395, 417, 418, 419, 420, 424, 425
89(59) RPKIQREC 0( 0) Successful user QRECOVER request 20, 46, 49, 53, 318, 319, 331, 332, 341, 342, 346, 358, 386, 391, 392, 393, 394, 395, 421, 424, 425
1( 1) Insufficient authority for user QRECOVER
Start of change90(5A)End of change Start of changePKIGENCEnd of change Start of change0( 0)End of change Start of changeSuccessful profile commandEnd of change Start of change318, 319, 341, 342, 346, 391, 446, 447End of change

Table of relocate section variable data

This table describes the variable data elements of the relocate section.

Data type (SMF80DTP) dec(hex) Data length (SMF80DLN) Format Description (SMF80DTA)
 1( 1) 1-255 EBCDIC Resource name or old resource name (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE)
 2( 2) 1-255 EBCDIC New data set name (RACROUTE REQUEST=DEFINE)
 3( 3) 1 Binary Access requested (see Note 1)
 4( 4) 1 Binary Access allowed (see Note 2)
 5( 5) 1 Binary Data set level number (00-99)
 6( 6) 1-255 mixed RACF command-related data (see Table of data type 6 command-related data)
 7( 7) 1-255 EBCDIC DATA installation-defined data (ADDUSER, ALTUSER, RALTER, RDEFINE, ADDGROUP, ALTGROUP, ADDSD, ALTDSD)
 8( 8) 1-20 EBCDIC NAME user-name (ADDUSER, ALTUSER)
 9( 9) 1-255 EBCDIC Resource name (PERMIT, RALTER, RDEFINE, RDELETE)
10( A) 7 EBCDIC Volume serial (ALTDSD ADDVOL, RALTER ADDVOL, ADDSD VOLUME). When set on, bit 0 of the first byte indicates that the volume was not processed. Bytes 2-7 contain the volume serial number.
11( B) 7 EBCDIC Volume serial (ALTDSD DELVOL, RALTER DELVOL). When set on, bit 0 of the first byte indicates that the volume was not processed. Bytes 2-7 contain the volume serial.
12( C) 9-243   1 to 27 ID names (PERMIT), each 9 bytes long
Binary Byte 1: Processing flags:
Bit
Meaning when set
0
ID ignored because of processing error (see Note 3)
1-7
Reserved for IBM's use
EBCDIC Bytes 2-9: ID name
13( D) 1-255 EBCDIC FROM resource name (PERMIT, ADDSD, RDEFINE)
14( E) 12 EBCDIC VOLUME volume serial (6 bytes) followed by FVOLUME volume serial (6 bytes) (PERMIT)
15( F) 6 EBCDIC VOLSER volume serial (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE)

(Note that when RACROUTE REQUEST=AUTH receives a DATASET profile as input, the volume serial logged is the first volume serial contained in the profiles list of volume serials.)

16(10) 6 EBCDIC OLDVOL volume serial (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE)

(Note that when RACROUTE REQUEST=AUTH receives a DATASET profile as input, the volume serial logged is the first volume serial contained in the profiles list of volume serials.)

17(11) 1-8 EBCDIC Class name (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE, RDEFINE, RALTER, RDELETE, PERMIT, or VMXEVENT auditing). For z/OS UNIX, class controlling auditing for the request.
18(12) 1-255 EBCDIC MENTITY model resource name (RACROUTE REQUEST=DEFINE)
19(13) 6 EBCDIC Volume serial of model resource (RACROUTE REQUEST=DEFINE)
20(14) 8 EBCDIC Application name (RACROUTE REQUEST=VERIFY and VERIFYX)
21(15) 10   Current class options (set by SETROPTS or RACF initialization)
binary Byte 1:
Bit
Meaning when set
0
Statistics are in effect
1
Auditing is in effect
2
Protection is in effect
3
Generic profile processing is in effect
4
Generic command processing is in effect
5
Global access checking active
6
RACLIST option in effect
7
GENLIST option in effect
EBCDIC Bytes 2-9: Class name
Byte 10:
Bit
Meaning when set
0
Reserved for IBM's use
1
LOGOPTIONS(ALWAYS) is in effect
2
LOGOPTIONS(NEVER) is in effect
3
LOGOPTIONS(SUCCESSES) is in effect
4
LOGOPTIONS(FAILURES) is in effect
5
LOGOPTIONS(DEFAULT) is in effect
6-7
Reserved for IBM's use
22(16) 8 EBCDIC Class name from STATISTICS/NOSTATISTICS keyword (SETROPTS)
23(17) 8 EBCDIC Class name from AUDIT/NOAUDIT keyword (SETROPTS)
24(18) 2-247 EBCDIC Resource name from ADDMEM keyword (RDEFINE, RALTER)
Byte 1:
Bit
Meaning when set
0
Resource name not processed
1
Resource name ignored because command user lacked sufficient authority to perform the operation

Bytes 2-247: Resource name

25(19) 2-247 EBCDIC Resource name from DELMEM keyword (RALTER). Bit 0 of the first byte, when set on, indicates that the resource name was not processed. Bytes 2-247 contain the resource name.
26(1A) 8 EBCDIC Class name from FCLASS keyword (PERMIT)
27(1B) 8 EBCDIC Class name from CLASSACT/NOCLASSACT keyword (SETROPTS, RVARY)
28(1C) 9 mixed Class name from CLAUTH/NOCLAUTH keyword (ADDUSER, ALTUSER). Bit 1 of the first byte, when set on, indicates that the class was ignored because the command user did not have sufficient authority to perform the operation. Bytes 2-9 contain the class name.
29(1D) 1-255 EBCDIC Application data (RDEFINE, RALTER)
30(1E) 12-55 mixed RACF database status (RVARY, RACF initialization)
Byte 1:
Bit
Meaning when set
0
Database is active
1
Database is backup
2-7
Reserved for IBM's use

Bytes 2-4: Unit name

Bytes 5-10 Volume

Byte 11: Sequence number

Byte 12: 1-44 character data set name

31(1F) 1-44 EBCDIC Data set name from DATASET operand (RVARY)
32(20) 89 mixed
Byte
Description
1
Password interval value
2
Password history value
3
User ID revoke value
4
Password warning level value
5-84
Password syntax rules value
85
User ID inactive interval
86-89
Indicators
Bit
Meaning when set
0
MODEL(GDG) in effect
1
MODEL(USER) in effect
2
MODEL(GROUP) in effect
3
GRPLIST in effect
4-31
Reserved for IBM's use
33(21) 2-255 mixed Byte 1: Processing Flags
Bit
Meaning when set
0
1=Resource name is generic
 
0=Generic profile is used
1
1=The old name of a data set renamed by RACROUTE REQUEST=DEFINE.
 
0=The new name of a data set renamed by RACROUTE REQUEST=DEFINE.
2-7
Reserved for IBM's use

Bytes 2-254: Generic resource name or name of generic profile used

Note: This relocate section does not appear in the record when a generic profile was not used, for example when a user is granted access to his own JES spool files without using a profile, even though one exists.
34(22) 8 EBCDIC Class name from GENERIC/NOGENERIC (SETROPTS)
35(23) 8 EBCDIC Class name from GENCMD/NOGENCMD (SETROPTS)
36(24) 8 EBCDIC Class name from GLOBAL/NOGLOBAL (SETROPTS)
37(25) 1-44 EBCDIC Model name
38(26) 8 EBCDIC User ID or group name that owns the profile (RACROUTE REQUEST=AUTH and RACROUTE REQUEST=DEFINE and all the RACF commands that produce log records, except SETROPTS and RVARY). During DEFINE operations, this field contains the owner that the profile is defined with; in all other operations, it contains the current owner. Thus, for owner changes, it contains the old owner.
39(27) 4-255   Variable number of entity names (PERMIT), each 4 to 42 bytes long
binary Bytes 1-2: Processing flags:
Bit
Meaning when set
0
Entity ignored because of processing error
1
PROGRAM class entity
2
CONSOLE class entity
3
TERMINAL class entity
4
JESINPUT class entity
5
APPCPORT class entity
6
SYSID entity
7
SERVAUTH class entity
8
CRITERIA entity
9-15
Reserved for IBM's use

Byte 3: Entity length

EBCDIC Bytes 4-end: Entity name
40(28) 2-45   Category name (ADDSD, ALTDSD, ADDUSER, ALTUSER, RDEFINE, RALTER commands and RACROUTE REQUEST=DEFINE) to be added to the profile, and organized as follows:
binary Byte 1 (at offset 0): Processing flags:
Bit
Meaning when set
0
Category name ignored because of processing error
1-7
Reserved for IBM's use
EBCDIC Bytes 2-end (at offset 1): Category name added
41(29) 2-45   Category name (ALTDSD, ALTUSER, and RALTER commands) to be deleted from the profile and organized as follows:
binary Byte 1 (at offset 0): Processing flags:
Bit
Meaning when set
0
Category name ignored because of processing error
1-7
Reserved for IBM's use
EBCDIC Bytes 2-end (at offset 1): Category name deleted
42(2A) 8 EBCDIC Class name from SETROPTS RACLIST/NORACLIST
43(2B) 1-8 EBCDIC Class name from SETROPTS GENLIST/NOGENLIST
44(2C) 1-255 mixed Any segment data, except BASE
Byte 1:
Bit
Meaning when set
0
Reserved for IBM's use
1
Delete the segment
2-7
Reserved for IBM's use
Byte 2-9:
Name of segment
Byte 10:
Length of subkeyword
Variable length
The subkeyword specified
Variable length
The value associated with the subkeyword (limited to 245 minus length of subkeyword)
44(2C) 1-255 mixed Directed command information
Byte
Description
1
Bit string
2-9
Name of segment - CMDSRC
10
Length of subkeyword - 15
11-25
Subkeyword ORIGINATED_FROM
Variable length
Contains one of the following:
  • node.userid.DIRECTED_BY_AT
  • node.userid.DIRECTED_BY_ONLYAT
  • node.userid.DIRECTED_AUTOMATICALLY
44(2C) 1-255 mixed Directed application update information
Byte
Description
1
Bit string
2-9
Name of segment - APPLSRC
10
Length of subkeyword - 15
11-25
Subkeyword ORIGINATED_FROM
Variable length
node.userid.DIRECTED_AUTOMATICALLY
45(2D) 9   Class and logging options from SETROPTS LOGOPTIONS
EBCDIC Bytes 1-8: Class name
mixed Byte 9:
Bit
Meaning when set
0
ALWAYS
1
NEVER
2
SUCCESSES
3
FAILURES
4
DEFAULTS
5-7
Reserved for IBM's use
46(2E) 1-255 EBCDIC Variable length string of data specified on LOGSTR= keyword on RACROUTE macro.
Note: The log string specified on RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX is propagated to the port of entry authorization check made in the SERVAUTH class performed by VERIFY/X when SERVAUTH= is specified by the caller.
47(2F) 8 EBCDIC JOBNAME that user is not authorized to submit for a JESJOBS job
48(30) 8 EBCDIC User ID to whom data is directed (RECVR= keyword on RACROUTE macro)
49(31) 1-20 EBCDIC User name from ACEE
50(32) 8 EBCDIC Security label name (ADDSD, ALTDSD, ALTUSER, RDEFINE, and RALTER commands, and the R_setfsecl, makeFSP and makeISP callable services) to be added to the profile or security packet, or the user security label for RACROUTE REQUEST=DIRAUTH
51(33) 8 EBCDIC Security label name (RACROUTE REQUEST=AUTH and DIRAUTH, ck_access, ck_IPC_access, R_IPC_ctl, R_chmod, R_chown, R_audit, R_setfacl, ck_file_owner, ck_owner_two_files, ck_process_owner, R_ptrace or VMXEVENT auditing) of the resource, or security label name (ALTDSD, ALTUSER, RALTER commands and the R_setfsecl callable service) to be deleted from the profile or security packet.
53(35) 80 mixed User security token, see RUTKN in z/OS Security Server RACF Data Areas in the z/OS Internet library.
54(36) 80 mixed Resource security token (RACROUTE REQUEST=AUTH) see RUTKN in z/OS Security Server RACF Data Areas in the z/OS Internet library.
55(37) 8 Binary Key to link audit records together
62(3E) 1-44 EBCDIC Data set name affected by a security label change (used by SMF type 83 records)
63(3F) 4 EBCDIC Link value to connect data sets affected by a security label change with the RACF command that caused the change
64(40) 4 EBCDIC Link value to connect client and server audit records. A link value can appear for a client or server without a corresponding link value if:
  • The client has failed authorization
  • Auditing is not performed for both users
65(41) 1 Binary Flags that indicate ACEE type:
Bit
Meaning when set
0–4
Reserved for IBM's use
5
1=Nested ACEE
6
0=Reserved for IBM's use
 
1=Server
7
0=Unauthenticated client
 
1=Authenticated client
66(42) 44 EBCDIC Partitioned data set name
Start of change67(43)End of change Start of changevariableEnd of change Start of changemixedEnd of change Start of change
Byte 1: PassTicket Generation or Evaluation Details
Bit
Meaning when set
0
Legacy PassTicket
Start of change1End of change
Start of changeEvaluation: Legacy PassTicket SuccessfulEnd of change
Start of change2End of change
Start of changeEnhanced PassTicket Type UPPER End of change
Start of change3End of change
Start of changeEvaluation: Enhanced PassTicket Type UPPER SuccessfulEnd of change
Start of change4End of change
Start of changeEnhanced PassTicket Type MIXED End of change
Start of change5End of change
Start of changeEvaluation: Enhanced PassTicket Type MIXED SuccessfulEnd of change
Start of change6End of change
Start of changeEvaluation: Failure due to PassTicket replay attempt End of change
Start of change7End of change
Start of changeReservedEnd of change

Start of changeByte 2: ReservedEnd of change

Start of changeByte 3-6: Return CodeEnd of change

Start of changeByte 7-10: Reason CodeEnd of change

Start of changeByte 11-18: Application NameEnd of change

End of change
Notes:
  1. The access flags are:
    • Bit - Access authority
    • 0 - ALTER
    • 1 - CONTROL
    • 2 - UPDATE
    • 3 - READ
    • 4 - NONE
    • 5 - Reserved for IBM's use
    • 6 - WRITE (for REQUEST=DIRAUTH only). For RACROUTE REQUEST=DIRAUTH, bits 3 and 6 can both be on, indicating READWRITE authority.
  2. The access flags for RACROUTE REQUEST=DIRAUTH are:
    • Bit Access type
    • 0 - Always on
    • 1 - Mandatory access check
    • 2 - Reverse mandatory access check
    • 3 - Equal mandatory access check
    The access flags for other RACROUTE REQUEST types are:
    • Bit Access authority
    • 0 - ALTER
    • 1 - CONTROL
    • 2 - UPDATE
    • 3 - READ
    • 4 - NONE
    • 5 - EXECUTE
    The access flags could all be off if a mandatory access check has failed.
  3. This bit is turned on for each ID in the list (data type 12) and each program entity name in the list (data type 39) that was not processed because of a non-terminating error, such as user IDs (specified on the ID operand of the PERMIT command) that are not defined to RACF. If a terminating error, such as a RACF manager error, occurred while processing an ID or entity, this bit is turned on for all remaining IDs or entities that were not processed.

    For the PERMIT DELETE command, when no terminating error has occurred, this bit is turned ON only if no entry in the access list was deleted for the ID or entity.

The access flags for other RACROUTE REQUEST types are:
  • Bit Access authority
  • 0 - ALTER
  • 1 - CONTROL
  • 2 - UPDATE
  • 3 - READ
  • 4 - NONE
  • 5 - EXECUTE
The access flags could all be off if a mandatory access check has failed.

Table of extended-length relocate section variable data

This table describes the variable data elements of the extended-length relocate section.

Table 2. Table of extended-length relocate section variable data
Data type (SMF80TP2) dec(hex) Data length (SMF80DL2) Format Audited by event code Description (SMF80DA2)
256(100) 2 Binary All Audit function code, indicating the calling service. Refer to the description of IRRPAFC in z/OS RACF Data Areas in the z/OS Internet library.
257(101) 4 Binary All Old real z/OS UNIX user identifier (UID)
258(102) 4 Binary All Old effective z/OS UNIX user identifier (UID)
259(103) 4 Binary All Old saved z/OS UNIX user identifier (UID)
260(104) 4 Binary All Old real z/OS UNIX group identifier (GID)
261(105) 4 Binary All Old effective z/OS UNIX group identifier (GID)
262(106) 4 Binary All Old saved z/OS UNIX group identifier (GID)
263(107) 1-1023 EBCDIC 28,29,30,31,32, 33,34,35,41,42, 43,44,45,47,48, 53,54,55,56,64 Requested path name (see also data type 299)
Note: For events 47 (rename) and 41 (link), this is the old path name.
264(108) 16 Binary 28,29,30,31,32, 33,34,35,41,42, 43,44,45,47,48, 53,54,55,56,64 File identifier
265(109) 4 Binary 28,29,30,31,32, 33,34,35,41,42, 43,44,45,47,48, 53,54,55,56,64 File owner z/OS UNIX user identifier (UID)
265(109) 4 Binary 60,61,62 IPC key owner z/OS UNIX user identifier (UID)
266(10A) 4 Binary 28,29,30,31,32, 33,34,35,41,42, 43,44,45,47,48, 53,54,55,56,64 File owner z/OS UNIX group identifier (GID)
266(10A) 4 Binary 60,61,62 IPC key owner z/OS UNIX group identifier (GID)
267(10B) 1 Binary 28,29,30 Requested access
Value
Meaning
X'04'
Read access
X'02'
Write access
X'01'
Execute access
X'81'
Directory search access
X'87'
Any access

Multiple bits may be set.

267(10B) 1 Binary 60 IPC requested access
Value
Meaning
X'00'
No access
X'02'
Write access
X'04'
Read access
X'06'
Read and write access
268(10C) 1 Binary 28, 29, 30, 60 Access type (bits used to make access check)
Value
Meaning
1
'owner' bits
2
'group' bits
3
'other' bits
4
no bits used
5
UID ACL entry
6
GID ACL entry or entries
7
ACL exists but could not be retrieved
8
A restricted user ID was denied access because it was not the file owner and was not explicitly permitted to the file

The access type value could be 0 if a mandatory access check has failed.

269(10D) 1 Binary 28,29,30 Access allowed
Value
Meaning
X'04'
Read access
X'02'
Write access
X'01'
execute/search

Multiple bits can be set.

269(10D) 1 Binary 60 IPC access allowed
Value
Meaning
X'02'
Write access
X'04'
Read access

Multiple bits can be set.

270(10E) 1-1023 EBCDIC 28,29,30,41,47 Second requested path name (see also data type 299)
Note: For events 47 (rename) and 41 (link), this is the new path name.
271(10F) 16 Binary 47,64 Second file identifier
272(110) 4 Binary 36,50,52 New real z/OS UNIX user identifier (UID)
273(111) 4 Binary 36,50,52 New effective z/OS UNIX user identifier (UID)
274(112) 4 Binary 36,50,52 New saved z/OS UNIX user identifier (UID)
275(113) 4 Binary 36,49,51 New real z/OS UNIX group identifier (GID)
276(114) 4 Binary 36,49,51 New effective z/OS UNIX group identifier (GID)
277(115) 4 Binary 36,49,51 New saved z/OS UNIX group identifier (GID)
278(116) 4 Binary 47 Owner z/OS UNIX user identifier (UID) of deleted file
278(116) 4 Binary 64 Second file owner z/OS UNIX user identifier (UID)
279(117) 4 Binary 47 Owner z/OS UNIX group identifier (GID) of deleted file
279(117) 4 Binary 64 Second file owner z/OS UNIX group identifier (GID)
280(118) 4 Binary 34,50,52 z/OS UNIX user identifier (UID) input parameter
280(118) 4 Binary 62 IPC owner z/OS UNIX user identifier (UID) input parameter
281(119) 4 Binary 34,49,51 z/OS UNIX group identifier (GID) input parameter
281(119) 4 Binary 62 IPC owner z/OS UNIX group identifier (GID) input parameter
282(11A) 4 Binary 37,40,46,58 Target real z/OS UNIX user identifier (UID)
283(11B) 4 Binary 37,40,46,58 Target effective z/OS UNIX user identifier (UID)
284(11C) 4 Binary 37,40,46,58 Target saved z/OS UNIX user identifier (UID)
285(11D) 4 Binary 46 Target real z/OS UNIX group identifier (GID)
286(11E) 4 Binary 46 Target effective z/OS UNIX group identifier (GID)
287(11F) 4 Binary 46 Target saved z/OS UNIX group identifier (GID)
288(120) 4 Binary 37,40,46,58 Target PID
289(121) 4 Binary 33,35 Old mode
Bit
Meaning
0-19
Reserved for IBM's use
20
S_ISGID bit
21
S_ISUID bit
22
S_ISVTX bit
23-25
Owner permission bits (read/write/execute)
26-28
Group permission bits (read/write/execute)
29-31
Other permission bits (read/write/execute)
289(121) 4 Binary 62 IPC old mode
Bit
Meaning
0-22
Reserved for IBM's use
23-25
Owner permission bits (RW-)
26-28
Group permission bits (RW-)
29-31
Other permission bits (RW-)
290(122) 4 Binary 33,35,42,43,45 New mode
Bit
Meaning
0-19
Reserved for IBM's use
20
S_ISGID bit
21
S_ISUID bit
22
S_ISVTX bit
23-25
Owner permission bits (read/write/execute)
26-28
Group permission bits (read/write/execute)
29-31
Other permission bits (read/write/execute)
290(122) 4 Binary 62 IPC new mode
Bit
Meaning
0-22
Reserved for IBM's use
23-25
Owner permission bits (RW-)
26-28
Group permission bits (RW-)
29-31
Other permission bits (RW-)
291(123) 2 Binary 28 Service that was being processed. Used when data type 256 indicates that the calling service was lookup (path name resolution).
291(123) 2 Binary 62 Service that was being processed. Used when data type 256 indicates that the calling service was to remove an ID, set, or setmqb.
292(124) 4 Binary 31 Requested audit options
Byte
Meaning
1
Read access audit options
2
Write access audit options
3
execute/search audit options
4
Reserved for IBM's use
In each byte, the following flags are defined:
Value
Meaning
X'00'
Do not audit any access attempts
X'01'
Audit successful accesses
X'02'
Audit failed access attempts
X'03'
Audit both successful and failed access attempts
293(125) 8 Binary 31 Old audit options (user and auditor)
Byte
Meaning
1
User read access audit options
2
User write access audit options
3
User execute/search audit options
4
Reserved for IBM's use
5
Auditor read access audit options
6
Auditor write access audit options
7
Auditor execute/search audit options
8
Reserved for IBM's use
In each byte, the following flags are defined:
Value
Meaning
X'00'
Do not audit any access attempts
X'01'
Audit successful accesses
X'02'
Audit failed access attempts
X'03'
Audit both successful and failed access attempts
294(126) 8 Binary 31 New audit options (user and auditor)
Byte
Meaning
1
User read access audit options
2
User write access audit options
3
User execute/search audit options
4
Reserved for IBM's use
5
Auditor read access audit options
6
Auditor write access audit options
7
Auditor execute/search audit options
8
Reserved for IBM's use
In each byte, the following flags are defined:
Value
Meaning
X'00'
Do not audit any access attempts
X'01'
Audit successful accesses
X'02'
Audit failed access attempts
X'03'
Audit both successful and failed access attempts
295(127) 1-44 EBCDIC 28,44,55 Data set name for mounted file system
296(128) 4 Binary 33,42,43,45 Requested file mode
Bit
Meaning
0-19
Reserved for IBM's use
20
S_ISGID bit
21
S_ISUID bit
22
S_ISVTX bit
23-25
Owner permission bits (read/write/execute)
26-28
Group permission bits (read/write/execute)
29-31
Other permission bits (read/write/execute)
296(128) 4 Binary 61,62 IPC requested ISP mode.
Bit
Meaning
0-22
Reserved for IBM's use
23-25
Owner permission bits (RW-)
26-28
Group permission bits (RW-)
29-31
Other permission bits (RW-)
297(129) 1-1023 EBCDIC 28,29,53 Content of symlink
298(12A) 1-256 EBCDIC 28,29,30 File name being checked
299(12B) 1 Binary 28,29,30, 41,47 Flag indicating whether the requested path name is the old (or only) path name or the new path name. This field is X'01' except for ck_access events where authority to a new name is being checked. The second path name contains the new name specified.
Value
Meaning
X'01'
Old (or only) path name
X'02'
New path name
300(12C) 4 Binary 40 Kill signal code
301(12D) variable EBCDIC 9,10,12,13

Command segment data

Bytes 1-2
Bit
Meaning when set
0
Keyword was ignored because of insufficient authority
1
Segment is to be deleted, by using a NOxxx keyword
2-3
Data format
01
Numeric
10
Hex
11
Undefined
4
Keyword has no subfield
5-15
Reserved for IBM's use

Bytes 3-10: Name of segment (main keyword)

Byte 11: Length of subkeyword; 0 if byte 1 bit 1 is set

Variable length: The subkeyword specified; null if byte 1 bit 1 is set

2 bytes: Length of data

Variable length: The data as entered on the command

302(12E) 1 Binary 47,54 Last link deleted flag
Value
Meaning
X'00'
Last link was not deleted
X'01'
Last link was deleted.
303(12F) 4 Binary 60,61,62 IPC key
304(130) 4 Binary 60,61,62 IPC ID
305(131) 4 Binary 60,61,62 IPC key creator z/OS UNIX user identifier (UID)
306(132) 4 Binary 60,61,62 IPC key creator z/OS UNIX group identifier (GID)
307(133) 8 EBCDIC 28,29,30,31,33, 34,41,42,43,45, 47,48,53,54,56 Filepool name
308(134) 8 EBCDIC 28,29,30,31,33, 34,41,42,43,45, 47,48,53,54,56 Filespace name
309(135) 4 Binary 28,29,30,31,33, 34,41,42,43,45, 47,48,53,54,56 Inode (file serial number)
310(136) 4 Binary 28,29,30,31,33, 34,41,42,43,45, 47,48,53,54,56 SCID (file serial number)
311(137) 8 EBCDIC 47 Second filepool name
312(138) 8 EBCDIC 47 Second filespace name
313(139) 4 Binary 47 Second Inode (file serial number)
314(13A) 4 Binary 47 Second SCID (file serial number)
315(13B) 4 EBCDIC 28,29,30,31,32, 33,34,41,44,47, 48,54,55,56,57, 63,64 Link value to connect client and server audit records. A link value may appear for a client or server without a corresponding link value if:
  • the client has failed authorization
  • auditing is not performed for both users
316(13C) 1 Binary 28,29,30,31,32, 33,34,41,44,47,48,54, 55,56,57,63,64 Flags that indicate ACEE type:
Bit
Meaning when set
0–4
Reserved for IBM's use
5
1=Nested ACEE
6
0=Reserved for IBM's use
 
1=Server
7
0=Unauthenticated client
 
1=Authenticated client
317(13D) 1 Binary 28,29,30,31,32, 33,34,35,36,37, 38,39,40,41,42, 43,44,45,46,47, 48,49,50,51,52, 53,54,55,56,57, 58,60,61,62,63, 64,65
Value
Meaning
X'80'
Indicates a default z/OS UNIX security environment is in effect.
318(13E) 1-255 EBCDIC 66, 67, 69, 72, 74, 79, 83, 85, 89 Certificate or CRL serial number
319(13F) 1-255 EBCDIC 66, 67, 69, 72, 74, 79, 83, 85, 89 Certificate or CRL issuer's distinguished name
320(140) 1-237 Char 66 Ring name
321(141) 1-64 Char 66 C from SUBJECTSDN
322(142) 1-64 Char 66 SP from SUBJECTSDN
323(143) 1-64 Char 66 L from SUBJECTSDN
324(144) 1-64 Char 66 O from SUBJECTSDN
325(145) 1-64 Char 66 OU from SUBJECTSDN
326(146) 1-64 Char 66 T from SUBJECTSDN
327(147) 1-64 Char 66 CN from SUBJECTSDN
328(148) 1-255 EBCDIC 66 SDNFILTER filter name
329(149) 1-255 EBCDIC 66 IDNFILTER filter name
330(14A) 1-255 EBCDIC 66 CRITERIA or NEWCRITERIA value
331(14B) 1-255 EBCDIC ALL events except 68 Subject's distinguished name
332(14C) 1-255 EBCDIC ALL events except 68 Issuer's distinguished name
333(14D) 1-240 EBCDIC 68 Kerberos principal name (reserved for use by Network Authentication Service)
334(14E) 7-22 EBCDIC 68 Kerberos login request source (reserved for use by Network Authentication Service)
335(14F) 1-10 EBCDIC 68 Kerberos KDC status code (reserved for use by Network Authentication Service)
336(150) 1-255 EBCDIC 66 ALTNAME IP address
337(151) 1-255 EBCDIC 66 ALTNAME email
338(152) 1-255 EBCDIC 66 ALTNAME Domain
339(153) 1-255 EBCDIC 66 ALTNAME URI
340(154) 1 Binary 69, 83 IRRSPX00 flags byte 1 – KeyUsage flag combinations:
Bits
Meaning
1... ....
"handshake" (digitalsig, keyencrypt)
.1.. ....
"dataencrypt"
..1. ....
"certsign" (keycertsign, crlsign)
...1 ....
"docsign"
.... 1...
"keyagree"
.... .1..
"digitalsig"
.... ..1.
"keycertsign"
1... .1..
"keyencrypt"
..1. ..1.
"crlsign"
341(155) 10 EBCDIC 69, 83, 85, 89 Requested NotBefore field in the format yyyy/mm/dd
342(156) 10 EBCDIC 69, 83, 85, 89 Requested NotAfter field in the format yyyy/mm/dd
343(157) 8 EBCDIC 69, 70 IRRSPX00 target user ID
344(158) 1-32 EBCDIC 69, 70 IRRSPX00 target label
345(159) 1-45 EBCDIC 69 IRRSPX00 SignWith field
346(15A) 1-255 EBCDIC 69, 83, 85, 89 Requested Subject's DN
347(15B) 1-64 EBCDIC 69, 83 Requested AltlPAddr field
348(15C) 1-255 EBCDIC 69, 83 Requested AltURI field
349(15D) 1-100 EBCDIC 69, 83 Requested AltEmail field
350(15E) 1-100 EBCDIC 69, 83 Requested AltDomain field
351(15F) 1-56 EBCDIC 69, 70, 83 IRRSPX00 CertId
352(160) 1-4096 EBCDIC 71 Policy Director protected object (reserved for use by Policy Director Authorization Services)
353(161) 1-1024 EBCDIC 71 Requested Policy Director permissions (reserved for use by Policy Director Authorization Services)
354(162) 8 EBCDIC 71 Policy Director principal user ID (reserved for use by Policy Director Authorization Services)
355(163) 36 EBCDIC 71 Principal ID string in the format nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn where n is any hexadecimal digit (reserved for use by Policy Director Authorization Services)
356(164) 4 Binary 71 Policy Director quality of protection value (reserved for use by Policy Director Authorization Services)
357(165) 1024 EBCDIC 69, 70, 73, 83 HostIDMappings extension data
358(166) 1-32 EBCDIC 70, 83, 85, 89 Certificate requester's name
359(167) 1 Binary 69, 70, 83 IRRSPX00 flags byte 2
Bit
Meaning
0
Pass phrase specified
360(168) 32 EBCDIC 72 Certificate or certificate request status:
  • Pending approval
  • Approved
  • Completed
  • Rejected
  • Rejected, User Notified
  • Active
  • Expired
  • Revoked
  • Revoked, Expired
361(169) 10 EBCDIC 72 Creation date in the format yyyy/mm/dd
362(16A) 10 EBCDIC 72 Last modified in the format yyyy/mm/dd
363(16B) 1–255 EBCDIC 72, 85 Certificate serial number for previously issued certificate
364(16C) 4 Binary 73, 74 Action taken on certificate or certificate request
365(16D) 1–64 EBCDIC 74 Action comment
366(16E) 4 Binary 74 Certificate revocation reason
367(16F) 1 Binary 75, 76 ACL type
Value
Meaning
X'80'
Access ACL
X'40'
File model
X'20'
Directory model
368(170) 1 Unsigned 75 Effective ACL entry operation type
Value
Meaning
1
Add
2
Modify
3
Delete
369(171) 5 Binary 75 ACL entry identifier. This consists of a 1–byte type code followed by the 4–byte hexadecimal UID or GID value.
Value
Meaning
X'01'
User (UID) entry
X'02'
Group (GID) entry
370(172) 1 Binary 75 Old ACL entry bits for modify and delete operations.
371(173) 1 Binary 75 New ACL entry bits for add and modify operations.
372(174) 1 Binary 71 Policy Director credential type flag reserved for use by Policy Director Authorization Services
Value
Meaning
X'00'
Unauthenticated
X'01'
Authenticated
373(175) 1–64 EBCDIC 69, 72, 83, 85 Email address for notification purposes
374(176) 8 EBCDIC 1, 67 Server's security label
375(177) 1-255 EBCDIC 69, 72, 73, 83 Extended keyUsage
376(178) 1-32 EBCDIC 69, 73 Certificate policies
377(179) 1-1024 EBCDIC 69, 73 Authority information access
378(17A) 1-255 EBCDIC 69, 73 Critical extensions
379(17B) 1-255 EBCDIC 79 CRL's issuing distribution point DN
380(17C) 10 EBCDIC 79 CRL's date of issue
381(17D) 8 EBCDIC 79 CRL's time of issue
382(17E) 10 EBCDIC 79 CRL's expiration date
383(17F) 8 EBCDIC 79 CRL's expiration time
384(180) 10 EBCDIC 79 CRL's date of publish
385(181) 8 EBCDIC 79 CRL's time of publish
386(182) 1–64 EBCDIC All, except 68, 71, 79, and 85 SERVAUTH port of entry name (profile name protecting the SERVAUTH name if resource name is unavailable)
387(183) 1–1024 EBCDIC 79 CRL's issuing distribution point URI
388(184) 1–1024 EBCDIC 69, 73, 83 Requested ALTNAME OtherName
389(185) 1–1024 EBCDIC 80 Response from OCSP responder containing a list of triplets:
  • Certificate serial number
  • Status: GOOD, REVOKED, or UNKNOWN
  • Issuer's DN, or "UNKNOWN ISSUER"
Each item is separated by a comma and each triplet is separated by a blank.
390(186) 8 EBCDIC 2 Primary (client) user ID for this nested ACEE.
391(187) 8 EBCDIC 69, 70, 72, 73, 74, 80, 83, 85, 89 Domain name of the target PKI Services certificate authority.
392(188) 1-510 EBCDIC All, except 68, 71, 79, 81, 82, and 85 Authenticated user name.
393(189) 1-255 EBCDIC All, except 68, 71, 79, 81, 82, and 85 Authenticated user registry name.
394(18A) 1-128 EBCDIC All, except 68, 71, 79, 81, 82, and 85 Authenticated user host name.
395(18B) 1-16 EBCDIC All, except 68, 71, 79, 81, 82, and 85 Authenticated user authentication mechanism object identifier (OID).
396(18C) 3-244 EBCDIC 2 Access criteria.
Note: When this relocate is used, the data appears in the form of criteria-name=criteria-value.
398(18E) 1-64 EBCDIC 66 PKDS label.
399(18F) 1-32 EBCDIC 66 Token name.
400(190) 8 EBCDIC 84 Ring owner.
401(191) 1 Binary 84 Reuse attribute flag for NewRing.
402(192) 1 Binary 84 Trust attribute flag for DataPut.
403(193) 1 Binary 84 HighTrust attribute flag for DataPut.
404(194) 1 Binary 84 Delete attribute flag for DataRemove.
405(195) 8 EBCDIC 84 Certificate usage: ‘SITE’, ‘CERTAUTH’ or ‘PERSONAL’.
406(196) 1 Binary 84 Default flag. X'01' means default certificate.
407(197) 1 Binary 84 Private key specified. X'01' means that private key is specified.
408(198) 256 EBCDIC 85 AutoRenew Exit path name.
409(199) 1-255 EBCDIC 86 Root signing certificate subject's distinguished name
410(19A) 1-255 EBCDIC 86 Program signer (end entity) certificate subject's distinguished name
411(19B) 1 Binary 86 R_PgmSignVer flags byte
Bit
Meaning
0
1 = Module allowed to be loaded
412(19C) 8 EBCDIC 86 Time module was signed
413(19D) 10 EBCDIC 86 Date module was signed
414(19E) 10 EBCDIC 86 Date when module certificate chain expires
415(19F) 1-246 EBCDIC 87 Value of the user ID filter from the USERDIDFILTER keyword on MAP
416(1A0) 1-255 EBCDIC 87 Value of the registry name from the REGISTRY keyword of RACMAP
417(1A1) 1-20 EBCDIC 88 Service or process name for automatically updated profile
418(1A2) 1-8 EBCDIC 88 Class for automatically updated profile
419(1A3) 1-255 EBCDIC 88 Automatically updated profile name
420(1A4) 1-4000 EBCDIC 88 Automatically updated profile data
421(1A5) 40 EBCDIC 70, 72, 89 Key ID
422(1A6) 4 EBCDIC 69 Key size
423(1A7) 32 EBCDIC 74 Requester email
424(1A8) 1-246 UTF-8 All, except 68, 71, 79, 81, 82, and 85 Authenticated distributed-identity user name
425(1A9) 1-246 UTF-8 All, except 68, 71, 79, 81, 82, and 85 Authenticated distributed-identity registry name
426(1AA) 10 EBCDIC 69 Key algorithm
427(1AB) 1024 EBCDIC 69, 73, 83 Customized extension
428(1AC) 32 EBCDIC 69, 73, 83 Record link
429(1AD) 32 EBCDIC 72 Signing Algorithm
430(1AE)       Reserved
431(1AF)       Reserved
432(1B0)       Reserved
433(1B1) 2 Unsigned 72 Number of approvals required for the request
434(1B2) 2 Unsigned 72 Count of approvals performed
435(1B3) 1 Binary 84 Notrust attribute flag for DataPut and DataAlter
436(1B4) 1 Binary 84 Delete attribute flag for DataRemove, even if the certificate is connected to rings
437(1B5) 1 Binary 84 Delete attribute flag for DataRemove, even if the certificate is used for GENREQ
438(1B6) 32 EBCDIC 84 Source certificate label
440(1B8) 8 binary 13 Byte 1: MFA subkeyword specified flags
Bit
Meaning
0
PWFALLBACK specified
1
NOPWFALLBACK specified
2
FACTOR specified
3
DELFACTOR specified
4
ACTIVE specified
5
NOACTIVE specified
6
TAGS specified
7
DELTAGS specified
Byte 2: MFA subkeyword specified flags
Bit
Meaning
0
NOTAGS specified
1
ADDPOLICY specified
2
DELPOLICY specified
3-7
Reserved
Bytes 3-8: Reserved for IBM's use
441(1B9) variable EBCDIC 13 Multifactor authentication factor name
442(1BA) variable EBCDIC 13 MFA tag entry from the TAGS/DELTAGS keyword.

When TAGS is specified, the entry value is the tag name and value separated by a colon (":"). When DELTAGS is specified, the entry value is the tag name only.

443(1BB) variable mixed 1 Byte 1: Authentication information:
Bit
Meaning
0
ACEE was created from VLF cache
1
User has active MFA factor(s)
2
MFA user allowed to fall back when no MFA decision can be made
3
No MFA decision for MFA user
4
IBM MFA requested that RACROUTE REQUEST=VERIFY return the password-expired return code.
5
IBM MFA requested that RACROUTE REQUEST=VERIFY return the new-password-invalid return code.
6
IBM MFA requested that RACROUTE REQUEST=VERIFY return the password-invalid return code, but not to increment the password revoke count (partial success - needs more information).
7
Relocate 443 is extended.
Byte 2: Authenticator(s) used:
Bit
Meaning
0
Password Evaluated
1
Password Successful
2
Password Phrase Evaluated
3
Password Phrase Successful
4
Passticket Evaluated
5
Passticket Successful
6
MFA authentication successful
7
MFA authentication unsuccessful

Bytes 3-6: MFA Authorization Return Code.

Bytes 7-10: MFA Authorization Reason Code

443(1BB) (Cont.) variable mixed 1
Note: Below fields are only present when relocate 443 is extended.

Bytes 11-14: PassTicket Return Code

Bytes 15-18: PassTicket Reason Code

Byte 19: Flag byte 3: Authentication Details
Bit
Meaning when set
0
Password or Password Phrase expired
1
New Password or Password Phrase invalid
2
Identity Token (IDT) Evaluated
3
Identity Token (IDT) Successful
4
IBM MFA requested that RACROUTE REQUEST=VERIFY return the password-invalid return code, but not to increment the password revoke count (reauthentication requested).
Start of change5End of change
Start of changeLegacy PassTicket EvaluatedEnd of change
Start of change6End of change
Start of changeLegacy PassTicket SuccessfulEnd of change
Start of change7End of change
Start of changeEnhanced PassTicket Type UPPER EvaluatedEnd of change
Byte 20: Flag byte 4: Authentication Details
Bit
Meaning when set
Start of change0End of change
Start of changeEnhanced PassTicket Type UPPER SuccessfulEnd of change
Start of change1End of change
Start of changeEnhanced PassTicket Type MIXED EvaluatedEnd of change
Start of change2End of change
Start of changeEnhanced PassTicket Type MIXED SuccessfulEnd of change
Start of change3-7End of change
Start of changeReservedEnd of change

Bytes 21-28: Derived Application Name

Bytes 29-32: IDT Validation Reason Code

Bytes 33-36: IDT Error Reason Code

Bytes 37-40: Failing Service ID

Bytes 41-44: Failing Service Return Code

Bytes 45-48: Failing Service Reason Code

444 (1BC) variable EBCDIC 13 MFA policy name entry from the ADDPOLICY/DELPOLICY keyword.
445 (1BD) variable mixed 2
Bytes
Meaning
1 - 2
  • Includes the length of the ID and length field
  • Maximum length value is 1100 bytes
3 - 4
  • IDs from X'0000' to X'0FFF' are reserved for IBM
    • X'0001' identifies the data as a CICS® identity
  • IDs from X'1000' to X'1FFF' are reserved for vendors
  • IDs from X'2000' to X'FFFF' are reserved for customer data.
5 - end
Triplet of values per field each consisting of:
  • 2 byte ID values
  • 2 byte length
  • Variable data
Note: For more information about REQUEST=FASTAUTH, see z/OS Security Server RACROUTE Macro Reference.
Start of change446 (1BE)End of change Start of change32End of change Start of changeunsignedEnd of change Start of change66, 67, 69, 70. 74, 83, 84, 85, 90End of change Start of changeSubject Certificate fingerprintEnd of change
Start of change447 (IBF)End of change Start of change32End of change Start of changeunsignedEnd of change Start of change85, 90End of change Start of changeIssuer Certificate fingerprintEnd of change
Start of change448 (1C0)End of change Start of change32End of change Start of changeunsignedEnd of change Start of change85End of change Start of changePrevious Certificate fingerprintEnd of change

Table of data type 6 command-related data

This table describes the RACF command-related data that is associated with data type 6.

  • ADDGROUP
  • ADDSD
  • ADDUSER
  • ALTDSD
  • ALTGROUP
  • ALTUSER
  • CONNECT
  • DELDSD
  • DELGROUP
  • DELUSER
  • PASSWORD
  • PERMIT
  • RACDCERT
  • RACLINK
  • RACMAP
  • RALTER
  • RDEFINE
  • RDELETE
  • REMOVE
  • RVARY
  • SETROPTS

The actual format and content of the data depends upon the command being logged. Command-related data does not appear in the SMF record if the command user is not RACF-defined. Some of the commands also omit the command-related data if the user is not authorized for the requested profile on the RACF database.

The table is arranged by event code. In each description, the keyword flags contain one flag for each possible keyword that you can specify (explicitly or by default) on the command. The ‘flags for keywords specified’ field indicates whether the keyword was specified or defaulted.

The ‘flags for keywords ignored because of insufficient authority’ indicates whether the keyword was ignored because the user did not have sufficient authority to use the keyword. The event code qualifier (SMF80EVQ), described in Table 1, is set to 1 if the command user does not have sufficient authority for any of the keywords that are specified or taken as defaults. The event code qualifier is set to 2 if the command user does not have sufficient authority for some (but not all) of the keywords that are specified or taken as defaults. In the latter case, the command continues processing the authorized operands.

The ‘flags for keywords ignored due to error conditions’ field indicates individual keywords that were not processed for reasons other than insufficient authority. Not all commands (event codes 8-25) have these flags. The keyword errors are not terminating errors (like the errors that are indicated in SMF80ERR) and the command continues processing other specified operands. If a terminating error, these flags do not necessarily indicate what processing was done or not done. Any keyword errors occurring before the terminating error are indicated, but the keywords, that are not processed because of a terminating error, are not indicated. The bits in SMF80ERR indicate whether RACF already made changes to the RACF database before the terminating error or whether no updates were made.

Other fields in the command-related data field indicate the subfields that are specified (or defaulted) for keywords. The fields are flags for subfields that are keywords (such as SUCCESS subfield of AUDIT); they are data for subfields such as owner name or group name.

For example, if the owner of the profile for USERA issues the command:
ALTUSER USERA ADSP GRPACC SPECIAL OWNER(USERB)
and USERB, the requested new owner is not RACF-defined, then the command-related data would appear in the log record as:
012C0000 00040000 00080000 00E4E2C5
D9C14040 40000000 00000000 00000000
00000000 000000E4 E2C5D9C2 40404000
00000000

The first word indicates the keywords that are specified. The second word indicates that the user does not have sufficient authority to use the SPECIAL keyword. The third word indicates that there was an error processing the OWNER keyword. Offset X'0D' is the name of the user profile that is being altered. Offset X'27' is the name of the owner that is specified on the command. RACF processed the ADSP and GRPACC keywords.

Note: If you use SMF records to reconstruct a RACF database, passwords and OIDCARDs are not contained in the records and require special handling, and statistics updates are not recorded.
Event code dec(hex) Command Data length Format Description
8( 8) ADDSD 2 Binary Flags for keywords specified:
Bit - Keyword specified
Byte 0
Bit
Keyword specified
Byte 0
0
VOLUME
1
UNIT
2
UACC
3
OWNER
4
AUDIT
5
SET
6
NOSET
7
LEVEL
Byte 1
0
PASSWORD
1
DATA
2
MODEL
3
WARNING
4
GENERIC
5
SECLEVEL
6
ADDCATEGORY
7
NOTIFY
2 Binary Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified.
8( 8) (Cont.) ADDSD (Cont.) 44 EBCDIC Data set name
8 EBCDIC Type (UNIT keyword)
1 Binary Flags for UACC keyword:
Note: If this is a non-DFP data set, RACF ignores bit 4 when checking access to data sets.
Bit
Authority specified
0
ALTER
1
CONTROL
2
UPDATE
3
READ
4
EXECUTE
5–6
Reserved for IBM's use
7
NONE
8 EBCDIC User ID or group name (OWNER keyword)
1 Binary Flags for AUDIT keyword: (only one set at a time)
Bit
Option specified
0
ALL
1
SUCCESS
2
FAILURES
3
NONE
4–5
SUCCESS qualifier codes:
‘00’  READ
‘01’  UPDATE
‘10’  CONTROL
‘11’  ALTER
6–7
FAILURES qualifier codes:
‘00’  READ
‘01’  UPDATE
‘10’  CONTROL
‘11’  ALTER
1 Binary nn (LEVEL keyword)
8( 8) (Cont.) ADDSD (Cont.) 1 Binary Flags for RACF processing:
Bit
Meaning
0
Data set profile inconsistent with RACF indicator
1
Generic profile name specified
2
FROM entity is longer than 44 characters entity is passed in relocate type 13
3–7
Reserved for IBM's use
    8 EBCDIC User to be notified when this profile denies access
    2 Binary Flags for keywords specified:
Bit
Keyword specified
Byte 0
0
SETONLY
1
TAPE
2
FILESEQ
3
RETPD
4
ERASE
5
FROM
6
FCLASS
7
FVOLUME
Byte 1
0
FGENERIC
1
SECLABEL
2–7
Reserved for IBM's use
    2 Binary Flags for keywords ignored. Same format as flags for keywords specified.
    1 EBCDIC Reserved for IBM's use
    2 Binary File sequence number
    2 Binary Retention period
    8 EBCDIC FROM class name
    44 EBCDIC FROM resource name
    8 EBCDIC FROM volume serial
    44 EBCDIC SECLEVEL name
    8 EBCDIC SECLABEL
9( 9) ADDGROUP 1 Binary Flags for keywords specified:
Bit
Keyword specified
0
SUPGROUP
1
OWNER
2
NOTERMUACC
3
TERMUACC
4
DATA
5
MODEL
6
UNIVERSAL
7
Reserved for IBM's use
1 Binary Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified.
8 EBCDIC Group name
8 EBCDIC Superior group name (SUPGROUP keyword)
8 EBCDIC User ID or group name (OWNER keyword)
10( A) ADDUSER * The data for event code 10 is identical to the data for event code 13, with these exceptions.
4 Binary Flags for keywords specified:
Bit
Keyword specified
Byte 0
0
DFLTGRP
*1
GROUP
2
PASSWORD
3
NOPASSWORD
4
NAME
5
AUTHORITY
6
DATA
7
GRPACC
Byte 1
0
NOGRPACC
1
UACC
2
ADSP
3
NOADSP
4
OWNER
5
SPECIAL
6
NOSPECIAL
7
OPERATIONS
Byte 2
0
NOOPERATIONS
1
CLAUTH
2
NOCLAUTH
3
AUDITOR
4
NOAUDITOR
5
OIDCARD
6
NOOIDCARD
*7
REVOKE
10( A) (Cont.) ADDUSER (Cont.) 4 Binary
Byte 3
*0
RESUME
*1
AUDIT
*2
NOAUDIT
3
MODEL
*4
NOMODEL
5
WHEN
6
ADDCATEGORY
7
DELCATEGORY
    4 Binary Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified.
    4 Binary Flags for keywords ignored because of error conditions
    1 Binary Flags for other violations:
Bit
Violation
*0
Command invoker does not have CLAUTH attribute of USER
1
Command invoker does not have sufficient authority to group
*2
Command invoker does not have sufficient authority to user profile
*3–7
Reserved for IBM's use
    8 EBCDIC User ID
    8 EBCDIC Group name (DFLTGRP keyword)
    8 EBCDIC *Group name (GROUP keyword)
10( A) (Cont.) ADDUSER (Cont.) 1 Binary Flags for AUTHORITY keyword:
Bit
Authority specified
0
JOIN
1
CONNECT
2
CREATE
3
USE
4–7
Reserved for IBM's use
    1 Binary Flags for UACC keyword:
Bit
Authority specified
0
ALTER
1
CONTROL
2
UPDATE
3
READ
4–6
Reserved for IBM's use
7
NONE
    8 EBCDIC User ID or group name (OWNER keyword)
    2 Binary Flags for classes specified (CLAUTH keyword)
Bit
Keyword specified
Byte 0
0–1
Reserved for IBM's use
2
USER
3
Reserved for IBM's use
4
DASDVOL
5
TAPEVOL
6
TERMINAL
7
Reserved for IBM's use
Byte 1
0–7
Reserved for IBM's use
    2 Binary Flags for classes ignored because of insufficient authority: Same format as flags for classes specified. Note: if all classes specified are ignored because of insufficient authority, then the ‘flags for keywords ignored because of insufficient authority’ field indicates that CLAUTH was ignored.
    2 Binary Flags for additional keywords specified:
Bit
Keyword specified
Byte 0
0
SECLEVEL
1
NOSECLEVEL
2
SECLABEL
3
NOSECLABEL
4
NOEXPIRED
5
EXPIRED
6
RESTRICTED
7
NORESTRICTED
Byte 1
0
Reserved for IBM's use
1
Reserved for IBM's use
2
PHRASE
3
NOPHRASE
4-5
Reserved for IBM's use
6
ROAUDIT
7
NOROAUDIT
10( A) (Cont.) ADDUSER (Cont.) 2 Binary Flags for additional keywords ignored (authorization):
Bit
Keyword ignored
Byte 0
0
SECLEVEL
1
NOSECLEVEL
2
SECLABEL
3
NOSECLABEL
4
NOEXPIRED
5
EXPIRED
6
RESTRICTED
7
NORESTRICTED
Byte 1
0
Reserved for IBM's use
1
Reserved for IBM's use
2
PHRASE
3
NOPHRASE
4-5
Reserved for IBM's use
6
ROAUDIT
7
NOROAUDIT
    2 Binary Flags for additional keywords ignored because of processing error:
Bit
Keyword specified
Byte 0
0
SECLEVEL
1
NOSECLEVEL
2
SECLABEL
3
NOSECLABEL
4
Reserved for IBM's use
5
Reserved for IBM's use
6
RESTRICTED
7
NORESTRICTED
Byte 1
0-4
Reserved for IBM's use
5
ROAUDIT
6
NOROAUDIT
7
Reserved for IBM's use
    3 packed Logon time (packed); if time is not specified, this field contains binary zeros; if TIME(ANYTIME) is specified, this field contains X'F0F0F0'.
    3 packed Logoff time (packed); if time is not specified, this field contains binary zeros; if TIME(ANYTIME) is specified, this field contains X'F0F0F0'.
10( A) (Cont.) ADDUSER (Cont.) 1 Binary Logon day
Bit
Days the user cannot log on
0
Sunday
1
Monday
2
Tuesday
3
Wednesday
4
Thursday
5
Friday
6
Saturday
7
Day not specified
    4 EBCDIC REVOKE date
    4 EBCDIC RESUME date
    44 EBCDIC SECLEVEL name
    8 EBCDIC SECLABEL name
11( B) ALTDSD 2 Binary Flags for keywords specified:
Bit
Keyword specified
Byte 0
0
OWNER
1
UACC
2
AUDIT
3
LEVEL
4
ADDVOL
5
DELVOL
6
SET
7
NOSET
Byte 1
0
GLOBALAUDIT
1
VOLUME
2
PASSWORD
3
UNIT
4
ALTVOL
5
DATA
6–7
Reserved for IBM's use
    2 Binary Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified, except that Byte 1, Bit 2 is reserved for IBM's use.
    2 Binary Flags for keywords ignored because of error conditions: Same format as flags for keywords specified, except that Byte 1, Bit 2 is reserved for IBM's use.
    44 EBCDIC Data set name
    8 EBCDIC User ID or group name (OWNER keyword)
    1 Binary Flags for UACC keyword:
Note: If this is a non-DFP data set, RACF ignores bit 4 when checking access to the data set.
Bit
Authority specified
0
ALTER
1
CONTROL
2
UPDATE
3
READ
4
EXECUTE
5–6
Reserved for IBM's use
7
NONE
    1 Binary Flags for AUDIT keyword:
Bit
Option specified
0
ALL
1
SUCCESS
2
FAILURES
3
NONE
4–5
SUCCESS qualifier codes
6–7
FAILURES qualifier codes
    1 Binary nn (LEVEL keyword)
    1 Binary Flags for GLOBALAUDIT keyword: Same format as flags for AUDIT keyword.
    6 EBCDIC Volume serial ID (VOLUME keyword)
11( B) (Cont.) ALTDSD (Cont.) 8 EBCDIC Unit information
    1 Binary Flags for RACF processing:
Bit
Meaning
0
Profile inconsistent with RACF indicator.
1
Generic profile name specified
2–7
Reserved for IBM's use
    2 Binary Additional keywords specified:
Bit
Keyword specified
Byte 0
0
GENERIC
1
WARNING
2
NOWARNING
3
ERASE
4
NOERASE
5
RETPD
6
NOTIFY
7
NONOTIFY
Byte 1
0
SECLEVEL
1
ADDCATEGORY
2
DELCATEGORY
3
NOSECLEVEL
4
SECLABEL
5
NOSECLABEL
6–7
Reserved for IBM's use
    2 Binary Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified.
    2 Binary Flags for keywords ignored because of a processing error: Same format as flags for keywords specified.
    2 Binary Retention period
    8 EBCDIC User to be notified when access denied.
    44 EBCDIC SECLEVEL name
    8 EBCDIC SECLABEL name
12( C) ALTGROUP 1 Binary Flags for keywords specified:
Bit
Keyword specified
0
SUPGROUP
1
OWNER
2
NOTERMUACC
3
TERMUACC
4
DATA
5
MODEL
6–7
Reserved for IBM's use
    1 Binary Flags for keywords ignored because of insufficient authority: Same format as flags for keyword's specified.
    1 Binary Flags for other violations:
Bit
Violation
0
Lack of proper authority to old SUPGROUP
1–7
Reserved for IBM's use
    8 EBCDIC Group name
    8 EBCDIC Superior group name (SUPGROUP keyword)
    8 EBCDIC User ID or group name (OWNER keyword)
    1 Binary Flags for keywords ignored because of error conditions: Same format as flags for keywords specified.
13( D) ALTUSER * The data for event code 13 is identical to the data for event code 10, with these exceptions.
    4 Binary Flags for keywords specified:
Bit
Keyword specified
Byte 0
0
DFLTGRP
*1
GROUP
2
PASSWORD
3
NOPASSWORD
4
NAME
5
AUTHORITY
6
DATA
7
GRPACC
Byte 1
0
NOGRPACC
1
UACC
2
ADSP
3
NOADSP
4
OWNER
5
SPECIAL
6
NOSPECIAL
7
OPERATIONS
    4 Binary
Byte 2
0
NOOPERATIONS
1
CLAUTH
2
NOCLAUTH
3
AUDITOR
4
NOAUDITOR
5
OIDCARD
6
NOOIDCARD
*7
REVOKE
Byte 3
*0
RESUME
*1
UAUDIT
*2
NOUAUDIT
3
MODEL
4
NOMODEL
5
WHEN
6
ADDCATEGORY
7
DELCATEGORY
    4 Binary Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified.
    4 Binary Flags for keywords ignored because of error conditions: Same format as flags for keywords specified.
    1 Binary Flags for other violations:
Bit
Violation
*0
Command invoker does not have CLAUTH attribute of USER
1
Command invoker does not have sufficient authority to group
*2
Command invoker does not have sufficient authority to user profile
3
Reserved for IBM's use
4
NOEXPIRED
5
EXPIRED
6–7
Reserved for IBM's use
13( D) (Cont.) ALTUSER (Cont.) 8 EBCDIC User ID
    8 EBCDIC Group name (DFLTGRP keyword)
    8 EBCDIC *Group name (GROUP keyword)
    1 Binary Flags for AUTHORITY keyword:
Bit
Authority specified
0
JOIN
1
CONNECT
2
CREATE
3
USE
4–7
Reserved for IBM's use
    1 Binary Flags for UACC keyword:
Bit
Authority specified
0
ALTER
1
CONTROL
2
UPDATE
3
READ
4–6
Reserved for IBM's use
7
NONE
    8 EBCDIC User ID (OWNER keyword)
    2 Binary Flags for classes specified (CLAUTH keywords)
Bit
Option specified
Byte 0
0–1
Reserved for IBM's use
2
USER
3
Reserved for IBM's use
4
DASDVOL
5
TAPEVOL
6
TERMINAL
7
Reserved for IBM's use
Byte 1
0–7
Reserved for IBM's use
    2 Binary Flags for classes ignored because of insufficient authority: Same format as flags for classes specified.

Note that if all classes specified are ignored because of insufficient authority, then the ‘flags for keywords ignored because of insufficient authority’ field indicates that CLAUTH or NOCLAUTH was ignored.

    2 Binary Flags for additional keywords specified:
Bit
Keyword specified
Byte 0
0
SECLEVEL
*1
NOSECLEVEL
*2
SECLABEL
*3
NOSECLABEL
*4
NOEXPIRED
*5
EXPIRED
*6
RESTRICTED
*7
NORESTRICTED
13( D) (Cont.) ALTUSER (Cont.) 2 Binary Flags for additional keywords specified:
Byte 1
0
NOREVOKE
1
NORESUME
2
PHRASE
3
NOPHRASE
4
*PWCLEAN
5
*PWCONVERT
6
ROAUDIT
7
NOROAUDIT
    2 Binary Flags for additional keywords ignored (authorization):
Bit
Keyword ignored
Byte 0
0
SECLEVEL
*1
NOSECLEVEL
*2
SECLABEL
*3
NOSECLABEL
*4
NOEXPIRED
*5
EXPIRED
*6
RESTRICTED
*7
NORESTRICTED
Byte 1
0
NOREVOKE
1
NORESUME
2
PHRASE
3
NOPHRASE
4
*PWCLEAN
5
*PWCONVERT
6
ROAUDIT
7
NOROAUDIT
    2 Binary Flags for additional keywords ignored because of processing error:
Bit
Keyword specified
Byte 0
0
SECLEVEL
*1
NOSECLEVEL
*2
SECLABEL
*3
NOSECLABEL
*4
NOEXPIRED
*5
EXPIRED
*6
RESTRICTED
*7
NORESTRICTED
Byte 1
0
*PWCLEAN
1
*PWCONVERT
2-4
Reserved for IBM's use
5
ROAUDIT
6
NOROAUDIT
7
Reserved for IBM's use
    3 packed Logon time (packed); if time is not specified, this field contains binary zeros; if TIME(ANYTIME) is specified, this field contains X'F0F0F0'.
    3 packed Logoff time (packed); if time is not specified, this field contains binary zeros; if TIME(ANYTIME) is specified, this field contains X'F0F0F0'.
13( D) (Cont.) ALTUSER (Cont.) 1 Binary Days the user cannot log on
Bit
Day specified
0
Sunday
1
Monday
2
Tuesday
3
Wednesday
4
Thursday
5
Friday
6
Saturday
7
Day not specified
    4 EBCDIC REVOKE date
    4 EBCDIC RESUME date
    44 EBCDIC SECLEVEL name
    8 EBCDIC SECLABEL name
13 (D) ALTUSER 4 Binary Flags for additional keywords specified:
Bit
Keyword specified
Byte 0
0
*MFA
1
*NOMFA
2-7
Reserved for IBM's use
Byte 1
0-7
Reserved for IBM's use
Byte 2
0-7
Reserved for IBM's use
Byte 3
0-7
Reserved for IBM's use
    4 Binary Flags for additional keywords ignored (authorization):
Bit
Keyword specified
Byte 0
0
*MFA
1
*NOMFA
2-7
Reserved for IBM's use
Byte 1
0-7
Reserved for IBM's use
Byte 2
0-7
Reserved for IBM's use
Byte 3
0-7
Reserved for IBM's use
    4 Binary Flags for additional keywords ignored because of processing error:
Bit
Keyword specified
Byte 0
0
*MFA
1
*NOMFA
2-7
Reserved for IBM's use
Byte 1
0-7
Reserved for IBM's use
Byte 2
0-7
Reserved for IBM's use
Byte 3
0-7
Reserved for IBM's use
14( E) CONNECT 2 Binary Flags for keywords specified:
Bit
Keyword specified
Byte 0
0
GROUP
1
UACC
2
AUTHORITY
3
ADSP
4
NOADSP
5
REVOKE
6
RESUME
7
GRPACC
Byte 1
0
NOGRPACC
1
OPERATIONS
2
NOOPERATIONS
3
SPECIAL
4
NOSPECIAL
5
AUDITOR
6
NOAUDITOR
7
OWNER
2 Binary Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified.
14( E) (Cont.) CONNECT (Cont.) 8 EBCDIC User ID
8 EBCDIC Group name (GROUP keyword)
1 Binary Flags for UACC keyword:
Bit
Authority specified
0
ALTER
1
CONTROL
2
UPDATE
3
READ
4–6
Reserved for IBM's use
7
NONE
1 Binary Flags for AUTHORITY keyword:
Bit
Authority specified
0
JOIN
1
CONNECT
2
CREATE
3
USE
4–7
Reserved for IBM's use
1 Binary Flags for additional keywords specified
Bit
Keyword specified
0
NOREVOKE
1
NORESUME
2–7
Reserved for IBM's use
1 Binary Flags for additional keywords ignored because of insufficient authority. Same format as flags for additional keywords specified.
8 EBCDIC User ID or group name (OWNER keyword)
4 packed REVOKE date, packed
4 packed RESUME date, packed
15( F) DELDSD 1 Binary Flags for keywords specified or taken as defaults:
Bit
Keyword specified
0
SET
1
NOSET
2
VOLUME
3
GENERIC
4–7
Reserved for IBM's use
1 Binary Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified.
44 EBCDIC Data set name
6 EBCDIC Volume serial ID (VOLUME keyword)
1 Binary Flags for RACF processing:
Bit
Meaning
0
Profile inconsistent with RACF indicator
1
Generic profile name specified
2–7
Reserved for IBM's use
16(10) DELGROUP 8 EBCDIC Group name
17(11) DELUSER 8 EBCDIC User ID
18(12) PASSWORD 1 Binary Flags for keywords specified:
Bit
Keyword specified
0
INTERVAL
1
USER
2
PASSWORD
3
PHRASE
Start of change
4
PHRASEINT
End of change Start of change
5-7
Reserved for IBM's use
End of change
    1 Binary Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified.
    1 Binary Flags for keywords ignored because of error conditions: Same format as flags for keywords specified.
    4 Binary Change-interval (INTERVAL keyword)
Note: If the NOINTERVAL keyword is specified, the change-interval changes to X'FF'.
    8 EBCDIC User ID (USER keyword)
Start of change End of change Start of change End of change Start of change4End of change Start of changeBinaryEnd of change Start of changePassword phrase change-interval (PHRASEINT keyword)
Note: If the NOPHRASEINT keyword is specified, the Password phrase change-interval changes to 65535 (X'FFFF').
End of change
19(13) PERMIT 2 Binary Flags for keywords specified or taken as defaults:
Bit
Keyword specified
Byte 0
0
CLASS
1
ID
2
ACCESS
3
FROM
4
DELETE
5
FCLASS
6
VOLUME
7
FVOLUME
Byte 1
0
GENERIC
1
FGENERIC
2
RESET
3
WHEN
4
RESET(WHEN)
5
RESET(STANDARD)
6–7
Reserved for IBM's use
    2 Binary Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified, except that bits are not set for RESET(STANDARD) or RESET(WHEN).
    2 Binary Flags for keywords ignored because of error conditions: Same format as flags for keywords specified, except that bits are not set for RESET(STANDARD) or RESET(WHEN).
    2 Binary Flags for CLASS keyword, and for the RESET keyword:
Bit
Option specified
Byte 0
0–2
Reserved for IBM's use
3
DATASET
4
DASDVOL
5
TAPEVOL
6
TERMINAL
7
Reserved for IBM's use
Byte 1
0
FROM generic resource
1–5
Reserved for IBM's use
6
Conditional access list is indicated by RESET keyword.
7
Standard access list is indicated by RESET keyword.
19(13) (Cont.) PERMIT (Cont.) 1 Binary Flags for ACCESS keyword:
Note: If this is a non-DFP data set, RACF ignores bit 4 when checking access to the data set.
Bit
Authority specified
0
ALTER
1
CONTROL
2
UPDATE
3
READ
4
EXECUTE
5–6
Reserved for IBM's use
7
NONE
2 Binary Flags for FCLASS keyword:

Same format as flags for CLASS keyword.

20(14) RALTER * The data for event code 20 is identical to the data for event code 21, with these exceptions.
    2 Binary Flags for keywords specified:
Bit
Keyword specified
Byte 0
0
DATA
1
OWNER
2
UACC
3
LEVEL
4
AUDIT
*5
GLOBALAUDIT
*6
ADDVOL
*7
DELVOL
Byte 1
0
ADDMEM
1
DELMEM
2
APPLDATA
3
SINGLEDSN
*4
NOSINGLEDSN
5
WARNING
6
NOWARNING
7
WHEN
    2 Binary Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified.
    2 Binary Flags for class name:
Bit
Option specified
Byte 0
0–3
Reserved for IBM's use
4
DASDVOL
5
TAPEVOL
6
TERMINAL
7
Reserved for IBM's use
Byte 1
0
Generic resource name specified.
1–7
Reserved for IBM's use
    8 EBCDIC User ID or group name (OWNER keyword)
    1 Binary Flags for UACC keyword:
Bit
Authority specified
0
ALTER
1
CONTROL
2
UPDATE
3
READ
4
EXECUTE
5–6
Reserved for IBM's use
7
NONE
    1 Binary nn (LEVEL keyword)
20(14) (Cont.) RALTER (Cont.) 1 Binary Flags for AUDIT keyword:
Bit
Option specified
0
ALL
1
SUCCESS
2
FAILURES
3
NONE
4–5
Success qualifier codes:
‘00’  READ
‘01’  UPDATE
‘10’  CONTROL
‘11’  ALTER
6–7
FAILURES qualifier codes:
‘00’  READ
‘01’  UPDATE
‘10’  CONTROL
‘11’  ALTER
    1 Binary *Flags for GLOBALAUDIT keyword: Same format as flags for AUDIT keyword.
    2 Binary Flags for keywords specified:
Bit
Keyword specified
Byte 0
0
NOTIFY
*1
NONOTIFY
2
TVTOC
*3
NOTVTOC
4
TIMEZONE
*5
NOTIMEZONE
6
ADDCATEGORY
*7
DELCATEGORY
Byte 1
0
SECLEVEL
*1
NOSECLEVEL
2
FROM
3
FCLASS
4
FVOLUME
5
FGENERIC
6
SECLABEL
7
NOSECLABEL
    2 Binary Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified.
    8 EBCDIC User ID to be notified when profile denies access
    44 EBCDIC FROM resource name
    6 EBCDIC FROM volume volser
20(14) (Cont.) RALTER (Cont.) 8 EBCDIC FROM class name
1 Binary LOGON days:
Bit
Day specified
0
Sunday
1
Monday
2
Tuesday
3
Wednesday
4
Thursday
5
Friday
6
Saturday
7
No keyword
3 packed Logon time, packed. If no subkeyword, then binary zeros.
3 packed Logoff time, packed. If no subkeyword, then binary zeros.
3 packed TIMEZONE value:
Bit
Bit value specified
Byte 0–2
 
Signed decimal number
44 EBCDIC SECLEVEL name
8 EBCDIC SECLABEL name
21(15) RDEFINE * The data for event code 21 is identical to the data for event code 20, with these exceptions.
2 Binary Flags for keywords specified:
Bit
Keyword specified
Byte 0
0
DATA
1
OWNER
2
UACC
3
LEVEL
4
AUDIT
5
GLOBALAUDIT
6
ADDVOL
7
DELVOL
Byte 1
0
ADDMEM
1
DELMEM
2
APPLDATA
3
SINGLEDSN
4
NOSINGLEDSN
5
WARNING
6
NOWARNING
7
WHEN
2 Binary Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified.
2 Binary Flags for class name:
Bit
Option specified
Byte 0
0–3
Reserved for IBM's use
4
DASDVOL
5
TAPEVOL
6
TERMINAL
7
Reserved for IBM's use
Byte 1
0
Generic resource name specified
1–7
Reserved for IBM's use
8 EBCDIC User ID or group name (OWNER keyword)
21(15) (Cont.) RDEFINE (Cont.) 1 Binary Flags for UACC keyword:
Bit
Authority specified
0
ALTER
1
CONTROL
2
UPDATE
3
READ
4
EXECUTE
5–6
Reserved for IBM's use
7
NONE
1 Binary nn (LEVEL keyword)
1 Binary Flags for AUDIT keyword:
Bit
Authority specified
0
ALL
1
SUCCESS
‘00’  READ
‘01’  UPDATE
‘10’  CONTROL
‘11’  ALTER
2
FAILURES
‘00’  READ
‘01’  UPDATE
‘10’  CONTROL
‘11’  ALTER
3
NONE
4–5
SUCCESS qualifier codes
6–7
FAILURES qualifier codes
    1 Binary *Reserved for IBM's use
    2 Binary Flags for keywords specified:
Bit
Option specified
Byte 0
0
NOTIFY
*1
NONOTIFY
2
TVTOC
*3
NOTVTOC
4
TIMEZONE
*5
NOTIMEZONE
6
ADDCATEGORY
*7
DELCATEGORY
Byte 1
0
SECLEVEL
*1
NOSECLEVEL
2
FROM
3
FCLASS
4
FVOLUME
5
FGENERIC
6
SECLABEL
7
NOSECLABEL
    2 Binary Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified.
    8 EBCDIC User ID to be notified when profile denies access
    44 EBCDIC FROM resource name
21(15) (Cont.) RDEFINE (Cont.) 6 EBCDIC FROM volume volser
8 EBCDIC FROM class name
1 Binary LOGON days:
Bit
Day specified
0
Sunday
1
Monday
2
Tuesday
3
Wednesday
4
Thursday
5
Friday
6
Saturday
7
No keyword
3 packed Logon time, packed. If no subkeyword, then binary zeros.
3 packed Logoff time, packed. If no subkeyword, then binary zeros.
3 packed TIMEZONE value:
Bit
Option specified
Byte 0
0–7
Reserved for IBM's use
Byte 1
0–7
Reserved for IBM's use
Byte 2
0–3
Reserved for IBM's use
4–7
Time zone
44 EBCDIC SECLEVEL name
8 EBCDIC SECLABEL name
22(16) RDELETE 2 Binary Flags for class name:
Bit
Option specified
Byte 0
0–3
Reserved for IBM's use
4
DASDVOL
5
TAPEVOL
6
TERMINAL
7
Reserved for IBM's use
Byte 1
0
Generic resource name specified
1–7
Reserved for IBM's use
23(17) REMOVE 1 Binary Flags for keywords specified:
Bit
Keyword specified
0
GROUP
1
OWNER
2–7
Reserved for IBM's use
1 Binary Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified.
8 EBCDIC User ID (to be removed)
8 EBCDIC Group name (GROUP keyword)
8 EBCDIC User ID or group name (OWNER keyword)
24(18) SETROPTS 3 Binary Flags for keywords specified:
Bit
Option specified
Byte 0
0
TAPE
1
NOTAPE
2
INITSTATS
3
NOINITSTATS
4
SAUDIT
5
NOSAUDIT
6
STATISTICS
7
NOSTATISTICS
Byte 1
0
AUDIT
1
NOAUDIT
2
TERMINAL
3
NOTERMINAL
4
INTERVAL (PASSWORD)
5
CMDVIOL
6
NOCMDVIOL
7
DASD
Byte 2
0
NODASD
1
CLASSACT
2
NOCLASSACT
3
HISTORY or NOHISTORY
4
WARNING or NOWARNING
5
REVOKE or NOREVOKE
6
NORULES or RULEn
7
INACTIVE INTERVAL
    3 Binary Flags for keywords ignored because of insufficient authority: Same format as flags for keywords specified.
    1 Binary Flags for STATISTICS or NOSTATISTICS keyword:
Bit
Option specified
Byte 0
0–2
Reserved for IBM's use
3
DATASET
4
DASDVOL
5
TAPEVOL
6
TERMINAL
7
Reserved for IBM's use
    1 Binary Flags for keywords ignored:
Bit
Keyword specified
0
MODEL-GDG
1
MODEL-NOGDG
2
MODEL-USER
3
MODEL-NOUSER
4
MODEL-GROUP
5
MODEL-NOGROUP
6
GRPLIST
7
NOGRPLIST
24(18) (Cont.) SETROPTS (Cont.) 1 Binary Flags for AUDIT or NOAUDIT keyword:
Bit
Option specified
0
Reserved for IBM's use
1
GROUP
2
USER
3
DATASET
4
DASDVOL
5
TAPEVOL
6
TERMINAL
7
Reserved for IBM's use
    1 Binary Flags for keywords specified:
Bit
Option specified
0
MODEL-GDG
1
MODEL-NOGDG
2
MODEL-USER
3
MODEL-NOUSER
4
MODEL-GROUP
5
MODEL-NOGROUP
6
GRPLIST
7
NOGRPLIST
    1 Binary Change-interval (INTERVAL keyword)
    1 Binary Flags for TERMINAL keyword:
Bit
Option specified
0–2
Reserved for IBM's use
3
READ
4–6
Reserved for IBM's use
7
NONE
    1 Binary Flags for current statistics options after SETROPTS has executed:
Bit
Option specified
0
Reserved for IBM's use
1
Bypass RACINIT statistics
2
Bypass data set statistics
3
Bypass tape volume statistics
4
Bypass DASD volume statistics
5
Bypass terminal statistics
6
Bypass ADSP attribute
7
EGN in effect
    1 Binary Flags for current audit options after SETROPTS has executed:
Bit
Option specified
0
Reserved for IBM's use
1
Log group class
2
Log user class
3
Log data set class
4
Log DASD volume class
5
Log tape volume class
6
Log terminal class
7
Reserved for IBM's use
    1 Binary Reserved for IBM's use
24(18) (Cont.) SETROPTS (Cont.) 2 Binary Flags for miscellaneous options after SETROPTS has executed:
Bit
Option specified
Byte 0
0
Perform terminal authorization checking
1
Terminal UACC=NONE (if this bit is off, terminal UACC=READ)
2
Log RACF command violations
3
Log SPECIAL user activity
5–7
Reserved for IBM's use
Byte 1
0
Tape volume protection is in effect
1
DASD volume protection is in effect
2
Generic profile processing is in effect for the DATASET class
3
Generic command (GENCMD) processing is in effect for the DATASET class
4
REALDSN is in effect
5
JES-XBMALLRACF is in effect
6
JES-EARLYVERIFY is in effect
7
JES-BATCHALLRACF is in effect
    1 Binary Maximum password interval
    1 Binary Password history generation value
    1 Binary Password revoke value
    1 Binary Password warning level
    80 Binary EBCDIC Password syntax rules (eight rules). Each rule has the following basic format:
Byte
Description
0
Starting length value
1
Ending length value
2–9
Character content rules for each of the eight possible positions. The character values are:
L = Alphanumeric
A = Alphabetic
N = Numeric
V = Vowel
C = Consonant
W = No vowels
c  = Mixed consonant
m = Mixed numeric
v  = Mixed vowel
$  = National
s  = Special
x  = Mixed all
*  = Anything
    1 Binary User ID inactive interval
24(18) (Cont.) SETROPTS (Cont.) 3 Binary Flags for keywords specified:
Bit
Option specified
Byte 0
0
ADSP
1
NOADSP
2
GENERIC
3
NOGENERIC
4
GENCMD
5
NOGENCMD
6
GLOBAL
7
NOGLOBAL
Byte 1
0
PREFIX
1
NOPREFIX
2
REALDSN
3
NOREALDSN
4
JES-XBMALLRACF
5
JES-NOXBMALLRACF
6
JES-BATCHALLRACF
7
JES-NOBATCHALLRACF
Byte 2
0
JES-EARLYVERIFY
1
JES-NOEARLYVERIFY
2
REFRESH
3
PROTECTALL-WARNING
4
PROTECTALL-FAILURE
5
NOPROTECTALL
6
EGN in effect
7
NOEGN in effect
    3 Binary Flags for keywords specified but ignored because of insufficient authority: Same format as flags for keywords specified.
    8 EBCDIC Single-level data set name prefix
    3 Binary Flags for keywords specified:
Bit
Keyword specified
Byte 0
0
TAPEDSN
1
NOTAPEDSN
2
NOEOS
3
EOS
4
EOS-SECLEVEL
5
EOS-NOSECLEVEL
6
RETPD
7
WHEN
Byte 1
0
NOWHEN
1
OPERAUDIT
2
NOOPERAUDIT
3
RVARY SWITCH
4
RVARY ACTIVE/INACTIVE
5
ERASE-ALL
6
APPLAUDIT
7
NOAPPLAUDIT
Byte 2
0–7
Reserved for IBM's use
24(18) (Cont.) SETROPTS (Cont.) 3 Binary Flags for keywords specified but ignored because of insufficient authority: Same format as flags for keywords specified.
    1 Binary Erase on scratch security level
    2 Binary Retention period
    1 Binary Flags for miscellaneous options after SETROPTS processing:
Bit
Option specified
Byte 0
0
PROTECTALL-WARNING
1
PROTECTALL-FAILURES
2
EOS
3
EOS-SECLEVEL
4
TAPEDSN
5
WHEN
6
EOS ALL IN EFFECT (erase everything)
7
Reserved for IBM's use
24(18) (Cont.) SETROPTS (Cont.) 5 Binary Flags for keywords specified:
Bit
Option specified
Byte 0
0–7
Reserved for IBM's use
Byte 1
0
GENLIST
1
NOGENLIST
2
RACLIST
3
NORACLIST
4
SECLEVELAUDIT
5
NOSECLEVELAUDIT
6
SECLABELAUDIT
7
NOSECLABELAUDIT
8
SECLABELCONTROL
9
NOSECLABELCONTROL
10
MLQUIET
11
NOMLQUIET
12
MLSTABLE
13
NOMLSTABLE
14
GENERICOWNER
15
NOGENERICOWNER
16
SESSIONINTERVAL
17
NOSESSIONINTERVAL
18
JES NJEUSERID (user ID)
19
JES UNDEFINEDUSER (user ID)
20
COMPATMODE
24 (18) (Cont.) SETROPTS (Cont.) 5 Binary
21
NOCOMPATMODE
22
MLS WARNING
23
MLS FAILURES
24
NOMLS
25
MLACTIVE WARNING
26
MLACTIVE FAILURES
27
NOMLACTIVE
28
CATDSNS WARNING
29
CATDSNS FAILURES
30
NOCATDSNS
31
LOGOPTIONS
    4 Binary Flags for keywords specified but ignored because of insufficient authority: Same format as flags for keywords specified.
    1 Binary SECLEVEL audit value (auditing occurs for all resources having at least this value
    2 Binary SESSIONINTERVAL interval
    1 Binary Log options for data set
Bit
Keyword specified
0
ALWAYS
1
NEVER
2
SUCCESSES
3
FAILURES
4
DEFAULT
5–7
Reserved for IBM's use
    2 Binary Current SETROPTS options for multilevel security
Bit
Keyword specified
0
SECLABELAUDIT
1
SECLABELCONTROL
2
MLQUIET
3
MLSTABLE
4
GENERICOWNER
5
COMPATMODE
6
MLS WARNING
7
MLS FAILURES
8
MLACTIVE WARNING
9
MLACTIVE FAILURES
10
CATDSNS WARNING
11
CATDSNS FAILURES
12
APPLAUDIT
13
ADDCREATOR
14
ENHANCEDGENERICOWNER
15
Reserved for IBM's use
    8 EBCDIC User ID for JES NJEUSERID
    8 EBCDIC User ID for JES UNDEFINEDUSER
    1 Binary Password MINCHANGE interval value
    1 EBCDIC Reserved for IBM's use
    4 Binary Flags for keywords specified
Bit
Keyword specified
0
Primary language specified
1
Secondary language specified
2
ADDCREATOR specified
3
NOADDCREATOR specified
4
LIST specified
5
KERBLVL specified
6
ENHANCEDGENERICOWNER specified
7
Reserved for IBM's use
8
Password MINCHANGE specified
9
Password MIXEDCASE specified
10
Password NOMIXEDCASE specified
11
Password SPECIALCHARS specified
12
Password NOSPECIALCHARS specified
13
Password ALGORITHM specified
14
Password NOALGORITHM specified
Start of change15End of change
Start of changePassword PHRASEINT specifiedEnd of change
16
MLFSOBJ(ACTIVE) specified
17
MLFSOBJ(INACTIVE) specified
18
MLIPCOBJ(ACTIVE) specified
19
MLFSOBJ(INACTIVE) specified
20
MLNAMES specified
24(18) (Cont.) SETROPTS (Cont.)    
21
NOMLNAMES specified
22
SECLBYSYSTEM specified
23
NOSECLBYSYSTEM specified
24–31
Reserved for IBM's use
    4 Binary Flags for keywords specified but ignored because of insufficient authority: same format as flags for keywords specified.
    3 EBCDIC Primary language default
    3 EBCDIC Secondary language default
    1 Binary Flags for asterisk (*) specified
Bit
Keyword specified
0
Asterisk (*) specified for GENERIC
1
Asterisk (*) specified for GLOBAL
2
Asterisk (*) specified for AUDIT
3
Asterisk (*) specified for STATISTICS
4
Asterisk (*) specified for CLASSACT
5
Asterisk (*) specified for GENCMD
6
Asterisk (*) specified for LOGOPTIONS DEFAULT
7
Reserved for IBM's use
    1 Binary KERBLVL setting
    1 Binary Current multilevel security options
Bit
Keyword specified
0
MLFSOBJ is active
1
MLIPCOBJ is active
2
MLNAMES is active
3
SECLBYSYSTEM is active
4–7
Reserved for IBM's use
    1 Binary Current minimum password change interval (MINCHANGE)
    1 Binary Current options
Bit
Option
0
Mixed case passwords are allowed
1
Special characters are allowed in passwords
2–7
Reserved for IBM's use
    1 Binary Password algorithm in effect
Bit
Meaning
0
Existing algorithm as indicated by ICHDEX01 (masking, DES, or installation-defined)
1
KDFAES
Start of change End of change Start of change End of change Start of change2End of change Start of changeBinaryEnd of change Start of changePassword Phrase change-interval (PHRASEINT) keyword)End of change
Start of change End of change Start of change End of change Start of change73End of change Start of changeEBCDICEnd of change Start of changeReserved for IBM's useEnd of change
25(19) RVARY 1 Binary Flags for keywords specified:
Bit
Keyword specified
0
ACTIVE
1
INACTIVE
2
NOTAPE
3
NOCLASSACT
4
SWITCH
5
DATASET
6
LIST
7
NOLIST
    1 Binary Flags for other violations:
Bit
Violation
0
Command denied by operator
1
Nonzero code returned from RACF manager during ACTIVE processing
2–7
Reserved for IBM's use
    1 Binary Flags for other keywords specified:
Bit
Keyword specified
0
DATASHARE
1
NODATASHARE
59(3B) RACLINK 20 EBCDIC Phase identifier (1 of 3 values: LOCAL ISSUANCE, TARGET PROCESSING, or TARGET RESPONSE)
    2 Binary Flags for keywords specified:
Bit
Option specified
Byte 0
0
DEFINE
1
UNDEFINE
2
APPROVE
3–7
Reserved for IBM's use
Byte 1
0
PEER
1
MANAGED
2
PWSYNC
3
NOPWSYNC
4
Password supplied
5–7
Reserved for IBM's use
    2 Binary Reserved for IBM's use
    8 EBCDIC Issuing node
    8 EBCDIC Issuing user ID
    8 EBCDIC Source user ID for association (from ID keyword)
    8 EBCDIC Target node name
    8 EBCDIC Target user ID
    8 EBCDIC Target authorization ID (ID under whose authority the association was established)
    4 EBCDIC Originating system's SMF ID from where LOCAL ISSUANCE occurred
    4 Binary Original time stamp (local time) from when LOCAL ISSUANCE occurred
    4 Packed Original date when LOCAL ISSUANCE occurred
Note: The preceding 3 fields contain the LOCAL ISSUANCE information for all 3 phases.
    1 Binary Status flags:
Bit
Status
Byte 0
0
Association established
1
Association pending
2
Association deleted
3
Password supplied is not valid
4
Valid password supplied
5
Expired password supplied
6
Revoked user ID
7
Reserved for IBM's use
Note: When the event code qualifier is 0, and the status flags indicate that no password was supplied and that the association is established, an authorization user ID was used from the association list. If the status flags indicate that no password was supplied and the association is pending, no user ID in the authorization list had the appropriate authority or no association list exists.
66(42) RACDCERT 4 Binary Flags for keywords specified:
Bit
Keyword specified
Byte 0
0
ADD
1
ALTER
2
DELETE
3
CONNECT
4
REMOVE
5
SITE
6
CERTAUTH
7
ICSF
Byte 1
0
TRUST
1
NOTRUST
2
ADDRING
3
DELRING
4
USAGE(PERSONAL)
5
USAGE(SITE)
6
USAGE(CERTAUTH)
7
DEFAULT
Byte 2
0
CONNECT(SITE)
1
CONNECT(CERTAUTH)
2
GENCERT
3
EXPORT
4
GENREQ
5
SIGNWITH(CERTAUTH... specified
6
SIGNWITH(SITE... specified
7
PASSWORD
66(42) (Cont.) RACDCERT (Cont.) 4 Binary
Byte 3
0
MAP
1
ALTMAP
2
DELMAP
3
MULTIID
4
HIGHTRUST
5
PCICC
6
DSA
7
FROMICSF
    8 EBCDIC User ID (from ID keyword on RACDCERT)
    44 EBCDIC Data set name
    32 EBCDIC Label name
    8 EBCDIC User ID (from ID sub-keyword)
    32 EBCDIC WITHLABEL
    4 Binary SIZE
    10 EBCDIC NOTBEFORE(date) in the format yyyy/mm/dd
    8 EBCDIC NOTBEFORE(time) in the format hh:mm:ss
    10 EBCDIC NOTAFTER(date) in the format yyyy/mm/dd
    8 EBCDIC NOTAFTER(time) in the format hh:mm:ss
    1 Binary FORMAT
X'01'
CERTB64
X'02'
CERTDER
X'03'
PKCS12B64
X'04'
PKCS12DER
X'05'
PKCS7B64
X'06'
PKCS7DER
66(42) (Cont.) RACDCERT (Cont.) 4 Binary More flags for keywords specified:
Bit
Keyword specified
Byte 0
0
ALTIP
1
ALTEMAIL
2
ALTDOMAIN
3
ALTURI
4
KUHANDSHAKE
5
KUDATAENCR
6
KUDOCSIGN
7
KUCERTSIGN
Byte 1
0
REKEY
1
ROLLOVER
2
FORCE
3
ADDTOKEN
4
DELTOKEN
5
BIND
6
UNBIND
7
IMPORT
Byte 2
0
NISTECC
1
BPECC
2
KUKEYAGREE
3
RSA
4
PKDS
5
TOKEN
6–7
Reserved for IBM's use
Byte 3
0–7
Reserved for IBM's use
    4 Binary SEQNUM
87(57) RACMAP 4 Binary Flags for keywords specified:
Bit
Keyword specified
Byte 0
0
MAP
1
DELMAP
2
QUERY
3–7
Reserved for IBM's use
Byte 1
0–7
Reserved for IBM's use
Byte 2
0–7
Reserved for IBM's use
Byte 3
0–7
Reserved for IBM's use
    8 EBCDIC User ID
    32 EBCDIC Label name