Record extensions

The following topics describe event-specific information. The extensions reflect the relocate section data for a specific event code. Fields in the event-specific information might contain blanks because not all relocate sections are created for a given event code.

The JOBINIT record extension

Table 1 describes the format of a record that is created by the RACINIT function, which occurs for user logons, batch job initiations, and at other times during the life of a unit of work. These fields are only present on JOBINIT records that are created from SMF type 80 records. JOBINIT records that are created from SMF type 30 records contain blanks in these fields.
The event qualifiers that can be associated with a JOBINIT event are shown in Table 2.
Table 1. Format of the job initiation record extension (event code 01)
Field name Type Length Start position End position Comments
INIT_APPL Char 8 282 289 Application name specified on the REQUEST=VERIFY.
INIT_LOGSTR Char 255 291 545 LOGSTR= data from the RACROUTE
INIT_BAD_JOBNAME Char 8 547 554 The invalid job name that was processed.
INIT_USER_NAME Char 20 556 575 The name associated with the user ID.
INIT_UTK_ENCR Yes/No 4 577 580 Is the UTOKEN associated with this user encrypted?
INIT_UTK_PRE19 Yes/No 4 582 585 Is this a pre-1.9 token?
INIT_UTK_VERPROF Yes/No 4 587 590 Is the VERIFYX propagation flag set?
INIT_UTK_NJEUNUSR Yes/No 4 592 595 Is this the NJE undefined user?
INIT_UTK_LOGUSR Yes/No 4 597 600 Is UAUDIT specified for this user?
INIT_UTK_SPECIAL Yes/No 4 602 605 Is this a SPECIAL user?
INIT_UTK_DEFAULT Yes/No 4 607 610 Is this a default token?
INIT_UTK_UNKNUSR Yes/No 4 612 615 Is this an undefined user?
INIT_UTK_ERROR Yes/No 4 617 620 Is this user token in error?
INIT_UTK_TRUSTED Yes/No 4 622 625 Is this user a part of the trusted computing base (TCB)?
INIT_UTK_SESSTYPE Char 8 627 634 The session type of this session. See z/OS Security Server RACROUTE Macro Reference for a description of the valid values for session type. A null session type results in the unloading of blanks.
INIT_UTK_SURROGAT Yes/No 4 636 639 Is this a surrogate user?
INIT_UTK_REMOTE Yes/No 4 641 644 Is this a remote job?
INIT_UTK_PRIV Yes/No 4 646 649 Is this a privileged user ID?
INIT_UTK_SECL Char 8 651 658 The security label of the user.
INIT_UTK_EXECNODE Char 8 660 667 The execution node of the work.
INIT_UTK_SUSER_ID Char 8 669 676 The submitting user ID.
INIT_UTK_SNODE Char 8 678 685 The submitting node.
INIT_UTK_SGRP_ID Char 8 687 694 The submitting group name.
INIT_UTK_SPOE Char 8 696 703 The port of entry.
INIT_UTK_SPCLASS Char 8 705 712 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
INIT_UTK_USER_ID Char 8 714 721 User ID associated with the record.
INIT_UTK_GRP_ID Char 8 723 730 Group name associated with the record.
INIT_UTK_DFT_GRP Yes/No 4 732 735 Is a default group assigned?
INIT_UTK_DFT_SECL Yes/No 4 737 740 Is a default security label assigned?
INIT_APPC_LINK Char 16 742 757 A key to link together audit records for a user's APPC transaction processing work.
INIT_UTK_NETW Char 8 759 766 The port of entry network name.
INIT_RES_NAME Char 255 768 1022 Resource name.
INIT_CLASS Char 8 1024 1031 Class name.
INIT_X500_SUBJECT Char 255 1033 1287 Subject's name associated with this event.
INIT_X500_ISSUER Char 255 1289 1543 Issuer's name associated with this event.
INIT_SERVSECL Char 8 1545 1552 Security label of the server.
INIT_SERV_POENAME Char 64 1554 1617 SERVAUTH resource or profile name.
INIT_CTX_USER Char 510 1619 2128 Authenticated user name.
INIT_CTX_REG Char 255 2130 2384 Authenticated user registry name.
INIT_CTX_HOST Char 128 2386 2513 Authenticated user host name.
INIT_CTX_MECH Char 16 2515 2530 Authenticated user authentication mechanism object identifier (OID).
INIT_IDID_USER Char 985 2532 3516 Authenticated distributed user name.
INIT_IDID_REG Char 1021 3518 4538 Authenticated distributed user registry name.
INIT_ACEE_VLF Yes/No 4 4540 4543 The ACEE was created from the VLF cache.
INIT_MFA_USER Yes/No 4 4545 4548 The user has active MFA factors.
INIT_MFA_FALLBACK Yes/No 4 4550 4553 The MFA user is allowed to fall back to password authentication when IBM® MFA is unavailable.
INIT_MFA_UNAVAIL Yes/No 4 4555 4558 MFA was unavailable to make an authentication decision for the IBM MFA user.
INIT_MFA_PWD_EXPIRED Yes/No 4 4560 4563 IBM MFA requested that RACROUTE REQUEST=VERIFY return the password-expired return code.
INIT_MFA_NPWD_INV Yes/No 4 4565 4568 IBM MFA requested that RACROUTE REQUEST=VERIFY return the new-password-invalid return code.
INIT_MFA_PART_SUCC Yes/No 4 4570 4573 IBM MFA requested that RACROUTE REQUEST=VERIFY return the password-invalid return code, but not to increment the password revoke count (partial success - needs more information).
INIT_RELO443_EXTENDED Yes/No 4 4575 4578 Relocate 443 is extended up to field INIT_SERVICE_RSNC. When this bit is off, the last field is INIT_AUTH_RSN2.
INIT_PASSWORD_EVAL Yes/No 4 4580 4583 The supplied password was evaluated.
INIT_PASSWORD_SUCC Yes/No 4 4585 4588 The supplied password was evaluated successfully.
INIT_PHRASE_EVAL Yes/No 4 4590 4593 The supplied password phrase was evaluated.
INIT_PHRASE_SUCC Yes/No 4 4595 4598 The supplied password phrase was evaluated successfully.
INIT_PASSTICKET_EVAL Yes/No 4 4600 4603 The supplied password was evaluated as a PassTicket.
INIT_PASSTICKET_SUCC Yes/No 4 4605 4608 The supplied password was evaluated successfully as a PassTicket.
INIT_MFA_SUCC Yes/No 4 4610 4613 MFA authentication successful.
INIT_MFA_FAIL Yes/No 4 4615 4618 MFA authentication unsuccessful.
INIT_AUTH_RSN1 Char 8 4620 4627 MFA Authentication return code. Expressed as hexadecimal number.
INIT_AUTH_RSN2 Char 8 4629 4636 MFA Authentication reason code. Expressed as hexadecimal number.
INIT_AUTH_RSN3 Char 8 4638 4645 PassTicket Authentication return code. Expressed as hexadecimal number.
INIT_AUTH_RSN4 Char 8 4647 4654 PassTicket Authentication reason code. Expressed as hexadecimal number.
INIT_PWD_PHR_EXPIRED Yes/No 1 4656 4659 The supplied password or password phrase was expired.
INIT_NPWD_NPHR_NONVAL Yes/No 1 4661 4664 The supplied new password or new password phrase was not valid.
INIT_IDT_EVAL Yes/No 1 4666 4669 The supplied Identity Token (IDT) was evaluated.
INIT_IDT_SUCC Yes/No 1 4671 4674 The supplied Identity Token (IDT) was evaluated successfully.
INIT_MFA_REAUTHENT Yes/No 1 4676 4679 IBM MFA requested that RACROUTE REQUEST=VERIFY return the password-invalid return code, but not to increment the password revoke count (reauthentication requested).
INIT_LPT_EVAL Yes/No 4 4681 4684 The supplied Password was evaluated as a legacy PassTicket.
INIT_LPT_SUCC Yes/No 4 4686 4689 The supplied Password was evaluated successfully as a legacy PassTicket.
INIT_EPT_UPPER_EVAL Yes/No 4 4691 4694 The supplied Password was evaluated as an enhanced PassTicket type UPPER.
INIT_EPT_UPPER_SUCC Yes/No 4 4696 4699 The supplied Password was evaluated successfully as an enhanced PassTicket type UPPER.
INIT_EPT_MIXED_EVAL Yes/No 4 4701 4704 The supplied Password was evaluated as an enhanced PassTicket type MIXED.
INIT_EPT_MIXED_SUCC Yes/No 4 4706 4709 The supplied Password was evaluated successfully as an enhanced PassTicket type MIXED.
INIT_IDT_FROM_SEC_ENV Yes/No 4 4711 4714 IDT from existing security environment.
INIT_RELO443_EXTEND_2 Yes/No 4 4716 4719 Relocate 443 is extended up to field INIT_RESERVED_22.
INIT_RESERVED_09 Yes/No 4 4721 4724 Reserved for IBM use.
INIT_RESERVED_10 Yes/No 4 4726 4729 Reserved for IBM use.
INIT_RESERVED_11 Yes/No 4 4731 4734 Reserved for IBM use.
INIT_DERIVED_APPL_NAM Char 8 4736 4743 Derived Application Name
INIT_IDT_VALIDTN_RSNC Char 8 4745 4752 IDT Validation Reason Code.
INIT_IDT_ERROR_RSNC Char 8 4754 4761 IDT Error Reason Code.
INIT_SERVICE_CODE Char 8 4763 4770 Failing Service Identifier.
INIT_SERVICE_RC Char 8 4772 4779 Failing Service Return Code.
INIT_SERVICE_RSNC Char 8 4781 4788 Failing Service Reason Code.
INIT_IDT_SIG_ALG Char 10 4790 4799 Signature algorithm from IDT.
INIT_IDT_KID Char 32 4801 4832 Key Identifier from IDT.
INIT_RESERVED_12 Char 100 4834 4933 Reserved for IBM use.
INIT_RESERVED_13 Char 100 4935 5034 Reserved for IBM use.
INIT_RESERVED_14 Char 246 5036 5281 Reserved for IBM use.
INIT_IDT_SIG_EVAL_PRI Yes/No 4 5283 5286 IDT signature evaluated with primary label.
INIT_IDT_SIG_EVAL_TOK Yes/No 4 5288 5291 IDT signature evaluated with token.
INIT_RESERVED_17 Yes/No 4 5293 5296 Reserved for IBM use.
INIT_RESERVED_18 Yes/No 4 5298 5301 Reserved for IBM use.
INIT_RESERVED_19 Yes/No 4 5303 5306 Reserved for IBM use.
INIT_RESERVED_20 Yes/No 4 5308 5311 Reserved for IBM use.
INIT_RESERVED_21 Yes/No 4 5313 5316 Reserved for IBM use.
INIT_RESERVED_22 Yes/No 4 5318 5321 Reserved for IBM use.
Table 2. Event qualifiers for JOBINIT records
Event qualifier Event qualifier number Event description
SUCCESS -- Successful initiation (from type 30 record)
TERM -- Successful termination (from type 30 record)
SUCCESSI 00 Successful initiation.
INVPSWD 01 Not a valid password.
INVGRP 02 Not a valid group.
INVOID 03 Not a valid OIDCARD.
INVTERM 04 Not a valid terminal.
INVAPPL 05 Not a valid application.
REVKUSER 06 User has been revoked.
REVKAUTO 07 User automatically revoked because of excessive password and password phrase attempts.
SUCCESST 08 Successful termination.
UNDFUSER 09 User not defined to RACF®.
INSSECL 10 Insufficient security label.
NASECL 11 Not authorized to security label.
RACINITI 12 Successful RACINIT initiation.
RACINITD 13 Successful RACINIT deletion.
MOREAUTH 14 User does not have authority to log on while SETROPTS MLQUIET is in effect.
RJENAUTH 15 RJE not authorized.
SURROGTI 16 Surrogate class inactive.
SUBNATHU 17 Submitter not authorized by user.
SUBNATHS 18 Submitter not authorized by security label.
USERNJOB 19 User not authorized to the job.
WINSSECL 20 Warning: Insufficient security label.
WSECLM 21 Warning: security label missing from job.
WNASECL 22 Warning: Not authorized to security label.
SECLNCM 23 Security labels not compatible.
WSECLNCM 24 Warning: security labels not compatible.
PWDEXPR 25 Current password has expired.
INVNPWD 26 Not a valid new password.
EXITFAIL 27 Failed by installation exit.
GRPARVKD 28 Group access revoked.
OIDREQD 29 OIDCARD required.
NJENAUTH 30 NJE job not authorized.
WUKNUPRP 31 Warning: Undefined user from trusted node propagated.
SUCCESSP 32 Successful initiation using a PassTicket.
PTKTREPL 33 Attempted replay of PassTicket.
SECLSRVM 34 Mismatch with server's security label.
REVKINAC 35 User automatically revoked because of inactivity.
INVPHRS 36 Password phrase is not valid.
INVNPHRS 37 New password phrase is not valid.
PHRSEXPR 38 Current password phrase has expired.
DIDNOTDF 39 No RACF user ID found for distributed identity.
SUCCESSM 40 Successful IBM Multi-Factor Authentication authentication.
INVMFA 41 Failed IBM Multi-Factor Authentication authentication.
MFAUNAVL 42 Failed authentication because no multi-factor authentication decision could be made for an IBM MFA user who has the NOPWFALLBACK option.
MFAPSUCC 43 IBM MFA partial success: credentials were not incorrect, but a re-authentication is required.
IDTVALF 44 Identity Token validation error.
IDTF 45 Identity Token build error.
INVIDT 46 Failed Identity Token authentication.
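
The following Python sketch is an added example, not IBM code: it reads a subset of the Table 1 fields by column position and triages JOBINIT records using Table 2 qualifiers. It assumes the common record header (not described on this page) holds the event type in columns 1-8 and the qualifier in columns 10-17, and that Yes/No fields are unloaded as the text YES or NO; the sample records are constructed.

```python
"""Parse and triage JOBINIT extensions of unloaded RACF SMF records (added example)."""

# Assumption (header layout is not on this page): the common record header
# carries the event type in columns 1-8 and the event qualifier in 10-17.
HEADER_FIELDS = {"EVENT_TYPE": (1, 8), "EVENT_QUAL": (10, 17)}

# 1-based inclusive (start, end) columns copied from Table 1; subset only.
CHAR_FIELDS = {
    "INIT_APPL": (282, 289),
    "INIT_UTK_SPOE": (696, 703),
    "INIT_UTK_SPCLASS": (705, 712),
    "INIT_UTK_USER_ID": (714, 721),
    "INIT_SERVICE_RSNC": (4781, 4788),
}
YES_NO_FIELDS = {
    "INIT_UTK_SPECIAL": (602, 605),
    "INIT_MFA_USER": (4545, 4548),
    "INIT_MFA_FALLBACK": (4550, 4553),
    "INIT_MFA_UNAVAIL": (4555, 4558),
    "INIT_RELO443_EXTENDED": (4575, 4578),
    "INIT_PASSWORD_EVAL": (4580, 4583),
    "INIT_PASSWORD_SUCC": (4585, 4588),
}
LAYOUT = {**HEADER_FIELDS, **CHAR_FIELDS, **YES_NO_FIELDS}

# Table 2 qualifiers this example chooses to alert on (the selection is ours).
ALERT_QUALIFIERS = {
    "INVPSWD": "Not a valid password.",
    "REVKAUTO": "User automatically revoked because of excessive attempts.",
    "PTKTREPL": "Attempted replay of PassTicket.",
    "INVMFA": "Failed IBM Multi-Factor Authentication authentication.",
    "MFAUNAVL": "No MFA decision could be made for a NOPWFALLBACK user.",
    "INVIDT": "Failed Identity Token authentication.",
}


def cut(line, start, end):
    """Return columns start..end (1-based, inclusive) with blanks stripped.

    A record that ends before `start` yields '' rather than raising, which
    covers records where relocate 443 is not extended.
    """
    return line[start - 1:end].strip()


def parse_jobinit(line):
    """Return a dict of header and JOBINIT fields for one unloaded record."""
    rec = {name: cut(line, *pos) for name, pos in HEADER_FIELDS.items()}
    if rec["EVENT_TYPE"] != "JOBINIT":
        raise ValueError("not a JOBINIT record: %r" % rec["EVENT_TYPE"])
    for name, pos in CHAR_FIELDS.items():
        rec[name] = cut(line, *pos)
    for name, pos in YES_NO_FIELDS.items():
        # Assumption: flags are the text YES or NO. None means blank, which
        # is what JOBINIT records built from SMF type 30 contain.
        rec[name] = {"YES": True, "NO": False}.get(cut(line, *pos))
    return rec


def triage(rec):
    """Return a list of findings for one parsed JOBINIT record."""
    findings = []
    qual = rec["EVENT_QUAL"]
    if qual in ALERT_QUALIFIERS:
        findings.append("%s: %s" % (qual, ALERT_QUALIFIERS[qual]))
    # An MFA user whose password was accepted while MFA could not decide.
    if rec["INIT_MFA_USER"] and rec["INIT_MFA_UNAVAIL"] and rec["INIT_PASSWORD_SUCC"]:
        findings.append("MFA_FALLBACK: password accepted while MFA was unavailable")
    return findings


def build_sample(qual, **values):
    """Constructed test data: a blank record with fields placed by column."""
    buf = [" "] * 4788
    values = {"EVENT_TYPE": "JOBINIT", "EVENT_QUAL": qual, **values}
    for name, text in values.items():
        start, end = LAYOUT[name]
        width = end - start + 1
        buf[start - 1:end] = text.ljust(width)[:width]
    return "".join(buf)


if __name__ == "__main__":
    samples = [
        build_sample("INVPSWD", INIT_UTK_USER_ID="USER01",
                     INIT_UTK_SPOE="TERM0001", INIT_UTK_SPCLASS="TERMINAL",
                     INIT_PASSWORD_EVAL="YES", INIT_PASSWORD_SUCC="NO"),
        build_sample("SUCCESSI", INIT_UTK_USER_ID="USER02", INIT_MFA_USER="YES",
                     INIT_MFA_FALLBACK="YES", INIT_MFA_UNAVAIL="YES",
                     INIT_PASSWORD_EVAL="YES", INIT_PASSWORD_SUCC="YES"),
        build_sample("SUCCESS"),  # type 30 style: extension fields are blank
    ]
    for line in samples:
        rec = parse_jobinit(line)
        print(rec["INIT_UTK_USER_ID"] or "-", rec["EVENT_QUAL"], triage(rec))
```
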

The ACCESS record extension

Table 3 describes the format of a record that is created by the access to a resource.
The event qualifiers that can be associated with an access event are shown in Table 4.
Table 3. Format of the ACCESS record extension (event code number 02)
Field name Type Length Start position End position Comments
ACC_RES_NAME Char 255 282 536 Resource name or old resource name.
ACC_REQUEST Char 8 538 545 Access authority requested.
ACC_GRANT Char 8 547 554 Access authority granted.
ACC_LEVEL Integer 3 556 558 Level of the resource.
ACC_VOL Char 6 560 565 Volume of the resource.
ACC_OLDVOL Char 6 567 572 OLDVOL of the resource.
ACC_CLASS Char 8 574 581 Class name.
ACC_APPL Char 8 583 590 Application name specified.
ACC_TYPE Char 8 592 599 Type of resource data. Valid values are as follows:
RESOURCE
If the resource name is generic, ACC_TYPE is RESOURCE.
PROFILE
If the profile name is generic, ACC_TYPE is PROFILE.
If both the resource name and profile name are discrete, ACC_TYPE is blank.
ACC_NAME Char 246 601 846 Resource name or profile name.
Note: This field is blank if a discrete profile was used, or when no profile was used, such as when a user accesses their own JES spool files. For discrete profiles, the profile name that was used is the same as the resource name.
ACC_OWN_ID Char 8 848 855 Name of the profile owner.
ACC_LOGSTR Char 255 857 1111 LOGSTR= data from the RACROUTE.
ACC_RECVR Char 8 1113 1120 User ID to whom the data is directed (RECVR= on RACROUTE).
ACC_USER_NAME Char 20 1122 1141 User name from the ACEE.
ACC_SECL Char 8 1143 1150 Security label of the resource.
ACC_UTK_ENCR Yes/No 4 1152 1155 Is the UTOKEN associated with this user encrypted?
ACC_UTK_PRE19 Yes/No 4 1157 1160 Is this a pre-1.9 token?
ACC_UTK_VERPROF Yes/No 4 1162 1165 Is the VERIFYX propagation flag set?
ACC_UTK_NJEUNUSR Yes/No 4 1167 1170 Is this the NJE undefined user?
ACC_UTK_LOGUSR Yes/No 4 1172 1175 Is UAUDIT specified for this user?
ACC_UTK_SPECIAL Yes/No 4 1177 1180 Is this a SPECIAL user?
ACC_UTK_DEFAULT Yes/No 4 1182 1185 Is this a default token?
ACC_UTK_UNKNUSR Yes/No 4 1187 1190 Is this an undefined user?
ACC_UTK_ERROR Yes/No 4 1192 1195 Is this user token in error?
ACC_UTK_TRUSTED Yes/No 4 1197 1200 Is this user a part of the trusted computing base (TCB)?
ACC_UTK_SESSTYPE Char 8 1202 1209 The session type of this session.
ACC_UTK_SURROGAT Yes/No 4 1211 1214 Is this a surrogate user?
ACC_UTK_REMOTE Yes/No 4 1216 1219 Is this a remote job?
ACC_UTK_PRIV Yes/No 4 1221 1224 Is this a privileged user ID?
ACC_UTK_SECL Char 8 1226 1233 The security label of the user.
ACC_UTK_EXECNODE Char 8 1235 1242 The execution node of the work.
ACC_UTK_SUSER_ID Char 8 1244 1251 The submitting user ID.
ACC_UTK_SNODE Char 8 1253 1260 The submitting node.
ACC_UTK_SGRP_ID Char 8 1262 1269 The submitting group name.
ACC_UTK_SPOE Char 8 1271 1278 The port of entry.
ACC_UTK_SPCLASS Char 8 1280 1287 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
ACC_UTK_USER_ID Char 8 1289 1296 User ID associated with the record.
ACC_UTK_GRP_ID Char 8 1298 1305 Group name associated with the record.
ACC_UTK_DFT_GRP Yes/No 4 1307 1310 Is a default group assigned?
ACC_UTK_DFT_SECL Yes/No 4 1312 1315 Is a default security label assigned?
ACC_RTK_ENCR Yes/No 4 1317 1320 Is the RTOKEN associated with this user encrypted?
ACC_RTK_PRE19 Yes/No 4 1322 1325 Is this a pre-1.9 token?
ACC_RTK_VERPROF Yes/No 4 1327 1330 Is the VERIFYX propagation flag set?
ACC_RTK_NJEUNUSR Yes/No 4 1332 1335 Is this the NJE undefined user?
ACC_RTK_LOGUSR Yes/No 4 1337 1340 Is UAUDIT specified for this user?
ACC_RTK_SPECIAL Yes/No 4 1342 1345 Is this a SPECIAL user?
ACC_RTK_DEFAULT Yes/No 4 1347 1350 Is this a default token?
ACC_RTK_UNKNUSR Yes/No 4 1352 1355 Is this an undefined user?
ACC_RTK_ERROR Yes/No 4 1357 1360 Is this user token in error?
ACC_RTK_TRUSTED Yes/No 4 1362 1365 Is this user a part of the trusted computing base (TCB)?
ACC_RTK_SESSTYPE Char 8 1367 1374 The session type of this session.
ACC_RTK_SURROGAT Yes/No 4 1376 1379 Is this a surrogate user?
ACC_RTK_REMOTE Yes/No 4 1381 1384 Is this a remote job?
ACC_RTK_PRIV Yes/No 4 1386 1389 Is this a privileged user ID?
ACC_RTK_SECL Char 8 1391 1398 The security label of the user.
ACC_RTK_EXECNODE Char 8 1400 1407 The execution node of the work.
ACC_RTK_SUSER_ID Char 8 1409 1416 The submitting user ID.
ACC_RTK_SNODE Char 8 1418 1425 The submitting node.
ACC_RTK_SGRP_ID Char 8 1427 1434 The submitting group name.
ACC_RTK_SPOE Char 8 1436 1443 The port of entry.
ACC_RTK_SPCLASS Char 8 1445 1452 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
ACC_RTK_USER_ID Char 8 1454 1461 User ID associated with the record.
ACC_RTK_GRP_ID Char 8 1463 1470 Group name associated with the record.
ACC_RTK_DFT_GRP Yes/No 4 1472 1475 Is a default group assigned?
ACC_RTK_DFT_SECL Yes/No 4 1477 1480 Is a default security label assigned?
ACC_APPC_LINK Char 16 1482 1497 A key to link together audit records for a user's APPC transaction processing work.
ACC_DCE_LINK Char 16 1499 1514 Link to connect DCE records that originate from a single DCE request.
ACC_AUTH_TYPE Char 13 1516 1528 Defines the type of request. Valid values are SERVER, AUTH_CLIENT, UNAUTH_CLIENT and NESTED.
ACC_PDS_DSN Char 44 1530 1573 Partitioned data set name.
ACC_UTK_NETW Char 8 1575 1582 The port of entry network name.
ACC_RTK_NETW Char 8 1584 1591 The network name from the RTOKEN.
ACC_X500_SUBJECT Char 255 1593 1847 Subject's name associated with this event.
ACC_X500_ISSUER Char 255 1849 2103 Issuer's name associated with this event.
ACC_USECL Char 8 2105 2112 Security label of the resource (for DIRAUTH processing only).
ACC_SERV_POENAME Char 64 2114 2177 SERVAUTH resource or profile name.
ACC_NEST_PRIMARY Char 8 2179 2186 Primary (client) user ID in nested ACEE.
ACC_CTX_USER Char 510 2188 2697 Authenticated user name.
ACC_CTX_REG Char 255 2699 2953 Authenticated user registry name.
ACC_CTX_HOST Char 128 2955 3082 Authenticated user host name.
ACC_CTX_MECH Char 16 3084 3099 Authenticated user authentication mechanism object identifier (OID).
ACC_CRITERIA Char 244 3101 3344 Access criteria.
ACC_IDID_USER Char 985 3346 4330 Authenticated distributed user name.
ACC_IDID_REG Char 1021 4332 5352 Authenticated distributed user registry name.
ACC_Reserved_1 Integer 4 5354 5357  
ACC_Reserved_2 Char 8 5359 5366  
ACC_Reserved_3 Char 8 5368 5375  
ACC_LOGSTRX_TYPE Char 4 5377 5380 Value=0001 is the only value currently supported and indicates that the following triplets contain the identity of the CICS® client accessing a resource.
ACC_CICSU_USER_ID Char 8 5382 5389 CICS client user ID.
ACC_CICSU_X500_SUBJECT Char 255 5391 5645 CICS client X500 subject if a certificate is provided.
ACC_CICSU_X500_ISSUER Char 255 5647 5901 CICS client X500 certificate issuer.
ACC_CICSU_IDID_USR_EBC Char 738 5903 6640 CICS client IDID User in EBCDIC.
ACC_CICSU_IDID_USR_UTF8 Char 246 6642 6887 CICS client IDID user in UTF8.
ACC_CICSU_IDID_REG_EBC Char 765 6889 7653 CICS client IDID registry in EBCDIC.
ACC_CICSU_IDID_REG_UTF8 Char 255 7655 7909 CICS client IDID registry in UTF8.
ACC_CICSU_APPLID Char 8 7911 7918 CICS client Application ID.
ACC_CICSU_TRANID Char 4 7920 7923 CICS client Transaction ID.
Table 4. Event qualifiers for access records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful access.
INSAUTH 01 Insufficient authority.
PRFNFND 02 Profile not found; RACFIND specified on macro.
WARNING 03 Access allowed by WARNING.
FPROTALL 04 Failed by PROTECTALL.
WPROTALL 05 PROTECTALL warning.
INSCATG 06 Insufficient category or level.
INSSECL 07 Insufficient security label.
WSECLM 08 Warning: security label missing.
WINSSECL 09 Warning: Insufficient security label.
WNOTCAT 10 Warning: Data set not cataloged, but was required for authority check.
NOTCAT 11 Data set not cataloged.
PRFNFDAI 12 Profile not found.
WINSCATG 13 Warning: Insufficient category or level.
WNONMAIN 14 Warning: Non-MAIN execution environment detected while in ENHANCED PGMSECURITY mode. Conditional access of EXECUTE-controlled program temporarily allowed.
PGMBASIC 15 Conditional access or use of EXECUTE-controlled program allowed through BASIC mode program while in ENHANCED PGMSECURITY mode.

The ADDVOL record extension

Table 5 describes the format of a record that is created by the ADDVOL or CHGVOL operations.
The event qualifiers that can be associated with an ADDVOL event are shown in Table 6.
Table 5. Format of the ADDVOL record extension (event code 03)
Field name Type Length Start position End position Comments
ADV_RES_NAME Char 255 282 536 Resource name.
ADV_GRANT Char 8 538 545 The access authority granted.
ADV_LEVEL Integer 3 547 549 The level of the resource.
ADV_VOL Char 6 551 556 Volume of the resource.
ADV_OLDVOL Char 6 558 563 OLDVOL of the resource.
ADV_CLASS Char 8 565 572 Class name.
ADV_OWN_ID Char 8 574 581 Name of the profile owner.
ADV_LOGSTR Char 255 583 837 LOGSTR= data from the RACROUTE
ADV_USER_NAME Char 20 839 858 User name from the ACEE.
ADV_UTK_ENCR Yes/No 4 860 863 Is the UTOKEN associated with this user encrypted?
ADV_UTK_PRE19 Yes/No 4 865 868 Is this a pre-1.9 token?
ADV_UTK_VERPROF Yes/No 4 870 873 Is the VERIFYX propagation flag set?
ADV_UTK_NJEUNUSR Yes/No 4 875 878 Is this the NJE undefined user?
ADV_UTK_LOGUSR Yes/No 4 880 883 Is UAUDIT specified for this user?
ADV_UTK_SPECIAL Yes/No 4 885 888 Is this a SPECIAL user?
ADV_UTK_DEFAULT Yes/No 4 890 893 Is this a default token?
ADV_UTK_UNKNUSR Yes/No 4 895 898 Is this an undefined user?
ADV_UTK_ERROR Yes/No 4 900 903 Is this user token in error?
ADV_UTK_TRUSTED Yes/No 4 905 908 Is this user a part of the trusted computing base (TCB)?
ADV_UTK_SESSTYPE Char 8 910 917 The session type of this session.
ADV_UTK_SURROGAT Yes/No 4 919 922 Is this a surrogate user?
ADV_UTK_REMOTE Yes/No 4 924 927 Is this a remote job?
ADV_UTK_PRIV Yes/No 4 929 932 Is this a privileged user ID?
ADV_UTK_SECL Char 8 934 941 The security label of the user.
ADV_UTK_EXECNODE Char 8 943 950 The execution node of the work.
ADV_UTK_SUSER_ID Char 8 952 959 The submitting user ID.
ADV_UTK_SNODE Char 8 961 968 The submitting node.
ADV_UTK_SGRP_ID Char 8 970 977 The submitting group name.
ADV_UTK_SPOE Char 8 979 986 The port of entry.
ADV_UTK_SPCLASS Char 8 988 995 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
ADV_UTK_USER_ID Char 8 997 1004 User ID associated with the record.
ADV_UTK_GRP_ID Char 8 1006 1013 Group name associated with the record.
ADV_UTK_DFT_GRP Yes/No 4 1015 1018 Is a default group assigned?
ADV_UTK_DFT_SECL Yes/No 4 1020 1023 Is a default security label assigned?
ADV_APPC_LINK Char 16 1025 1040 Key to link together APPC records.
ADV_SPECIFIED Char 1024 1042 2065 The keywords specified.
ADV_UTK_NETW Char 8 2067 2074 The port of entry network name.
ADV_X500_SUBJECT Char 255 2076 2330 Subject's name associated with this event.
ADV_X500_ISSUER Char 255 2332 2586 Issuer's name associated with this event.
ADV_SERV_POENAME Char 64 2588 2651 SERVAUTH resource or profile name.
ADV_RES_SECL Char 8 2653 2660 Resource security label.
ADV_CTX_USER Char 510 2662 3171 Authenticated user name.
ADV_CTX_REG Char 255 3173 3427 Authenticated user registry name.
ADV_CTX_HOST Char 128 3429 3556 Authenticated user host name.
ADV_CTX_MECH Char 16 3558 3573 Authenticated user authentication mechanism object identifier (OID).
ADV_IDID_USER Char 985 3575 4559 Authenticated distributed user name.
ADV_IDID_REG Char 1021 4561 5581 Authenticated distributed user registry name.
Table 6. Event qualifiers for add volume/change volume records
Event qualifier Event qualifier number Event description
SUCCESS 00 The volume was successfully added or changed.
INSAUTH 01 Insufficient authority.
INSSECL 02 Insufficient security label authority.
LESSSPEC 03 A less-specific profile exists with a different security label.

The RENAMEDS record extension

Table 7 describes the format of a record that is created by the rename data set, rename SFS file, or rename SFS directory operation.
The event qualifiers that can be associated with a RENAMEDS event are shown in Table 8.
Table 7. Format of the RENAMEDS record extension (event code 04)
Field name Type Length Start position End position Comments
REN_RES_NAME Char 255 282 536 Old resource name.
REN_NEW_RES_NAME Char 255 538 792 New Resource name.
REN_LEVEL Integer 3 794 796 The level of the resource.
REN_VOL Char 6 798 803 Volume of the resource.
REN_CLASS Char 8 805 812 Class name.
REN_OWN_ID Char 8 814 821 Name of the profile owner.
REN_LOGSTR Char 255 823 1077 LOGSTR= data from the RACROUTE
REN_USER_NAME Char 20 1079 1098 User name from the ACEE.
REN_UTK_ENCR Yes/No 4 1100 1103 Is the UTOKEN associated with this user encrypted?
REN_UTK_PRE19 Yes/No 4 1105 1108 Is this a pre-1.9 token?
REN_UTK_VERPROF Yes/No 4 1110 1113 Is the VERIFYX propagation flag set?
REN_UTK_NJEUNUSR Yes/No 4 1115 1118 Is this the NJE undefined user?
REN_UTK_LOGUSR Yes/No 4 1120 1123 Is UAUDIT specified for this user?
REN_UTK_SPECIAL Yes/No 4 1125 1128 Is this a SPECIAL user?
REN_UTK_DEFAULT Yes/No 4 1130 1133 Is this a default token?
REN_UTK_UNKNUSR Yes/No 4 1135 1138 Is this an undefined user?
REN_UTK_ERROR Yes/No 4 1140 1143 Is this user token in error?
REN_UTK_TRUSTED Yes/No 4 1145 1148 Is this user a part of the trusted computing base (TCB)?
REN_UTK_SESSTYPE Char 8 1150 1157 The session type of this session.
REN_UTK_SURROGAT Yes/No 4 1159 1162 Is this a surrogate user?
REN_UTK_REMOTE Yes/No 4 1164 1167 Is this a remote job?
REN_UTK_PRIV Yes/No 4 1169 1172 Is this a privileged user ID?
REN_UTK_SECL Char 8 1174 1181 The security label of the user.
REN_UTK_EXECNODE Char 8 1183 1190 The execution node of the work.
REN_UTK_SUSER_ID Char 8 1192 1199 The submitting user ID.
REN_UTK_SNODE Char 8 1201 1208 The submitting node.
REN_UTK_SGRP_ID Char 8 1210 1217 The submitting group name.
REN_UTK_SPOE Char 8 1219 1226 The port of entry.
REN_UTK_SPCLASS Char 8 1228 1235 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
REN_UTK_USER_ID Char 8 1237 1244 User ID associated with the record.
REN_UTK_GRP_ID Char 8 1246 1253 Group name associated with the record.
REN_UTK_DFT_GRP Yes/No 4 1255 1258 Is a default group assigned?
REN_UTK_DFT_SECL Yes/No 4 1260 1263 Is a default security label assigned?
REN_APPC_LINK Char 16 1265 1280 Key to link together APPC records.
REN_SPECIFIED Char 1024 1282 2305 The keywords specified.
REN_UTK_NETW Char 8 2307 2314 The port of entry network name.
REN_X500_SUBJECT Char 255 2316 2570 Subject's name associated with this event.
REN_X500_ISSUER Char 255 2572 2826 Issuer's name associated with this event.
REN_SERV_POENAME Char 64 2828 2891 SERVAUTH resource or profile name.
REN_RES_SECL Char 8 2893 2900 Resource security label.
REN_CTX_USER Char 510 2902 3411 Authenticated user name.
REN_CTX_REG Char 255 3413 3667 Authenticated user registry name.
REN_CTX_HOST Char 128 3669 3796 Authenticated user host name.
REN_CTX_MECH Char 16 3798 3813 Authenticated user authentication mechanism object identifier (OID).
REN_IDID_USER Char 985 3815 4799 Authenticated distributed user name.
REN_IDID_REG Char 1021 4801 5821 Authenticated distributed user registry name.
Table 8. Event qualifiers for RENAMEDS records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful rename.
INVGRP 01 Invalid group.
NOTINGRP 02 User not in group.
INSAUTH 03 Insufficient authority.
ALRDEFD 04 Resource already defined.
NOTRACF 05 User is not RACF-defined.
NOTPROT 06 Resource not protected.
WNOTPROT 07 Warning: Resource not protected
NOT2RACF 08 User in second qualifier is not RACF-defined.
LESSSPEC 09 A less-specific profile exists with a different security label.
INSSECL 10 Insufficient security label authority.
RSNSECL 11 Resource not protected by security label.
NMNSECL 12 New name not protected by security label.
NODOMIN 13 New security label must dominate old security label.
WINSSECL 14 Warning: Insufficient security label authority.
WRSNSECL 15 Warning: Resource not protected by security label.
WNMNSECL 16 Warning: New name not protected by security label.
WNODOMIN 17 Warning: New security label must dominate old security label.

The DELRES record extension

Table 9 describes the format of a record that is created by the delete resource operation.
The event qualifiers that may be associated with a DELRES event are shown in Table 10.
Table 9. Format of the DELRES record extension (event code 05)
Field name Type Length Start position End position Comments
DELR_RES_NAME Char 255 282 536 Old resource name.
DELR_LEVEL Integer 3 538 540 The level of the resource.
DELR_VOL Char 6 542 547 Volume of the resource.
DELR_CLASS Char 8 549 556 Class name.
DELR_OWN_ID Char 8 558 565 Name of the profile owner.
DELR_LOGSTR Char 255 567 821 LOGSTR= data from the RACROUTE
DELR_USER_NAME Char 20 823 842 User name from the ACEE.
DELR_UTK_ENCR Yes/No 4 844 847 Is the UTOKEN associated with this user encrypted?
DELR_UTK_PRE19 Yes/No 4 849 852 Is this a pre-1.9 token?
DELR_UTK_VERPROF Yes/No 4 854 857 Is the VERIFYX propagation flag set?
DELR_UTK_NJEUNUSR Yes/No 4 859 862 Is this the NJE undefined user?
DELR_UTK_LOGUSR Yes/No 4 864 867 Is UAUDIT specified for this user?
DELR_UTK_SPECIAL Yes/No 4 869 872 Is this a SPECIAL user?
DELR_UTK_DEFAULT Yes/No 4 874 877 Is this a default token?
DELR_UTK_UNKNUSR Yes/No 4 879 882 Is this an undefined user?
DELR_UTK_ERROR Yes/No 4 884 887 Is this user token in error?
DELR_UTK_TRUSTED Yes/No 4 889 892 Is this user a part of the trusted computing base (TCB)?
DELR_UTK_SESSTYPE Char 8 894 901 The session type of this session.
DELR_UTK_SURROGAT Yes/No 4 903 906 Is this a surrogate user?
DELR_UTK_REMOTE Yes/No 4 908 911 Is this a remote job?
DELR_UTK_PRIV Yes/No 4 913 916 Is this a privileged user ID?
DELR_UTK_SECL Char 8 918 925 The security label of the user.
DELR_UTK_EXECNODE Char 8 927 934 The execution node of the work.
DELR_UTK_SUSER_ID Char 8 936 943 The submitting user ID.
DELR_UTK_SNODE Char 8 945 952 The submitting node.
DELR_UTK_SGRP_ID Char 8 954 961 The submitting group name.
DELR_UTK_SPOE Char 8 963 970 The port of entry.
DELR_UTK_SPCLASS Char 8 972 979 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
DELR_UTK_USER_ID Char 8 981 988 User ID associated with the record.
DELR_UTK_GRP_ID Char 8 990 997 Group name associated with the record.
DELR_UTK_DFT_GRP Yes/No 4 999 1002 Is a default group assigned?
DELR_UTK_DFT_SECL Yes/No 4 1004 1007 Is a default security label assigned?
DELR_APPC_LINK Char 16 1009 1024 Key to link together APPC records.
DELR_SPECIFIED Char 1024 1026 2049 Keywords specified.
DELR_UTK_NETW Char 8 2051 2058 The port of entry network name.
DELR_X500_SUBJECT Char 255 2060 2314 Subject's name associated with this event.
DELR_X500_ISSUER Char 255 2316 2570 Issuer's name associated with this event.
DELR_SERV_POENAME Char 64 2572 2635 SERVAUTH resource or profile name.
DELR_RES_SECL Char 8 2637 2644 Resource security label.
DELR_CTX_USER Char 510 2646 3155 Authenticated user name.
DELR_CTX_REG Char 255 3157 3411 Authenticated user registry name.
DELR_CTX_HOST Char 128 3413 3540 Authenticated user host name.
DELR_CTX_MECH Char 16 3542 3557 Authenticated user authentication mechanism object identifier (OID).
DELR_IDID_USER Char 985 3559 4543 Authenticated distributed user name.
DELR_IDID_REG Char 1021 4545 5565 Authenticated distributed user registry name.
Table 10. Event qualifiers for delete resource records
Event qualifier Event qualifier number Event description
SUCCESS 00 The resource was successfully deleted.
NOTFOUND 01 Resource not found.
INVVOL 02 Invalid volume.

The DELVOL record extension

Table 11 describes the format of a record that is created by the delete volume operation.
The event qualifier that can be associated with a DELVOL event is shown in Table 12.
Table 11. Format of the DELVOL record extension (event code 06)
Field name Type Length Position Comments
Start End
DELV_RES_NAME Char 255 282 536 Old resource name.
DELV_LEVEL Integer 3 538 540 The level of the resource.
DELV_VOL Char 6 542 547 Volume of the resource.
DELV_CLASS Char 8 549 556 Class name.
DELV_OWN_ID Char 8 558 565 Name of the profile owner.
DELV_LOGSTR Char 255 567 821 LOGSTR= data from the RACROUTE
DELV_USER_NAME Char 20 823 842 User name.
DELV_UTK_ENCR Yes/No 4 844 847 Is the UTOKEN associated with this user encrypted?
DELV_UTK_PRE19 Yes/No 4 849 852 Is this a pre-1.9 token?
DELV_UTK_VERPROF Yes/No 4 854 857 Is the VERIFYX propagation flag set?
DELV_UTK_NJEUNUSR Yes/No 4 859 862 Is this the NJE undefined user?
DELV_UTK_LOGUSR Yes/No 4 864 867 Is UAUDIT specified for this user?
DELV_UTK_SPECIAL Yes/No 4 869 872 Is this a SPECIAL user?
DELV_UTK_DEFAULT Yes/No 4 874 877 Is this a default token?
DELV_UTK_UNKNUSR Yes/No 4 879 882 Is this an undefined user?
DELV_UTK_ERROR Yes/No 4 884 887 Is this user token in error?
DELV_UTK_TRUSTED Yes/No 4 889 892 Is this user a part of the trusted computing base (TCB)?
DELV_UTK_SESSTYPE Char 8 894 901 The session type of this session.
DELV_UTK_SURROGAT Yes/No 4 903 906 Is this a surrogate user?
DELV_UTK_REMOTE Yes/No 4 908 911 Is this a remote job?
DELV_UTK_PRIV Yes/No 4 913 916 Is this a privileged user ID?
DELV_UTK_SECL Char 8 918 925 The security label of the user.
DELV_UTK_EXECNODE Char 8 927 934 The execution node of the work.
DELV_UTK_SUSER_ID Char 8 936 943 The submitting user ID.
DELV_UTK_SNODE Char 8 945 952 The submitting node.
DELV_UTK_SGRP_ID Char 8 954 961 The submitting group name.
DELV_UTK_SPOE Char 8 963 970 The port of entry.
DELV_UTK_SPCLASS Char 8 972 979 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
DELV_UTK_USER_ID Char 8 981 988 User ID associated with the record.
DELV_UTK_GRP_ID Char 8 990 997 Group name associated with the record.
DELV_UTK_DFT_GRP Yes/No 4 999 1002 Is a default group assigned?
DELV_UTK_DFT_SECL Yes/No 4 1004 1007 Is a default security label assigned?
DELV_APPC_LINK Char 16 1009 1024 Key to link together APPC records.
DELV_SPECIFIED Char 1024 1026 2049 The keywords specified.
DELV_UTK_NETW Char 8 2051 2058 The port of entry network name.
DELV_X500_SUBJECT Char 255 2060 2314 Subject's name associated with this event.
DELV_X500_ISSUER Char 255 2316 2570 Issuer's name associated with this event.
DELV_SERV_POENAME Char 64 2572 2635 SERVAUTH resource or profile name.
DELV_RES_SECL Char 8 2637 2644 Resource security label.
DELV_CTX_USER Char 510 2646 3155 Authenticated user name.
DELV_CTX_REG Char 255 3157 3411 Authenticated user registry name.
DELV_CTX_HOST Char 128 3413 3540 Authenticated user host name.
DELV_CTX_MECH Char 16 3542 3557 Authenticated user authentication mechanism object identifier (OID).
DELV_IDID_USER Char 985 3559 4543 Authenticated distributed user name.
DELV_IDID_REG Char 1021 4545 5565 Authenticated distributed user registry name.
Table 12. Event qualifiers for delete volume records
Event qualifier Event qualifier number Event description
SUCCESS 00 The volume was successfully deleted.

The DEFINE record extension

Table 13 describes the format of a record that is created by the define resource operation.
The event qualifiers that can be associated with a DEFINE event are shown in Table 14.
Table 13. Format of the DEFINE record extension (event code 07)
Field name Type Length Position Comments
Start End
DEF_RES_NAME Char 255 282 536 Old resource name.
DEF_LEVEL Integer 3 538 540 The level of the resource.
DEF_VOL Char 6 542 547 Volume of the resource.
DEF_CLASS Char 8 549 556 Class name.
DEF_MODEL_NAME Char 255 558 812 Name of the model profile.
DEF_MODEL_VOL Char 6 814 819 Volser of the model profile.
DEF_OWN_ID Char 8 821 828 Owner of the profile.
DEF_LOGSTR Char 255 830 1084 LOGSTR= data from the RACROUTE
DEF_USER_NAME Char 20 1086 1105 User name.
DEF_UTK_ENCR Yes/No 4 1107 1110 Is the UTOKEN associated with this user encrypted?
DEF_UTK_PRE19 Yes/No 4 1112 1115 Is this a pre-1.9 token?
DEF_UTK_VERPROF Yes/No 4 1117 1120 Is the VERIFYX propagation flag set?
DEF_UTK_NJEUNUSR Yes/No 4 1122 1125 Is this the NJE undefined user?
DEF_UTK_LOGUSR Yes/No 4 1127 1130 Is UAUDIT specified for this user?
DEF_UTK_SPECIAL Yes/No 4 1132 1135 Is this a SPECIAL user?
DEF_UTK_DEFAULT Yes/No 4 1137 1140 Is this a default token?
DEF_UTK_UNKNUSR Yes/No 4 1142 1145 Is this an undefined user?
DEF_UTK_ERROR Yes/No 4 1147 1150 Is this user token in error?
DEF_UTK_TRUSTED Yes/No 4 1152 1155 Is this user a part of the trusted computing base (TCB)?
DEF_UTK_SESSTYPE Char 8 1157 1164 The session type of this session.
DEF_UTK_SURROGAT Yes/No 4 1166 1169 Is this a surrogate user?
DEF_UTK_REMOTE Yes/No 4 1171 1174 Is this a remote job?
DEF_UTK_PRIV Yes/No 4 1176 1179 Is this a privileged user ID?
DEF_UTK_SECL Char 8 1181 1188 The security label of the user.
DEF_UTK_EXECNODE Char 8 1190 1197 The execution node of the work.
DEF_UTK_SUSER_ID Char 8 1199 1206 The submitting user ID.
DEF_UTK_SNODE Char 8 1208 1215 The submitting node.
DEF_UTK_SGRP_ID Char 8 1217 1224 The submitting group name.
DEF_UTK_SPOE Char 8 1226 1233 The port of entry.
DEF_UTK_SPCLASS Char 8 1235 1242 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
DEF_UTK_USER_ID Char 8 1244 1251 User ID associated with the record.
DEF_UTK_GRP_ID Char 8 1253 1260 Group name associated with the record.
DEF_UTK_DFT_GRP Yes/No 4 1262 1265 Is a default group assigned?
DEF_UTK_DFT_SECL Yes/No 4 1267 1270 Is a default security label assigned?
DEF_APPC_LINK Char 16 1272 1287 Key to link together APPC records.
DEF_SPECIFIED Char 1024 1289 2312 The keywords specified.
DEF_UTK_NETW Char 8 2314 2321 The port of entry network name.
DEF_X500_SUBJECT Char 255 2323 2577 Subject's name associated with this event.
DEF_X500_ISSUER Char 255 2579 2833 Issuer's name associated with this event.
DEF_SERV_POENAME Char 64 2835 2898 SERVAUTH resource or profile name.
DEF_RES_SECL Char 8 2900 2907 Resource security label.
DEF_CTX_USER Char 510 2909 3418 Authenticated user name.
DEF_CTX_REG Char 255 3420 3674 Authenticated user registry name.
DEF_CTX_HOST Char 128 3676 3803 Authenticated user host name.
DEF_CTX_MECH Char 16 3805 3820 Authenticated user authentication mechanism object identifier (OID).
DEF_IDID_USER Char 985 3822 4806 Authenticated distributed user name.
DEF_IDID_REG Char 1021 4808 5828 Authenticated distributed user registry name.
Table 14. Event qualifiers for define resource records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful definition.
UNDGROUP 01 Undefined group.
USNINGRP 02 User not in group.
INSAUTH 03 Insufficient authority.
ALRDEFD 04 Resource already defined.
NOTRACF 05 User is not RACF-defined.
NOTPROT 06 Resource not protected.
WNOTPROT 07 Warning: Resource not protected.
WSECLM 08 Warning: security label missing.
WINSSECL 09 Warning: insufficient security label.
NOT2RACF 10 User in second qualifier is not RACF-defined.
INSSECL 11 Insufficient security label authority.
LESSSPEC 12 A less-specific profile exists with a different security label.

The ADDSD record extension

Table 15 describes the format of a record that is created by the ADDSD command.
The event qualifiers that can be associated with an ADDSD command are shown in Table 16.
Table 15. Format of the ADDSD record extension (event code 08)
Field name Type Length Position Comments
Start End
AD_OWN_ID Char 8 282 289 Owner of the profile.
AD_USER_NAME Char 20 291 310 User name.
AD_SECL Char 8 312 319 The security label associated with the profile.
AD_UTK_ENCR Yes/No 4 321 324 Is the UTOKEN associated with this user encrypted?
AD_UTK_PRE19 Yes/No 4 326 329 Is this a pre-1.9 token?
AD_UTK_VERPROF Yes/No 4 331 334 Is the VERIFYX propagation flag set?
AD_UTK_NJEUNUSR Yes/No 4 336 339 Is this the NJE undefined user?
AD_UTK_LOGUSR Yes/No 4 341 344 Is UAUDIT specified for this user?
AD_UTK_SPECIAL Yes/No 4 346 349 Is this a SPECIAL user?
AD_UTK_DEFAULT Yes/No 4 351 354 Is this a default token?
AD_UTK_UNKNUSR Yes/No 4 356 359 Is this an undefined user?
AD_UTK_ERROR Yes/No 4 361 364 Is this user token in error?
AD_UTK_TRUSTED Yes/No 4 366 369 Is this user a part of the trusted computing base (TCB)?
AD_UTK_SESSTYPE Char 8 371 378 The session type of this session.
AD_UTK_SURROGAT Yes/No 4 380 383 Is this a surrogate user?
AD_UTK_REMOTE Yes/No 4 385 388 Is this a remote job?
AD_UTK_PRIV Yes/No 4 390 393 Is this a privileged user ID?
AD_UTK_SECL Char 8 395 402 The security label of the user.
AD_UTK_EXECNODE Char 8 404 411 The execution node of the work.
AD_UTK_SUSER_ID Char 8 413 420 The submitting user ID.
AD_UTK_SNODE Char 8 422 429 The submitting node.
AD_UTK_SGRP_ID Char 8 431 438 The submitting group name.
AD_UTK_SPOE Char 8 440 447 The port of entry.
AD_UTK_SPCLASS Char 8 449 456 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
AD_UTK_USER_ID Char 8 458 465 User ID associated with the record.
AD_UTK_GRP_ID Char 8 467 474 Group name associated with the record.
AD_UTK_DFT_GRP Yes/No 4 476 479 Is a default group assigned?
AD_UTK_DFT_SECL Yes/No 4 481 484 Is a default security label assigned?
AD_APPC_LINK Char 16 486 501 Key to link together APPC records.
AD_SECL_LINK Char 16 503 518 Key to link together the data sets affected by a change of security label and the command that caused the security label change.
AD_DS_NAME Char 44 520 563 The data set name.
AD_SPECIFIED Char 1024 565 1588 The keywords specified.
AD_FAILED Char 1024 1590 2613 The keywords that failed.
AD_UTK_NETW Char 8 2615 2622 The port of entry network name.
AD_X500_SUBJECT Char 255 2624 2878 Subject's name associated with this event.
AD_X500_ISSUER Char 255 2880 3134 Issuer's name associated with this event.
AD_SERV_POENAME Char 64 3136 3199 SERVAUTH resource or profile name.
AD_CTX_USER Char 510 3201 3710 Authenticated user name.
AD_CTX_REG Char 255 3712 3966 Authenticated user registry name.
AD_CTX_HOST Char 128 3968 4095 Authenticated user host name.
AD_CTX_MECH Char 16 4097 4112 Authenticated user authentication mechanism object identifier (OID).
AD_IDID_USER Char 985 4114 5098 Authenticated distributed user name.
AD_IDID_REG Char 1021 5100 6120 Authenticated distributed user registry name.
Table 16. Event qualifiers for ADDSD command records
Event qualifier Event qualifier number Event description
SUCCESS 00 No violations detected.
INSAUTH 01 Insufficient authority.
KEYWVIOL 02 Keyword violation.
SECLSUCC 03 Successful retrieval of data set names.
SECLFAIL 04 Error during retrieval of data set names.

The ADDGROUP record extension

Table 17 describes the format of a record that is created by the ADDGROUP command.
The event qualifiers that can be associated with an ADDGROUP command are shown in Table 18.
Table 17. Format of the ADDGROUP record extension (event code 09)
Field name Type Length Position Comments
Start End
AG_OWN_ID Char 8 282 289 Owner of the profile.
AG_USER_NAME Char 20 291 310 User name.
AG_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
AG_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
AG_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
AG_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
AG_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
AG_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
AG_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
AG_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
AG_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
AG_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
AG_UTK_SESSTYPE Char 8 362 369 The session type of this session.
AG_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
AG_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
AG_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
AG_UTK_SECL Char 8 386 393 The security label of the user.
AG_UTK_EXECNODE Char 8 395 402 The execution node of the work.
AG_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
AG_UTK_SNODE Char 8 413 420 The submitting node.
AG_UTK_SGRP_ID Char 8 422 429 The submitting group name.
AG_UTK_SPOE Char 8 431 438 The port of entry.
AG_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
AG_UTK_USER_ID Char 8 449 456 User ID associated with the record.
AG_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
AG_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
AG_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
AG_APPC_LINK Char 16 477 492 Key to link together APPC records.
AG_GRP_ID Char 8 494 501 The group name.
AG_SPECIFIED Char 1024 503 1526 The keywords specified.
AG_FAILED Char 1024 1528 2551 The keywords that failed.
AG_UTK_NETW Char 8 2553 2560 The port of entry network name.
AG_X500_SUBJECT Char 255 2562 2816 Subject's name associated with this event.
AG_X500_ISSUER Char 255 2818 3072 Issuer's name associated with this event.
AG_SERV_POENAME Char 64 3074 3137 SERVAUTH resource or profile name.
AG_CTX_USER Char 510 3139 3648 Authenticated user name.
AG_CTX_REG Char 255 3650 3904 Authenticated user registry name.
AG_CTX_HOST Char 128 3906 4033 Authenticated user host name.
AG_CTX_MECH Char 16 4035 4050 Authenticated user authentication mechanism object identifier (OID).
AG_IDID_USER Char 985 4052 5036 Authenticated distributed user name.
AG_IDID_REG Char 1021 5038 6058 Authenticated distributed user registry name.
Table 18. Event qualifiers for ADDGROUP command records
Event qualifier Event qualifier number Event description
SUCCESS 00 No violations detected.
INSAUTH 01 Insufficient authority.
KEYWVIOL 02 Keyword violation.

The ADDUSER record extension

Table 19 describes the format of a record that is created by the ADDUSER command.
The event qualifiers that can be associated with an ADDUSER command are shown in Table 20.
Table 19. Format of the ADDUSER record extension (event code 10)
Field name Type Length Position Comments
Start End
AU_OWN_ID Char 8 282 289 Owner of the profile.
AU_USER_NAME Char 20 291 310 User name.
AU_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
AU_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
AU_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
AU_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
AU_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
AU_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
AU_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
AU_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
AU_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
AU_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
AU_UTK_SESSTYPE Char 8 362 369 The session type of this session.
AU_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
AU_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
AU_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
AU_UTK_SECL Char 8 386 393 The security label of the user.
AU_UTK_EXECNODE Char 8 395 402 The execution node of the work.
AU_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
AU_UTK_SNODE Char 8 413 420 The submitting node.
AU_UTK_SGRP_ID Char 8 422 429 The submitting group name.
AU_UTK_SPOE Char 8 431 438 The port of entry.
AU_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
AU_UTK_USER_ID Char 8 449 456 User ID associated with the record.
AU_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
AU_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
AU_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
AU_APPC_LINK Char 16 477 492 Key to link together APPC records.
AU_NOAUTH_CLAUTH Yes/No 4 494 497 Were violations detected because the user issuing the command lacked the CLAUTH authority in the user class?
AU_NOAUTH_GROUP Yes/No 4 499 502 Were violations detected because the user issuing the command lacked the authority within the group?
AU_USER_ID Char 8 504 511 The user ID.
AU_SPECIFIED Char 1024 513 1536 The keywords specified.
AU_FAILED Char 1024 1538 2561 The keywords that failed.
AU_IGNORED Char 1024 2563 3586 The keywords ignored.
AU_UTK_NETW Char 8 3588 3595 The port of entry network name.
AU_X500_SUBJECT Char 255 3597 3851 Subject's name associated with this event.
AU_X500_ISSUER Char 255 3853 4107 Issuer's name associated with this event.
AU_SERV_POENAME Char 64 4109 4172 SERVAUTH resource or profile name.
AU_CTX_USER Char 510 4174 4683 Authenticated user name.
AU_CTX_REG Char 255 4685 4939 Authenticated user registry name.
AU_CTX_HOST Char 128 4941 5068 Authenticated user host name.
AU_CTX_MECH Char 16 5070 5085 Authenticated user authentication mechanism object identifier (OID).
AU_IDID_USER Char 985 5087 6071 Authenticated distributed user name.
AU_IDID_REG Char 1021 6073 7093 Authenticated distributed user registry name.
Table 20. Event qualifiers for ADDUSER command records
Event qualifier Event qualifier number Event description
SUCCESS 00 No violations detected.
INSAUTH 01 Insufficient authority.
KEYWVIOL 02 Keyword violation.

The ALTDSD record extension

Table 21 describes the format of a record that is created by the ALTDSD command.
The event qualifiers that can be associated with an ALTDSD command are shown in Table 22.
Table 21. Format of the ALTDSD record extension (event code 11)
Field name Type Length Position Comments
Start End
ALD_OWN_ID Char 8 282 289 Owner of the profile.
ALD_USER_NAME Char 20 291 310 User name.
ALD_OLD_SECL Char 8 312 319 The security label that is being deleted from the profile.
ALD_UTK_ENCR Yes/No 4 321 324 Is the UTOKEN associated with this user encrypted?
ALD_UTK_PRE19 Yes/No 4 326 329 Is this a pre-1.9 token?
ALD_UTK_VERPROF Yes/No 4 331 334 Is the VERIFYX propagation flag set?
ALD_UTK_NJEUNUSR Yes/No 4 336 339 Is this the NJE undefined user?
ALD_UTK_LOGUSR Yes/No 4 341 344 Is UAUDIT specified for this user?
ALD_UTK_SPECIAL Yes/No 4 346 349 Is this a SPECIAL user?
ALD_UTK_DEFAULT Yes/No 4 351 354 Is this a default token?
ALD_UTK_UNKNUSR Yes/No 4 356 359 Is this an undefined user?
ALD_UTK_ERROR Yes/No 4 361 364 Is this user token in error?
ALD_UTK_TRUSTED Yes/No 4 366 369 Is this user a part of the trusted computing base (TCB)?
ALD_UTK_SESSTYPE Char 8 371 378 The session type of this session.
ALD_UTK_SURROGAT Yes/No 4 380 383 Is this a surrogate user?
ALD_UTK_REMOTE Yes/No 4 385 388 Is this a remote job?
ALD_UTK_PRIV Yes/No 4 390 393 Is this a privileged user ID?
ALD_UTK_SECL Char 8 395 402 The security label of the user.
ALD_UTK_EXECNODE Char 8 404 411 The execution node of the work.
ALD_UTK_SUSER_ID Char 8 413 420 The submitting user ID.
ALD_UTK_SNODE Char 8 422 429 The submitting node.
ALD_UTK_SGRP_ID Char 8 431 438 The submitting group name.
ALD_UTK_SPOE Char 8 440 447 The port of entry.
ALD_UTK_SPCLASS Char 8 449 456 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
ALD_UTK_USER_ID Char 8 458 465 User ID associated with the record.
ALD_UTK_GRP_ID Char 8 467 474 Group name associated with the record.
ALD_UTK_DFT_GRP Yes/No 4 476 479 Is a default group assigned?
ALD_UTK_DFT_SECL Yes/No 4 481 484 Is a default security label assigned?
ALD_APPC_LINK Char 16 486 501 Key to link together APPC records.
ALD_SECL_LINK Char 16 503 518 Key to link together the data sets affected by a change of security label and the command that caused the security label change.
ALD_DS_NAME Char 44 520 563 The data set name.
ALD_SPECIFIED Char 1024 565 1588 The keywords specified.
ALD_FAILED Char 1024 1590 2613 The keywords that failed.
ALD_IGNORED Char 1024 2615 3638 The keywords ignored.
ALD_UTK_NETW Char 8 3640 3647 The port of entry network name.
ALD_X500_SUBJECT Char 255 3649 3903 Subject's name associated with this event.
ALD_X500_ISSUER Char 255 3905 4159 Issuer's name associated with this event.
ALD_SERV_POENAME Char 64 4161 4224 SERVAUTH resource or profile name.
ALD_CTX_USER Char 510 4226 4735 Authenticated user name.
ALD_CTX_REG Char 255 4737 4991 Authenticated user registry name.
ALD_CTX_HOST Char 128 4993 5120 Authenticated user host name.
ALD_CTX_MECH Char 16 5122 5137 Authenticated user authentication mechanism object identifier (OID).
ALD_IDID_USER Char 985 5139 6123 Authenticated distributed user name.
ALD_IDID_REG Char 1021 6125 7145 Authenticated distributed user registry name.
Table 22. Event qualifiers for ALTDSD command records
Event qualifier Event qualifier number Event description
SUCCESS 00 No violations detected.
INSAUTH 01 Insufficient authority.
KEYWVIOL 02 Keyword violation.
SECLSUCC 03 Successful retrieval of data set names.
SECLFAIL 04 Error during retrieval of data set names.

The ALTGROUP record extension

Table 23 describes the format of a record that is created by the ALTGROUP command.
The event qualifiers that can be associated with an ALTGROUP command are shown in Table 24.
Table 23. Format of the ALTGROUP record extension (event code 12)
Field name Type Length Position Comments
Start End
ALG_OWN_ID Char 8 282 289 Owner of the profile.
ALG_USER_NAME Char 20 291 310 User name.
ALG_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
ALG_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
ALG_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
ALG_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
ALG_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
ALG_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
ALG_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
ALG_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
ALG_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
ALG_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
ALG_UTK_SESSTYPE Char 8 362 369 The session type of this session.
ALG_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
ALG_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
ALG_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
ALG_UTK_SECL Char 8 386 393 The security label of the user.
ALG_UTK_EXECNODE Char 8 395 402 The execution node of the work.
ALG_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
ALG_UTK_SNODE Char 8 413 420 The submitting node.
ALG_UTK_SGRP_ID Char 8 422 429 The submitting group name.
ALG_UTK_SPOE Char 8 431 438 The port of entry.
ALG_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
ALG_UTK_USER_ID Char 8 449 456 User ID associated with the record.
ALG_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
ALG_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
ALG_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
ALG_APPC_LINK Char 16 477 492 Key to link together APPC records.
ALG_GRP_ID Char 8 494 501 The group name.
ALG_SPECIFIED Char 1024 503 1526 The keywords specified.
ALG_FAILED Char 1024 1528 2551 The keywords that failed.
ALG_IGNORED Char 1024 2553 3576 The keywords ignored.
ALG_UTK_NETW Char 8 3578 3585 The port of entry network name.
ALG_X500_SUBJECT Char 255 3587 3841 Subject's name associated with this event.
ALG_X500_ISSUER Char 255 3843 4097 Issuer's name associated with this event.
ALG_SERV_POENAME Char 64 4099 4162 SERVAUTH resource or profile name.
ALG_CTX_USER Char 510 4164 4673 Authenticated user name.
ALG_CTX_REG Char 255 4675 4929 Authenticated user registry name.
ALG_CTX_HOST Char 128 4931 5058 Authenticated user host name.
ALG_CTX_MECH Char 16 5060 5075 Authenticated user authentication mechanism object identifier (OID).
ALG_IDID_USER Char 985 5077 6061 Authenticated distributed user name.
ALG_IDID_REG Char 1021 6063 7083 Authenticated distributed user registry name.
Table 24. Event qualifiers for ALTGROUP command records
Event qualifier Event qualifier number Event description
SUCCESS 00 No violations detected.
INSAUTH 01 Insufficient authority.
KEYWVIOL 02 Keyword violation.

The ALTUSER record extension

Table 25 describes the format of a record that is created by the ALTUSER command.
The event qualifiers that can be associated with an ALTUSER command are shown in Table 26.
Table 25. Format of the ALTUSER record extension (event code 13)
Field name Type Length Position Comments
Start End
ALU_OWN_ID Char 8 282 289 Owner of the profile.
ALU_USER_NAME Char 20 291 310 User name.
ALU_OLD_SECL Char 8 312 319 The security label that is being deleted from the profile.
ALU_UTK_ENCR Yes/No 4 321 324 Is the UTOKEN associated with this user encrypted?
ALU_UTK_PRE19 Yes/No 4 326 329 Is this a pre-1.9 token?
ALU_UTK_VERPROF Yes/No 4 331 334 Is the VERIFYX propagation flag set?
ALU_UTK_NJEUNUSR Yes/No 4 336 339 Is this the NJE undefined user?
ALU_UTK_LOGUSR Yes/No 4 341 344 Is UAUDIT specified for this user?
ALU_UTK_SPECIAL Yes/No 4 346 349 Is this a SPECIAL user?
ALU_UTK_DEFAULT Yes/No 4 351 354 Is this a default token?
ALU_UTK_UNKNUSR Yes/No 4 356 359 Is this an undefined user?
ALU_UTK_ERROR Yes/No 4 361 364 Is this user token in error?
ALU_UTK_TRUSTED Yes/No 4 366 369 Is this user a part of the trusted computing base (TCB)?
ALU_UTK_SESSTYPE Char 8 371 378 The session type of this session.
ALU_UTK_SURROGAT Yes/No 4 380 383 Is this a surrogate user?
ALU_UTK_REMOTE Yes/No 4 385 388 Is this a remote job?
ALU_UTK_PRIV Yes/No 4 390 393 Is this a privileged user ID?
ALU_UTK_SECL Char 8 395 402 The security label of the user.
ALU_UTK_EXECNODE Char 8 404 411 The execution node of the work.
ALU_UTK_SUSER_ID Char 8 413 420 The submitting user ID.
ALU_UTK_SNODE Char 8 422 429 The submitting node.
ALU_UTK_SGRP_ID Char 8 431 438 The submitting group name.
ALU_UTK_SPOE Char 8 440 447 The port of entry.
ALU_UTK_SPCLASS Char 8 449 456 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
ALU_UTK_USER_ID Char 8 458 465 User ID associated with the record.
ALU_UTK_GRP_ID Char 8 467 474 Group name associated with the record.
ALU_UTK_DFT_GRP Yes/No 4 476 479 Is a default group assigned?
ALU_UTK_DFT_SECL Yes/No 4 481 484 Is a default security label assigned?
ALU_APPC_LINK Char 16 486 501 Key to link together APPC records.
ALU_NOAUTH_CLAUTH Yes/No 4 503 506 Were violations detected because the user issuing the command lacked the CLAUTH authority in the user class?
ALU_NOAUTH_GROUP Yes/No 4 508 511 Were violations detected because the user issuing the command lacked the authority within the group?
ALU_NOAUTH_PROF Yes/No 4 513 516 Were violations detected because the user issuing the command lacked authority to the profile?
ALU_USER_ID Char 8 518 525 The user ID.
ALU_SPECIFIED Char 1024 527 1550 The keywords specified.
ALU_FAILED Char 1024 1552 2575 The keywords that failed.
ALU_IGNORED Char 1024 2577 3600 The keywords ignored.
ALU_UTK_NETW Char 8 3602 3609 The port of entry network name.
ALU_X500_SUBJECT Char 255 3611 3865 Subject's name associated with this event.
ALU_X500_ISSUER Char 255 3867 4121 Issuer's name associated with this event.
ALU_SERV_POENAME Char 64 4123 4186 SERVAUTH resource or profile name.
ALU_CTX_USER Char 510 4188 4697 Authenticated user name.
ALU_CTX_REG Char 255 4699 4953 Authenticated user registry name.
ALU_CTX_HOST Char 128 4955 5082 Authenticated user host name.
ALU_CTX_MECH Char 16 5084 5099 Authenticated user authentication mechanism object identifier (OID).
ALU_IDID_USER Char 985 5101 6085 Authenticated distributed user name.
ALU_IDID_REG Char 1021 6087 7107 Authenticated distributed user registry name.
Table 26. Event qualifiers for ALTUSER command records
Event qualifier Event qualifier number Event description
SUCCESS 00 No violations detected.
INSAUTH 01 Insufficient authority.
KEYWVIOL 02 Keyword violation.
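
The following Python example is added here and is not part of the original documentation. It slices a subset of the Table 25 fields out of one unloaded ALTUSER record using the 1-based, inclusive Start and End positions, checks that the copied layout rows are self-consistent, and lists the points an auditor would review. It assumes that Yes/No fields carry the text YES or NO and that a record shorter than a field's End position means the field is blank; the function names and the sample record are constructed, and positions 1 through 281 are left blank because the header layout is not covered in this section.

```python
# Added example: parse the ALTUSER (event code 13) record extension by position.

# (name, type, length, start, end): a subset of the Table 25 rows, as printed.
ALTUSER_FIELDS = [
    ("ALU_OWN_ID", "Char", 8, 282, 289),
    ("ALU_USER_NAME", "Char", 20, 291, 310),
    ("ALU_UTK_SPECIAL", "Yes/No", 4, 346, 349),
    ("ALU_UTK_USER_ID", "Char", 8, 458, 465),
    ("ALU_NOAUTH_CLAUTH", "Yes/No", 4, 503, 506),
    ("ALU_NOAUTH_GROUP", "Yes/No", 4, 508, 511),
    ("ALU_NOAUTH_PROF", "Yes/No", 4, 513, 516),
    ("ALU_USER_ID", "Char", 8, 518, 525),
    ("ALU_SPECIFIED", "Char", 1024, 527, 1550),
    ("ALU_FAILED", "Char", 1024, 1552, 2575),
    ("ALU_IGNORED", "Char", 1024, 2577, 3600),
]


def check_layout(fields):
    """Return the rows whose Length, Start and End disagree or overlap."""
    problems = []
    prev_end = 0
    for name, _kind, length, start, end in fields:
        if end - start + 1 != length:
            problems.append(f"{name}: length {length} != {start}..{end}")
        if start <= prev_end:
            problems.append(f"{name}: starts at {start}, inside previous field")
        prev_end = end
    return problems


def decode(kind, raw):
    """Strip padding; map Yes/No text to True/False, blank to None."""
    text = raw.rstrip()
    if kind == "Yes/No":
        # Assumption: flags are unloaded as the text YES or NO. A blank flag
        # means the relocate section was not created for this record.
        return {"YES": True, "NO": False}.get(text.upper())
    return text


def parse_extension(record, fields=ALTUSER_FIELDS):
    """Slice each field; positions are 1-based and inclusive."""
    # A short record yields '' (Char) or None (Yes/No) for the missing tail.
    return {
        name: decode(kind, record[start - 1:end])
        for name, kind, _length, start, end in fields
    }


def review(rec):
    """List the facts in one ALTUSER record that an auditor would look at."""
    findings = []
    if rec["ALU_UTK_SPECIAL"]:
        findings.append("issuer is SPECIAL")
    for flag in ("ALU_NOAUTH_CLAUTH", "ALU_NOAUTH_GROUP", "ALU_NOAUTH_PROF"):
        if rec[flag]:
            findings.append(f"{flag} set")
    if rec["ALU_FAILED"]:
        findings.append("failed keywords: " + rec["ALU_FAILED"])
    if rec["ALU_UTK_USER_ID"] and rec["ALU_UTK_USER_ID"] == rec["ALU_USER_ID"]:
        findings.append("user altered own profile")
    return findings


def build_record(values, fields=ALTUSER_FIELDS):
    """Construct a test record: blanks everywhere except the given fields."""
    width = max(end for *_rest, end in fields)
    buf = [" "] * width
    for name, _kind, length, start, _end in fields:
        if name in values:
            buf[start - 1:start - 1 + length] = values[name][:length].ljust(length)
    return "".join(buf)


# Constructed sample: USER01 tried to alter USER02 without profile authority.
SAMPLE = build_record({
    "ALU_UTK_USER_ID": "USER01",
    "ALU_UTK_SPECIAL": "NO",
    "ALU_NOAUTH_PROF": "YES",
    "ALU_USER_ID": "USER02",
    "ALU_SPECIFIED": "SPECIAL",
    "ALU_FAILED": "SPECIAL",
})

if __name__ == "__main__":
    print(check_layout(ALTUSER_FIELDS))
    parsed = parse_extension(SAMPLE)
    print(parsed["ALU_UTK_USER_ID"], "->", parsed["ALU_USER_ID"])
    for finding in review(parsed):
        print(" ", finding)
```

The same slicing works for the other extensions on this page once their rows are substituted for ALTUSER_FIELDS; only review() is specific to the ALTUSER fields.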

The CONNECT record extension

Table 27 describes the format of a record that is created by the CONNECT command.
The event qualifiers that can be associated with a CONNECT command are shown in Table 28.
Table 27. Format of the CONNECT record extension (event code 14)
Field name Type Length Position Comments
Start End
CON_OWN_ID Char 8 282 289 Owner of the profile.
CON_USER_NAME Char 20 291 310 User name.
CON_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
CON_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
CON_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
CON_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
CON_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
CON_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
CON_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
CON_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
CON_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
CON_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
CON_UTK_SESSTYPE Char 8 362 369 The session type of this session.
CON_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
CON_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
CON_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
CON_UTK_SECL Char 8 386 393 The security label of the user.
CON_UTK_EXECNODE Char 8 395 402 The execution node of the work.
CON_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
CON_UTK_SNODE Char 8 413 420 The submitting node.
CON_UTK_SGRP_ID Char 8 422 429 The submitting group name.
CON_UTK_SPOE Char 8 431 438 The port of entry.
CON_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
CON_UTK_USER_ID Char 8 449 456 User ID associated with the record.
CON_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
CON_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
CON_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
CON_APPC_LINK Char 16 477 492 Key to link together APPC records.
CON_USER_ID Char 8 494 501 The user ID that is being connected.
CON_SPECIFIED Char 1024 503 1526 The keywords specified.
CON_FAILED Char 1024 1528 2551 The keywords that failed.
CON_UTK_NETW Char 8 2553 2560 The port of entry network name.
CON_X500_SUBJECT Char 255 2562 2816 Subject's name associated with this event.
CON_X500_ISSUER Char 255 2818 3072 Issuer's name associated with this event.
CON_SERV_POENAME Char 64 3074 3137 SERVAUTH resource or profile name.
CON_CTX_USER Char 510 3139 3648 Authenticated user name.
CON_CTX_REG Char 255 3650 3904 Authenticated user registry name.
CON_CTX_HOST Char 128 3906 4033 Authenticated user host name.
CON_CTX_MECH Char 16 4035 4050 Authenticated user authentication mechanism object identifier (OID).
CON_IDID_USER Char 985 4052 5036 Authenticated distributed user name.
CON_IDID_REG Char 1021 5038 6058 Authenticated distributed user registry name.
Table 28. Event qualifiers for CONNECT command records
Event qualifier Event qualifier number Event description
SUCCESS 00 No violations detected.
INSAUTH 01 Insufficient authority.
KEYWVIOL 02 Keyword violation.

The DELDSD record extension

Table 29 describes the format of a record that is created by the DELDSD command.
The event qualifiers that can be associated with a DELDSD command are shown in Table 30.
Table 29. Format of the DELDSD record extension (event code 15)
Field name Type Length Start position End position Comments
DELD_OWN_ID Char 8 282 289 Owner of the profile.
DELD_USER_NAME Char 20 291 310 User name.
DELD_OLD_SECL Char 8 312 319 The security label that is being deleted.
DELD_UTK_ENCR Yes/No 4 321 324 Is the UTOKEN associated with this user encrypted?
DELD_UTK_PRE19 Yes/No 4 326 329 Is this a pre-1.9 token?
DELD_UTK_VERPROF Yes/No 4 331 334 Is the VERIFYX propagation flag set?
DELD_UTK_NJEUNUSR Yes/No 4 336 339 Is this the NJE undefined user?
DELD_UTK_LOGUSR Yes/No 4 341 344 Is UAUDIT specified for this user?
DELD_UTK_SPECIAL Yes/No 4 346 349 Is this a SPECIAL user?
DELD_UTK_DEFAULT Yes/No 4 351 354 Is this a default token?
DELD_UTK_UNKNUSR Yes/No 4 356 359 Is this an undefined user?
DELD_UTK_ERROR Yes/No 4 361 364 Is this user token in error?
DELD_UTK_TRUSTED Yes/No 4 366 369 Is this user a part of the trusted computing base (TCB)?
DELD_UTK_SESSTYPE Char 8 371 378 The session type of this session.
DELD_UTK_SURROGAT Yes/No 4 380 383 Is this a surrogate user?
DELD_UTK_REMOTE Yes/No 4 385 388 Is this a remote job?
DELD_UTK_PRIV Yes/No 4 390 393 Is this a privileged user ID?
DELD_UTK_SECL Char 8 395 402 The security label of the user.
DELD_UTK_EXECNODE Char 8 404 411 The execution node of the work.
DELD_UTK_SUSER_ID Char 8 413 420 The submitting user ID.
DELD_UTK_SNODE Char 8 422 429 The submitting node.
DELD_UTK_SGRP_ID Char 8 431 438 The submitting group name.
DELD_UTK_SPOE Char 8 440 447 The port of entry.
DELD_UTK_SPCLASS Char 8 449 456 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
DELD_UTK_USER_ID Char 8 458 465 User ID associated with the record.
DELD_UTK_GRP_ID Char 8 467 474 Group name associated with the record.
DELD_UTK_DFT_GRP Yes/No 4 476 479 Is a default group assigned?
DELD_UTK_DFT_SECL Yes/No 4 481 484 Is a default security label assigned?
DELD_APPC_LINK Char 16 486 501 Key to link together APPC records.
DELD_SECL_LINK Char 16 503 518 Key to link together the data sets affected by a change of security label and the command that caused the security label change.
DELD_DS_NAME Char 44 520 563 The data set profile that is being deleted.
DELD_SPECIFIED Char 1024 565 1588 The keywords specified.
DELD_FAILED Char 1024 1590 2613 The keywords that failed.
DELD_UTK_NETW Char 8 2615 2622 The port of entry network name.
DELD_X500_SUBJECT Char 255 2624 2878 Subject's name associated with this event.
DELD_X500_ISSUER Char 255 2880 3134 Issuer's name associated with this event.
DELD_SERV_POENAME Char 64 3136 3199 SERVAUTH resource or profile name.
DELD_CTX_USER Char 510 3201 3710 Authenticated user name.
DELD_CTX_REG Char 255 3712 3966 Authenticated user registry name.
DELD_CTX_HOST Char 128 3968 4095 Authenticated user host name.
DELD_CTX_MECH Char 16 4097 4112 Authenticated user authentication mechanism object identifier (OID).
DELD_IDID_USER Char 985 4114 5098 Authenticated distributed user name.
DELD_IDID_REG Char 1021 5100 6120 Authenticated distributed user registry name.
Table 30. Event qualifiers for DELDSD command records
Event qualifier Event qualifier number Event description
SUCCESS 00 No violations detected.
INSAUTH 01 Insufficient authority.
KEYWVIOL 02 Keyword violation.
SECLSUCC 03 Successful retrieval of data set names.
SECLFAIL 04 Error during retrieval of data set names.

The DELGROUP record extension

Table 31 describes the format of a record that is created by the DELGROUP command.
The event qualifiers that can be associated with a DELGROUP command are shown in Table 32.
Table 31. Format of the DELGROUP record extension (event code 16)
Field name Type Length Start position End position Comments
DELG_OWN_ID Char 8 282 289 Owner of the profile.
DELG_USER_NAME Char 20 291 310 User name.
DELG_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
DELG_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
DELG_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
DELG_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
DELG_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
DELG_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
DELG_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
DELG_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
DELG_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
DELG_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
DELG_UTK_SESSTYPE Char 8 362 369 The session type of this session.
DELG_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
DELG_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
DELG_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
DELG_UTK_SECL Char 8 386 393 The security label of the user.
DELG_UTK_EXECNODE Char 8 395 402 The execution node of the work.
DELG_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
DELG_UTK_SNODE Char 8 413 420 The submitting node.
DELG_UTK_SGRP_ID Char 8 422 429 The submitting group name.
DELG_UTK_SPOE Char 8 431 438 The port of entry.
DELG_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
DELG_UTK_USER_ID Char 8 449 456 User ID associated with the record.
DELG_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
DELG_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
DELG_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
DELG_APPC_LINK Char 16 477 492 Key to link together APPC records.
DELG_GRP_ID Char 8 494 501 The group that is being deleted.
DELG_SPECIFIED Char 1024 503 1526 The keywords specified.
DELG_UTK_NETW Char 8 1528 1535 The port of entry network name.
DELG_X500_SUBJECT Char 255 1537 1791 Subject's name associated with this event.
DELG_X500_ISSUER Char 255 1793 2047 Issuer's name associated with this event.
DELG_SERV_POENAME Char 64 2049 2112 SERVAUTH resource or profile name.
DELG_CTX_USER Char 510 2114 2623 Authenticated user name.
DELG_CTX_REG Char 255 2625 2879 Authenticated user registry name.
DELG_CTX_HOST Char 128 2881 3008 Authenticated user host name.
DELG_CTX_MECH Char 16 3010 3025 Authenticated user authentication mechanism object identifier (OID).
DELG_IDID_USER Char 985 3027 4011 Authenticated distributed user name.
DELG_IDID_REG Char 1021 4013 5033 Authenticated distributed user registry name.
Table 32. Event qualifiers for DELGROUP command records
Event qualifier Event qualifier number Event description
SUCCESS 00 No violations detected.
INSAUTH 01 Insufficient authority.
KEYWVIOL 02 Keyword violation.

The DELUSER record extension

Table 33 describes the format of a record that is created by the DELUSER command.
The event qualifiers that can be associated with a DELUSER command are shown in Table 34.
Table 33. Format of the DELUSER record extension (event code 17)
Field name Type Length Start position End position Comments
DELU_OWN_ID Char 8 282 289 Owner of the profile.
DELU_USER_NAME Char 20 291 310 User name.
DELU_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
DELU_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
DELU_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
DELU_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
DELU_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
DELU_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
DELU_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
DELU_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
DELU_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
DELU_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
DELU_UTK_SESSTYPE Char 8 362 369 The session type of this session.
DELU_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
DELU_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
DELU_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
DELU_UTK_SECL Char 8 386 393 The security label of the user.
DELU_UTK_EXECNODE Char 8 395 402 The execution node of the work.
DELU_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
DELU_UTK_SNODE Char 8 413 420 The submitting node.
DELU_UTK_SGRP_ID Char 8 422 429 The submitting group name.
DELU_UTK_SPOE Char 8 431 438 The port of entry.
DELU_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
DELU_UTK_USER_ID Char 8 449 456 User ID associated with the record.
DELU_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
DELU_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
DELU_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
DELU_APPC_LINK Char 16 477 492 Key to link together APPC records.
DELU_USER_ID Char 8 494 501 The user ID that is being deleted.
DELU_SPECIFIED Char 1024 503 1526 The keywords specified.
DELU_UTK_NETW Char 8 1528 1535 The port of entry network name.
DELU_X500_SUBJECT Char 255 1537 1791 Subject's name associated with this event.
DELU_X500_ISSUER Char 255 1793 2047 Issuer's name associated with this event.
DELU_SERV_POENAME Char 64 2049 2112 SERVAUTH resource or profile name.
DELU_CTX_USER Char 510 2114 2623 Authenticated user name.
DELU_CTX_REG Char 255 2625 2879 Authenticated user registry name.
DELU_CTX_HOST Char 128 2881 3008 Authenticated user host name.
DELU_CTX_MECH Char 16 3010 3025 Authenticated user authentication mechanism object identifier (OID).
DELU_IDID_USER Char 985 3027 4011 Authenticated distributed user name.
DELU_IDID_REG Char 1021 4013 5033 Authenticated distributed user registry name.
Table 34. Event qualifiers for DELUSER command records
Event qualifier Event qualifier number Event description
SUCCESS 00 No violations detected.
INSAUTH 01 Insufficient authority.
KEYWVIOL 02 Keyword violation.

The PASSWORD record extension

Table 35 describes the format of a record that is created by the PASSWORD command.
The event qualifiers that can be associated with a PASSWORD command are shown in Table 36.
Table 35. Format of the PASSWORD record extension (event code 18)
Field name Type Length Start position End position Comments
PWD_OWN_ID Char 8 282 289 Owner of the profile.
PWD_USER_NAME Char 20 291 310 User name.
PWD_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
PWD_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
PWD_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
PWD_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
PWD_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
PWD_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
PWD_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
PWD_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
PWD_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
PWD_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
PWD_UTK_SESSTYPE Char 8 362 369 The session type of this session.
PWD_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
PWD_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
PWD_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
PWD_UTK_SECL Char 8 386 393 The security label of the user.
PWD_UTK_EXECNODE Char 8 395 402 The execution node of the work.
PWD_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
PWD_UTK_SNODE Char 8 413 420 The submitting node.
PWD_UTK_SGRP_ID Char 8 422 429 The submitting group name.
PWD_UTK_SPOE Char 8 431 438 The port of entry.
PWD_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
PWD_UTK_USER_ID Char 8 449 456 User ID associated with the record.
PWD_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
PWD_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
PWD_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
PWD_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
PWD_SPECIFIED Char 1024 494 1517 The keywords specified.
PWD_FAILED Char 1024 1519 2542 The keywords that failed.
PWD_IGNORED Char 1024 2544 3567 The keywords ignored.
PWD_UTK_NETW Char 8 3569 3576 The port of entry network name.
PWD_X500_SUBJECT Char 255 3578 3832 Subject's name associated with this event.
PWD_X500_ISSUER Char 255 3834 4088 Issuer's name associated with this event.
PWD_SERV_POENAME Char 64 4090 4153 SERVAUTH resource or profile name.
PWD_CTX_USER Char 510 4155 4664 Authenticated user name.
PWD_CTX_REG Char 255 4666 4920 Authenticated user registry name.
PWD_CTX_HOST Char 128 4922 5049 Authenticated user host name.
PWD_CTX_MECH Char 16 5051 5066 Authenticated user authentication mechanism object identifier (OID).
PWD_IDID_USER Char 985 5068 6052 Authenticated distributed user name.
PWD_IDID_REG Char 1021 6054 7074 Authenticated distributed user registry name.
Table 36. Event qualifiers for PASSWORD command records
Event qualifier Event qualifier number Event description
SUCCESS 00 No violations detected.
INSAUTH 01 Insufficient authority.
KEYWVIOL 02 Keyword violation.

The PERMIT record extension

Table 37 describes the format of a record that is created by the PERMIT command.
The event qualifiers that can be associated with a PERMIT command are shown in Table 38.
Table 37. Format of the PERMIT record extension (event code 19)
Field name Type Length Start position End position Comments
PERM_CLASS Char 8 282 289 Class name.
PERM_OWN_ID Char 8 291 298 Owner of the profile.
PERM_USER_NAME Char 20 300 319 User name.
PERM_UTK_ENCR Yes/No 4 321 324 Is the UTOKEN associated with this user encrypted?
PERM_UTK_PRE19 Yes/No 4 326 329 Is this a pre-1.9 token?
PERM_UTK_VERPROF Yes/No 4 331 334 Is the VERIFYX propagation flag set?
PERM_UTK_NJEUNUSR Yes/No 4 336 339 Is this the NJE undefined user?
PERM_UTK_LOGUSR Yes/No 4 341 344 Is UAUDIT specified for this user?
PERM_UTK_SPECIAL Yes/No 4 346 349 Is this a SPECIAL user?
PERM_UTK_DEFAULT Yes/No 4 351 354 Is this a default token?
PERM_UTK_UNKNUSR Yes/No 4 356 359 Is this an undefined user?
PERM_UTK_ERROR Yes/No 4 361 364 Is this user token in error?
PERM_UTK_TRUSTED Yes/No 4 366 369 Is this user a part of the trusted computing base (TCB)?
PERM_UTK_SESSTYPE Char 8 371 378 The session type of this session.
PERM_UTK_SURROGAT Yes/No 4 380 383 Is this a surrogate user?
PERM_UTK_REMOTE Yes/No 4 385 388 Is this a remote job?
PERM_UTK_PRIV Yes/No 4 390 393 Is this a privileged user ID?
PERM_UTK_SECL Char 8 395 402 The security label of the user.
PERM_UTK_EXECNODE Char 8 404 411 The execution node of the work.
PERM_UTK_SUSER_ID Char 8 413 420 The submitting user ID.
PERM_UTK_SNODE Char 8 422 429 The submitting node.
PERM_UTK_SGRP_ID Char 8 431 438 The submitting group name.
PERM_UTK_SPOE Char 8 440 447 The port of entry.
PERM_UTK_SPCLASS Char 8 449 456 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
PERM_UTK_USER_ID Char 8 458 465 User ID associated with the record.
PERM_UTK_GRP_ID Char 8 467 474 Group name associated with the record.
PERM_UTK_DFT_GRP Yes/No 4 476 479 Is a default group assigned?
PERM_UTK_DFT_SECL Yes/No 4 481 484 Is a default security label assigned?
PERM_APPC_LINK Char 16 486 501 Key to link together APPC records.
PERM_RES_NAME Char 255 503 757 The resource name.
PERM_SPECIFIED Char 1024 759 1782 The keywords specified.
PERM_FAILED Char 1024 1784 2807 The keywords that failed.
PERM_IGNORED Char 1024 2809 3832 The keywords ignored.
PERM_UTK_NETW Char 8 3834 3841 The port of entry network name.
PERM_X500_SUBJECT Char 255 3843 4097 Subject's name associated with this event.
PERM_X500_ISSUER Char 255 4099 4353 Issuer's name associated with this event.
PERM_SERV_POENAME Char 64 4355 4418 SERVAUTH resource or profile name.
PERM_CTX_USER Char 510 4420 4929 Authenticated user name.
PERM_CTX_REG Char 255 4931 5185 Authenticated user registry name.
PERM_CTX_HOST Char 128 5187 5314 Authenticated user host name.
PERM_CTX_MECH Char 16 5316 5331 Authenticated user authentication mechanism object identifier (OID).
PERM_IDID_USER Char 985 5333 6317 Authenticated distributed user name.
PERM_IDID_REG Char 1021 6319 7339 Authenticated distributed user registry name.
Table 38. Event qualifiers for PERMIT command records
Event qualifier Event qualifier number Event description
SUCCESS 00 No violations detected.
INSAUTH 01 Insufficient authority.
KEYWVIOL 02 Keyword violation.
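
The Start and End columns of Table 37 are 1-based, inclusive character positions, so each field can be sliced directly out of an unloaded record. The following Python sketch is an added example, not IBM code: it reads a subset of the PERMIT extension fields and lists what an auditor would review. It assumes that Yes/No fields unload as the text YES or NO; the sample values are constructed, and positions 1 to 281 (the common part of the record, not described in this table) are left blank.

```python
"""Added example: slice PERMIT (event code 19) extension fields by position."""

# (name, type, length, start, end) copied from Table 37; a subset for triage.
PERMIT_FIELDS = [
    ("PERM_CLASS", "char", 8, 282, 289),
    ("PERM_OWN_ID", "char", 8, 291, 298),
    ("PERM_USER_NAME", "char", 20, 300, 319),
    ("PERM_UTK_SPECIAL", "yesno", 4, 346, 349),
    ("PERM_UTK_TRUSTED", "yesno", 4, 366, 369),
    ("PERM_UTK_SURROGAT", "yesno", 4, 380, 383),
    ("PERM_UTK_REMOTE", "yesno", 4, 385, 388),
    ("PERM_UTK_PRIV", "yesno", 4, 390, 393),
    ("PERM_UTK_SUSER_ID", "char", 8, 413, 420),
    ("PERM_UTK_SPOE", "char", 8, 440, 447),
    ("PERM_UTK_SPCLASS", "char", 8, 449, 456),
    ("PERM_UTK_USER_ID", "char", 8, 458, 465),
    ("PERM_UTK_GRP_ID", "char", 8, 467, 474),
    ("PERM_RES_NAME", "char", 255, 503, 757),
    ("PERM_SPECIFIED", "char", 1024, 759, 1782),
    ("PERM_FAILED", "char", 1024, 1784, 2807),
    ("PERM_IGNORED", "char", 1024, 2809, 3832),
]

# Valid POE classes as listed in the PERM_UTK_SPCLASS comment.
VALID_POE_CLASSES = {"TERMINAL", "CONSOLE", "JESINPUT", "APPCPORT"}
ISSUER_FLAGS = ("PERM_UTK_SPECIAL", "PERM_UTK_PRIV",
                "PERM_UTK_TRUSTED", "PERM_UTK_SURROGAT")


def check_layout(fields=PERMIT_FIELDS):
    """Return field names whose Length != End - Start + 1 or that overlap."""
    bad, prev_end = [], 0
    for name, _type, length, start, end in fields:
        if end - start + 1 != length or start <= prev_end:
            bad.append(name)
        prev_end = end
    return bad


def parse_extension(record, fields=PERMIT_FIELDS):
    """Slice each field out of one record; short records yield empty fields."""
    out = {}
    for name, ftype, _length, start, end in fields:
        text = record[start - 1:end].strip()  # 1-based inclusive -> slice
        if ftype == "yesno":
            # A blank flag means the relocate section was absent, not NO.
            out[name] = None if not text else text.upper() == "YES"
        else:
            out[name] = text
    return out


def triage(f):
    """List the points worth reviewing in one parsed PERMIT extension."""
    findings = []
    if f["PERM_FAILED"]:
        findings.append("failed keywords: " + f["PERM_FAILED"])
    if f["PERM_IGNORED"]:
        findings.append("ignored keywords: " + f["PERM_IGNORED"])
    for flag in ISSUER_FLAGS:
        if f[flag]:
            findings.append(flag + " is set for the issuer")
    poe = f["PERM_UTK_SPCLASS"]
    if poe and poe not in VALID_POE_CLASSES:
        findings.append("unexpected POE class: " + poe)
    return findings


def build_sample(values, fields=PERMIT_FIELDS, length=3832):
    """Build a constructed record: blanks everywhere except the given fields."""
    buf = [" "] * length
    for name, _type, width, start, end in fields:
        if name in values:
            buf[start - 1:end] = values[name].ljust(width)[:width]
    return "".join(buf)


# Constructed sample values (not taken from a real system).
SAMPLE = {
    "PERM_CLASS": "FACILITY",
    "PERM_OWN_ID": "OWNER01",
    "PERM_USER_NAME": "CONSTRUCTED USER",
    "PERM_UTK_SPECIAL": "YES",
    "PERM_UTK_SURROGAT": "NO",
    "PERM_UTK_PRIV": "NO",
    "PERM_UTK_SPCLASS": "TERMINAL",
    "PERM_UTK_USER_ID": "USER01",
    "PERM_RES_NAME": "EXAMPLE.RESOURCE",
    "PERM_SPECIFIED": "ID(USER02) ACCESS(READ)",
}

if __name__ == "__main__":
    parsed = parse_extension(build_sample(SAMPLE))
    print(parsed["PERM_CLASS"], parsed["PERM_RES_NAME"], triage(parsed))
```

The same slicing works for the other record extensions once the field list is replaced with the positions from the corresponding table.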

The RALTER record extension

Table 39 describes the format of a record that is created by the RALTER command.
The event qualifiers that can be associated with a RALTER command are shown in Table 40.
Table 39. Format of the RALTER record extension (event code 20)
Field name Type Length Start position End position Comments
RALT_CLASS Char 8 282 289 Class name.
RALT_OWN_ID Char 8 291 298 Owner of the profile.
RALT_USER_NAME Char 20 300 319 User name.
RALT_OLD_SECL Char 8 321 328 The security label being deleted from the file.
RALT_UTK_ENCR Yes/No 4 330 333 Is the UTOKEN associated with this user encrypted?
RALT_UTK_PRE19 Yes/No 4 335 338 Is this a pre-1.9 token?
RALT_UTK_VERPROF Yes/No 4 340 343 Is the VERIFYX propagation flag set?
RALT_UTK_NJEUNUSR Yes/No 4 345 348 Is this the NJE undefined user?
RALT_UTK_LOGUSR Yes/No 4 350 353 Is UAUDIT specified for this user?
RALT_UTK_SPECIAL Yes/No 4 355 358 Is this a SPECIAL user?
RALT_UTK_DEFAULT Yes/No 4 360 363 Is this a default token?
RALT_UTK_UNKNUSR Yes/No 4 365 368 Is this an undefined user?
RALT_UTK_ERROR Yes/No 4 370 373 Is this user token in error?
RALT_UTK_TRUSTED Yes/No 4 375 378 Is this user a part of the trusted computing base (TCB)?
RALT_UTK_SESSTYPE Char 8 380 387 The session type of this session.
RALT_UTK_SURROGAT Yes/No 4 389 392 Is this a surrogate user?
RALT_UTK_REMOTE Yes/No 4 394 397 Is this a remote job?
RALT_UTK_PRIV Yes/No 4 399 402 Is this a privileged user ID?
RALT_UTK_SECL Char 8 404 411 The security label of the user.
RALT_UTK_EXECNODE Char 8 413 420 The execution node of the work.
RALT_UTK_SUSER_ID Char 8 422 429 The submitting user ID.
RALT_UTK_SNODE Char 8 431 438 The submitting node.
RALT_UTK_SGRP_ID Char 8 440 447 The submitting group name.
RALT_UTK_SPOE Char 8 449 456 The port of entry.
RALT_UTK_SPCLASS Char 8 458 465 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
RALT_UTK_USER_ID Char 8 467 474 User ID associated with the record.
RALT_UTK_GRP_ID Char 8 476 483 Group name associated with the record.
RALT_UTK_DFT_GRP Yes/No 4 485 488 Is a default group assigned?
RALT_UTK_DFT_SECL Yes/No 4 490 493 Is a default security label assigned?
RALT_APPC_LINK Char 16 495 510 Key to link together APPC records.
RALT_RES_NAME Char 255 512 766 The resource name.
RALT_SPECIFIED Char 1024 768 1791 The keywords specified.
RALT_FAILED Char 1024 1793 2816 The keywords that failed.
RALT_UTK_NETW Char 8 2818 2825 The port of entry network name.
RALT_X500_SUBJECT Char 255 2827 3081 Subject's name associated with this event.
RALT_X500_ISSUER Char 255 3083 3337 Issuer's name associated with this event.
RALT_SERV_POENAME Char 64 3339 3402 SERVAUTH resource or profile name.
RALT_CTX_USER Char 510 3404 3913 Authenticated user name.
RALT_CTX_REG Char 255 3915 4169 Authenticated user registry name.
RALT_CTX_HOST Char 128 4171 4298 Authenticated user host name.
RALT_CTX_MECH Char 16 4300 4315 Authenticated user authentication mechanism object identifier (OID).
RALT_IDID_USER Char 985 4317 5301 Authenticated distributed user name.
RALT_IDID_REG Char 1021 5303 6323 Authenticated distributed user registry name.
Table 40. Event qualifiers for RALTER command records
Event qualifier Event qualifier number Event description
SUCCESS 00 No violations detected.
INSAUTH 01 Insufficient authority.
KEYWVIOL 02 Keyword violation.

The RDEFINE record extension

Table 41 describes the format of a record that is created by the RDEFINE command.
The event qualifiers that can be associated with an RDEFINE command are shown in Table 42.
Table 41. Format of the RDEFINE record extension (event code 21)
Field name Type Length Start position End position Comments
RDEF_CLASS Char 8 282 289 Class name.
RDEF_OWN_ID Char 8 291 298 Owner of the profile.
RDEF_USER_NAME Char 20 300 319 User name.
RDEF_SECL Char 8 321 328 The security label associated with the profile.
RDEF_UTK_ENCR Yes/No 4 330 333 Is the UTOKEN associated with this user encrypted?
RDEF_UTK_PRE19 Yes/No 4 335 338 Is this a pre-1.9 token?
RDEF_UTK_VERPROF Yes/No 4 340 343 Is the VERIFYX propagation flag set?
RDEF_UTK_NJEUNUSR Yes/No 4 345 348 Is this the NJE undefined user?
RDEF_UTK_LOGUSR Yes/No 4 350 353 Is UAUDIT specified for this user?
RDEF_UTK_SPECIAL Yes/No 4 355 358 Is this a SPECIAL user?
RDEF_UTK_DEFAULT Yes/No 4 360 363 Is this a default token?
RDEF_UTK_UNKNUSR Yes/No 4 365 368 Is this an undefined user?
RDEF_UTK_ERROR Yes/No 4 370 373 Is this user token in error?
RDEF_UTK_TRUSTED Yes/No 4 375 378 Is this user a part of the trusted computing base (TCB)?
RDEF_UTK_SESSTYPE Char 8 380 387 The session type of this session.
RDEF_UTK_SURROGAT Yes/No 4 389 392 Is this a surrogate user?
RDEF_UTK_REMOTE Yes/No 4 394 397 Is this a remote job?
RDEF_UTK_PRIV Yes/No 4 399 402 Is this a privileged user ID?
RDEF_UTK_SECL Char 8 404 411 The security label of the user.
RDEF_UTK_EXECNODE Char 8 413 420 The execution node of the work.
RDEF_UTK_SUSER_ID Char 8 422 429 The submitting user ID.
RDEF_UTK_SNODE Char 8 431 438 The submitting node.
RDEF_UTK_SGRP_ID Char 8 440 447 The submitting group name.
RDEF_UTK_SPOE Char 8 449 456 The port of entry.
RDEF_UTK_SPCLASS Char 8 458 465 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
RDEF_UTK_USER_ID Char 8 467 474 User ID associated with the record.
RDEF_UTK_GRP_ID Char 8 476 483 Group name associated with the record.
RDEF_UTK_DFT_GRP Yes/No 4 485 488 Is a default group assigned?
RDEF_UTK_DFT_SECL Yes/No 4 490 493 Is a default security label assigned?
RDEF_APPC_LINK Char 16 495 510 Key to link together APPC records.
RDEF_RES_NAME Char 255 512 766 The resource name.
RDEF_SPECIFIED Char 1024 768 1791 The keywords specified.
RDEF_FAILED Char 1024 1793 2816 The keywords that failed.
RDEF_UTK_NETW Char 8 2818 2825 The port of entry network name.
RDEF_X500_SUBJECT Char 255 2827 3081 Subject's name associated with this event.
RDEF_X500_ISSUER Char 255 3083 3337 Issuer's name associated with this event.
RDEF_SERV_POENAME Char 64 3339 3402 SERVAUTH resource or profile name.
RDEF_CTX_USER Char 510 3404 3913 Authenticated user name.
RDEF_CTX_REG Char 255 3915 4169 Authenticated user registry name.
RDEF_CTX_HOST Char 128 4171 4298 Authenticated user host name.
RDEF_CTX_MECH Char 16 4300 4315 Authenticated user authentication mechanism object identifier (OID).
RDEF_IDID_USER Char 985 4317 5301 Authenticated distributed user name.
RDEF_IDID_REG Char 1021 5303 6323 Authenticated distributed user registry name.
Table 42. Event qualifiers for RDEFINE command records
Event qualifier Event qualifier number Event description
SUCCESS 00 No violations detected.
INSAUTH 01 Insufficient authority.
KEYWVIOL 02 Keyword violation.

The RDELETE record extension

Table 43 describes the format of a record that is created by the RDELETE command.
The event qualifiers that can be associated with an RDELETE command are shown in Table 44.
Table 43. Format of the RDELETE record extension (event code 22)
Field name Type Length Start position End position Comments
RDEL_CLASS Char 8 282 289 Class name.
RDEL_OWN_ID Char 8 291 298 Owner of the profile.
RDEL_USER_NAME Char 20 300 319 User name.
RDEL_SECL Char 8 321 328 The security label associated with the profile.
RDEL_UTK_ENCR Yes/No 4 330 333 Is the UTOKEN associated with this user encrypted?
RDEL_UTK_PRE19 Yes/No 4 335 338 Is this a pre-1.9 token?
RDEL_UTK_VERPROF Yes/No 4 340 343 Is the VERIFYX propagation flag set?
RDEL_UTK_NJEUNUSR Yes/No 4 345 348 Is this the NJE undefined user?
RDEL_UTK_LOGUSR Yes/No 4 350 353 Is UAUDIT specified for this user?
RDEL_UTK_SPECIAL Yes/No 4 355 358 Is this a SPECIAL user?
RDEL_UTK_DEFAULT Yes/No 4 360 363 Is this a default token?
RDEL_UTK_UNKNUSR Yes/No 4 365 368 Is this an undefined user?
RDEL_UTK_ERROR Yes/No 4 370 373 Is this user token in error?
RDEL_UTK_TRUSTED Yes/No 4 375 378 Is this user a part of the trusted computing base (TCB)?
RDEL_UTK_SESSTYPE Char 8 380 387 The session type of this session.
RDEL_UTK_SURROGAT Yes/No 4 389 392 Is this a surrogate user?
RDEL_UTK_REMOTE Yes/No 4 394 397 Is this a remote job?
RDEL_UTK_PRIV Yes/No 4 399 402 Is this a privileged user ID?
RDEL_UTK_SECL Char 8 404 411 The security label of the user.
RDEL_UTK_EXECNODE Char 8 413 420 The execution node of the work.
RDEL_UTK_SUSER_ID Char 8 422 429 The submitting user ID.
RDEL_UTK_SNODE Char 8 431 438 The submitting node.
RDEL_UTK_SGRP_ID Char 8 440 447 The submitting group name.
RDEL_UTK_SPOE Char 8 449 456 The port of entry.
RDEL_UTK_SPCLASS Char 8 458 465 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
RDEL_UTK_USER_ID Char 8 467 474 User ID associated with the record.
RDEL_UTK_GRP_ID Char 8 476 483 Group name associated with the record.
RDEL_UTK_DFT_GRP Yes/No 4 485 488 Is a default group assigned?
RDEL_UTK_DFT_SECL Yes/No 4 490 493 Is a default security label assigned?
RDEL_APPC_LINK Char 16 495 510 Key to link together APPC records.
RDEL_RES_NAME Char 255 512 766 The resource name.
RDEL_SPECIFIED Char 1024 768 1791 The keywords specified.
RDEL_UTK_NETW Char 8 1793 1800 The port of entry network name.
RDEL_X500_SUBJECT Char 255 1802 2056 Subject's name associated with this event.
RDEL_X500_ISSUER Char 255 2058 2312 Issuer's name associated with this event.
RDEL_SERV_POENAME Char 64 2314 2377 SERVAUTH resource or profile name.
RDEL_CTX_USER Char 510 2379 2888 Authenticated user name.
RDEL_CTX_REG Char 255 2890 3144 Authenticated user registry name.
RDEL_CTX_HOST Char 128 3146 3273 Authenticated user host name.
RDEL_CTX_MECH Char 16 3275 3290 Authenticated user authentication mechanism object identifier (OID).
RDEL_IDID_USER Char 985 3292 4276 Authenticated distributed user name.
RDEL_IDID_REG Char 1021 4278 5298 Authenticated distributed user registry name.
Table 44. Event qualifiers for RDELETE command records
Event qualifier Event qualifier number Event description
SUCCESS 00 No violations detected.
INSAUTH 01 Insufficient authority.
KEYWVIOL 02 Keyword violation.

The REMOVE record extension

Table 45 describes the format of a record that is created by the REMOVE command.
The event qualifiers that can be associated with a REMOVE command are shown in Table 46.
Table 45. Format of the REMOVE record extension (event code 23)
Field name Type Length Start position End position Comments
REM_OWN_ID Char 8 282 289 Owner of the profile.
REM_USER_NAME Char 20 291 310 User name.
REM_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
REM_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
REM_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
REM_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
REM_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
REM_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
REM_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
REM_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
REM_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
REM_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
REM_UTK_SESSTYPE Char 8 362 369 The session type of this session.
REM_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
REM_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
REM_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
REM_UTK_SECL Char 8 386 393 The security label of the user.
REM_UTK_EXECNODE Char 8 395 402 The execution node of the work.
REM_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
REM_UTK_SNODE Char 8 413 420 The submitting node.
REM_UTK_SGRP_ID Char 8 422 429 The submitting group name.
REM_UTK_SPOE Char 8 431 438 The port of entry.
REM_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
REM_UTK_USER_ID Char 8 449 456 User ID associated with the record.
REM_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
REM_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
REM_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
REM_APPC_LINK Char 16 477 492 Key to link together APPC records.
REM_USER_ID Char 8 494 501 The user ID.
REM_SPECIFIED Char 1024 503 1526 The keywords specified.
REM_FAILED Char 1024 1528 2551 The keywords that failed.
REM_UTK_NETW Char 8 2553 2560 The port of entry network name.
REM_X500_SUBJECT Char 255 2562 2816 Subject's name associated with this event.
REM_X500_ISSUER Char 255 2818 3072 Issuer's name associated with this event.
REM_SERV_POENAME Char 64 3074 3137 SERVAUTH resource or profile name.
REM_CTX_USER Char 510 3139 3648 Authenticated user name.
REM_CTX_REG Char 255 3650 3904 Authenticated user registry name.
REM_CTX_HOST Char 128 3906 4033 Authenticated user host name.
REM_CTX_MECH Char 16 4035 4050 Authenticated user authentication mechanism object identifier (OID).
REM_IDID_USER Char 985 4052 5036 Authenticated distributed user name.
REM_IDID_REG Char 1021 5038 6058 Authenticated distributed user registry name.
Table 46. Event qualifiers for REMOVE command records
Event qualifier Event qualifier number Event description
SUCCESS 00 No violations detected.
INSAUTH 01 Insufficient authority.
KEYWVIOL 02 Keyword violation.

The SETROPTS record extension

Table 47 describes the format of a record that is created by the SETROPTS command.
Table 48 shows the event qualifiers that can be associated with a SETROPTS command.
Table 47. Format of the SETROPTS record extension (event code 24)
Field name Type Length Start position End position Comments
SETR_USER_NAME Char 20 282 301 User name.
SETR_UTK_ENCR Yes/No 4 303 306 Is the UTOKEN associated with this user encrypted?
SETR_UTK_PRE19 Yes/No 4 308 311 Is this a pre-1.9 token?
SETR_UTK_VERPROF Yes/No 4 313 316 Is the VERIFYX propagation flag set?
SETR_UTK_NJEUNUSR Yes/No 4 318 321 Is this the NJE undefined user?
SETR_UTK_LOGUSR Yes/No 4 323 326 Is UAUDIT specified for this user?
SETR_UTK_SPECIAL Yes/No 4 328 331 Is this a SPECIAL user?
SETR_UTK_DEFAULT Yes/No 4 333 336 Is this a default token?
SETR_UTK_UNKNUSR Yes/No 4 338 341 Is this an undefined user?
SETR_UTK_ERROR Yes/No 4 343 346 Is this user token in error?
SETR_UTK_TRUSTED Yes/No 4 348 351 Is this user a part of the trusted computing base (TCB)?
SETR_UTK_SESSTYPE Char 8 353 360 The session type of this session.
SETR_UTK_SURROGAT Yes/No 4 362 365 Is this a surrogate user?
SETR_UTK_REMOTE Yes/No 4 367 370 Is this a remote job?
SETR_UTK_PRIV Yes/No 4 372 375 Is this a privileged user ID?
SETR_UTK_SECL Char 8 377 384 The security label of the user.
SETR_UTK_EXECNODE Char 8 386 393 The execution node of the work.
SETR_UTK_SUSER_ID Char 8 395 402 The submitting user ID.
SETR_UTK_SNODE Char 8 404 411 The submitting node.
SETR_UTK_SGRP_ID Char 8 413 420 The submitting group name.
SETR_UTK_SPOE Char 8 422 429 The port of entry.
SETR_UTK_SPCLASS Char 8 431 438 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
SETR_UTK_USER_ID Char 8 440 447 User ID associated with the record.
SETR_UTK_GRP_ID Char 8 449 456 Group name associated with the record.
SETR_UTK_DFT_GRP Yes/No 4 458 461 Is a default group assigned?
SETR_UTK_DFT_SECL Yes/No 4 463 466 Is a default security label assigned?
SETR_APPC_LINK Char 16 468 483 Key to link together APPC records.
SETR_SPECIFIED Char 1024 485 1508 The keywords specified.
SETR_FAILED Char 1024 1510 2533 The keywords that failed.
SETR_UTK_NETW Char 8 2535 2542 The port of entry network name.
SETR_X500_SUBJECT Char 255 2544 2798 Subject's name associated with this event.
SETR_X500_ISSUER Char 255 2800 3054 Issuer's name associated with this event.
SETR_SERV_POENAME Char 64 3056 3119 SERVAUTH resource or profile name.
SETR_CTX_USER Char 510 3121 3630 Authenticated user name.
SETR_CTX_REG Char 255 3632 3886 Authenticated user registry name.
SETR_CTX_HOST Char 128 3888 4015 Authenticated user host name.
SETR_CTX_MECH Char 16 4017 4032 Authenticated user authentication mechanism object identifier (OID).
SETR_IDID_USER Char 985 4034 5018 Authenticated distributed user name.
SETR_IDID_REG Char 1021 5020 6040 Authenticated distributed user registry name.
Table 48. Event qualifiers for SETROPTS command records
Event qualifier Event qualifier number Event description
SUCCESS 00 No violations detected.
INSAUTH 01 Insufficient authority.
KEYWVIOL 02 Keyword violation.

The RVARY record extension

Table 49 describes the format of a record that is created by the RVARY command.
The event qualifiers that can be associated with an RVARY command are shown in Table 50.
Table 49. Format of the RVARY record extension (event code 25)
Field name Type Length Position Comments
Start End
RVAR_USER_NAME Char 20 282 301 User name.
RVAR_UTK_ENCR Yes/No 4 303 306 Is the UTOKEN associated with this user encrypted?
RVAR_UTK_PRE19 Yes/No 4 308 311 Is this a pre-1.9 token?
RVAR_UTK_VERPROF Yes/No 4 313 316 Is the VERIFYX propagation flag set?
RVAR_UTK_NJEUNUSR Yes/No 4 318 321 Is this the NJE undefined user?
RVAR_UTK_LOGUSR Yes/No 4 323 326 Is UAUDIT specified for this user?
RVAR_UTK_SPECIAL Yes/No 4 328 331 Is this a SPECIAL user?
RVAR_UTK_DEFAULT Yes/No 4 333 336 Is this a default token?
RVAR_UTK_UNKNUSR Yes/No 4 338 341 Is this an undefined user?
RVAR_UTK_ERROR Yes/No 4 343 346 Is this user token in error?
RVAR_UTK_TRUSTED Yes/No 4 348 351 Is this user a part of the trusted computing base (TCB)?
RVAR_UTK_SESSTYPE Char 8 353 360 The session type of this session.
RVAR_UTK_SURROGAT Yes/No 4 362 365 Is this a surrogate user?
RVAR_UTK_REMOTE Yes/No 4 367 370 Is this a remote job?
RVAR_UTK_PRIV Yes/No 4 372 375 Is this a privileged user ID?
RVAR_UTK_SECL Char 8 377 384 The security label of the user.
RVAR_UTK_EXECNODE Char 8 386 393 The execution node of the work.
RVAR_UTK_SUSER_ID Char 8 395 402 The submitting user ID.
RVAR_UTK_SNODE Char 8 404 411 The submitting node.
RVAR_UTK_SGRP_ID Char 8 413 420 The submitting group name.
RVAR_UTK_SPOE Char 8 422 429 The port of entry.
RVAR_UTK_SPCLASS Char 8 431 438 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
RVAR_UTK_USER_ID Char 8 440 447 User ID associated with the record.
RVAR_UTK_GRP_ID Char 8 449 456 Group name associated with the record.
RVAR_UTK_DFT_GRP Yes/No 4 458 461 Is a default group assigned?
RVAR_UTK_DFT_SECL Yes/No 4 463 466 Is a default security label assigned?
RVAR_APPC_LINK Char 16 468 483 Key to link together APPC records.
RVAR_SPECIFIED Char 1024 485 1508 The keywords specified.
RVAR_FAILED Char 1024 1510 2533 The keywords that failed.
RVAR_UTK_NETW Char 8 2535 2542 The port of entry network name.
RVAR_X500_SUBJECT Char 255 2544 2798 Subject's name associated with this event.
RVAR_X500_ISSUER Char 255 2800 3054 Issuer's name associated with this event.
RVAR_SERV_POENAME Char 64 3056 3119 SERVAUTH resource or profile name.
RVAR_CTX_USER Char 510 3121 3630 Authenticated user name.
RVAR_CTX_REG Char 255 3632 3886 Authenticated user registry name.
RVAR_CTX_HOST Char 128 3888 4015 Authenticated user host name.
RVAR_CTX_MECH Char 16 4017 4032 Authenticated user authentication mechanism object identifier (OID).
RVAR_IDID_USER Char 985 4034 5018 Authenticated distributed user name.
RVAR_IDID_REG Char 1021 5020 6040 Authenticated distributed user registry name.
Table 50. Event qualifiers for RVARY command records
Event qualifier Event qualifier number Event description
SUCCESS 00 No violations detected.
INSAUTH 01 Insufficient authority.
KEYWVIOL 02 Keyword violation.

The APPCLU record extension

Table 51 describes the format of a record that is created by the auditing of an APPCLU resource.
The event qualifiers that can be associated with an APPCLU (APPC session establishment) event are shown in Table 52.
Table 51. Format of the APPCLU record extension (event code 26)
Field name Type Length Position Comments
Start End
APPC_RES_NAME Char 255 282 536 Resource name.
APPC_CLASS Char 8 538 545 Class name.
APPC_TYPE Char 8 547 554 Type of resource data. Valid values are RESOURCE if ACC_NAME is a generic resource name, and PROFILE if ACC_NAME is a generic profile.
APPC_NAME Char 246 556 801 Resource or profile name.
APPC_OWN_ID Char 8 803 810 Name of the profile owner.
APPC_USER_NAME Char 20 812 831 User name.
APPC_UTK_ENCR Yes/No 4 833 836 Is the UTOKEN associated with this user encrypted?
APPC_UTK_PRE19 Yes/No 4 838 841 Is this a pre-1.9 token?
APPC_UTK_VERPROF Yes/No 4 843 846 Is the VERIFYX propagation flag set?
APPC_UTK_NJEUNUSR Yes/No 4 848 851 Is this the NJE undefined user?
APPC_UTK_LOGUSR Yes/No 4 853 856 Is UAUDIT specified for this user?
APPC_UTK_SPECIAL Yes/No 4 858 861 Is this a SPECIAL user?
APPC_UTK_DEFAULT Yes/No 4 863 866 Is this a default token?
APPC_UTK_UNKNUSR Yes/No 4 868 871 Is this an undefined user?
APPC_UTK_ERROR Yes/No 4 873 876 Is this user token in error?
APPC_UTK_TRUSTED Yes/No 4 878 881 Is this user a part of the trusted computing base (TCB)?
APPC_UTK_SESSTYPE Char 8 883 890 The session type of this session.
APPC_UTK_SURROGAT Yes/No 4 892 895 Is this a surrogate user?
APPC_UTK_REMOTE Yes/No 4 897 900 Is this a remote job?
APPC_UTK_PRIV Yes/No 4 902 905 Is this a privileged user ID?
APPC_UTK_SECL Char 8 907 914 The security label of the user.
APPC_UTK_EXECNODE Char 8 916 923 The execution node of the work.
APPC_UTK_SUSER_ID Char 8 925 932 The submitting user ID.
APPC_UTK_SNODE Char 8 934 941 The submitting node.
APPC_UTK_SGRP_ID Char 8 943 950 The submitting group name.
APPC_UTK_SPOE Char 8 952 959 The port of entry.
APPC_UTK_SPCLASS Char 8 961 968 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
APPC_UTK_USER_ID Char 8 970 977 User ID associated with the record.
APPC_UTK_GRP_ID Char 8 979 986 Group name associated with the record.
APPC_UTK_DFT_GRP Yes/No 4 988 991 Is a default group assigned?
APPC_UTK_DFT_SECL Yes/No 4 993 996 Is a default security label assigned?
APPC_APPC_LINK Char 16 998 1013 Key to link together APPC records.
APPC_UTK_NETW Char 8 1015 1022 The port of entry network name.
APPC_X500_SUBJECT Char 255 1024 1278 Subject's name associated with this event.
APPC_X500_ISSUER Char 255 1280 1534 Issuer's name associated with this event.
APPC_SERV_POENAME Char 64 1536 1599 SERVAUTH resource or profile name.
APPC_CTX_USER Char 510 1601 2110 Authenticated user name.
APPC_CTX_REG Char 255 2112 2366 Authenticated user registry name.
APPC_CTX_HOST Char 128 2368 2495 Authenticated user host name.
APPC_CTX_MECH Char 16 2497 2512 Authenticated user authentication mechanism object identifier (OID).
APPC_IDID_USER Char 985 2514 3498 Authenticated distributed user name.
APPC_IDID_REG Char 1021 3500 4520 Authenticated distributed user registry name.
Table 52. Event qualifiers for APPC session establishment records
Event qualifier Event qualifier number Event description
SUCCESS 00 Partner verification OK.
NOVERIFY 01 Session established without verification.
LKEYEXPR 02 Local key expires in less than 5 days.
REVOKED 03 Partner LU access has been revoked.
NOMATCH 04 Partner LU key does not match this LU key.
TRMSECUR 05 Session terminated for security reasons.
NOSESKEY 06 Required session key not defined.
LUATTACK 07 Possible security attack by partner LU.
NOPRTKEY 08 Session key not defined for the partner LU.
NOKEY 09 Session key not defined for this LU.
SNAERROR 10 SNA security-related session
PROFCHNG 11 Profile changed during verification.
SKEYEXPR 12 Expired session key error.

The general event record extension

Table 53 describes the format of a record that is created by a general event.

The event qualifiers that can be associated with a general event are determined by the installation. These event codes are unloaded as integer values.

Table 53. Format of the general event record extension (event code 27)
Field name Type Length Position Comments
Start End
GEN_CLASS Char 8 282 289 Class name.
GEN_LOGSTR Char 255 291 545 LOGSTR= data from the RACROUTE
GEN_USER_NAME Char 20 547 566 User name.
GEN_UTK_ENCR Yes/No 4 568 571 Is the UTOKEN associated with this user encrypted?
GEN_UTK_PRE19 Yes/No 4 573 576 Is this a pre-1.9 token?
GEN_UTK_VERPROF Yes/No 4 578 581 Is the VERIFYX propagation flag set?
GEN_UTK_NJEUNUSR Yes/No 4 583 586 Is this the NJE undefined user?
GEN_UTK_LOGUSR Yes/No 4 588 591 Is UAUDIT specified for this user?
GEN_UTK_SPECIAL Yes/No 4 593 596 Is this a SPECIAL user?
GEN_UTK_DEFAULT Yes/No 4 598 601 Is this a default token?
GEN_UTK_UNKNUSR Yes/No 4 603 606 Is this an undefined user?
GEN_UTK_ERROR Yes/No 4 608 611 Is this user token in error?
GEN_UTK_TRUSTED Yes/No 4 613 616 Is this user a part of the trusted computing base (TCB)?
GEN_UTK_SESSTYPE Char 8 618 625 The session type of this session.
GEN_UTK_SURROGAT Yes/No 4 627 630 Is this a surrogate user?
GEN_UTK_REMOTE Yes/No 4 632 635 Is this a remote job?
GEN_UTK_PRIV Yes/No 4 637 640 Is this a privileged user ID?
GEN_UTK_SECL Char 8 642 649 The security label of the user.
GEN_UTK_EXECNODE Char 8 651 658 The execution node of the work.
GEN_UTK_SUSER_ID Char 8 660 667 The submitting user ID.
GEN_UTK_SNODE Char 8 669 676 The submitting node.
GEN_UTK_SGRP_ID Char 8 678 685 The submitting group name.
GEN_UTK_SPOE Char 8 687 694 The port of entry.
GEN_UTK_SPCLASS Char 8 696 703 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
GEN_UTK_USER_ID Char 8 705 712 User ID associated with the record.
GEN_UTK_GRP_ID Char 8 714 721 Group name associated with the record.
GEN_UTK_DFT_GRP Yes/No 4 723 726 Is a default group assigned?
GEN_UTK_DFT_SECL Yes/No 4 728 731 Is a default security label assigned?
GEN_APPC_LINK Char 16 733 748 Key to link together GENERAL records.
GEN_UTK_NETW Char 8 750 757 The port of entry network name.
GEN_X500_SUBJECT Char 255 759 1013 Subject's name associated with this event.
GEN_X500_ISSUER Char 255 1015 1269 Issuer's name associated with this event.
GEN_SERV_POENAME Char 64 1271 1334 SERVAUTH resource or profile name.
GEN_CTX_USER Char 510 1336 1845 Authenticated user name.
GEN_CTX_REG Char 255 1847 2101 Authenticated user registry name.
GEN_CTX_HOST Char 128 2103 2230 Authenticated user host name.
GEN_CTX_MECH Char 16 2232 2247 Authenticated user authentication mechanism object identifier (OID).
GEN_IDID_USER Char 985 2249 3233 Authenticated distributed user name.
GEN_IDID_REG Char 1021 3235 4255 Authenticated distributed user registry name.

The directory search record extension

Table 54 describes the format of a record that is created by a directory search event.
The event qualifiers that can be associated with a directory search event are shown in Table 55.
Table 54. Format of the directory search record extension (event code 28)
Field name Type Length Position Comments
Start End
DSCH_CLASS Char 8 282 289 Class name.
DSCH_USER_NAME Char 20 291 310 The name associated with the user ID.
DSCH_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
DSCH_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
DSCH_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
DSCH_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
DSCH_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
DSCH_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
DSCH_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
DSCH_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
DSCH_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
DSCH_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
DSCH_UTK_SESSTYPE Char 8 362 369 The session type of this session.
DSCH_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
DSCH_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
DSCH_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
DSCH_UTK_SECL Char 8 386 393 The security label of the user.
DSCH_UTK_EXECNODE Char 8 395 402 The execution node of the work.
DSCH_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
DSCH_UTK_SNODE Char 8 413 420 The submitting node.
DSCH_UTK_SGRP_ID Char 8 422 429 The submitting group name.
DSCH_UTK_SPOE Char 8 431 438 The port of entry.
DSCH_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
DSCH_UTK_USER_ID Char 8 449 456 User ID associated with the record.
DSCH_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
DSCH_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
DSCH_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
DSCH_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
DSCH_AUDIT_CODE Char 11 494 504 Audit function code.
DSCH_OLD_REAL_UID Integer 10 506 515 Old real z/OS® UNIX user identifier (UID).
DSCH_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
DSCH_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
DSCH_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
DSCH_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
DSCH_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
DSCH_PATH_NAME Char 1023 572 1594 The requested path name.
DSCH_FILE_ID Char 32 1596 1627 File ID.
DSCH_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
DSCH_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
DSCH_REQUEST_READ Yes/No 4 1651 1654 Did the requested access include read?
DSCH_REQUEST_WRITE Yes/No 4 1656 1659 Did the requested access include write?
DSCH_REQUEST_EXEC Yes/No 4 1661 1664 Did the requested access include EXECUTE?
DSCH_REQUEST_DSRCH Yes/No 4 1666 1669 Did the requested access include directory search?
DSCH_ACCESS_TYPE Char 8 1671 1678 What bits were used in granting the access? Valid values are ACLERROR, ACLGROUP, ACLUSER, FSACCESS, GROUP, NO, OTHER, OWNER, and RSTD.
DSCH_ALLOWED_READ Yes/No 4 1680 1683 Was read access allowed?
DSCH_ALLOWED_WRITE Yes/No 4 1685 1688 Was write access allowed?
DSCH_ALLOWED_EXEC Yes/No 4 1690 1693 Was execute or search access allowed?
DSCH_REQUEST_PATH2 Char 1023 1695 2717 Second requested path name.
DSCH_SERVICE_CODE Char 11 2719 2729 The service that was being processed. This is set only when the DSCH_AUDIT_CODE is LOOKUP.
DSCH_HFS_DS_NAME Char 44 2731 2774 Data set name for the mounted file system.
DSCH_SYMLINK Char 1023 2776 3798 The content of SYMLINK.
DSCH_FILE_NAME Char 256 3800 4055 The file name that is being checked.
DSCH_PATH_TYPE Char 4 4057 4060 Type of the requested path name. Valid values are OLD and NEW.
DSCH_FILEPOOL Char 8 4062 4069 SFS filepool containing the BFS file.
DSCH_FILESPACE Char 8 4071 4078 SFS filespace containing the BFS file.
DSCH_INODE Integer 10 4080 4089 Inode (file serial number).
DSCH_SCID Integer 10 4091 4100 File SCID.
DSCH_DCE_LINK Char 16 4102 4117 Link to connect DCE records that originate from a single DCE request.
DSCH_AUTH_TYPE Char 13 4119 4131 Defines the type of request. Valid values are: SERVER, AUTH_CLIENT, and UNAUTH_CLIENT.
DSCH_DFLT_PROCESS Yes/No 4 4133 4136 Default z/OS UNIX security environment in effect.
DSCH_UTK_NETW Char 8 4138 4145 The port of entry network name.
DSCH_X500_SUBJECT Char 255 4147 4401 Subject's name associated with this event.
DSCH_X500_ISSUER Char 255 4403 4657 Issuer's name associated with this event.
DSCH_SECL Char 8 4659 4666 Security label of the resource.
DSCH_SERV_POENAME Char 64 4668 4731 SERVAUTH resource or profile name.
DSCH_CTX_USER Char 510 4733 5242 Authenticated user name.
DSCH_CTX_REG Char 255 5244 5498 Authenticated user registry name.
DSCH_CTX_HOST Char 128 5500 5627 Authenticated user host name.
DSCH_CTX_MECH Char 16 5629 5644 Authenticated user authentication mechanism object identifier (OID).
DSCH_IDID_USER Char 985 5646 6630 Authenticated distributed user name.
DSCH_IDID_REG Char 1021 6632 7652 Authenticated distributed user registry name.
Table 55. Event qualifiers for directory search records
Event qualifier Event qualifier number Event description
SUCCESS 00 Access allowed.
NOTAUTH 01 Not authorized to search the directory.
INSSECL 02 Insufficient security label.

The check directory access record extension

Table 56 describes the format of a record that is created by checking access to a directory.
The event qualifiers that can be associated with a check directory access event are shown in Table 57.
Table 56. Format of the check directory access record extension (event code 29)
Field name Type Length Position Comments
Start End
DACC_CLASS Char 8 282 289 Class name.
DACC_USER_NAME Char 20 291 310 The name associated with the user ID.
DACC_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
DACC_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
DACC_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
DACC_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
DACC_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
DACC_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
DACC_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
DACC_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
DACC_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
DACC_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
DACC_UTK_SESSTYPE Char 8 362 369 The session type of this session.
DACC_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
DACC_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
DACC_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
DACC_UTK_SECL Char 8 386 393 The security label of the user.
DACC_UTK_EXECNODE Char 8 395 402 The execution node of the work.
DACC_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
DACC_UTK_SNODE Char 8 413 420 The submitting node.
DACC_UTK_SGRP_ID Char 8 422 429 The submitting group name.
DACC_UTK_SPOE Char 8 431 438 The port of entry.
DACC_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
DACC_UTK_USER_ID Char 8 449 456 User ID associated with the record.
DACC_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
DACC_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
DACC_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
DACC_APPC_LINK Char 16 477 492 Key to link together APPC records.
DACC_AUDIT_CODE Char 11 494 504 Audit function code.
DACC_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
DACC_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
DACC_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
DACC_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
DACC_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
DACC_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
DACC_PATH_NAME Char 1023 572 1594 The requested path name.
DACC_FILE_ID Char 32 1596 1627 File ID.
DACC_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
DACC_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
DACC_REQUEST_READ Yes/No 4 1651 1654 Did the requested access include read?
DACC_REQUEST_WRITE Yes/No 4 1656 1659 Did the requested access include write?
DACC_REQUEST_EXEC Yes/No 4 1661 1664 Did the requested access include execute?
DACC_REQUEST_DSRCH Yes/No 4 1666 1669 Did the requested access include directory search?
DACC_ACCESS_TYPE Char 8 1671 1678 What bits were used in granting the access? Valid values are OWNER, GROUP, OTHER, ACLUSER, ACLGROUP, ACLERROR, RSTD, and NO.
DACC_ALLOWED_READ Yes/No 4 1680 1683 Was read access allowed?
DACC_ALLOWED_WRITE Yes/No 4 1685 1688 Was write access allowed?
DACC_ALLOWED_EXEC Yes/No 4 1690 1693 Was execute access allowed?
DACC_REQUEST_PATH2 Char 1023 1695 2717 Second requested path name.
DACC_SYMLINK Char 1023 2719 3741 The content of SYMLINK.
DACC_FILE_NAME Char 256 3743 3998 The file name that is being checked.
DACC_PATH_TYPE Char 4 4000 4003 Type of the requested path name. Valid values are OLD and NEW.
DACC_FILEPOOL Char 8 4005 4012 SFS filepool containing the BFS file.
DACC_FILESPACE Char 8 4014 4021 SFS filespace containing the BFS file.
DACC_INODE Integer 10 4023 4032 Inode (file serial number).
DACC_SCID Integer 10 4034 4043 File SCID.
DACC_DCE_LINK Char 16 4045 4060 Link to connect DCE records that originate from a single DCE request.
DACC_AUTH_TYPE Char 13 4062 4074 Defines the type of request. Valid values are: SERVER, AUTH_CLIENT, and UNAUTH_CLIENT.
DACC_DFLT_PROCESS Yes/No 4 4076 4079 Default z/OS UNIX security environment in effect.
DACC_UTK_NETW Char 8 4081 4088 The port of entry network name.
DACC_X500_SUBJECT Char 255 4090 4344 Subject's name associated with this event.
DACC_X500_ISSUER Char 255 4346 4600 Issuer's name associated with this event.
DACC_SECL Char 8 4602 4609 Security label of the resource.
DACC_SERV_POENAME Char 64 4611 4674 SERVAUTH resource or profile name.
DACC_CTX_USER Char 510 4676 5185 Authenticated user name.
DACC_CTX_REG Char 255 5187 5441 Authenticated user registry name.
DACC_CTX_HOST Char 128 5443 5570 Authenticated user host name.
DACC_CTX_MECH Char 16 5572 5587 Authenticated user authentication mechanism object identifier (OID).
DACC_IDID_USER Char 985 5589 6573 Authenticated distributed user name.
DACC_IDID_REG Char 1021 6575 7595 Authenticated distributed user registry name.
Table 57. Event qualifiers for check directory records
Event qualifier Event qualifier number Event description
SUCCESS 00 Access allowed.
NOTAUTH 01 Not authorized to the directory.
INSSECL 02 Insufficient security label.

The check file access record extension

Table 58 describes the format of a record that is created by checking access to a file.
The event qualifiers that can be associated with a check file access event are shown in Table 59.
Table 58. Format of the check file access record extension (event code 30)
Field name Type Length Position Comments
Start End
FACC_CLASS Char 8 282 289 Class name.
FACC_USER_NAME Char 20 291 310 The name associated with the user ID.
FACC_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
FACC_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
FACC_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
FACC_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
FACC_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
FACC_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
FACC_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
FACC_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
FACC_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
FACC_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
FACC_UTK_SESSTYPE Char 8 362 369 The session type of this session.
FACC_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
FACC_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
FACC_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
FACC_UTK_SECL Char 8 386 393 The security label of the user.
FACC_UTK_EXECNODE Char 8 395 402 The execution node of the work.
FACC_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
FACC_UTK_SNODE Char 8 413 420 The submitting node.
FACC_UTK_SGRP_ID Char 8 422 429 The submitting group name.
FACC_UTK_SPOE Char 8 431 438 The port of entry.
FACC_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
FACC_UTK_USER_ID Char 8 449 456 User ID associated with the record.
FACC_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
FACC_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
FACC_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
FACC_APPC_LINK Char 16 477 492 Key to link together APPC records.
FACC_AUDIT_CODE Char 11 494 504 Audit function code.
FACC_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
FACC_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
FACC_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
FACC_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
FACC_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
FACC_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
FACC_PATH_NAME Char 1023 572 1594 The requested path name.
FACC_FILE_ID Char 32 1596 1627 File ID.
FACC_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
FACC_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
FACC_REQUEST_READ Yes/No 4 1651 1654 Did the requested access include read?
FACC_REQUEST_WRITE Yes/No 4 1656 1659 Did the requested access include write?
FACC_REQUEST_EXEC Yes/No 4 1661 1664 Did the requested access include EXECUTE?
FACC_REQUEST_DSRCH Yes/No 4 1666 1669 Did the requested access include directory search?
FACC_ACCESS_TYPE Char 8 1671 1678 What bits were used in granting the access? Valid values are OWNER, GROUP, OTHER, ACLUSER, ACLGROUP, ACLERROR, RSTD, and NO.
FACC_ALLOWED_READ Yes/No 4 1680 1683 Was read access allowed?
FACC_ALLOWED_WRITE Yes/No 4 1685 1688 Was write access allowed?
FACC_ALLOWED_EXEC Yes/No 4 1690 1693 Was execute access allowed?
FACC_REQUEST_PATH2 Char 1023 1695 2717 Second requested path name.
FACC_FILE_NAME Char 256 2719 2974 The file name that is being checked.
FACC_PATH_TYPE Char 4 2976 2979 Type of the requested path name. Valid values are OLD and NEW.
FACC_FILEPOOL Char 8 2981 2988 SFS filepool containing the BFS file.
FACC_FILESPACE Char 8 2990 2997 SFS filespace containing the BFS file.
FACC_INODE Integer 10 2999 3008 Inode (file serial number).
FACC_SCID Integer 10 3010 3019 File SCID.
FACC_DCE_LINK Char 16 3021 3036 Link to connect DCE records that originate from a single DCE request.
FACC_AUTH_TYPE Char 13 3038 3050 Defines the type of request. Valid values are: SERVER, AUTH_CLIENT, and UNAUTH_CLIENT.
FACC_DFLT_PROCESS Yes/No 4 3052 3055 Default z/OS UNIX security environment in effect.
FACC_UTK_NETW Char 8 3057 3064 The port of entry network name.
FACC_X500_SUBJECT Char 255 3066 3320 Subject's name associated with this event.
FACC_X500_ISSUER Char 255 3322 3576 Issuer's name associated with this event.
FACC_SECL Char 8 3578 3585 Security label of the resource.
FACC_SERV_POENAME Char 64 3587 3650 SERVAUTH resource or profile name.
FACC_CTX_USER Char 510 3652 4161 Authenticated user name.
FACC_CTX_REG Char 255 4163 4417 Authenticated user registry name.
FACC_CTX_HOST Char 128 4419 4546 Authenticated user host name.
FACC_CTX_MECH Char 16 4548 4563 Authenticated user authentication mechanism object identifier (OID).
FACC_IDID_USER Char 985 4565 5549 Authenticated distributed user name.
FACC_IDID_REG Char 1021 5551 6571 Authenticated distributed user registry name.
Table 59. Event qualifiers for check file access records
Event qualifier Event qualifier number Event description
SUCCESS 00 Access allowed.
NOTAUTH 01 Not authorized to the file.
INSSECL 02 Insufficient security label.
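
The positions in Table 58 are 1-based and inclusive, so a field is the slice record[start-1:end]. The following added example, which is not part of the original reference, parses a subset of the check file access extension (event code 30) and reports access that was requested but not allowed. The sample record, its values, and the function names are constructed for illustration; the header in positions 1-281 is left blank because it is described outside this section, and the Yes/No and integer encodings are assumptions noted in the comments.

```python
# Added example: field positions copied from Table 58 (1-based, inclusive).
FACC_FIELDS = [
    # (field name, type, start, end)
    ("FACC_CLASS", "char", 282, 289),
    ("FACC_UTK_SPECIAL", "yesno", 337, 340),
    ("FACC_UTK_USER_ID", "char", 449, 456),
    ("FACC_OLD_EFF_UID", "int", 517, 526),
    ("FACC_PATH_NAME", "char", 572, 1594),
    ("FACC_FILE_OWN_UID", "int", 1629, 1638),
    ("FACC_REQUEST_READ", "yesno", 1651, 1654),
    ("FACC_REQUEST_WRITE", "yesno", 1656, 1659),
    ("FACC_REQUEST_EXEC", "yesno", 1661, 1664),
    ("FACC_ACCESS_TYPE", "char", 1671, 1678),
    ("FACC_ALLOWED_READ", "yesno", 1680, 1683),
    ("FACC_ALLOWED_WRITE", "yesno", 1685, 1688),
    ("FACC_ALLOWED_EXEC", "yesno", 1690, 1693),
    ("FACC_FILE_NAME", "char", 2719, 2974),
]

YES_NO = {"YES": True, "NO": False}


def convert(kind, raw):
    """Turn one fixed-width slice into a Python value."""
    text = raw.strip()
    if kind == "char":
        return text
    if not text:
        return None  # blank: the relocate section was not created for this event
    if kind == "yesno":
        # Assumption: Yes/No fields carry the literal YES or NO, blank padded.
        if text not in YES_NO:
            raise ValueError(f"unexpected Yes/No value {text!r}")
        return YES_NO[text]
    if kind == "int":
        # Assumption: integers are decimal digits, right-justified.
        return int(text)
    raise ValueError(f"unknown field type {kind!r}")


def parse_facc(record):
    """Slice the Table 58 fields out of one unloaded record line.

    A line shorter than a field's end position (for example after trailing
    blanks were stripped in transfer) yields "" or None for that field.
    """
    return {
        name: convert(kind, record[start - 1:end])
        for name, kind, start, end in FACC_FIELDS
    }


def denied_access(fields):
    """Return the access kinds that were requested but not allowed.

    A blank FACC_ALLOWED_* field is treated as not allowed.
    """
    denied = []
    for kind in ("READ", "WRITE", "EXEC"):
        if fields[f"FACC_REQUEST_{kind}"] and not fields[f"FACC_ALLOWED_{kind}"]:
            denied.append(kind)
    return denied


def build_sample():
    """Constructed record: blank header, then values placed per Table 58."""
    values = {
        "FACC_CLASS": "FSOBJ",
        "FACC_UTK_SPECIAL": "NO",
        "FACC_UTK_USER_ID": "WEBSRV1",
        "FACC_OLD_EFF_UID": 1001,
        "FACC_PATH_NAME": "/u/payroll/rates.conf",
        "FACC_FILE_OWN_UID": 0,
        "FACC_REQUEST_READ": "YES",
        "FACC_REQUEST_WRITE": "YES",
        "FACC_REQUEST_EXEC": "NO",
        "FACC_ACCESS_TYPE": "OTHER",
        "FACC_ALLOWED_READ": "YES",
        "FACC_ALLOWED_WRITE": "NO",
        "FACC_ALLOWED_EXEC": "NO",
        "FACC_FILE_NAME": "rates.conf",
    }
    buf = [" "] * 6571  # Table 58 ends at position 6571
    for name, kind, start, end in FACC_FIELDS:
        width = end - start + 1
        value = str(values[name])
        text = value.rjust(width, "0") if kind == "int" else value.ljust(width)
        buf[start - 1:end] = text
    return "".join(buf)


if __name__ == "__main__":
    parsed = parse_facc(build_sample())
    print(parsed["FACC_UTK_USER_ID"], parsed["FACC_PATH_NAME"], denied_access(parsed))
```

The same slicing works for the other extensions in this topic once the field list is replaced with the positions from the corresponding table.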

The change audit record extension

Table 60 describes the format of a record that is created by a change audit event.
The event qualifiers that can be associated with a change audit event are shown in Table 61.
Table 60. Format of the change audit record extension (event code 31)
Field name Type Length Position Comments
Start End
CAUD_CLASS Char 8 282 289 Class name.
CAUD_USER_NAME Char 20 291 310 The name associated with the user ID.
CAUD_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
CAUD_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
CAUD_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
CAUD_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
CAUD_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
CAUD_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
CAUD_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
CAUD_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
CAUD_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
CAUD_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
CAUD_UTK_SESSTYPE Char 8 362 369 The session type of this session.
CAUD_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
CAUD_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
CAUD_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
CAUD_UTK_SECL Char 8 386 393 The security label of the user.
CAUD_UTK_EXECNODE Char 8 395 402 The execution node of the work.
CAUD_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
CAUD_UTK_SNODE Char 8 413 420 The submitting node.
CAUD_UTK_SGRP_ID Char 8 422 429 The submitting group name.
CAUD_UTK_SPOE Char 8 431 438 The port of entry.
CAUD_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
CAUD_UTK_USER_ID Char 8 449 456 User ID associated with the record.
CAUD_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
CAUD_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
CAUD_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
CAUD_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
CAUD_AUDIT_CODE Char 11 494 504 Audit function code.
CAUD_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
CAUD_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
CAUD_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
CAUD_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
CAUD_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
CAUD_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
CAUD_PATH_NAME Char 1023 572 1594 The requested path name.
CAUD_FILE_ID Char 32 1596 1627 File ID.
CAUD_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
CAUD_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
CAUD_REQUEST_READ Char 8 1651 1658 What audit options are requested for a READ operation? Valid values are NONE, SUCCESS, FAIL, and ALL.
CAUD_REQUEST_WRITE Char 8 1660 1667 What audit options are requested for a WRITE operation? Valid values are NONE, SUCCESS, FAIL, and ALL.
CAUD_REQUEST_EXEC Char 8 1669 1676 What audit options are requested for an EXECUTE operation? Valid values are NONE, SUCCESS, FAIL, and ALL.
CAUD_UOLD_READ Char 8 1678 1685 What were the previous user audit options for READ actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
CAUD_UOLD_WRITE Char 8 1687 1694 What were the previous user audit options for WRITE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
CAUD_UOLD_EXEC Char 8 1696 1703 What were the previous user audit options for EXECUTE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
CAUD_AOLD_READ Char 8 1705 1712 What were the previous auditor audit options for READ actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
CAUD_AOLD_WRITE Char 8 1714 1721 What were the previous auditor audit options for WRITE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
CAUD_AOLD_EXEC Char 8 1723 1730 What were the previous auditor audit options for EXECUTE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
CAUD_UNEW_READ Char 8 1732 1739 What are the new user audit options for READ actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
CAUD_UNEW_WRITE Char 8 1741 1748 What are the new user audit options for WRITE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
CAUD_UNEW_EXEC Char 8 1750 1757 What are the new user audit options for EXECUTE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
CAUD_ANEW_READ Char 8 1759 1766 What are the new auditor audit options for READ actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
CAUD_ANEW_WRITE Char 8 1768 1775 What are the new auditor audit options for WRITE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
CAUD_ANEW_EXEC Char 8 1777 1784 What are the new auditor audit options for EXECUTE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
CAUD_FILEPOOL Char 8 1786 1793 SFS filepool containing the BFS file.
CAUD_FILESPACE Char 8 1795 1802 SFS filespace containing the BFS file.
CAUD_INODE Integer 10 1804 1813 Inode (file serial number).
CAUD_SCID Integer 10 1815 1824 File SCID.
CAUD_DCE_LINK Char 16 1826 1841 Link to connect DCE records that originate from a single DCE request.
CAUD_AUTH_TYPE Char 13 1843 1855 Defines the type of request. Valid values are: SERVER, AUTH_CLIENT, and UNAUTH_CLIENT.
CAUD_DFLT_PROCESS Yes/No 4 1857 1860 Default z/OS UNIX security environment in effect.
CAUD_UTK_NETW Char 8 1862 1869 The port of entry network name.
CAUD_X500_SUBJECT Char 255 1871 2125 Subject's name associated with this event.
CAUD_X500_ISSUER Char 255 2127 2381 Issuer's name associated with this event.
CAUD_SECL Char 8 2383 2390 Security label of the resource.
CAUD_SERV_POENAME Char 64 2392 2455 SERVAUTH resource or profile name.
CAUD_CTX_USER Char 510 2457 2966 Authenticated user name.
CAUD_CTX_REG Char 255 2968 3222 Authenticated user registry name.
CAUD_CTX_HOST Char 128 3224 3351 Authenticated user host name.
CAUD_CTX_MECH Char 16 3353 3368 Authenticated user authentication mechanism object identifier (OID).
CAUD_IDID_USER Char 985 3370 4354 Authenticated distributed user name.
CAUD_IDID_REG Char 1021 4556 5376 Authenticated distributed user registry name.
Table 61. Event qualifiers for change audit records
Event qualifier Event qualifier number Event description
SUCCESS 00 File's audit options changed.
NOTAUTHU 01 Not authorized to change the user audit options on the specified file.
NOTAUTHA 02 Not authorized to change the auditor audit options on the specified file.
INSSECL 03 Insufficient security label.

The change directory record extension

Table 62 describes the format of a record that is created by changing directories.
The event qualifiers that can be associated with a directory search event are shown in Table 63.
Table 62. Format of the change directory record extension (event code 32)
Field name Type Length Start End Comments
CDIR_CLASS Char 8 282 289 Class name.
CDIR_USER_NAME Char 20 291 310 The name associated with the user ID.
CDIR_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
CDIR_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
CDIR_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
CDIR_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
CDIR_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
CDIR_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
CDIR_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
CDIR_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
CDIR_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
CDIR_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
CDIR_UTK_SESSTYPE Char 8 362 369 The session type of this session.
CDIR_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
CDIR_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
CDIR_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
CDIR_UTK_SECL Char 8 386 393 The security label of the user.
CDIR_UTK_EXECNODE Char 8 395 402 The execution node of the work.
CDIR_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
CDIR_UTK_SNODE Char 8 413 420 The submitting node.
CDIR_UTK_SGRP_ID Char 8 422 429 The submitting group name.
CDIR_UTK_SPOE Char 8 431 438 The port of entry.
CDIR_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
CDIR_UTK_USER_ID Char 8 449 456 User ID associated with the record.
CDIR_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
CDIR_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
CDIR_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
CDIR_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
CDIR_AUDIT_CODE Char 11 494 504 Audit function code.
CDIR_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
CDIR_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
CDIR_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
CDIR_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
CDIR_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
CDIR_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
CDIR_PATH_NAME Char 1023 572 1594 The requested path name.
CDIR_FILE_ID Char 32 1596 1627 File ID.
CDIR_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
CDIR_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
CDIR_DCE_LINK Char 16 1651 1666 Link to connect DCE records that originate from a single DCE request.
CDIR_AUTH_TYPE Char 13 1668 1680 Defines the type of request. Valid values are: SERVER, AUTH_CLIENT, and UNAUTH_CLIENT.
CDIR_DFLT_PROCESS Yes/No 4 1682 1685 Default z/OS UNIX security environment in effect.
CDIR_UTK_NETW Char 8 1687 1694 The port of entry network name.
CDIR_X500_SUBJECT Char 255 1696 1950 Subject's name associated with this event.
CDIR_X500_ISSUER Char 255 1952 2206 Issuer's name associated with this event.
CDIR_SERV_POENAME Char 64 2208 2271 SERVAUTH resource or profile name.
CDIR_CTX_USER Char 510 2273 2782 Authenticated user name.
CDIR_CTX_REG Char 255 2784 3038 Authenticated user registry name.
CDIR_CTX_HOST Char 128 3040 3167 Authenticated user host name.
CDIR_CTX_MECH Char 16 3169 3184 Authenticated user authentication mechanism object identifier (OID).
CDIR_IDID_USER Char 985 3186 4170 Authenticated distributed user name.
CDIR_IDID_REG Char 1021 4172 5192 Authenticated distributed user registry name.
Table 63. Event qualifiers for change directory records
Event qualifier Event qualifier number Event description
SUCCESS 00 Current working directory changed. Failures are logged as directory search events.

The change file mode record extension

Table 64 describes the format of a record that is created by changing the access mode of a file.
The event qualifiers that can be associated with changing a file mode event are shown in Table 65.
Table 64. Format of the change file mode record extension (event code 33)
Field name Type Length Start End Comments
CMOD_CLASS Char 8 282 289 Class name.
CMOD_USER_NAME Char 20 291 310 The name associated with the user ID.
CMOD_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
CMOD_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
CMOD_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
CMOD_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
CMOD_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
CMOD_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
CMOD_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
CMOD_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
CMOD_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
CMOD_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
CMOD_UTK_SESSTYPE Char 8 362 369 The session type of this session.
CMOD_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
CMOD_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
CMOD_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
CMOD_UTK_SECL Char 8 386 393 The security label of the user.
CMOD_UTK_EXECNODE Char 8 395 402 The execution node of the work.
CMOD_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
CMOD_UTK_SNODE Char 8 413 420 The submitting node.
CMOD_UTK_SGRP_ID Char 8 422 429 The submitting group name.
CMOD_UTK_SPOE Char 8 431 438 The port of entry.
CMOD_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
CMOD_UTK_USER_ID Char 8 449 456 User ID associated with the record.
CMOD_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
CMOD_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
CMOD_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
CMOD_APPC_LINK Char 16 477 492 Key to link together APPC records.
CMOD_AUDIT_CODE Char 11 494 504 Audit function code.
CMOD_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
CMOD_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
CMOD_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
CMOD_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
CMOD_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
CMOD_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
CMOD_PATH_NAME Char 1023 572 1594 The requested path name.
CMOD_FILE_ID Char 32 1596 1627 File ID.
CMOD_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
CMOD_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
CMOD_OLD_S_ISGID Yes/No 4 1651 1654 Was the S_ISGID bit requested on for this file?
CMOD_OLD_S_ISUID Yes/No 4 1656 1659 Was the S_ISUID bit requested on for this file?
CMOD_OLD_S_ISVTX Yes/No 4 1661 1664 Was the S_ISVTX bit requested on for this file?
CMOD_OLD_OWN_READ Yes/No 4 1666 1669 Was the owner READ bit on for this file?
CMOD_OLD_OWN_WRITE Yes/No 4 1671 1674 Was the owner WRITE bit on for this file?
CMOD_OLD_OWN_EXEC Yes/No 4 1676 1679 Was the owner EXECUTE bit on for this file?
CMOD_OLD_GRP_READ Yes/No 4 1681 1684 Was the group READ bit on for this file?
CMOD_OLD_GRP_WRITE Yes/No 4 1686 1689 Was the group WRITE bit on for this file?
CMOD_OLD_GRP_EXEC Yes/No 4 1691 1694 Was the group EXECUTE bit on for this file?
CMOD_OLD_OTH_READ Yes/No 4 1696 1699 Was the other READ bit on for this file?
CMOD_OLD_OTH_WRITE Yes/No 4 1701 1704 Was the other WRITE bit on for this file?
CMOD_OLD_OTH_EXEC Yes/No 4 1706 1709 Was the other EXECUTE bit on for this file?
CMOD_NEW_S_ISGID Yes/No 4 1711 1714 Is the S_ISGID bit requested on for this file?
CMOD_NEW_S_ISUID Yes/No 4 1716 1719 Is the S_ISUID bit requested on for this file?
CMOD_NEW_S_ISVTX Yes/No 4 1721 1724 Is the S_ISVTX bit requested on for this file?
CMOD_NEW_OWN_READ Yes/No 4 1726 1729 Is the owner READ bit on for this file?
CMOD_NEW_OWN_WRITE Yes/No 4 1731 1734 Is the owner WRITE bit on for this file?
CMOD_NEW_OWN_EXEC Yes/No 4 1736 1739 Is the owner EXECUTE bit on for this file?
CMOD_NEW_GRP_READ Yes/No 4 1741 1744 Is the group READ bit on for this file?
CMOD_NEW_GRP_WRITE Yes/No 4 1746 1749 Is the group WRITE bit on for this file?
CMOD_NEW_GRP_EXEC Yes/No 4 1751 1754 Is the group EXECUTE bit on for this file?
CMOD_NEW_OTH_READ Yes/No 4 1756 1759 Is the other READ bit on for this file?
CMOD_NEW_OTH_WRITE Yes/No 4 1761 1764 Is the other WRITE bit on for this file?
CMOD_NEW_OTH_EXEC Yes/No 4 1766 1769 Is the other EXECUTE bit on for this file?
CMOD_REQ_S_ISGID Yes/No 4 1771 1774 Was the S_ISGID bit requested on for this file?
CMOD_REQ_S_ISUID Yes/No 4 1776 1779 Was the S_ISUID bit requested on for this file?
CMOD_REQ_S_ISVTX Yes/No 4 1781 1784 Was the S_ISVTX bit requested on for this file?
CMOD_REQ_OWN_READ Yes/No 4 1786 1789 Was the owner READ bit requested on for this file?
CMOD_REQ_OWN_WRITE Yes/No 4 1791 1794 Was the owner WRITE bit requested on for this file?
CMOD_REQ_OWN_EXEC Yes/No 4 1796 1799 Was the owner EXECUTE bit requested on for this file?
CMOD_REQ_GRP_READ Yes/No 4 1801 1804 Was the group READ bit requested on for this file?
CMOD_REQ_GRP_WRITE Yes/No 4 1806 1809 Was the group WRITE bit requested on for this file?
CMOD_REQ_GRP_EXEC Yes/No 4 1811 1814 Was the group EXECUTE bit requested on for this file?
CMOD_REQ_OTH_READ Yes/No 4 1816 1819 Was the other READ bit requested on for this file?
CMOD_REQ_OTH_WRITE Yes/No 4 1821 1824 Was the other WRITE bit requested on for this file?
CMOD_REQ_OTH_EXEC Yes/No 4 1826 1829 Was the other EXECUTE bit requested on for this file?
CMOD_FILEPOOL Char 8 1831 1838 SFS filepool containing the BFS file.
CMOD_FILESPACE Char 8 1840 1847 SFS filespace containing the BFS file.
CMOD_INODE Integer 10 1849 1858 Inode (file serial number).
CMOD_SCID Integer 10 1860 1869 File SCID.
CMOD_DCE_LINK Char 16 1871 1886 Link to connect DCE records that originate from a single DCE request.
CMOD_AUTH_TYPE Char 13 1888 1900 Defines the type of request. Valid values are: SERVER, AUTH_CLIENT, and UNAUTH_CLIENT.
CMOD_DFLT_PROCESS Yes/No 4 1902 1905 Default z/OS UNIX security environment in effect.
CMOD_UTK_NETW Char 8 1907 1914 The port of entry network name.
CMOD_X500_SUBJECT Char 255 1916 2170 Subject's name associated with this event.
CMOD_X500_ISSUER Char 255 2172 2426 Issuer's name associated with this event.
CMOD_SECL Char 8 2428 2435 Security label of the resource.
CMOD_SERV_POENAME Char 64 2437 2500 SERVAUTH resource or profile name.
CMOD_CTX_USER Char 510 2502 3011 Authenticated user name.
CMOD_CTX_REG Char 255 3013 3267 Authenticated user registry name.
CMOD_CTX_HOST Char 128 3269 3396 Authenticated user host name.
CMOD_CTX_MECH Char 16 3398 3413 Authenticated user authentication mechanism object identifier (OID).
CMOD_IDID_USER Char 985 3415 4399 Authenticated distributed user name.
CMOD_IDID_REG Char 1021 4401 5421 Authenticated distributed user registry name.
Table 65. Event qualifiers for change file mode records
Event qualifier Event qualifier number Event description
SUCCESS 00 File's mode changed.
NOTAUTH 01 Not authorized to change the file's mode.
INSSECL 02 Insufficient security label.
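
The following added example (not part of the original documentation) slices an unloaded change file mode record at the column positions given in Table 64, rebuilds the old, new and requested modes as octal, and reports which bits the change turned on. The function names, the watch list and the sample record are constructed for illustration, and the code assumes each Yes/No column holds the literal text YES or NO padded with blanks.

```python
"""Decode the mode bits of an unloaded change file mode record (event code 33).

Column positions come from Table 64. Assumption: Yes/No columns hold the
literal text YES or NO, padded with blanks to four characters.
"""

# The twelve Yes/No fields of each OLD/NEW/REQ group, in Table 64 order,
# paired with the POSIX mode bit each one stands for.
BIT_ORDER = [
    ("S_ISGID", 0o2000), ("S_ISUID", 0o4000), ("S_ISVTX", 0o1000),
    ("OWN_READ", 0o400), ("OWN_WRITE", 0o200), ("OWN_EXEC", 0o100),
    ("GRP_READ", 0o040), ("GRP_WRITE", 0o020), ("GRP_EXEC", 0o010),
    ("OTH_READ", 0o004), ("OTH_WRITE", 0o002), ("OTH_EXEC", 0o001),
]
GROUP_START = {"OLD": 1651, "NEW": 1711, "REQ": 1771}  # CMOD_<group>_S_ISGID
FIELD_STRIDE = 5      # 4-character field plus one separator column
RECORD_END = 5421     # end column of CMOD_IDID_REG
RISKY = ("S_ISUID", "S_ISGID", "OTH_WRITE")  # hypothetical watch list


def column(record, start, end):
    """Return 1-based inclusive columns start..end with blanks stripped."""
    return record[start - 1:end].strip()


def decode_mode(record, group):
    """Return (mode, names of the bits that are on) for OLD, NEW or REQ."""
    mode, on = 0, []
    for i, (name, bit) in enumerate(BIT_ORDER):
        pos = GROUP_START[group] + i * FIELD_STRIDE
        value = column(record, pos, pos + 3).upper()
        if value == "YES":
            mode |= bit
            on.append(name)
        elif value not in ("NO", ""):  # blank: relocate section not present
            raise ValueError(f"CMOD_{group}_{name}: unexpected value {value!r}")
    return mode, on


def analyse_chmod(record):
    """Summarise one event code 33 record and list the bits it turned on."""
    record = record.ljust(RECORD_END)  # tolerate trimmed trailing blanks
    old_mode, old_on = decode_mode(record, "OLD")
    new_mode, new_on = decode_mode(record, "NEW")
    req_mode, _ = decode_mode(record, "REQ")
    gained = [name for name in new_on if name not in old_on]
    return {
        "user": column(record, 449, 456),    # CMOD_UTK_USER_ID
        "path": column(record, 572, 1594),   # CMOD_PATH_NAME
        "old_mode": format(old_mode, "04o"),
        "new_mode": format(new_mode, "04o"),
        "requested_mode": format(req_mode, "04o"),
        "gained": gained,
        "risky_gained": [name for name in gained if name in RISKY],
    }


# --- constructed sample input (not real audit data) ------------------------
def _put(buf, start, end, text):
    """Write text, blank-padded, into 1-based inclusive columns start..end."""
    width = end - start + 1
    buf[start - 1:end] = text.ljust(width)[:width]


def _put_mode(buf, group, mode):
    """Fill one OLD/NEW/REQ group of Yes/No columns from an octal mode."""
    for i, (_, bit) in enumerate(BIT_ORDER):
        pos = GROUP_START[group] + i * FIELD_STRIDE
        _put(buf, pos, pos + 3, "YES" if mode & bit else "NO")


def sample_record():
    """Constructed record: mode 0755 changed to 4757 on a made-up path."""
    buf = [" "] * RECORD_END
    _put(buf, 449, 456, "DEVUSR1")
    _put(buf, 572, 1594, "/u/devusr1/tool")
    _put_mode(buf, "OLD", 0o0755)
    _put_mode(buf, "NEW", 0o4757)
    _put_mode(buf, "REQ", 0o4757)
    return "".join(buf)


if __name__ == "__main__":
    for key, value in analyse_chmod(sample_record()).items():
        print(f"{key:15} {value}")
```

On a record with qualifier NOTAUTH, the requested mode is the group that shows what the caller asked for.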

The change file ownership record extension

Table 66 describes the format of a record that is created by changing the ownership of a file.
The event qualifiers that can be associated with changing a file's ownership are shown in Table 67.
Table 66. Format of the change file ownership record extension (event code 34)
Field name Type Length Start End Comments
COWN_CLASS Char 8 282 289 Class name.
COWN_USER_NAME Char 20 291 310 The name associated with the user ID.
COWN_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
COWN_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
COWN_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
COWN_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
COWN_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
COWN_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
COWN_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
COWN_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
COWN_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
COWN_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
COWN_UTK_SESSTYPE Char 8 362 369 The session type of this session.
COWN_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
COWN_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
COWN_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
COWN_UTK_SECL Char 8 386 393 The security label of the user.
COWN_UTK_EXECNODE Char 8 395 402 The execution node of the work.
COWN_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
COWN_UTK_SNODE Char 8 413 420 The submitting node.
COWN_UTK_SGRP_ID Char 8 422 429 The submitting group name.
COWN_UTK_SPOE Char 8 431 438 The port of entry.
COWN_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
COWN_UTK_USER_ID Char 8 449 456 User ID associated with the record.
COWN_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
COWN_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
COWN_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
COWN_APPC_LINK Char 16 477 492 Key to link together APPC records.
COWN_AUDIT_CODE Char 11 494 504 Audit function code.
COWN_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
COWN_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
COWN_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
COWN_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
COWN_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
COWN_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
COWN_PATH_NAME Char 1023 572 1594 The requested path name.
COWN_FILE_ID Char 32 1596 1627 File ID.
COWN_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
COWN_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
COWN_UID Integer 10 1651 1660 The z/OS UNIX user identifier (UID) input parameter.
COWN_GID Integer 10 1662 1671 The z/OS UNIX group identifier (GID) input parameter.
COWN_FILEPOOL Char 8 1673 1680 SFS filepool containing the BFS file.
COWN_FILESPACE Char 8 1682 1689 SFS filespace containing the BFS file.
COWN_INODE Integer 10 1691 1700 Inode (file serial number).
COWN_SCID Integer 10 1702 1711 File SCID.
COWN_DCE_LINK Char 16 1713 1728 Link to connect DCE records that originate from a single DCE request.
COWN_AUTH_TYPE Char 13 1730 1742 Defines the type of request. Valid values are: SERVER, AUTH_CLIENT, and UNAUTH_CLIENT.
COWN_DFLT_PROCESS Yes/No 4 1744 1747 Default z/OS UNIX security environment in effect.
COWN_UTK_NETW Char 8 1749 1756 The port of entry network name.
COWN_X500_SUBJECT Char 255 1758 2012 Subject's name associated with this event.
COWN_X500_ISSUER Char 255 2014 2268 Issuer's name associated with this event.
COWN_SECL Char 8 2270 2277 Security label of the resource.
COWN_SERV_POENAME Char 64 2279 2342 SERVAUTH resource or profile name.
COWN_CTX_USER Char 510 2344 2853 Authenticated user name.
COWN_CTX_REG Char 255 2855 3109 Authenticated user registry name.
COWN_CTX_HOST Char 128 3111 3238 Authenticated user host name.
COWN_CTX_MECH Char 16 3240 3255 Authenticated user authentication mechanism object identifier (OID).
COWN_IDID_USER Char 985 3257 4241 Authenticated distributed user name.
COWN_IDID_REG Char 1021 4243 5263 Authenticated distributed user registry name.
Table 67. Event qualifiers for change file ownership records
Event qualifier Event qualifier number Event description
SUCCESS 00 File's ownership changed.
NOTAUTH 01 Not authorized to change the file's ownership.
INSSECL 02 Insufficient security label.

The clear SETID bits record extension

Table 68 describes the format of a record that is created by clearing the SETID bits of a file.
The event qualifier that can be associated with clearing a file's SETID bits is shown in Table 69.
Table 68. Format of the clear SETID bits record extension (event code 35)
Field name Type Length Start End Comments
CSID_CLASS Char 8 282 289 Class name.
CSID_USER_NAME Char 20 291 310 The name associated with the user ID.
CSID_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
CSID_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
CSID_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
CSID_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
CSID_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
CSID_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
CSID_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
CSID_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
CSID_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
CSID_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
CSID_UTK_SESSTYPE Char 8 362 369 The session type of this session.
CSID_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
CSID_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
CSID_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
CSID_UTK_SECL Char 8 386 393 The security label of the user.
CSID_UTK_EXECNODE Char 8 395 402 The execution node of the work.
CSID_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
CSID_UTK_SNODE Char 8 413 420 The submitting node.
CSID_UTK_SGRP_ID Char 8 422 429 The submitting group name.
CSID_UTK_SPOE Char 8 431 438 The port of entry.
CSID_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
CSID_UTK_USER_ID Char 8 449 456 User ID associated with the record.
CSID_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
CSID_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
CSID_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
CSID_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
CSID_AUDIT_CODE Char 11 494 504 Audit function code.
CSID_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
CSID_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
CSID_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
CSID_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
CSID_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
CSID_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
CSID_PATH_NAME Char 1023 572 1594 The requested path name.
CSID_FILE_ID Char 32 1596 1627 File ID.
CSID_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
CSID_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
CSID_OLD_S_ISGID Yes/No 4 1651 1654 Was the S_ISGID bit requested on for this file?
CSID_OLD_S_ISUID Yes/No 4 1656 1659 Was the S_ISUID bit requested on for this file?
CSID_OLD_S_ISVTX Yes/No 4 1661 1664 Was the S_ISVTX bit requested on for this file?
CSID_OLD_OWN_READ Yes/No 4 1666 1669 Was the owner READ bit on for this file?
CSID_OLD_OWN_WRITE Yes/No 4 1671 1674 Was the owner WRITE bit on for this file?
CSID_OLD_OWN_EXEC Yes/No 4 1676 1679 Was the owner EXECUTE bit on for this file?
CSID_OLD_GRP_READ Yes/No 4 1681 1684 Was the group READ bit on for this file?
CSID_OLD_GRP_WRITE Yes/No 4 1686 1689 Was the group WRITE bit on for this file?
CSID_OLD_GRP_EXEC Yes/No 4 1691 1694 Was the group EXECUTE bit on for this file?
CSID_OLD_OTH_READ Yes/No 4 1696 1699 Was the other READ bit on for this file?
CSID_OLD_OTH_WRITE Yes/No 4 1701 1704 Was the other WRITE bit on for this file?
CSID_OLD_OTH_EXEC Yes/No 4 1706 1709 Was the other EXECUTE bit on for this file?
CSID_NEW_S_ISGID Yes/No 4 1711 1714 Is the S_ISGID bit requested on for this file?
CSID_NEW_S_ISUID Yes/No 4 1716 1719 Is the S_ISUID bit requested on for this file?
CSID_NEW_S_ISVTX Yes/No 4 1721 1724 Is the S_ISVTX bit requested on for this file?
CSID_NEW_OWN_READ Yes/No 4 1726 1729 Is the owner READ bit on for this file?
CSID_NEW_OWN_WRITE Yes/No 4 1731 1734 Is the owner WRITE bit on for this file?
CSID_NEW_OWN_EXEC Yes/No 4 1736 1739 Is the owner EXECUTE bit on for this file?
CSID_NEW_GRP_READ Yes/No 4 1741 1744 Is the group READ bit on for this file?
CSID_NEW_GRP_WRITE Yes/No 4 1746 1749 Is the group WRITE bit on for this file?
CSID_NEW_GRP_EXEC Yes/No 4 1751 1754 Is the group EXECUTE bit on for this file?
CSID_NEW_OTH_READ Yes/No 4 1756 1759 Is the other READ bit on for this file?
CSID_NEW_OTH_WRITE Yes/No 4 1761 1764 Is the other WRITE bit on for this file?
CSID_NEW_OTH_EXEC Yes/No 4 1766 1769 Is the other EXECUTE bit on for this file?
CSID_DFLT_PROCESS Yes/No 4 1771 1774 Default z/OS UNIX security environment in effect.
CSID_UTK_NETW Char 8 1776 1783 The port of entry network name.
CSID_X500_SUBJECT Char 255 1785 2039 Subject's name associated with this event.
CSID_X500_ISSUER Char 255 2041 2295 Issuer's name associated with this event.
CSID_SERV_POENAME Char 64 2297 2360 SERVAUTH resource or profile name.
CSID_CTX_USER Char 510 2362 2871 Authenticated user name.
CSID_CTX_REG Char 255 2873 3127 Authenticated user registry name.
CSID_CTX_HOST Char 128 3129 3256 Authenticated user host name.
CSID_CTX_MECH Char 16 3258 3273 Authenticated user authentication mechanism object identifier (OID).
CSID_IDID_USER Char 985 3275 4259 Authenticated distributed user name.
CSID_IDID_REG Char 1021 4261 5281 Authenticated distributed user registry name.
Table 69. Event qualifiers for clear SETID records
Event qualifier Event qualifier number Event description
SUCCESS 00 S_ISUID, S_ISGID, and S_ISVTX changed. There are no failure cases for this event.

The EXEC SETUID/SETGID record extension

Table 70 describes the format of a record that is created by the execution of an EXEC SETUID or SETGID.
The event qualifier that can be associated with the execution of EXEC SETUID or EXEC SETGID is shown in Table 71.
Table 70. Format of the EXEC with SETUID/SETGID record extension (event code 36)
Field name Type Length Start End Comments
ESID_CLASS Char 8 282 289 Class name.
ESID_USER_NAME Char 20 291 310 The name associated with the user ID.
ESID_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
ESID_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
ESID_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
ESID_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
ESID_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
ESID_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
ESID_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
ESID_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
ESID_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
ESID_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
ESID_UTK_SESSTYPE Char 8 362 369 The session type of this session.
ESID_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
ESID_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
ESID_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
ESID_UTK_SECL Char 8 386 393 The security label of the user.
ESID_UTK_EXECNODE Char 8 395 402 The execution node of the work.
ESID_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
ESID_UTK_SNODE Char 8 413 420 The submitting node.
ESID_UTK_SGRP_ID Char 8 422 429 The submitting group name.
ESID_UTK_SPOE Char 8 431 438 The port of entry.
ESID_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
ESID_UTK_USER_ID Char 8 449 456 User ID associated with the record.
ESID_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
ESID_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
ESID_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
ESID_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
ESID_AUDIT_CODE Char 11 494 504 Audit function code.
ESID_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
ESID_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
ESID_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
ESID_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
ESID_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
ESID_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
ESID_NEW_REAL_UID Integer 10 572 581 New real z/OS UNIX user identifier (UID).
ESID_NEW_EFF_UID Integer 10 583 592 New effective z/OS UNIX user identifier (UID).
ESID_NEW_SAVED_UID Integer 10 594 603 New saved z/OS UNIX user identifier (UID).
ESID_NEW_REAL_GID Integer 10 605 614 New real z/OS UNIX group identifier (GID).
ESID_NEW_EFF_GID Integer 10 616 625 New effective z/OS UNIX group identifier (GID).
ESID_NEW_SAVED_GID Integer 10 627 636 New saved z/OS UNIX group identifier (GID).
ESID_UID Integer 10 638 647 The z/OS UNIX user identifier (UID) input parameter.
ESID_GID Integer 10 649 658 The z/OS UNIX group identifier (GID) input parameter.
ESID_DFLT_PROCESS Yes/No 4 660 663 Default z/OS UNIX security environment in effect.
ESID_UTK_NETW Char 8 665 672 The port of entry network name.
ESID_X500_SUBJECT Char 255 674 928 Subject's name associated with this event.
ESID_X500_ISSUER Char 255 930 1184 Issuer's name associated with this event.
ESID_SERV_POENAME Char 64 1186 1249 SERVAUTH resource or profile name.
ESID_CTX_USER Char 510 1251 1760 Authenticated user name.
ESID_CTX_REG Char 255 1762 2016 Authenticated user registry name.
ESID_CTX_HOST Char 128 2018 2145 Authenticated user host name.
ESID_CTX_MECH Char 16 2147 2162 Authenticated user authentication mechanism object identifier (OID).
ESID_IDID_USER Char 985 2164 3148 Authenticated distributed user name.
ESID_IDID_REG Char 1021 3150 4170 Authenticated distributed user registry name.
Table 71. Event qualifiers for EXEC with SETID/SETGID records
Event qualifier Event qualifier number Event description
SUCCESS 00 z/OS UNIX user identifier (UID) or z/OS UNIX group identifier (GID) changed. There are no failure cases for this event.

The GETPSENT record extension

Table 72 describes the format of a record that is created by the GETPSENT service.
The event qualifiers that can be associated with the GETPSENT service are shown in Table 73.
Table 72. Format of the GETPSENT record extension (event code 37)
Field name Type Length Start End Comments
GPST_CLASS Char 8 282 289 Class name.
GPST_USER_NAME Char 20 291 310 The name associated with the user ID.
GPST_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
GPST_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
GPST_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
GPST_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
GPST_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
GPST_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
GPST_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
GPST_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
GPST_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
GPST_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
GPST_UTK_SESSTYPE Char 8 362 369 The session type of this session.
GPST_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
GPST_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
GPST_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
GPST_UTK_SECL Char 8 386 393 The security label of the user.
GPST_UTK_EXECNODE Char 8 395 402 The execution node of the work.
GPST_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
GPST_UTK_SNODE Char 8 413 420 The submitting node.
GPST_UTK_SGRP_ID Char 8 422 429 The submitting group name.
GPST_UTK_SPOE Char 8 431 438 The port of entry.
GPST_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
GPST_UTK_USER_ID Char 8 449 456 User ID associated with the record.
GPST_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
GPST_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
GPST_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
GPST_APPC_LINK Char 16 477 492 Key to link together APPC records.
GPST_AUDIT_CODE Char 11 494 504 Audit function code.
GPST_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
GPST_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
GPST_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
GPST_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
GPST_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
GPST_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
GPST_TGT_REAL_UID Integer 10 572 581 Target real z/OS UNIX user identifier (UID).
GPST_TGT_EFF_UID Integer 10 583 592 Target effective z/OS UNIX user identifier (UID).
GPST_TGT_SAV_UID Integer 10 594 603 Target saved z/OS UNIX user identifier (UID).
GPST_TGT_PID Integer 10 605 614 Target process ID.
GPST_DFLT_PROCESS Yes/No 4 616 619 Default z/OS UNIX security environment in effect.
GPST_UTK_NETW Char 8 621 628 The port of entry network name.
GPST_X500_SUBJECT Char 255 630 884 Subject's name associated with this event.
GPST_X500_ISSUER Char 255 886 1140 Issuer's name associated with this event.
GPST_SERV_POENAME Char 64 1142 1205 SERVAUTH resource or profile name.
GPST_CTX_USER Char 510 1207 1716 Authenticated user name.
GPST_CTX_REG Char 255 1718 1972 Authenticated user registry name.
GPST_CTX_HOST Char 128 1974 2101 Authenticated user host name.
GPST_CTX_MECH Char 16 2103 2118 Authenticated user authentication mechanism object identifier (OID).
GPST_IDID_USER Char 985 2120 3104 Authenticated distributed user name.
GPST_IDID_REG Char 1021 3106 4126 Authenticated distributed user registry name.
Table 73. Event qualifiers for GETPSENT records
Event qualifier Event qualifier number Event description
SUCCESS 00 GETPSENT was successful.
NOTAUTH 01 Not authorized to the specified process.

The initialize z/OS UNIX record extension

Table 74 describes the format of a record that is created when a z/OS UNIX process is initialized.
The event qualifiers that can be associated with the initiation of a z/OS UNIX process are shown in Table 75.
Table 74. Format of the initialize z/OS UNIX process record extension (event code 38)
Field name Type Length Start position End position Comments
IOEP_CLASS Char 8 282 289 Class name.
IOEP_USER_NAME Char 20 291 310 The name associated with the user ID.
IOEP_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
IOEP_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
IOEP_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
IOEP_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
IOEP_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
IOEP_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
IOEP_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
IOEP_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
IOEP_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
IOEP_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
IOEP_UTK_SESSTYPE Char 8 362 369 The session type of this session.
IOEP_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
IOEP_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
IOEP_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
IOEP_UTK_SECL Char 8 386 393 The security label of the user.
IOEP_UTK_EXECNODE Char 8 395 402 The execution node of the work.
IOEP_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
IOEP_UTK_SNODE Char 8 413 420 The submitting node.
IOEP_UTK_SGRP_ID Char 8 422 429 The submitting group name.
IOEP_UTK_SPOE Char 8 431 438 The port of entry.
IOEP_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
IOEP_UTK_USER_ID Char 8 449 456 User ID associated with the record.
IOEP_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
IOEP_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
IOEP_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
IOEP_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
IOEP_AUDIT_CODE Char 11 494 504 Audit function code.
IOEP_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
IOEP_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
IOEP_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
IOEP_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
IOEP_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
IOEP_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
IOEP_DFLT_PROCESS Yes/No 4 572 575 Default z/OS UNIX security environment in effect.
IOEP_UTK_NETW Char 8 577 584 The port of entry network name.
IOEP_X500_SUBJECT Char 255 586 840 Subject's name associated with this event.
IOEP_X500_ISSUER Char 255 842 1096 Issuer's name associated with this event.
IOEP_SERV_POENAME Char 64 1098 1161 SERVAUTH resource or profile name.
IOEP_CTX_USER Char 510 1163 1672 Authenticated user name.
IOEP_CTX_REG Char 255 1674 1928 Authenticated user registry name.
IOEP_CTX_HOST Char 128 1930 2057 Authenticated user host name.
IOEP_CTX_MECH Char 16 2059 2074 Authenticated user authentication mechanism object identifier (OID).
IOEP_IDID_USER Char 985 2076 3060 Authenticated distributed user name.
IOEP_IDID_REG Char 1021 3062 4082 Authenticated distributed user registry name.
Table 75. Event qualifiers for initialize z/OS UNIX process records
Event qualifier Event qualifier number Event description
SUCCESS 00 Process successfully initialized.
NOTDFND 01 User not defined as a z/OS UNIX user. The OMVS segment or the user profile was missing.
NOUID 02 Incompletely defined user ID. There was no z/OS UNIX user identifier (UID) in profile.
NOGID 03 User's current group has no z/OS UNIX group identifier (GID).

The z/OS UNIX process completion record

Table 76 describes the format of a record that is created when a z/OS UNIX process completes.
The event qualifier that can be associated with the completion of a z/OS UNIX process is shown in Table 77.
Table 76. Format of the z/OS UNIX process complete record extension (event code 39)
Field name Type Length Start position End position Comments
TOEP_CLASS Char 8 282 289 Class name.
TOEP_USER_NAME Char 20 291 310 The name associated with the user ID.
TOEP_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
TOEP_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
TOEP_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
TOEP_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
TOEP_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
TOEP_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
TOEP_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
TOEP_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
TOEP_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
TOEP_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
TOEP_UTK_SESSTYPE Char 8 362 369 The session type of this session.
TOEP_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
TOEP_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
TOEP_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
TOEP_UTK_SECL Char 8 386 393 The security label of the user.
TOEP_UTK_EXECNODE Char 8 395 402 The execution node of the work.
TOEP_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
TOEP_UTK_SNODE Char 8 413 420 The submitting node.
TOEP_UTK_SGRP_ID Char 8 422 429 The submitting group name.
TOEP_UTK_SPOE Char 8 431 438 The port of entry.
TOEP_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
TOEP_UTK_USER_ID Char 8 449 456 User ID associated with the record.
TOEP_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
TOEP_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
TOEP_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
TOEP_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
TOEP_AUDIT_CODE Char 11 494 504 Audit function code.
TOEP_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
TOEP_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
TOEP_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
TOEP_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
TOEP_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
TOEP_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
TOEP_DFLT_PROCESS Yes/No 4 572 575 Default z/OS UNIX security environment in effect.
TOEP_UTK_NETW Char 8 577 584 The port of entry network name.
TOEP_X500_SUBJECT Char 255 586 840 Subject's name associated with this event.
TOEP_X500_ISSUER Char 255 842 1096 Issuer's name associated with this event.
TOEP_SERV_POENAME Char 64 1098 1161 SERVAUTH resource or profile name.
TOEP_CTX_USER Char 510 1163 1672 Authenticated user name.
TOEP_CTX_REG Char 255 1674 1928 Authenticated user registry name.
TOEP_CTX_HOST Char 128 1930 2057 Authenticated user host name.
TOEP_CTX_MECH Char 16 2059 2074 Authenticated user authentication mechanism object identifier (OID).
TOEP_IDID_USER Char 985 2076 3060 Authenticated distributed user name.
TOEP_IDID_REG Char 1021 3062 4082 Authenticated distributed user registry name.
Table 77. Event qualifiers for z/OS UNIX process complete records
Event qualifier Event qualifier number Event description
SUCCESS 00 Process complete. There are no failure cases for this event.

The KILL record extension

Table 78 describes the format of a record that is created by the termination with extreme prejudice of a process.
The event qualifiers that can be associated with the killing of a process are shown in Table 79.
Table 78. Format of the KILL process record extension (event code 40)
Field name Type Length Start position End position Comments
KILL_CLASS Char 8 282 289 Class name.
KILL_USER_NAME Char 20 291 310 The name associated with the user ID.
KILL_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
KILL_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
KILL_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
KILL_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
KILL_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
KILL_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
KILL_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
KILL_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
KILL_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
KILL_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
KILL_UTK_SESSTYPE Char 8 362 369 The session type of this session.
KILL_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
KILL_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
KILL_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
KILL_UTK_SECL Char 8 386 393 The security label of the user.
KILL_UTK_EXECNODE Char 8 395 402 The execution node of the work.
KILL_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
KILL_UTK_SNODE Char 8 413 420 The submitting node.
KILL_UTK_SGRP_ID Char 8 422 429 The submitting group name.
KILL_UTK_SPOE Char 8 431 438 The port of entry.
KILL_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
KILL_UTK_USER_ID Char 8 449 456 User ID associated with the record.
KILL_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
KILL_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
KILL_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
KILL_APPC_LINK Char 16 477 492 Key to link together APPC records.
KILL_AUDIT_CODE Char 11 494 504 Audit function code.
KILL_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
KILL_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
KILL_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
KILL_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
KILL_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
KILL_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
KILL_TGT_REAL_UID Integer 10 572 581 Target real z/OS UNIX user identifier (UID).
KILL_TGT_EFF_UID Integer 10 583 592 Target effective z/OS UNIX user identifier (UID).
KILL_TGT_SAV_UID Integer 10 594 603 Target saved z/OS UNIX user identifier (UID).
KILL_TGT_PID Integer 10 605 614 Target process ID.
KILL_SIGNAL_CODE Integer 10 616 625 Kill signal code.
KILL_DFLT_PROCESS Yes/No 4 627 630 Default z/OS UNIX security environment in effect.
KILL_UTK_NETW Char 8 632 639 The port of entry network name.
KILL_X500_SUBJECT Char 255 641 895 Subject's name associated with this event.
KILL_X500_ISSUER Char 255 897 1151 Issuer's name associated with this event.
KILL_SECL Char 8 1153 1160 Security label of the resource.
KILL_SERV_POENAME Char 64 1162 1225 SERVAUTH resource or profile name.
KILL_CTX_USER Char 510 1227 1736 Authenticated user name.
KILL_CTX_REG Char 255 1738 1992 Authenticated user registry name.
KILL_CTX_HOST Char 128 1994 2121 Authenticated user host name.
KILL_CTX_MECH Char 16 2123 2138 Authenticated user authentication mechanism object identifier (OID).
KILL_IDID_USER Char 985 2140 3124 Authenticated distributed user name.
KILL_IDID_REG Char 1021 3126 4146 Authenticated distributed user registry name.
Table 79. Event qualifiers for KILL records
Event qualifier Event qualifier number Event description
SUCCESS 00 Process terminated.
NOTAUTH 01 Not authorized to kill the specified process.
INSSECL 02 Insufficient security label.
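
The following is an added example, not part of the original documentation: it slices selected KILL extension fields out of a fixed-position record using the Start/End positions from Table 78, then applies a small triage rule. The text encodings ("YES"/"NO", zero-padded decimal integers), the reading of the OLD_* UIDs as the caller's, the triage rule, and every sample value are assumptions made for illustration.

```python
# Added example: fixed-position slicing of the KILL (event code 40) extension.
# Field names, types and Start/End positions are copied from Table 78
# (1-based, inclusive). Everything else here is constructed for illustration.

RECORD_LEN = 4146  # End position of KILL_IDID_REG, the last field in Table 78

KILL_FIELDS = [
    ("KILL_UTK_SPECIAL", "yesno", 337, 340),
    ("KILL_UTK_TRUSTED", "yesno", 357, 360),
    ("KILL_UTK_PRIV", "yesno", 381, 384),
    ("KILL_UTK_SPOE", "char", 431, 438),
    ("KILL_UTK_USER_ID", "char", 449, 456),
    ("KILL_OLD_REAL_UID", "int", 506, 515),
    ("KILL_OLD_EFF_UID", "int", 517, 526),
    ("KILL_TGT_REAL_UID", "int", 572, 581),
    ("KILL_TGT_EFF_UID", "int", 583, 592),
    ("KILL_TGT_PID", "int", 605, 614),
    ("KILL_SIGNAL_CODE", "int", 616, 625),
    ("KILL_DFLT_PROCESS", "yesno", 627, 630),
]


def parse_kill_extension(record):
    """Return {field: value}. None means blank, unparseable, or cut off."""
    out = {}
    for name, kind, start, end in KILL_FIELDS:
        if len(record) < end:
            # Truncated record: never decode a partial field.
            out[name] = None
            continue
        text = record[start - 1:end].strip()
        if not text:
            out[name] = None  # fields can legitimately be blank
        elif kind == "int":
            out[name] = int(text) if text.isdigit() else None
        elif kind == "yesno":
            # Assumption: Yes/No fields carry the text YES or NO.
            out[name] = {"YES": True, "NO": False}.get(text.upper())
        else:
            out[name] = text
    return out


def review_reasons(fields):
    """Constructed triage rule (not an IBM rule): why an analyst might look."""
    reasons = []
    # Assumption: the OLD_* UIDs describe the process that issued the kill.
    caller = fields["KILL_OLD_EFF_UID"]
    target = fields["KILL_TGT_EFF_UID"]
    if caller is not None and target is not None and caller != target:
        reasons.append("cross-uid")
    if caller == 0:
        reasons.append("caller-uid0")
    if fields["KILL_DFLT_PROCESS"]:
        reasons.append("default-unix-env")
    return reasons


def build_record(values):
    """Build a constructed test record; positions 1-281 (header) stay blank."""
    buf = [" "] * RECORD_LEN
    for name, kind, start, end in KILL_FIELDS:
        if name not in values:
            continue
        width = end - start + 1
        value = values[name]
        if kind == "int":
            text = str(value).zfill(width)
        elif kind == "yesno":
            text = ("YES" if value else "NO").ljust(width)
        else:
            text = str(value).ljust(width)
        buf[start - 1:end] = text[:width]
    return "".join(buf)


# Constructed sample: user WEBSRV (UID 1001) signals PID 4242 owned by UID 2002.
SAMPLE = build_record({
    "KILL_UTK_SPECIAL": False, "KILL_UTK_TRUSTED": False,
    "KILL_UTK_PRIV": False, "KILL_UTK_SPOE": "TERM01",
    "KILL_UTK_USER_ID": "WEBSRV",
    "KILL_OLD_REAL_UID": 1001, "KILL_OLD_EFF_UID": 1001,
    "KILL_TGT_REAL_UID": 2002, "KILL_TGT_EFF_UID": 2002,
    "KILL_TGT_PID": 4242, "KILL_SIGNAL_CODE": 9,
    "KILL_DFLT_PROCESS": False,
})

if __name__ == "__main__":
    parsed = parse_kill_extension(SAMPLE)
    print(parsed["KILL_UTK_USER_ID"], "->", parsed["KILL_TGT_PID"],
          review_reasons(parsed))
```

The same approach applies to the other extensions in this section by swapping in the field list from the relevant table; the event qualifier itself is carried in the record header, which is outside the positions shown here.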

The MKDIR record extension

Table 82 describes the format of a record that is created by making a directory.
The event qualifier that can be associated with making a directory is shown in Table 83.
Table 82. Format of the MKDIR record extension (event code 42)
Field name Type Length Start position End position Comments
MDIR_CLASS Char 8 282 289 Class name.
MDIR_USER_NAME Char 20 291 310 The name associated with the user ID.
MDIR_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
MDIR_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
MDIR_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
MDIR_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
MDIR_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
MDIR_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
MDIR_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
MDIR_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
MDIR_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
MDIR_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
MDIR_UTK_SESSTYPE Char 8 362 369 The session type of this session.
MDIR_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
MDIR_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
MDIR_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
MDIR_UTK_SECL Char 8 386 393 The security label of the user.
MDIR_UTK_EXECNODE Char 8 395 402 The execution node of the work.
MDIR_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
MDIR_UTK_SNODE Char 8 413 420 The submitting node.
MDIR_UTK_SGRP_ID Char 8 422 429 The submitting group name.
MDIR_UTK_SPOE Char 8 431 438 The port of entry.
MDIR_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
MDIR_UTK_USER_ID Char 8 449 456 User ID associated with the record.
MDIR_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
MDIR_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
MDIR_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
MDIR_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
MDIR_AUDIT_CODE Char 11 494 504 Audit function code.
MDIR_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
MDIR_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
MDIR_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
MDIR_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
MDIR_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
MDIR_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
MDIR_PATH_NAME Char 1023 572 1594 The requested path name.
MDIR_FILE_ID Char 32 1596 1627 File ID.
MDIR_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
MDIR_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
MDIR_OLD_S_ISGID Yes/No 4 1651 1654 Was the S_ISGID bit requested on for this file?
MDIR_OLD_S_ISUID Yes/No 4 1656 1659 Was the S_ISUID bit requested on for this file?
MDIR_OLD_S_ISVTX Yes/No 4 1661 1664 Was the S_ISVTX bit requested on for this file?
MDIR_OLD_OWN_READ Yes/No 4 1666 1669 Was the owner READ bit on for this file?
MDIR_OLD_OWN_WRITE Yes/No 4 1671 1674 Was the owner WRITE bit on for this file?
MDIR_OLD_OWN_EXEC Yes/No 4 1676 1679 Was the owner EXECUTE bit on for this file?
MDIR_OLD_GRP_READ Yes/No 4 1681 1684 Was the group READ bit on for this file?
MDIR_OLD_GRP_WRITE Yes/No 4 1686 1689 Was the group WRITE bit on for this file?
MDIR_OLD_GRP_EXEC Yes/No 4 1691 1694 Was the group EXECUTE bit on for this file?
MDIR_OLD_OTH_READ Yes/No 4 1696 1699 Was the other READ bit on for this file?
MDIR_OLD_OTH_WRITE Yes/No 4 1701 1704 Was the other WRITE bit on for this file?
MDIR_OLD_OTH_EXEC Yes/No 4 1706 1709 Was the other EXECUTE bit on for this file?
MDIR_NEW_S_ISGID Yes/No 4 1711 1714 Is the S_ISGID bit requested on for this file?
MDIR_NEW_S_ISUID Yes/No 4 1716 1719 Is the S_ISUID bit requested on for this file?
MDIR_NEW_S_ISVTX Yes/No 4 1721 1724 Is the S_ISVTX bit requested on for this file?
MDIR_NEW_OWN_READ Yes/No 4 1726 1729 Is the owner READ bit on for this file?
MDIR_NEW_OWN_WRITE Yes/No 4 1731 1734 Is the owner WRITE bit on for this file?
MDIR_NEW_OWN_EXEC Yes/No 4 1736 1739 Is the owner EXECUTE bit on for this file?
MDIR_NEW_GRP_READ Yes/No 4 1741 1744 Is the group READ bit on for this file?
MDIR_NEW_GRP_WRITE Yes/No 4 1746 1749 Is the group WRITE bit on for this file?
MDIR_NEW_GRP_EXEC Yes/No 4 1751 1754 Is the group EXECUTE bit on for this file?
MDIR_NEW_OTH_READ Yes/No 4 1756 1759 Is the other READ bit on for this file?
MDIR_NEW_OTH_WRITE Yes/No 4 1761 1764 Is the other WRITE bit on for this file?
MDIR_NEW_OTH_EXEC Yes/No 4 1766 1769 Is the other EXECUTE bit on for this file?
MDIR_UNEW_READ Char 8 1771 1778 What are the new user audit options for READ actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
MDIR_UNEW_WRITE Char 8 1780 1787 What are the new user audit options for WRITE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
MDIR_UNEW_EXEC Char 8 1789 1796 What are the new user audit options for EXECUTE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
MDIR_ANEW_READ Char 8 1798 1805 What are the new auditor audit options for READ actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
MDIR_ANEW_WRITE Char 8 1807 1814 What are the new auditor audit options for WRITE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
MDIR_ANEW_EXEC Char 8 1816 1823 What are the new auditor audit options for EXECUTE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
MDIR_REQ_S_ISGID Yes/No 4 1825 1828 Was the S_ISGID bit requested on for this file?
MDIR_REQ_S_ISUID Yes/No 4 1830 1833 Was the S_ISUID bit requested on for this file?
MDIR_REQ_S_ISVTX Yes/No 4 1835 1838 Was the S_ISVTX bit requested on for this file?
MDIR_REQ_OWN_READ Yes/No 4 1840 1843 Was the owner READ bit requested on for this file?
MDIR_REQ_OWN_WRITE Yes/No 4 1845 1848 Was the owner WRITE bit requested on for this file?
MDIR_REQ_OWN_EXEC Yes/No 4 1850 1853 Was the owner EXECUTE bit requested on for this file?
MDIR_REQ_GRP_READ Yes/No 4 1855 1858 Was the group READ bit requested on for this file?
MDIR_REQ_GRP_WRITE Yes/No 4 1860 1863 Was the group WRITE bit requested on for this file?
MDIR_REQ_GRP_EXEC Yes/No 4 1865 1868 Was the group EXECUTE bit requested on for this file?
MDIR_REQ_OTH_READ Yes/No 4 1870 1873 Was the other READ bit requested on for this file?
MDIR_REQ_OTH_WRITE Yes/No 4 1875 1878 Was the other WRITE bit requested on for this file?
MDIR_REQ_OTH_EXEC Yes/No 4 1880 1883 Was the other EXECUTE bit requested on for this file?
MDIR_FILEPOOL Char 8 1885 1892 SFS filepool containing the BFS file.
MDIR_FILESPACE Char 8 1894 1901 SFS filespace containing the BFS file.
MDIR_INODE Integer 10 1903 1912 Inode (file serial number).
MDIR_SCID Integer 10 1914 1923 File SCID.
MDIR_DFLT_PROCESS Yes/No 4 1925 1928 Default z/OS UNIX security environment in effect.
MDIR_UTK_NETW Char 8 1930 1937 The port of entry network name.
MDIR_X500_SUBJECT Char 255 1939 2193 Subject's name associated with this event.
MDIR_X500_ISSUER Char 255 2195 2449 Issuer's name associated with this event.
MDIR_SECL Char 8 2451 2458 Security label of the resource.
MDIR_SERV_POENAME Char 64 2460 2523 SERVAUTH resource or profile name.
MDIR_CTX_USER Char 510 2525 3034 Authenticated user name.
MDIR_CTX_REG Char 255 3036 3290 Authenticated user registry name.
MDIR_CTX_HOST Char 128 3292 3419 Authenticated user host name.
MDIR_CTX_MECH Char 16 3421 3436 Authenticated user authentication mechanism object identifier (OID).
MDIR_IDID_USER Char 985 3438 4422 Authenticated distributed user name.
MDIR_IDID_REG Char 1021 4424 5444 Authenticated distributed user registry name.
Table 83. Event qualifiers for MKDIR records
Event qualifier Event qualifier number Event description
SUCCESS 00 Directory created. There are no failure cases for this event.

The MKNOD record extension

Table 84 describes the format of a record that is created by making a node.
The event qualifier that can be associated with making a node is shown in Table 85.
Table 84. Format of the MKNOD record extension (event code 43)
Field name Type Length Start position End position Comments
MNOD_CLASS Char 8 282 289 Class name.
MNOD_USER_NAME Char 20 291 310 The name associated with the user ID.
MNOD_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
MNOD_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
MNOD_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
MNOD_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
MNOD_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
MNOD_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
MNOD_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
MNOD_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
MNOD_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
MNOD_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
MNOD_UTK_SESSTYPE Char 8 362 369 The session type of this session.
MNOD_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
MNOD_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
MNOD_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
MNOD_UTK_SECL Char 8 386 393 The security label of the user.
MNOD_UTK_EXECNODE Char 8 395 402 The execution node of the work.
MNOD_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
MNOD_UTK_SNODE Char 8 413 420 The submitting node.
MNOD_UTK_SGRP_ID Char 8 422 429 The submitting group name.
MNOD_UTK_SPOE Char 8 431 438 The port of entry.
MNOD_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
MNOD_UTK_USER_ID Char 8 449 456 User ID associated with the record.
MNOD_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
MNOD_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
MNOD_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
MNOD_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
MNOD_AUDIT_CODE Char 11 494 504 Audit function code.
MNOD_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
MNOD_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
MNOD_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
MNOD_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
MNOD_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
MNOD_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
MNOD_PATH_NAME Char 1023 572 1594 The requested path name.
MNOD_FILE_ID Char 32 1596 1627 File ID.
MNOD_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
MNOD_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
MNOD_OLD_S_ISGID Yes/No 4 1651 1654 Was the S_ISGID bit requested on for this file?
MNOD_OLD_S_ISUID Yes/No 4 1656 1659 Was the S_ISUID bit requested on for this file?
MNOD_OLD_S_ISVTX Yes/No 4 1661 1664 Was the S_ISVTX bit requested on for this file?
MNOD_OLD_OWN_READ Yes/No 4 1666 1669 Was the owner READ bit on for this file?
MNOD_OLD_OWN_WRITE Yes/No 4 1671 1674 Was the owner WRITE bit on for this file?
MNOD_OLD_OWN_EXEC Yes/No 4 1676 1679 Was the owner EXECUTE bit on for this file?
MNOD_OLD_GRP_READ Yes/No 4 1681 1684 Was the group READ bit on for this file?
MNOD_OLD_GRP_WRITE Yes/No 4 1686 1689 Was the group WRITE bit on for this file?
MNOD_OLD_GRP_EXEC Yes/No 4 1691 1694 Was the group EXECUTE bit on for this file?
MNOD_OLD_OTH_READ Yes/No 4 1696 1699 Was the other READ bit on for this file?
MNOD_OLD_OTH_WRITE Yes/No 4 1701 1704 Was the other WRITE bit on for this file?
MNOD_OLD_OTH_EXEC Yes/No 4 1706 1709 Was the other EXECUTE bit on for this file?
MNOD_NEW_S_ISGID Yes/No 4 1711 1714 Is the S_ISGID bit requested on for this file?
MNOD_NEW_S_ISUID Yes/No 4 1716 1719 Is the S_ISUID bit requested on for this file?
MNOD_NEW_S_ISVTX Yes/No 4 1721 1724 Is the S_ISVTX bit requested on for this file?
MNOD_NEW_OWN_READ Yes/No 4 1726 1729 Is the owner READ bit on for this file?
MNOD_NEW_OWN_WRITE Yes/No 4 1731 1734 Is the owner WRITE bit on for this file?
MNOD_NEW_OWN_EXEC Yes/No 4 1736 1739 Is the owner EXECUTE bit on for this file?
MNOD_NEW_GRP_READ Yes/No 4 1741 1744 Is the group READ bit on for this file?
MNOD_NEW_GRP_WRITE Yes/No 4 1746 1749 Is the group WRITE bit on for this file?
MNOD_NEW_GRP_EXEC Yes/No 4 1751 1754 Is the group EXECUTE bit on for this file?
MNOD_NEW_OTH_READ Yes/No 4 1756 1759 Is the other READ bit on for this file?
MNOD_NEW_OTH_WRITE Yes/No 4 1761 1764 Is the other WRITE bit on for this file?
MNOD_NEW_OTH_EXEC Yes/No 4 1766 1769 Is the other EXECUTE bit on for this file?
MNOD_UNEW_READ Char 8 1771 1778 What are the new user audit options for READ actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
MNOD_UNEW_WRITE Char 8 1780 1787 What are the new user audit options for WRITE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
MNOD_UNEW_EXEC Char 8 1789 1796 What are the new user audit options for EXECUTE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
MNOD_ANEW_READ Char 8 1798 1805 What are the new auditor audit options for READ actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
MNOD_ANEW_WRITE Char 8 1807 1814 What are the new auditor audit options for WRITE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
MNOD_ANEW_EXEC Char 8 1816 1823 What are the new auditor audit options for EXECUTE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
MNOD_REQ_S_ISGID Yes/No 4 1825 1828 Was the S_ISGID bit requested on for this file?
MNOD_REQ_S_ISUID Yes/No 4 1830 1833 Was the S_ISUID bit requested on for this file?
MNOD_REQ_S_ISVTX Yes/No 4 1835 1838 Was the S_ISVTX bit requested on for this file?
MNOD_REQ_OWN_READ Yes/No 4 1840 1843 Was the owner READ bit requested on for this file?
MNOD_REQ_OWN_WRITE Yes/No 4 1845 1848 Was the owner WRITE bit requested on for this file?
MNOD_REQ_OWN_EXEC Yes/No 4 1850 1853 Was the owner EXECUTE bit requested on for this file?
MNOD_REQ_GRP_READ Yes/No 4 1855 1858 Was the group READ bit requested on for this file?
MNOD_REQ_GRP_WRITE Yes/No 4 1860 1863 Was the group WRITE bit requested on for this file?
MNOD_REQ_GRP_EXEC Yes/No 4 1865 1868 Was the group EXECUTE bit requested on for this file?
MNOD_REQ_OTH_READ Yes/No 4 1870 1873 Was the other READ bit requested on for this file?
MNOD_REQ_OTH_WRITE Yes/No 4 1875 1878 Was the other WRITE bit requested on for this file?
MNOD_REQ_OTH_EXEC Yes/No 4 1880 1883 Was the other EXECUTE bit requested on for this file?
MNOD_FILEPOOL Char 8 1885 1892 SFS filepool containing the BFS file.
MNOD_FILESPACE Char 8 1894 1901 SFS filespace containing the BFS file.
MNOD_INODE Integer 10 1903 1912 Inode (file serial number).
MNOD_SCID Integer 10 1914 1923 File SCID.
MNOD_DFLT_PROCESS Yes/No 4 1925 1928 Default z/OS UNIX security environment in effect.
MNOD_UTK_NETW Char 8 1930 1937 The port of entry network name.
MNOD_X500_SUBJECT Char 255 1939 2193 Subject's name associated with this event.
MNOD_X500_ISSUER Char 255 2195 2449 Issuer's name associated with this event.
MNOD_SECL Char 8 2451 2458 Security label of the resource.
MNOD_SERV_POENAME Char 64 2460 2523 SERVAUTH resource or profile name.
MNOD_CTX_USER Char 510 2525 3034 Authenticated user name.
MNOD_CTX_REG Char 255 3036 3290 Authenticated user registry name.
MNOD_CTX_HOST Char 128 3292 3419 Authenticated user host name.
MNOD_CTX_MECH Char 16 3421 3436 Authenticated user authentication mechanism object identifier (OID).
MNOD_IDID_USER Char 985 3438 4422 Authenticated distributed user name.
MNOD_IDID_REG Char 1021 4424 5444 Authenticated distributed user registry name.
Table 85. Event qualifiers for MKNOD records
Event qualifier Event qualifier number Event description
SUCCESS 00 Node created. There are no failure cases for this event.

The mount file system record extension

Table 86 describes the format of a record that is created by mounting a file system.
The event qualifier that can be associated with the mounting of a file system event is shown in Table 87.
Table 86. Format of the mount file system record extension (event code 44)
Field name Type Length Start position End position Comments
MFS_CLASS Char 8 282 289 Class name.
MFS_USER_NAME Char 20 291 310 The name associated with the user ID.
MFS_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
MFS_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
MFS_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
MFS_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
MFS_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
MFS_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
MFS_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
MFS_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
MFS_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
MFS_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
MFS_UTK_SESSTYPE Char 8 362 369 The session type of this session.
MFS_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
MFS_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
MFS_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
MFS_UTK_SECL Char 8 386 393 The security label of the user.
MFS_UTK_EXECNODE Char 8 395 402 The execution node of the work.
MFS_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
MFS_UTK_SNODE Char 8 413 420 The submitting node.
MFS_UTK_SGRP_ID Char 8 422 429 The submitting group name.
MFS_UTK_SPOE Char 8 431 438 The port of entry.
MFS_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
MFS_UTK_USER_ID Char 8 449 456 User ID associated with the record.
MFS_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
MFS_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
MFS_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
MFS_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
MFS_AUDIT_CODE Char 11 494 504 Audit function code.
MFS_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
MFS_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
MFS_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
MFS_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
MFS_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
MFS_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
MFS_PATH_NAME Char 1023 572 1594 The requested path name.
MFS_FILE_ID Char 32 1596 1627 File ID.
MFS_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
MFS_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
MFS_HFS_DS_NAME Char 44 1651 1694 Data set name for the mounted file system.
MFS_DCE_LINK Char 16 1696 1711 Link to connect DCE records that originate from a single DCE request.
MFS_AUTH_TYPE Char 13 1713 1725 Defines the type of request. Valid values are: SERVER, AUTH_CLIENT, and UNAUTH_CLIENT.
MFS_DFLT_PROCESS Yes/No 4 1727 1730 Default z/OS UNIX security environment in effect.
MFS_UTK_NETW Char 8 1732 1739 The port of entry network name.
MFS_X500_SUBJECT Char 255 1741 1995 Subject's name associated with this event.
MFS_X500_ISSUER Char 255 1997 2251 Issuer's name associated with this event.
MFS_SERV_POENAME Char 64 2253 2316 SERVAUTH resource or profile name.
MFS_CTX_USER Char 510 2318 2827 Authenticated user name.
MFS_CTX_REG Char 255 2829 3083 Authenticated user registry name.
MFS_CTX_HOST Char 128 3085 3212 Authenticated user host name.
MFS_CTX_MECH Char 16 3214 3229 Authenticated user authentication mechanism object identifier (OID).
MFS_IDID_USER Char 985 3231 4215 Authenticated distributed user name.
MFS_IDID_REG Char 1021 4217 5237 Authenticated distributed user registry name.
Table 87. Event qualifiers for mount file system records
Event qualifier Event qualifier number Event description
SUCCESS 00 File system mounted. There are no failure cases for this event.

The OPENFILE record extension

Table 88 describes the format of a record that is created by opening a file.
The event qualifier that can be associated with opening a file is shown in Table 89.
Table 88. Format of the OPENFILE record extension (event code 45)
Field name Type Length Start position End position Comments
OPEN_CLASS Char 8 282 289 Class name.
OPEN_USER_NAME Char 20 291 310 The name associated with the user ID.
OPEN_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
OPEN_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
OPEN_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
OPEN_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
OPEN_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
OPEN_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
OPEN_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
OPEN_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
OPEN_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
OPEN_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
OPEN_UTK_SESSTYPE Char 8 362 369 The session type of this session.
OPEN_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
OPEN_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
OPEN_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
OPEN_UTK_SECL Char 8 386 393 The security label of the user.
OPEN_UTK_EXECNODE Char 8 395 402 The execution node of the work.
OPEN_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
OPEN_UTK_SNODE Char 8 413 420 The submitting node.
OPEN_UTK_SGRP_ID Char 8 422 429 The submitting group name.
OPEN_UTK_SPOE Char 8 431 438 The port of entry.
OPEN_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
OPEN_UTK_USER_ID Char 8 449 456 User ID associated with the record.
OPEN_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
OPEN_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
OPEN_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
OPEN_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
OPEN_AUDIT_CODE Char 11 494 504 Audit function code.
OPEN_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
OPEN_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
OPEN_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
OPEN_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
OPEN_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
OPEN_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
OPEN_PATH_NAME Char 1023 572 1594 The requested path name.
OPEN_FILE_ID Char 32 1596 1627 File ID.
OPEN_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
OPEN_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
OPEN_OLD_S_ISGID Yes/No 4 1651 1654 Was the S_ISGID bit requested on for this file?
OPEN_OLD_S_ISUID Yes/No 4 1656 1659 Was the S_ISUID bit requested on for this file?
OPEN_OLD_S_ISVTX Yes/No 4 1661 1664 Was the S_ISVTX bit requested on for this file?
OPEN_OLD_OWN_READ Yes/No 4 1666 1669 Was the owner READ bit on for this file?
OPEN_OLD_OWN_WRITE Yes/No 4 1671 1674 Was the owner WRITE bit on for this file?
OPEN_OLD_OWN_EXEC Yes/No 4 1676 1679 Was the owner EXECUTE bit on for this file?
OPEN_OLD_GRP_READ Yes/No 4 1681 1684 Was the group READ bit on for this file?
OPEN_OLD_GRP_WRITE Yes/No 4 1686 1689 Was the group WRITE bit on for this file?
OPEN_OLD_GRP_EXEC Yes/No 4 1691 1694 Was the group EXECUTE bit on for this file?
OPEN_OLD_OTH_READ Yes/No 4 1696 1699 Was the other READ bit on for this file?
OPEN_OLD_OTH_WRITE Yes/No 4 1701 1704 Was the other WRITE bit on for this file?
OPEN_OLD_OTH_EXEC Yes/No 4 1706 1709 Was the other EXECUTE bit on for this file?
OPEN_NEW_S_ISGID Yes/No 4 1711 1714 Is the S_ISGID bit requested on for this file?
OPEN_NEW_S_ISUID Yes/No 4 1716 1719 Is the S_ISUID bit requested on for this file?
OPEN_NEW_S_ISVTX Yes/No 4 1721 1724 Is the S_ISVTX bit requested on for this file?
OPEN_NEW_OWN_READ Yes/No 4 1726 1729 Is the owner READ bit on for this file?
OPEN_NEW_OWN_WRITE Yes/No 4 1731 1734 Is the owner WRITE bit on for this file?
OPEN_NEW_OWN_EXEC Yes/No 4 1736 1739 Is the owner EXECUTE bit on for this file?
OPEN_NEW_GRP_READ Yes/No 4 1741 1744 Is the group READ bit on for this file?
OPEN_NEW_GRP_WRITE Yes/No 4 1746 1749 Is the group WRITE bit on for this file?
OPEN_NEW_GRP_EXEC Yes/No 4 1751 1754 Is the group EXECUTE bit on for this file?
OPEN_NEW_OTH_READ Yes/No 4 1756 1759 Is the other READ bit on for this file?
OPEN_NEW_OTH_WRITE Yes/No 4 1761 1764 Is the other WRITE bit on for this file?
OPEN_NEW_OTH_EXEC Yes/No 4 1766 1769 Is the other EXECUTE bit on for this file?
OPEN_UNEW_READ Char 8 1771 1778 What are the new user audit options for READ actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
OPEN_UNEW_WRITE Char 8 1780 1787 What are the new user audit options for WRITE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
OPEN_UNEW_EXEC Char 8 1789 1796 What are the new user audit options for EXECUTE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
OPEN_ANEW_READ Char 8 1798 1805 What are the new auditor audit options for READ actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
OPEN_ANEW_WRITE Char 8 1807 1814 What are the new auditor audit options for WRITE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
OPEN_ANEW_EXEC Char 8 1816 1823 What are the new auditor audit options for EXECUTE actions? Valid values are NONE, SUCCESS, FAIL, and ALL.
OPEN_REQ_S_ISGID Yes/No 4 1825 1828 Was the S_ISGID bit requested on for this file?
OPEN_REQ_S_ISUID Yes/No 4 1830 1833 Was the S_ISUID bit requested on for this file?
OPEN_REQ_S_ISVTX Yes/No 4 1835 1838 Was the S_ISVTX bit requested on for this file?
OPEN_REQ_OWN_READ Yes/No 4 1840 1843 Was the owner READ bit requested on for this file?
OPEN_REQ_OWN_WRITE Yes/No 4 1845 1848 Was the owner WRITE bit requested on for this file?
OPEN_REQ_OWN_EXEC Yes/No 4 1850 1853 Was the owner EXECUTE bit requested on for this file?
OPEN_REQ_GRP_READ Yes/No 4 1855 1858 Was the group READ bit requested on for this file?
OPEN_REQ_GRP_WRITE Yes/No 4 1860 1863 Was the group WRITE bit requested on for this file?
OPEN_REQ_GRP_EXEC Yes/No 4 1865 1868 Was the group EXECUTE bit requested on for this file?
OPEN_REQ_OTH_READ Yes/No 4 1870 1873 Was the other READ bit requested on for this file?
OPEN_REQ_OTH_WRITE Yes/No 4 1875 1878 Was the other WRITE bit requested on for this file?
OPEN_REQ_OTH_EXEC Yes/No 4 1880 1883 Was the other EXECUTE bit requested on for this file?
OPEN_FILEPOOL Char 8 1885 1892 SFS filepool containing the BFS file.
OPEN_FILESPACE Char 8 1894 1901 SFS filespace containing the BFS file.
OPEN_INODE Integer 10 1903 1912 Inode (file serial number).
OPEN_SCID Integer 10 1914 1923 File SCID.
OPEN_DFLT_PROCESS Yes/No 4 1925 1928 Default z/OS UNIX security environment in effect.
OPEN_UTK_NETW Char 8 1930 1937 The port of entry network name.
OPEN_X500_SUBJECT Char 255 1939 2193 Subject's name associated with this event.
OPEN_X500_ISSUER Char 255 2195 2449 Issuer's name associated with this event.
OPEN_SECL Char 8 2451 2458 Security label of the resource.
OPEN_SERV_POENAME Char 64 2460 2523 SERVAUTH resource or profile name.
OPEN_CTX_USER Char 510 2525 3034 Authenticated user name.
OPEN_CTX_REG Char 255 3036 3290 Authenticated user registry name.
OPEN_CTX_HOST Char 128 3292 3419 Authenticated user host name.
OPEN_CTX_MECH Char 16 3421 3436 Authenticated user authentication mechanism object identifier (OID).
OPEN_IDID_USER Char 985 3438 4422 Authenticated distributed user name.
OPEN_IDID_REG Char 1021 4424 5444 Authenticated distributed user registry name.
Table 89. Event qualifiers for OPENFILE records
Event qualifier Event qualifier number Event description
SUCCESS 00 File created. There are no failure cases for this event.

The PTRACE record extension

Table 90 describes the format of a record that is created by the tracing of a process.
The event qualifiers that can be associated with the tracing of a process are shown in Table 91.
Table 90. Format of the PTRACE record extension (event code 46)
Field name Type Length Start position End position Comments
PTRC_CLASS Char 8 282 289 Class name.
PTRC_USER_NAME Char 20 291 310 The name associated with the user ID.
PTRC_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
PTRC_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
PTRC_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
PTRC_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
PTRC_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
PTRC_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
PTRC_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
PTRC_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
PTRC_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
PTRC_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
PTRC_UTK_SESSTYPE Char 8 362 369 The session type of this session.
PTRC_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
PTRC_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
PTRC_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
PTRC_UTK_SECL Char 8 386 393 The security label of the user.
PTRC_UTK_EXECNODE Char 8 395 402 The execution node of the work.
PTRC_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
PTRC_UTK_SNODE Char 8 413 420 The submitting node.
PTRC_UTK_SGRP_ID Char 8 422 429 The submitting group name.
PTRC_UTK_SPOE Char 8 431 438 The port of entry.
PTRC_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
PTRC_UTK_USER_ID Char 8 449 456 User ID associated with the record.
PTRC_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
PTRC_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
PTRC_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
PTRC_APPC_LINK Char 16 477 492 Key to link together APPC records.
PTRC_AUDIT_CODE Char 11 494 504 Audit function code.
PTRC_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
PTRC_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
PTRC_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
PTRC_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
PTRC_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
PTRC_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
PTRC_TGT_REAL_UID Integer 10 572 581 Target real z/OS UNIX user identifier (UID).
PTRC_TGT_EFF_UID Integer 10 583 592 Target effective z/OS UNIX user identifier (UID).
PTRC_TGT_SAVED_UID Integer 10 594 603 Target saved z/OS UNIX user identifier (UID).
PTRC_TGT_REAL_GID Integer 10 605 614 Target real z/OS UNIX group identifier (GID).
PTRC_TGT_EFF_GID Integer 10 616 625 Target effective z/OS UNIX group identifier (GID).
PTRC_TGT_SAVED_GID Integer 10 627 636 Target saved z/OS UNIX group identifier (GID).
PTRC_TGT_PID Integer 10 638 647 Target process ID.
PTRC_DFLT_PROCESS Yes/No 4 649 652 Default z/OS UNIX security environment in effect.
PTRC_UTK_NETW Char 8 654 661 The port of entry network name.
PTRC_X500_SUBJECT Char 255 663 917 Subject's name associated with this event.
PTRC_X500_ISSUER Char 255 919 1173 Issuer's name associated with this event.
PTRC_SECL Char 8 1175 1182 Security label of the resource.
PTRC_SERV_POENAME Char 64 1184 1247 SERVAUTH resource or profile name.
PTRC_CTX_USER Char 510 1249 1758 Authenticated user name.
PTRC_CTX_REG Char 255 1760 2014 Authenticated user registry name.
PTRC_CTX_HOST Char 128 2016 2143 Authenticated user host name.
PTRC_CTX_MECH Char 16 2145 2160 Authenticated user authentication mechanism object identifier (OID).
PTRC_IDID_USER Char 985 2162 3146 Authenticated distributed user name.
PTRC_IDID_REG Char 1021 3148 4168 Authenticated distributed user registry name.
Table 91. Event qualifiers for PTRACE records
Event qualifier Event qualifier number Event description
SUCCESS 00 Access allowed.
NOTAUTH 01 Not authorized to trace the specified process.
INSSECL 02 Insufficient security label.

The rename file record extension

Table 92 describes the format of a record that is created by a rename operation.
The event qualifier that can be associated with a file rename event is shown in Table 93.
Table 92. Format of the rename file record extension (event code 47)
Field name Type Length Start position End position Comments
RENF_CLASS Char 8 282 289 Class name.
RENF_USER_NAME Char 20 291 310 The name associated with the user ID.
RENF_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
RENF_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
RENF_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
RENF_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
RENF_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
RENF_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
RENF_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
RENF_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
RENF_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
RENF_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
RENF_UTK_SESSTYPE Char 8 362 369 The session type of this session.
RENF_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
RENF_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
RENF_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
RENF_UTK_SECL Char 8 386 393 The security label of the user.
RENF_UTK_EXECNODE Char 8 395 402 The execution node of the work.
RENF_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
RENF_UTK_SNODE Char 8 413 420 The submitting node.
RENF_UTK_SGRP_ID Char 8 422 429 The submitting group name.
RENF_UTK_SPOE Char 8 431 438 The port of entry.
RENF_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
RENF_UTK_USER_ID Char 8 449 456 User ID associated with the record.
RENF_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
RENF_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
RENF_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
RENF_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
RENF_AUDIT_CODE Char 11 494 504 Audit function code.
RENF_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
RENF_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
RENF_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
RENF_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
RENF_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
RENF_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
RENF_PATH_NAME Char 1023 572 1594 The requested path name.
RENF_FILE_ID Char 32 1596 1627 File ID.
RENF_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
RENF_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
RENF_PATH2 Char 1023 1651 2673 Second requested path name.
RENF_FILE_ID2 Char 32 2675 2706 Second requested file ID.
RENF_OWNER_UID Integer 10 2708 2717 z/OS UNIX user identifier (UID) of the owner of the deleted file.
RENF_OWNER_GID Integer 10 2719 2728 z/OS UNIX group identifier (GID) of the owner of the deleted file.
RENF_PATH_TYPE Char 4 2730 2733 Type of the requested path name. Valid values are OLD and NEW.
RENF_LAST_DELETED Yes/No 4 2735 2738 Was the last link deleted?
RENF_FILEPOOL Char 8 2740 2747 SFS filepool containing the BFS file.
RENF_FILESPACE Char 8 2749 2756 SFS filespace containing the BFS file.
RENF_INODE Integer 10 2758 2767 Inode (file serial number).
RENF_SCID Integer 10 2769 2778 File SCID.
RENF_FILEPOOL2 Char 8 2780 2787 SFS filepool containing the second BFS file.
RENF_FILESPACE2 Char 8 2789 2796 SFS filespace containing the second BFS file.
RENF_INODE2 Integer 10 2798 2807 Second Inode (file serial number).
RENF_SCID2 Integer 10 2809 2818 Second file SCID.
RENF_DCE_LINK Char 16 2820 2835 Link to connect DCE records that originate from a single DCE request.
RENF_AUTH_TYPE Char 13 2837 2849 Defines the type of request. Valid values are: SERVER, AUTH_CLIENT, and UNAUTH_CLIENT.
RENF_DFLT_PROCESS Yes/No 4 2851 2854 Default z/OS UNIX security environment in effect.
RENF_UTK_NETW Char 8 2856 2863 The port of entry network name.
RENF_X500_SUBJECT Char 255 2865 3119 Subject's name associated with this event.
RENF_X500_ISSUER Char 255 3121 3375 Issuer's name associated with this event.
RENF_SERV_POENAME Char 64 3377 3440 SERVAUTH resource or profile name.
RENF_CTX_USER Char 510 3442 3951 Authenticated user name.
RENF_CTX_REG Char 255 3953 4207 Authenticated user registry name.
RENF_CTX_HOST Char 128 4209 4336 Authenticated user host name.
RENF_CTX_MECH Char 16 4338 4353 Authenticated user authentication mechanism object identifier (OID).
RENF_IDID_USER Char 985 4355 5339 Authenticated distributed user name.
RENF_IDID_REG Char 1021 5341 6361 Authenticated distributed user registry name.
Table 93. Event qualifiers for rename file records
Event qualifier Event qualifier number Event description
SUCCESS 00 File renamed. There are no failure cases for this event.

The RMDIR record extension

Table 94 describes the format of a record that is created by removing a directory.
The event qualifier that can be associated with removing a directory is shown in Table 95.
Table 94. Format of the RMDIR record extension (event code 48)
Field name Type Length Start position End position Comments
RDIR_CLASS Char 8 282 289 Class name.
RDIR_USER_NAME Char 20 291 310 The name associated with the user ID.
RDIR_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
RDIR_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
RDIR_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
RDIR_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
RDIR_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
RDIR_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
RDIR_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
RDIR_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
RDIR_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
RDIR_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
RDIR_UTK_SESSTYPE Char 8 362 369 The session type of this session.
RDIR_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
RDIR_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
RDIR_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
RDIR_UTK_SECL Char 8 386 393 The security label of the user.
RDIR_UTK_EXECNODE Char 8 395 402 The execution node of the work.
RDIR_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
RDIR_UTK_SNODE Char 8 413 420 The submitting node.
RDIR_UTK_SGRP_ID Char 8 422 429 The submitting group name.
RDIR_UTK_SPOE Char 8 431 438 The port of entry.
RDIR_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
RDIR_UTK_USER_ID Char 8 449 456 User ID associated with the record.
RDIR_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
RDIR_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
RDIR_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
RDIR_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
RDIR_AUDIT_CODE Char 11 494 504 Audit function code.
RDIR_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
RDIR_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
RDIR_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
RDIR_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
RDIR_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
RDIR_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
RDIR_PATH_NAME Char 1023 572 1594 The requested path name.
RDIR_FILE_ID Char 32 1596 1627 File ID.
RDIR_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
RDIR_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
RDIR_FILEPOOL Char 8 1651 1658 SFS filepool containing the BFS file.
RDIR_FILESPACE Char 8 1660 1667 SFS filespace containing the BFS file.
RDIR_INODE Integer 10 1669 1678 Inode (file serial number).
RDIR_SCID Integer 10 1680 1689 File SCID.
RDIR_DCE_LINK Char 16 1691 1706 Link to connect DCE records that originate from a single DCE request.
RDIR_AUTH_TYPE Char 13 1708 1720 Defines the type of request. Valid values are: SERVER, AUTH_CLIENT, and UNAUTH_CLIENT.
RDIR_DFLT_PROCESS Yes/No 4 1722 1725 Default z/OS UNIX security environment in effect.
RDIR_UTK_NETW Char 8 1727 1734 The port of entry network name.
RDIR_X500_SUBJECT Char 255 1736 1990 Subject's name associated with this event.
RDIR_X500_ISSUER Char 255 1992 2246 Issuer's name associated with this event.
RDIR_SERV_POENAME Char 64 2248 2311 SERVAUTH resource or profile name.
RDIR_CTX_USER Char 510 2313 2822 Authenticated user name.
RDIR_CTX_REG Char 255 2824 3078 Authenticated user registry name.
RDIR_CTX_HOST Char 128 3080 3207 Authenticated user host name.
RDIR_CTX_MECH Char 16 3209 3224 Authenticated user authentication mechanism object identifier (OID).
RDIR_IDID_USER Char 985 3226 4210 Authenticated distributed user name.
RDIR_IDID_REG Char 1021 4212 5232 Authenticated distributed user registry name.
Table 95. Event qualifiers for RMDIR records
Event qualifier Event qualifier number Event description
SUCCESS 00 Directory removed. There are no failure cases for this event.

The SETEGID record extension

Table 96 describes the format of a record that is created by the setting of an effective z/OS UNIX group identifier (GID).
The event qualifiers that can be associated with setting the effective z/OS UNIX group identifier (GID) are shown in Table 97.
Table 96. Format of the SETEGID record extension (event code 49)
Field name Type Length Start position End position Comments
SEGI_CLASS Char 8 282 289 Class name.
SEGI_USER_NAME Char 20 291 310 The name associated with the user ID.
SEGI_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
SEGI_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
SEGI_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
SEGI_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
SEGI_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
SEGI_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
SEGI_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
SEGI_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
SEGI_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
SEGI_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
SEGI_UTK_SESSTYPE Char 8 362 369 The session type of this session.
SEGI_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
SEGI_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
SEGI_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
SEGI_UTK_SECL Char 8 386 393 The security label of the user.
SEGI_UTK_EXECNODE Char 8 395 402 The execution node of the work.
SEGI_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
SEGI_UTK_SNODE Char 8 413 420 The submitting node.
SEGI_UTK_SGRP_ID Char 8 422 429 The submitting group name.
SEGI_UTK_SPOE Char 8 431 438 The port of entry.
SEGI_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
SEGI_UTK_USER_ID Char 8 449 456 User ID associated with the record.
SEGI_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
SEGI_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
SEGI_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
SEGI_APPC_LINK Char 16 477 492 Key to link together APPC records.
SEGI_AUDIT_CODE Char 11 494 504 Audit function code.
SEGI_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
SEGI_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
SEGI_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
SEGI_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
SEGI_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
SEGI_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
SEGI_NEW_REAL_GID Integer 10 572 581 New real z/OS UNIX group identifier (GID).
SEGI_NEW_EFF_GID Integer 10 583 592 New effective z/OS UNIX group identifier (GID).
SEGI_NEW_SAVED_GID Integer 10 594 603 New saved z/OS UNIX group identifier (GID).
SEGI_GID Integer 10 605 614 The z/OS UNIX group identifier (GID) input parameter.
SEGI_DFLT_PROCESS Yes/No 4 616 619 Default z/OS UNIX security environment in effect.
SEGI_UTK_NETW Char 8 621 628 The port of entry network name.
SEGI_X500_SUBJECT Char 255 630 884 Subject's name associated with this event.
SEGI_X500_ISSUER Char 255 886 1140 Issuer's name associated with this event.
SEGI_SERV_POENAME Char 64 1142 1205 SERVAUTH resource or profile name.
SEGI_CTX_USER Char 510 1207 1716 Authenticated user name.
SEGI_CTX_REG Char 255 1718 1972 Authenticated user registry name.
SEGI_CTX_HOST Char 128 1974 2101 Authenticated user host name.
SEGI_CTX_MECH Char 16 2103 2118 Authenticated user authentication mechanism object identifier (OID).
SEGI_IDID_USER Char 985 2120 3104 Authenticated distributed user name.
SEGI_IDID_REG Char 1021 3106 4126 Authenticated distributed user registry name.
Table 97. Event qualifiers for SETEGID records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful change of effective z/OS UNIX group identifier (GID).
NOTAUTH 01 Not authorized to set the effective z/OS UNIX group identifier (GID).

The SETEUID record extension

Table 98 describes the format of a record that is created by the setting of an effective z/OS UNIX user identifier (UID).
The event qualifiers that can be associated with setting the effective z/OS UNIX user identifier (UID) are shown in Table 99.
Table 98. Format of the SETEUID record extension (event code 50)
Field name Type Length Start position End position Comments
SEUI_CLASS Char 8 282 289 Class name.
SEUI_USER_NAME Char 20 291 310 The name associated with the user ID.
SEUI_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
SEUI_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
SEUI_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
SEUI_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
SEUI_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
SEUI_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
SEUI_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
SEUI_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
SEUI_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
SEUI_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
SEUI_UTK_SESSTYPE Char 8 362 369 The session type of this session.
SEUI_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
SEUI_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
SEUI_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
SEUI_UTK_SECL Char 8 386 393 The security label of the user.
SEUI_UTK_EXECNODE Char 8 395 402 The execution node of the work.
SEUI_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
SEUI_UTK_SNODE Char 8 413 420 The submitting node.
SEUI_UTK_SGRP_ID Char 8 422 429 The submitting group name.
SEUI_UTK_SPOE Char 8 431 438 The port of entry.
SEUI_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
SEUI_UTK_USER_ID Char 8 449 456 User ID associated with the record.
SEUI_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
SEUI_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
SEUI_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
SEUI_APPC_LINK Char 16 477 492 Key to link together APPC records.
SEUI_AUDIT_CODE Char 11 494 504 Audit function code.
SEUI_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
SEUI_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
SEUI_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
SEUI_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
SEUI_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
SEUI_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
SEUI_NEW_REAL_UID Integer 10 572 581 New real z/OS UNIX user identifier (UID).
SEUI_NEW_EFF_UID Integer 10 583 592 New effective z/OS UNIX user identifier (UID).
SEUI_NEW_SAVED_UID Integer 10 594 603 New saved z/OS UNIX user identifier (UID).
SEUI_UID Integer 10 605 614 The z/OS UNIX user identifier (UID) input parameter.
SEUI_DFLT_PROCESS Yes/No 4 616 619 Default z/OS UNIX security environment in effect.
SEUI_UTK_NETW Char 8 621 628 The port of entry network name.
SEUI_X500_SUBJECT Char 255 630 884 Subject's name associated with this event.
SEUI_X500_ISSUER Char 255 886 1140 Issuer's name associated with this event.
SEUI_SERV_POENAME Char 64 1142 1205 SERVAUTH resource or profile name.
SEUI_CTX_USER Char 510 1207 1716 Authenticated user name.
SEUI_CTX_REG Char 255 1718 1972 Authenticated user registry name.
SEUI_CTX_HOST Char 128 1974 2101 Authenticated user host name.
SEUI_CTX_MECH Char 16 2103 2118 Authenticated user authentication mechanism object identifier (OID).
SEUI_IDID_USER Char 985 2120 3104 Authenticated distributed user name.
SEUI_IDID_REG Char 1021 3106 4126 Authenticated distributed user registry name.
Table 99. Event qualifiers for SETEUID records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful change of z/OS UNIX user identifiers (UIDs).
NOTAUTH 01 Not authorized to set the effective z/OS UNIX user identifier (UID).

The SETGID record extension

Table 100 describes the format of a record that is created by the setting of a z/OS UNIX group identifier (GID).
The event qualifiers that can be associated with setting the z/OS UNIX group identifier (GID) are shown in Table 101.
Table 100. Format of the SETGID record extension (event code 51)
Field name Type Length Position Comments
Start End
SGI_CLASS Char 8 282 289 Class name.
SGI_USER_NAME Char 20 291 310 The name associated with the user ID.
SGI_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
SGI_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
SGI_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
SGI_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
SGI_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
SGI_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
SGI_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
SGI_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
SGI_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
SGI_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
SGI_UTK_SESSTYPE Char 8 362 369 The session type of this session.
SGI_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
SGI_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
SGI_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
SGI_UTK_SECL Char 8 386 393 The security label of the user.
SGI_UTK_EXECNODE Char 8 395 402 The execution node of the work.
SGI_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
SGI_UTK_SNODE Char 8 413 420 The submitting node.
SGI_UTK_SGRP_ID Char 8 422 429 The submitting group name.
SGI_UTK_SPOE Char 8 431 438 The port of entry.
SGI_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
SGI_UTK_USER_ID Char 8 449 456 User ID associated with the record.
SGI_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
SGI_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
SGI_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
SGI_APPC_LINK Char 16 477 492 Key to link together APPC records.
SGI_AUDIT_CODE Char 11 494 504 Audit function code.
SGI_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
SGI_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
SGI_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
SGI_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
SGI_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
SGI_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
SGI_NEW_REAL_GID Integer 10 572 581 New real z/OS UNIX group identifier (GID).
SGI_NEW_EFF_GID Integer 10 583 592 New effective z/OS UNIX group identifier (GID).
SGI_NEW_SAVED_GID Integer 10 594 603 New saved z/OS UNIX group identifier (GID).
SGI_GID Integer 10 605 614 The z/OS UNIX group identifier (GID) input parameter.
SGI_DFLT_PROCESS Yes/No 4 616 619 Default z/OS UNIX security environment in effect.
SGI_UTK_NETW Char 8 621 628 The port of entry network name.
SGI_X500_SUBJECT Char 255 630 884 Subject's name associated with this event.
SGI_X500_ISSUER Char 255 886 1140 Issuer's name associated with this event.
SGI_SERV_POENAME Char 64 1142 1205 SERVAUTH resource or profile name.
SGI_CTX_USER Char 510 1207 1716 Authenticated user name.
SGI_CTX_REG Char 255 1718 1972 Authenticated user registry name.
SGI_CTX_HOST Char 128 1974 2101 Authenticated user host name.
SGI_CTX_MECH Char 16 2103 2118 Authenticated user authentication mechanism object identifier (OID).
SGI_IDID_USER Char 985 2120 3104 Authenticated distributed user name.
SGI_IDID_REG Char 1021 3106 4126 Authenticated distributed user registry name.
Table 101. Event qualifiers for SETGID records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful change of z/OS UNIX group identifier (GID).
NOTAUTH 01 Not authorized to set the z/OS UNIX group identifier (GID).

The SETUID record extension

Table 102 describes the format of a record that is created by the setting of a z/OS UNIX user identifier (UID).
The event qualifiers that can be associated with setting the effective z/OS UNIX user identifier (UID) are shown in Table 103.
Table 102. Format of the SETUID record extension (event code 52)
Field name Type Length Position Comments
Start End
SUI_CLASS Char 8 282 289 Class name.
SUI_USER_NAME Char 20 291 310 The name associated with the user ID.
SUI_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
SUI_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
SUI_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
SUI_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
SUI_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
SUI_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
SUI_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
SUI_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
SUI_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
SUI_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
SUI_UTK_SESSTYPE Char 8 362 369 The session type of this session.
SUI_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
SUI_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
SUI_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
SUI_UTK_SECL Char 8 386 393 The security label of the user.
SUI_UTK_EXECNODE Char 8 395 402 The execution node of the work.
SUI_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
SUI_UTK_SNODE Char 8 413 420 The submitting node.
SUI_UTK_SGRP_ID Char 8 422 429 The submitting group name.
SUI_UTK_SPOE Char 8 431 438 The port of entry.
SUI_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
SUI_UTK_USER_ID Char 8 449 456 User ID associated with the record.
SUI_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
SUI_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
SUI_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
SUI_APPC_LINK Char 16 477 492 Key to link together APPC records.
SUI_AUDIT_CODE Char 11 494 504 Audit function code.
SUI_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
SUI_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
SUI_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
SUI_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
SUI_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
SUI_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
SUI_NEW_REAL_UID Integer 10 572 581 New real z/OS UNIX user identifier (UID).
SUI_NEW_EFF_UID Integer 10 583 592 New effective z/OS UNIX user identifier (UID).
SUI_NEW_SAVED_UID Integer 10 594 603 New saved z/OS UNIX user identifier (UID).
SUI_UID Integer 10 605 614 The z/OS UNIX user identifier (UID) input parameter.
SUI_DFLT_PROCESS Yes/No 4 616 619 Default z/OS UNIX security environment in effect.
SUI_UTK_NETW Char 8 621 628 The port of entry network name.
SUI_X500_SUBJECT Char 255 630 884 Subject's name associated with this event.
SUI_X500_ISSUER Char 255 886 1140 Issuer's name associated with this event.
SUI_SERV_POENAME Char 64 1142 1205 SERVAUTH resource or profile name.
SUI_CTX_USER Char 510 1207 1716 Authenticated user name.
SUI_CTX_REG Char 255 1718 1972 Authenticated user registry name.
SUI_CTX_HOST Char 128 1974 2101 Authenticated user host name.
SUI_CTX_MECH Char 16 2103 2118 Authenticated user authentication mechanism object identifier (OID).
SUI_IDID_USER Char 985 2120 3104 Authenticated distributed user name.
SUI_IDID_REG Char 1021 3106 4126 Authenticated distributed user registry name.
Table 103. Event qualifiers for SETUID records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful change of z/OS UNIX user identifier (UID).
NOTAUTH 01 Not authorized to set the z/OS UNIX user identifier (UID).
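
The positions in Table 102 can be used directly to slice an unloaded SETUID record and review the UID transition it reports. The following Python sketch is an added example, not IBM code: the helper names (`parse_setuid`, `review`, `build_record`) are hypothetical, the sample record is constructed, and the `YES`/`NO` text and zero-padded decimal encodings are assumptions about the unloaded format.

```python
# Added example, not IBM code. Field names and positions come from Table 102.
# Assumptions: Yes/No fields hold "YES" or "NO", Integer fields hold decimal digits.

# (field name, kind, start, end); positions are 1-based and inclusive.
SETUID_FIELDS = [
    ("SUI_CLASS", "char", 282, 289),
    ("SUI_USER_NAME", "char", 291, 310),
    ("SUI_UTK_SPECIAL", "yesno", 337, 340),
    ("SUI_UTK_TRUSTED", "yesno", 357, 360),
    ("SUI_UTK_PRIV", "yesno", 381, 384),
    ("SUI_UTK_SPOE", "char", 431, 438),
    ("SUI_UTK_SPCLASS", "char", 440, 447),
    ("SUI_UTK_USER_ID", "char", 449, 456),
    ("SUI_OLD_REAL_UID", "int", 506, 515),
    ("SUI_OLD_EFF_UID", "int", 517, 526),
    ("SUI_OLD_SAVED_UID", "int", 528, 537),
    ("SUI_NEW_REAL_UID", "int", 572, 581),
    ("SUI_NEW_EFF_UID", "int", 583, 592),
    ("SUI_NEW_SAVED_UID", "int", 594, 603),
    ("SUI_UID", "int", 605, 614),
    ("SUI_DFLT_PROCESS", "yesno", 616, 619),
]


def decode(kind, raw, width):
    """Convert one fixed-width field; blank or unusable fields become None."""
    if kind == "int" and len(raw) < width:
        return None  # record cut off inside the number: do not trust a partial value
    text = raw.strip()
    if not text:
        return None  # blank: the relocate section was not present for this event
    if kind == "yesno":
        return text.upper() == "YES"
    if kind == "int":
        return int(text) if text.isdigit() else None
    return text


def parse_setuid(record):
    """Slice the event code 52 extension out of one unloaded record line."""
    return {name: decode(kind, record[start - 1:end], end - start + 1)
            for name, kind, start, end in SETUID_FIELDS}


def review(rec):
    """Return audit findings for one parsed SETUID record."""
    findings = []
    old_eff, new_eff = rec["SUI_OLD_EFF_UID"], rec["SUI_NEW_EFF_UID"]
    if new_eff == 0 and old_eff not in (0, None):
        findings.append(f"effective UID {old_eff} -> 0 by {rec['SUI_UTK_USER_ID']}")
    if (new_eff == 0 and rec["SUI_NEW_REAL_UID"] == 0
            and rec["SUI_NEW_SAVED_UID"] == 0
            and rec["SUI_OLD_REAL_UID"] not in (0, None)):
        findings.append("real, effective and saved UID all set to 0")
    if rec["SUI_DFLT_PROCESS"]:
        findings.append("default z/OS UNIX security environment in effect")
    if old_eff is None or new_eff is None:
        findings.append("UID fields blank or truncated; cannot assess transition")
    return findings


def build_record(values):
    """Build a constructed test record; positions 1-281 (the header) stay blank."""
    buf = [" "] * 4126  # Table 102 ends at position 4126
    for name, kind, start, end in SETUID_FIELDS:
        if name not in values:
            continue
        width = end - start + 1
        value = values[name]
        if kind == "int":
            text = f"{value:0{width}d}"
        elif kind == "yesno":
            text = ("YES" if value else "NO").ljust(width)
        else:
            text = str(value).ljust(width)[:width]
        buf[start - 1:end] = text
    return "".join(buf)


# Constructed sample values, not taken from a real system.
SAMPLE = build_record({
    "SUI_USER_NAME": "WEB SERVER TASK",
    "SUI_UTK_SPECIAL": False,
    "SUI_UTK_SPCLASS": "TERMINAL",
    "SUI_UTK_USER_ID": "WEBSRV1",
    "SUI_OLD_REAL_UID": 1205, "SUI_OLD_EFF_UID": 1205, "SUI_OLD_SAVED_UID": 1205,
    "SUI_NEW_REAL_UID": 0, "SUI_NEW_EFF_UID": 0, "SUI_NEW_SAVED_UID": 0,
    "SUI_UID": 0,
    "SUI_DFLT_PROCESS": False,
})

if __name__ == "__main__":
    for finding in review(parse_setuid(SAMPLE)):
        print(finding)
```

The same slicing works for the other extensions on this page once the field list is replaced with the positions from the relevant table.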

The SYMLINK record extension

Table 104 describes the format of a record that is created by a SYMLINK operation.
The event qualifier that can be associated with a SYMLINK event is shown in Table 105.
Table 104. Format of the SYMLINK record extension (event code 53)
Field name Type Length Position Comments
Start End
SYML_CLASS Char 8 282 289 Class name.
SYML_USER_NAME Char 20 291 310 The name associated with the user ID.
SYML_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
SYML_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
SYML_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
SYML_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
SYML_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
SYML_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
SYML_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
SYML_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
SYML_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
SYML_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
SYML_UTK_SESSTYPE Char 8 362 369 The session type of this session.
SYML_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
SYML_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
SYML_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
SYML_UTK_SECL Char 8 386 393 The security label of the user.
SYML_UTK_EXECNODE Char 8 395 402 The execution node of the work.
SYML_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
SYML_UTK_SNODE Char 8 413 420 The submitting node.
SYML_UTK_SGRP_ID Char 8 422 429 The submitting group name.
SYML_UTK_SPOE Char 8 431 438 The port of entry.
SYML_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
SYML_UTK_USER_ID Char 8 449 456 User ID associated with the record.
SYML_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
SYML_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
SYML_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
SYML_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
SYML_AUDIT_CODE Char 11 494 504 Audit function code.
SYML_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
SYML_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
SYML_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
SYML_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
SYML_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
SYML_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
SYML_PATH_NAME Char 1023 572 1594 The requested path name.
SYML_FILE_ID Char 32 1596 1627 File ID.
SYML_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
SYML_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
SYML_SYMLINK_DATA Char 1023 1651 2673 Content of SYMLINK.
SYML_FILEPOOL Char 8 2675 2682 SFS filepool containing the BFS file.
SYML_FILESPACE Char 8 2684 2691 SFS filespace containing the BFS file.
SYML_INODE Integer 10 2693 2702 Inode (file serial number).
SYML_SCID Integer 10 2704 2713 File SCID.
SYML_DFLT_PROCESS Char 1 2715 2715 Default z/OS UNIX security environment in effect.
SYML_UTK_NETW Char 8 2720 2727 The port of entry network name.
SYML_X500_SUBJECT Char 255 2729 2983 Subject's name associated with this event.
SYML_X500_ISSUER Char 255 2985 3239 Issuer's name associated with this event.
SYML_SECL Char 8 3241 3248 Security label of the resource.
SYML_SERV_POENAME Char 64 3250 3313 SERVAUTH resource or profile name.
SYML_CTX_USER Char 510 3315 3824 Authenticated user name.
SYML_CTX_REG Char 255 3826 4080 Authenticated user registry name.
SYML_CTX_HOST Char 128 4082 4209 Authenticated user host name.
SYML_CTX_MECH Char 16 4211 4226 Authenticated user authentication mechanism object identifier (OID).
SYML_IDID_USER Char 985 4228 5212 Authenticated distributed user name.
SYML_IDID_REG Char 1021 5214 6234 Authenticated distributed user registry name.
Table 105. Event qualifiers for SYMLINK records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful SYMLINK. There are no failure cases for this event.

The UNLINK record extension

Table 106 describes the format of a record that is created by an UNLINK operation.
The event qualifier that can be associated with an UNLINK event is shown in Table 107.
Table 106. Format of the UNLINK record extension (event code 54)
Field name Type Length Position Comments
Start End
UNL_CLASS Char 8 282 289 Class name.
UNL_USER_NAME Char 20 291 310 The name associated with the user ID.
UNL_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
UNL_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
UNL_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
UNL_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
UNL_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
UNL_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
UNL_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
UNL_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
UNL_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
UNL_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
UNL_UTK_SESSTYPE Char 8 362 369 The session type of this session.
UNL_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
UNL_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
UNL_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
UNL_UTK_SECL Char 8 386 393 The security label of the user.
UNL_UTK_EXECNODE Char 8 395 402 The execution node of the work.
UNL_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
UNL_UTK_SNODE Char 8 413 420 The submitting node.
UNL_UTK_SGRP_ID Char 8 422 429 The submitting group name.
UNL_UTK_SPOE Char 8 431 438 The port of entry.
UNL_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
UNL_UTK_USER_ID Char 8 449 456 User ID associated with the record.
UNL_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
UNL_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
UNL_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
UNL_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
UNL_AUDIT_CODE Char 11 494 504 Audit function code.
UNL_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
UNL_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
UNL_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
UNL_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
UNL_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
UNL_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
UNL_PATH_NAME Char 1023 572 1594 The requested path name.
UNL_FILE_ID Char 32 1596 1627 File ID.
UNL_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
UNL_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
UNL_LAST_DELETED Yes/No 4 1651 1654 Was the last link deleted?
UNL_FILEPOOL Char 8 1656 1663 SFS filepool containing the BFS file.
UNL_FILESPACE Char 8 1665 1672 SFS filespace containing the BFS file.
UNL_INODE Integer 10 1674 1683 Inode (file serial number).
UNL_SCID Integer 10 1685 1694 File SCID.
UNL_DCE_LINK Char 16 1696 1711 Link to connect DCE records that originate from a single DCE request.
UNL_AUTH_TYPE Char 13 1713 1725 Defines the type of request. Valid values are: SERVER, AUTH_CLIENT, and UNAUTH_CLIENT.
UNL_DFLT_PROCESS Yes/No 4 1727 1730 Default z/OS UNIX security environment in effect.
UNL_UTK_NETW Char 8 1732 1739 The port of entry network name.
UNL_X500_SUBJECT Char 255 1741 1995 Subject's name associated with this event.
UNL_X500_ISSUER Char 255 1997 2251 Issuer's name associated with this event.
UNL_SERV_POENAME Char 64 2253 2316 SERVAUTH resource or profile name.
UNL_CTX_USER Char 510 2318 2827 Authenticated user name.
UNL_CTX_REG Char 255 2829 3083 Authenticated user registry name.
UNL_CTX_HOST Char 128 3085 3212 Authenticated user host name.
UNL_CTX_MECH Char 16 3214 3229 Authenticated user authentication mechanism object identifier (OID).
UNL_IDID_USER Char 985 3231 4215 Authenticated distributed user name.
UNL_IDID_REG Char 1021 4217 5237 Authenticated distributed user registry name.
Table 107. Event qualifiers for UNLINK records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful UNLINK. Failures are logged as check access event types.

The unmount file system record extension

Table 108 describes the format of a record that is created by unmounting a file system.
The event qualifier that can be associated with the unmounting of a file system is shown in Table 109.
Table 108. Format of the unmount file system record extension (event code 55)
Field name Type Length Position Comments
Start End
UFS_CLASS Char 8 282 289 Class name.
UFS_USER_NAME Char 20 291 310 The name associated with the user ID.
UFS_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
UFS_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
UFS_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
UFS_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
UFS_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
UFS_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
UFS_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
UFS_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
UFS_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
UFS_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
UFS_UTK_SESSTYPE Char 8 362 369 The session type of this session.
UFS_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
UFS_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
UFS_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
UFS_UTK_SECL Char 8 386 393 The security label of the user.
UFS_UTK_EXECNODE Char 8 395 402 The execution node of the work.
UFS_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
UFS_UTK_SNODE Char 8 413 420 The submitting node.
UFS_UTK_SGRP_ID Char 8 422 429 The submitting group name.
UFS_UTK_SPOE Char 8 431 438 The port of entry.
UFS_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
UFS_UTK_USER_ID Char 8 449 456 User ID associated with the record.
UFS_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
UFS_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
UFS_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
UFS_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
UFS_AUDIT_CODE Char 11 494 504 Audit function code.
UFS_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
UFS_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
UFS_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
UFS_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
UFS_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
UFS_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
UFS_PATH_NAME Char 1023 572 1594 The requested path name.
UFS_FILE_ID Char 32 1596 1627 File ID.
UFS_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
UFS_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
UFS_HFS_DS_NAME Char 44 1651 1694 Data set name for the mounted file system.
UFS_DCE_LINK Char 16 1696 1711 Link to connect DCE records that originate from a single DCE request.
UFS_AUTH_TYPE Char 13 1713 1725 Defines the type of request. Valid values are: SERVER, AUTH_CLIENT, and UNAUTH_CLIENT.
UFS_DFLT_PROCESS Yes/No 4 1727 1730 Default z/OS UNIX security environment in effect.
UFS_UTK_NETW Char 8 1732 1739 The port of entry network name.
UFS_X500_SUBJECT Char 255 1741 1995 Subject's name associated with this event.
UFS_X500_ISSUER Char 255 1997 2251 Issuer's name associated with this event.
UFS_SERV_POENAME Char 64 2253 2316 SERVAUTH resource or profile name.
UFS_CTX_USER Char 510 2318 2827 Authenticated user name.
UFS_CTX_REG Char 255 2829 3083 Authenticated user registry name.
UFS_CTX_HOST Char 128 3085 3212 Authenticated user host name.
UFS_CTX_MECH Char 16 3214 3229 Authenticated user authentication mechanism object identifier (OID).
UFS_IDID_USER Char 985 3231 4215 Authenticated distributed user name.
UFS_IDID_REG Char 1021 4217 5237 Authenticated distributed user registry name.
Table 109. Event qualifiers for unmount file system records
Event qualifier Event qualifier number Event description
SUCCESS 00 Unmount successful. Failures are logged as CKPRIV events.

The check file owner record extension

Table 110 describes the format of a record that is created by checking the owner of a file.
The event qualifiers that can be associated with checking a file's owner are shown in Table 111.
Table 110. Format of the check file owner record extension (event code 56)
Field name Type Length Position Comments
Start End
CFOW_CLASS Char 8 282 289 Class name.
CFOW_USER_NAME Char 20 291 310 The name associated with the user ID.
CFOW_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
CFOW_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
CFOW_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
CFOW_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
CFOW_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
CFOW_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
CFOW_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
CFOW_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
CFOW_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
CFOW_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
CFOW_UTK_SESSTYPE Char 8 362 369 The session type of this session.
CFOW_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
CFOW_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
CFOW_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
CFOW_UTK_SECL Char 8 386 393 The security label of the user.
CFOW_UTK_EXECNODE Char 8 395 402 The execution node of the work.
CFOW_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
CFOW_UTK_SNODE Char 8 413 420 The submitting node.
CFOW_UTK_SGRP_ID Char 8 422 429 The submitting group name.
CFOW_UTK_SPOE Char 8 431 438 The port of entry.
CFOW_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
CFOW_UTK_USER_ID Char 8 449 456 User ID associated with the record.
CFOW_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
CFOW_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
CFOW_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
CFOW_APPC_LINK Char 16 477 492 Key to link together APPC records.
CFOW_AUDIT_CODE Char 11 494 504 Audit function code.
CFOW_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
CFOW_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
CFOW_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
CFOW_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
CFOW_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
CFOW_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
CFOW_PATH_NAME Char 1023 572 1594 The requested path name.
CFOW_FILE_ID Char 32 1596 1627 File ID.
CFOW_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
CFOW_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
CFOW_FILEPOOL Char 8 1651 1658 SFS filepool containing the BFS file.
CFOW_FILESPACE Char 8 1660 1667 SFS filespace containing the BFS file.
CFOW_INODE Integer 10 1669 1678 Inode (file serial number).
CFOW_SCID Integer 10 1680 1689 File SCID.
CFOW_DCE_LINK Char 16 1691 1706 Link to connect DCE records that originate from a single DCE request.
CFOW_AUTH_TYPE Char 13 1708 1720 Defines the type of request. Valid values are: SERVER, AUTH_CLIENT, and UNAUTH_CLIENT.
CFOW_DFLT_PROCESS Yes/No 4 1722 1725 Default z/OS UNIX security environment in effect.
CFOW_UTK_NETW Char 8 1727 1734 The port of entry network name.
CFOW_X500_SUBJECT Char 255 1736 1990 Subject's name associated with this event.
CFOW_X500_ISSUER Char 255 1992 2246 Issuer's name associated with this event.
CFOW_SECL Char 8 2248 2255 Security label of the resource.
CFOW_SERV_POENAME Char 64 2257 2320 SERVAUTH resource or profile name.
CFOW_CTX_USER Char 510 2322 2831 Authenticated user name.
CFOW_CTX_REG Char 255 2833 3087 Authenticated user registry name.
CFOW_CTX_HOST Char 128 3089 3216 Authenticated user host name.
CFOW_CTX_MECH Char 16 3218 3233 Authenticated user authentication mechanism object identifier (OID).
CFOW_IDID_USER Char 985 3235 4219 Authenticated distributed user name.
CFOW_IDID_REG Char 1021 4221 5241 Authenticated distributed user registry name.
Table 111. Event qualifiers for check file owner records
Event qualifier Event qualifier number Event description
OWNER 00 The user is the owner.
NOTOWNER 01 The user is not the owner.
INSSECL 02 Insufficient security label.

The check privilege record extension

Table 112 describes the format of a record that is created by checking a user's privileges.
The event qualifiers that can be associated with checking a user's privileges are shown in Table 113.
Table 112. Format of the check privileges record extension (event code 57)
Field name Type Length Position Comments
Start End
CPRV_CLASS Char 8 282 289 Class name.
CPRV_USER_NAME Char 20 291 310 The name associated with the user ID.
CPRV_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
CPRV_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
CPRV_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
CPRV_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
CPRV_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
CPRV_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
CPRV_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
CPRV_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
CPRV_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
CPRV_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
CPRV_UTK_SESSTYPE Char 8 362 369 The session type of this session.
CPRV_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
CPRV_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
CPRV_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
CPRV_UTK_SECL Char 8 386 393 The security label of the user.
CPRV_UTK_EXECNODE Char 8 395 402 The execution node of the work.
CPRV_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
CPRV_UTK_SNODE Char 8 413 420 The submitting node.
CPRV_UTK_SGRP_ID Char 8 422 429 The submitting group name.
CPRV_UTK_SPOE Char 8 431 438 The port of entry.
CPRV_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
CPRV_UTK_USER_ID Char 8 449 456 User ID associated with the record.
CPRV_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
CPRV_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
CPRV_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
CPRV_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
CPRV_AUDIT_CODE Char 11 494 504 Audit function code.
CPRV_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
CPRV_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
CPRV_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
CPRV_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
CPRV_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
CPRV_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
CPRV_DCE_LINK Char 16 572 587 Link to connect DCE records that originate from a single DCE request.
CPRV_AUTH_TYPE Char 13 589 601 Defines the type of request. Valid values are: SERVER, AUTH_CLIENT, and UNAUTH_CLIENT.
CPRV_DFLT_PROCESS Yes/No 4 603 606 Default z/OS UNIX security environment in effect.
CPRV_UTK_NETW Char 8 608 615 The port of entry network name.
CPRV_X500_SUBJECT Char 255 617 871 Subject's name associated with this event.
CPRV_X500_ISSUER Char 255 873 1127 Issuer's name associated with this event.
CPRV_SERV_POENAME Char 64 1129 1192 SERVAUTH resource or profile name.
CPRV_CTX_USER Char 510 1194 1703 Authenticated user name.
CPRV_CTX_REG Char 255 1705 1959 Authenticated user registry name.
CPRV_CTX_HOST Char 128 1961 2088 Authenticated user host name.
CPRV_CTX_MECH Char 16 2090 2105 Authenticated user authentication mechanism object identifier (OID).
CPRV_IDID_USER Char 985 2107 3091 Authenticated distributed user name.
CPRV_IDID_REG Char 1021 3093 4113 Authenticated distributed user registry name.
Table 113. Event qualifiers for check privileges records
Event qualifier Event qualifier number Event description
SUCCESS 00 User is authorized.
NOTAUTH 01 The user is not authorized to the function.

The open subsidiary TTY record extension

Table 114 describes the format of a record that is created by the opening of a subsidiary TTY.
The event qualifiers that can be associated with open subsidiary TTY records are shown in Table 115.
Table 114. Format of the open subsidiary TTY record extension (event code 58)
Field name Type Length Position Comments
Start End
OSTY_CLASS Char 8 282 289 Class name.
OSTY_USER_NAME Char 20 291 310 The name associated with the user ID.
OSTY_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
OSTY_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
OSTY_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
OSTY_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
OSTY_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
OSTY_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
OSTY_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
OSTY_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
OSTY_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
OSTY_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
OSTY_UTK_SESSTYPE Char 8 362 369 The session type of this session.
OSTY_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
OSTY_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
OSTY_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
OSTY_UTK_SECL Char 8 386 393 The security label of the user.
OSTY_UTK_EXECNODE Char 8 395 402 The execution node of the work.
OSTY_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
OSTY_UTK_SNODE Char 8 413 420 The submitting node.
OSTY_UTK_SGRP_ID Char 8 422 429 The submitting group name.
OSTY_UTK_SPOE Char 8 431 438 The port of entry.
OSTY_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
OSTY_UTK_USER_ID Char 8 449 456 User ID associated with the record.
OSTY_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
OSTY_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
OSTY_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
OSTY_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
OSTY_AUDIT_CODE Char 11 494 504 Audit function code.
OSTY_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
OSTY_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
OSTY_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
OSTY_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
OSTY_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
OSTY_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
OSTY_TGT_REAL_UID Integer 10 572 581 Target real z/OS UNIX user identifier (UID).
OSTY_TGT_EFF_UID Integer 10 583 592 Target effective z/OS UNIX user identifier (UID).
OSTY_TGT_SAV_UID Integer 10 594 603 Target saved z/OS UNIX user identifier (UID).
OSTY_TGT_PID Integer 10 605 614 Target process ID.
OSTY_DFLT_PROCESS Yes/No 4 616 619 Default z/OS UNIX security environment in effect.
OSTY_UTK_NETW Char 8 621 628 The port of entry network name.
OSTY_X500_SUBJECT Char 255 630 884 Subject's name associated with this event.
OSTY_X500_ISSUER Char 255 886 1140 Issuer's name associated with this event.
OSTY_SERV_POENAME Char 64 1142 1205 SERVAUTH resource or profile name.
OSTY_CTX_USER Char 510 1207 1716 Authenticated user name.
OSTY_CTX_REG Char 255 1718 1972 Authenticated user registry name.
OSTY_CTX_HOST Char 128 1974 2101 Authenticated user host name.
OSTY_CTX_MECH Char 16 2103 2118 Authenticated user authentication mechanism object identifier (OID).
OSTY_IDID_USER Char 985 2120 3104 Authenticated distributed user name.
OSTY_IDID_REG Char 1021 3106 4126 Authenticated distributed user registry name.
Table 115. Event qualifiers for open subsidiary TTY records
Event qualifier Event qualifier number Event description
SUCCESS 00 Access allowed.
NOTAUTH 01 Not authorized to the specified process.

The RACLINK command record extension

Table 116 describes the format of a record that is created by a RACLINK command.
The event qualifiers that can be associated with a RACLINK command are shown in Table 117.
Table 116. Format of the RACLINK command record extension (event code 59)
Field name Type Length Position Comments
Start End
RACL_USER_NAME Char 20 282 301 The name associated with the user ID.
RACL_UTK_ENCR Yes/No 4 303 306 Is the UTOKEN associated with this user encrypted?
RACL_UTK_PRE19 Yes/No 4 308 311 Is this a pre-1.9 token?
RACL_UTK_VERPROF Yes/No 4 313 316 Is the VERIFYX propagation flag set?
RACL_UTK_NJEUNUSR Yes/No 4 318 321 Is this the NJE undefined user?
RACL_UTK_LOGUSR Yes/No 4 323 326 Is UAUDIT specified for this user?
RACL_UTK_SPECIAL Yes/No 4 328 331 Is this a SPECIAL user?
RACL_UTK_DEFAULT Yes/No 4 333 336 Is this a default token?
RACL_UTK_UNKNUSR Yes/No 4 338 341 Is this an undefined user?
RACL_UTK_ERROR Yes/No 4 343 346 Is this user token in error?
RACL_UTK_TRUSTED Yes/No 4 348 351 Is this user a part of the trusted computing base (TCB)?
RACL_UTK_SESSTYPE Char 8 353 360 The session type of this session.
RACL_UTK_SURROGAT Yes/No 4 362 365 Is this a surrogate user?
RACL_UTK_REMOTE Yes/No 4 367 370 Is this a remote job?
RACL_UTK_PRIV Yes/No 4 372 375 Is this a privileged user ID?
RACL_UTK_SECL Char 8 377 384 The security label of the user.
RACL_UTK_EXECNODE Char 8 386 393 The execution node of the work.
RACL_UTK_SUSER_ID Char 8 395 402 The submitting user ID.
RACL_UTK_SNODE Char 8 404 411 The submitting node.
RACL_UTK_SGRP_ID Char 8 413 420 The submitting group name.
RACL_UTK_SPOE Char 8 422 429 The port of entry.
RACL_UTK_SPCLASS Char 8 431 438 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
RACL_UTK_USER_ID Char 8 440 447 User ID associated with the record.
RACL_UTK_GRP_ID Char 8 449 456 Group name associated with the record.
RACL_UTK_DFT_GRP Yes/No 4 458 461 Is a default group assigned?
RACL_UTK_DFT_SECL Yes/No 4 463 466 Is a default security label assigned?
RACL_PHASE Char 20 468 487 Phase of this RACF command. Valid values are LOCAL ISSUANCE, TARGET PROCESSING, and TARGET RESPONSE.
RACL_ISSUE_NODE Char 8 489 496 Node that originated the command.
RACL_ISSUE_ID Char 8 498 505 User ID that originated the command.
RACL_SOURCE_ID Char 8 507 514 User ID for the association. From the ID keyword.
RACL_TGT_NODE Char 8 516 523 Node that is the destination of the command.
RACL_TGT_ID Char 8 525 532 User ID that is the destination of the command.
RACL_TGT_AUTH_ID Char 8 534 541 User ID under whose authority the association is established.
RACL_SOURCE_SMFID Char 4 543 546 SMF system identifier of the system that originated the command.
RACL_SOURCE_TIME Char 8 548 555 Time that the command originated.
RACL_SOURCE_DATE Char 10 557 566 Date that the command originated.
RACL_PWD_STATUS Char 8 568 575 Status of the password sent with the command. Valid values are:
SUPPLIED: A password was supplied on a DEFINE command. This value occurs only for a LOCAL ISSUANCE phase record or for a TARGET PROCESSING phase when the event number is 3.
VALID: The password that was supplied on a DEFINE command is correct. This value occurs only for TARGET PROCESSING and TARGET RESPONSE phase records.
NOTVALID: The password that was supplied on a DEFINE command is not correct. This value occurs only for a TARGET PROCESSING phase record.
EXPIRED: The password that was supplied on a DEFINE command is expired. This value occurs for a TARGET PROCESSING phase only.
REVOKED: The target user ID on the DEFINE command is revoked. This value occurs for a TARGET PROCESSING phase only.
NONE: No password was supplied for the DEFINE command. This value can occur for any phase record.
A blank value indicates that an UNDEFINE or APPROVE command was issued. Neither of these commands has a password.
RACL_ASSOC_STATUS Char 8 577 584 Status of the association. Valid values are PENDING, ESTAB, and DELETED.
RACL_SPECIFIED Char 1024 586 1609 The keywords specified.
RACL_UTK_NETW Char 8 1611 1618 The port of entry network name.
RACL_X500_SUBJECT Char 255 1620 1874 Subject's name associated with this event.
RACL_X500_ISSUER Char 255 1876 2130 Issuer's name associated with this event.
RACL_SERV_POENAME Char 64 2132 2195 SERVAUTH resource or profile name.
RACL_CTX_USER Char 510 2197 2706 Authenticated user name.
RACL_CTX_REG Char 255 2708 2962 Authenticated user registry name.
RACL_CTX_HOST Char 128 2964 3091 Authenticated user host name.
RACL_CTX_MECH Char 16 3093 3108 Authenticated user authentication mechanism object identifier (OID).
RACL_IDID_USER Char 985 3110 4094 Authenticated distributed user name.
RACL_IDID_REG Char 1021 4096 5116 Authenticated distributed user registry name.
Note: Records created for user IDs that are revoked have no UTOKEN information.
Table 117. Event qualifiers for RACLINK command records
Event qualifier Event qualifier number Event description
SUCCESS 00 Command successful.
INSAUTH 01 Insufficient authority (local issuance only).
-------- 02 Reserved for IBM's use.
ALRDYDEF 03 Association already defined.
ALRDYAPP 04 Association already approved.
NOMATCH 05 Association does not match.
NOTEXIST 06 Association does not exist.
INVPSWD 07 Invalid password.
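
An added example (not part of the IBM documentation): detection logic that slices the Table 116 columns out of RACLINK records and counts rejected DEFINE passwords per issuer and target. The records, node names, user IDs and the default threshold of 3 are constructed assumptions, and header columns 1 to 281 are left blank.

```python
"""Count rejected RACLINK DEFINE passwords using the columns of Table 116."""
from collections import Counter

# 1-based inclusive Start/End columns copied from Table 116.
RACL = {
    "RACL_PHASE": (468, 487),
    "RACL_ISSUE_NODE": (489, 496),
    "RACL_ISSUE_ID": (498, 505),
    "RACL_TGT_NODE": (516, 523),
    "RACL_TGT_ID": (525, 532),
    "RACL_PWD_STATUS": (568, 575),
    "RACL_ASSOC_STATUS": (577, 584),
}

# Password statuses that Table 116 describes as a DEFINE that was not accepted.
REJECTED = {"NOTVALID", "EXPIRED", "REVOKED"}


def parse(record):
    """Slice each field by column; short records yield '' for missing fields."""
    return {name: record[s - 1:e].strip() for name, (s, e) in RACL.items()}


def failed_defines(records, threshold=3):
    """Return {(issue_node, issue_id, tgt_node, tgt_id): count} for pairs with
    at least `threshold` rejected passwords.

    Only TARGET PROCESSING records are counted: that is the phase in which
    Table 116 says NOTVALID, EXPIRED and REVOKED occur, so one attempt is not
    counted again from its LOCAL ISSUANCE or TARGET RESPONSE record.
    """
    hits = Counter()
    for rec in records:
        f = parse(rec)
        if f["RACL_PHASE"] == "TARGET PROCESSING" and f["RACL_PWD_STATUS"] in REJECTED:
            key = (f["RACL_ISSUE_NODE"], f["RACL_ISSUE_ID"],
                   f["RACL_TGT_NODE"], f["RACL_TGT_ID"])
            hits[key] += 1
    return {k: n for k, n in hits.items() if n >= threshold}


def make(**values):
    """Build a constructed record with only the named fields filled in."""
    buf = [" "] * 584
    for name, text in values.items():
        s, e = RACL[name]
        buf[s - 1:e] = text.ljust(e - s + 1)
    return "".join(buf)


def attempt(phase, issue_id, tgt_id, pwd, assoc=""):
    # Node names NODEA and NODEB are constructed sample values.
    return make(RACL_PHASE=phase, RACL_ISSUE_NODE="NODEA", RACL_ISSUE_ID=issue_id,
                RACL_TGT_NODE="NODEB", RACL_TGT_ID=tgt_id,
                RACL_PWD_STATUS=pwd, RACL_ASSOC_STATUS=assoc)


# Constructed sample data, not taken from a real system.
SAMPLE_RECORDS = [
    attempt("LOCAL ISSUANCE", "USERA", "ADMIN1", "SUPPLIED", "PENDING"),
    attempt("TARGET PROCESSING", "USERA", "ADMIN1", "NOTVALID"),
    attempt("TARGET PROCESSING", "USERA", "ADMIN1", "NOTVALID"),
    attempt("TARGET PROCESSING", "USERA", "ADMIN1", "NOTVALID"),
    attempt("TARGET PROCESSING", "USERB", "USERB", "VALID", "PENDING"),
    attempt("TARGET PROCESSING", "USERC", "OLDID", "REVOKED"),
]

if __name__ == "__main__":
    for pair, count in failed_defines(SAMPLE_RECORDS).items():
        print(pair, count)
```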

The IPCCHK record extension

Table 118 describes the format of a record that is created by checking access to an IPC.
The event qualifiers that can be associated with a check IPC event are shown in Table 119.
Table 118. Format of the IPCCHK record extension (event code 60)
Field name Type Length Position Comments
Start End
ICHK_CLASS Char 8 282 289 Class name.
ICHK_USER_NAME Char 20 291 310 The name associated with the user ID.
ICHK_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
ICHK_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
ICHK_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
ICHK_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
ICHK_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
ICHK_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
ICHK_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
ICHK_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
ICHK_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
ICHK_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
ICHK_UTK_SESSTYPE Char 8 362 369 The session type of this session.
ICHK_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
ICHK_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
ICHK_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
ICHK_UTK_SECL Char 8 386 393 The security label of the user.
ICHK_UTK_EXECNODE Char 8 395 402 The execution node of the work.
ICHK_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
ICHK_UTK_SNODE Char 8 413 420 The submitting node.
ICHK_UTK_SGRP_ID Char 8 422 429 The submitting group name.
ICHK_UTK_SPOE Char 8 431 438 The port of entry.
ICHK_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
ICHK_UTK_USER_ID Char 8 449 456 User ID associated with the record.
ICHK_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
ICHK_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
ICHK_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
ICHK_APPC_LINK Char 16 477 492 Key to link together APPC records.
ICHK_AUDIT_CODE Char 11 494 504 Audit function code. For more information on the function codes, see z/OS Security Server RACF Callable Services.
ICHK_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
ICHK_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
ICHK_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
ICHK_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
ICHK_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
ICHK_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
ICHK_KEY_OWN_UID Integer 10 572 581 The owner z/OS UNIX user identifier (UID) associated with the key.
ICHK_KEY_OWN_GID Integer 10 583 592 The owner z/OS UNIX group identifier (GID) associated with the key.
ICHK_REQUEST_READ Yes/No 4 594 597 Did the requested access include read?
ICHK_REQUEST_WRITE Yes/No 4 599 602 Did the requested access include write?
ICHK_REQUEST_EXEC Yes/No 4 604 607 Did the requested access include execute?
ICHK_RESERVED_01 Yes/No 4 609 612 Reserved for IBM's use.
ICHK_ACCESS_TYPE Char 8 614 621 What bits were used in granting the access? Valid values are OWNER, GROUP, NO, and OTHER.
ICHK_ALLOWED_READ Yes/No 4 623 626 Was read access allowed?
ICHK_ALLOWED_WRITE Yes/No 4 628 631 Was write access allowed?
ICHK_RESERVED_02 Yes/No 4 633 636 Reserved for IBM's use.
ICHK_KEY Char 8 638 645 The key of the IPC resource.
ICHK_ID Integer 10 647 656 The unique decimal identifier of the IPC resource.
ICHK_CREATOR_UID Integer 10 658 667 The z/OS UNIX user identifier (UID) of the creator.
ICHK_CREATOR_GID Integer 10 669 678 The z/OS UNIX group identifier (GID) of the creator.
ICHK_DFLT_PROCESS Yes/No 4 680 683 Default z/OS UNIX security environment in effect.
ICHK_UTK_NETW Char 8 685 692 The port of entry network name.
ICHK_X500_SUBJECT Char 255 694 948 Subject's name associated with this event.
ICHK_X500_ISSUER Char 255 950 1204 Issuer's name associated with this event.
ICHK_SECL Char 8 1206 1213 Security label of the resource.
ICHK_SERV_POENAME Char 64 1215 1278 SERVAUTH resource or profile name.
ICHK_CTX_USER Char 510 1280 1789 Authenticated user name.
ICHK_CTX_REG Char 255 1791 2045 Authenticated user registry name.
ICHK_CTX_HOST Char 128 2047 2174 Authenticated user host name.
ICHK_CTX_MECH Char 16 2176 2191 Authenticated user authentication mechanism object identifier (OID).
ICHK_IDID_USER Char 985 2193 3177 Authenticated distributed user name.
ICHK_IDID_REG Char 1021 3179 4199 Authenticated distributed user registry name.
Table 119. Event qualifiers for check IPC records
Event qualifier Event qualifier number Event description
SUCCESS 00 Access allowed.
NOTAUTH 01 Not authorized to the resource.
INSSECL 02 Insufficient security label.

The IPCGET record extension

Table 120 describes the format of a record that is created by creating an IPC.
The event qualifiers that can be associated with an IPCGET event are shown in Table 121.
Table 120. Format of the IPCGET record extension (event code 61)
Field name Type Length Position Comments
Start End
IGET_CLASS Char 8 282 289 Class name.
IGET_USER_NAME Char 20 291 310 The name associated with the user ID.
IGET_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
IGET_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
IGET_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
IGET_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
IGET_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
IGET_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
IGET_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
IGET_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
IGET_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
IGET_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
IGET_UTK_SESSTYPE Char 8 362 369 The session type of this session.
IGET_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
IGET_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
IGET_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
IGET_UTK_SECL Char 8 386 393 The security label of the user.
IGET_UTK_EXECNODE Char 8 395 402 The execution node of the work.
IGET_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
IGET_UTK_SNODE Char 8 413 420 The submitting node.
IGET_UTK_SGRP_ID Char 8 422 429 The submitting group name.
IGET_UTK_SPOE Char 8 431 438 The port of entry.
IGET_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
IGET_UTK_USER_ID Char 8 449 456 User ID associated with the record.
IGET_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
IGET_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
IGET_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
IGET_APPC_LINK Char 16 477 492 Key to link together APPC records.
IGET_AUDIT_CODE Char 11 494 504 Audit function code. For more information on the function codes, see z/OS Security Server RACF Callable Services.
IGET_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
IGET_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
IGET_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
IGET_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
IGET_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
IGET_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
IGET_KEY_OWN_UID Integer 10 572 581 The owner z/OS UNIX user identifier (UID) associated with the key.
IGET_KEY_OWN_GID Integer 10 583 592 The owner z/OS UNIX group identifier (GID) associated with the key.
IGET_RESERVED_01 Yes/No 4 594 597 Reserved for IBM's use.
IGET_RESERVED_02 Yes/No 4 599 602 Reserved for IBM's use.
IGET_RESERVED_03 Yes/No 4 604 607 Reserved for IBM's use.
IGET_REQ_OWN_READ Yes/No 4 609 612 Was the owner READ bit requested on for this file?
IGET_REQ_OWN_WRITE Yes/No 4 614 617 Was the owner WRITE bit requested on for this file?
IGET_REQ_OWN_EXEC Yes/No 4 619 622 Was the owner EXECUTE bit requested on for this file?
IGET_REQ_GRP_READ Yes/No 4 624 627 Was the group READ bit requested on for this file?
IGET_REQ_GRP_WRITE Yes/No 4 629 632 Was the group WRITE bit requested on for this file?
IGET_REQ_GRP_EXEC Yes/No 4 634 637 Was the group EXECUTE bit requested on for this file?
IGET_REQ_OTH_READ Yes/No 4 639 642 Was the other READ bit requested on for this file?
IGET_REQ_OTH_WRITE Yes/No 4 644 647 Was the other WRITE bit requested on for this file?
IGET_REQ_OTH_EXEC Yes/No 4 649 652 Was the other EXECUTE bit requested on for this file?
IGET_KEY Char 8 654 661 The key of the IPC resource.
IGET_ID Integer 10 663 672 The unique decimal identifier of the IPC resource.
IGET_CREATOR_UID Integer 10 674 683 The z/OS UNIX user identifier (UID) of the creator.
IGET_CREATOR_GID Integer 10 685 694 The z/OS UNIX group identifier (GID) of the creator.
IGET_DFLT_PROCESS Yes/No 4 696 699 Default z/OS UNIX security environment in effect.
IGET_UTK_NETW Char 8 701 708 The port of entry network name.
IGET_X500_SUBJECT Char 255 710 964 Subject's name associated with this event.
IGET_X500_ISSUER Char 255 966 1220 Issuer's name associated with this event.
IGET_SECL Char 8 1222 1229 Security label of the resource.
IGET_SERV_POENAME Char 64 1231 1294 SERVAUTH resource or profile name.
IGET_CTX_USER Char 510 1296 1805 Authenticated user name.
IGET_CTX_REG Char 255 1807 2061 Authenticated user registry name.
IGET_CTX_HOST Char 128 2063 2190 Authenticated user host name.
IGET_CTX_MECH Char 16 2192 2207 Authenticated user authentication mechanism object identifier (OID).
IGET_IDID_USER Char 985 2209 3193 Authenticated distributed user name.
IGET_IDID_REG Char 1021 3195 4215 Authenticated distributed user registry name.
Table 121. Event qualifiers for IPCGET records
Event qualifier Event qualifier number Event description
SUCCESS 00 Access allowed.
INSSECL 02 Insufficient security label.

The IPCCTL record extension

Table 122 describes the format of a record that is created by the IPCCTL function.
The event qualifiers that can be associated with an IPCCTL event are shown in Table 123.
Table 122. Format of the IPCCTL record extension (event code 62)
Field name Type Length Position Comments
Start End
ICTL_CLASS Char 8 282 289 Class name.
ICTL_USER_NAME Char 20 291 310 The name associated with the user ID.
ICTL_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
ICTL_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
ICTL_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
ICTL_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
ICTL_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
ICTL_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
ICTL_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
ICTL_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
ICTL_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
ICTL_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
ICTL_UTK_SESSTYPE Char 8 362 369 The session type of this session.
ICTL_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
ICTL_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
ICTL_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
ICTL_UTK_SECL Char 8 386 393 The security label of the user.
ICTL_UTK_EXECNODE Char 8 395 402 The execution node of the work.
ICTL_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
ICTL_UTK_SNODE Char 8 413 420 The submitting node.
ICTL_UTK_SGRP_ID Char 8 422 429 The submitting group name.
ICTL_UTK_SPOE Char 8 431 438 The port of entry.
ICTL_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
ICTL_UTK_USER_ID Char 8 449 456 User ID associated with the record.
ICTL_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
ICTL_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
ICTL_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
ICTL_APPC_LINK Char 16 477 492 Key to link together APPC records.
ICTL_AUDIT_CODE Char 11 494 504 Audit function code. For more information on the function codes, see z/OS Security Server RACF Callable Services.
ICTL_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
ICTL_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
ICTL_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
ICTL_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
ICTL_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
ICTL_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
ICTL_KEY_OWN_UID Integer 10 572 581 The owner z/OS UNIX user identifier (UID) associated with the key.
ICTL_KEY_OWN_GID Integer 10 583 592 The owner z/OS UNIX group identifier (GID) associated with the key.
ICTL_UID Integer 10 594 603 The owner z/OS UNIX user identifier (UID) input parameter.
ICTL_GID Integer 10 605 614 The owner z/OS UNIX group identifier (GID) input parameter.
ICTL_RESERVED_01 Yes/No 4 616 619 Reserved for IBM's use.
ICTL_RESERVED_02 Yes/No 4 621 624 Reserved for IBM's use.
ICTL_RESERVED_03 Yes/No 4 626 629 Reserved for IBM's use.
ICTL_OLD_OWN_READ Yes/No 4 631 634 Was the owner READ bit on for this file?
ICTL_OLD_OWN_WRITE Yes/No 4 636 639 Was the owner WRITE bit on for this file?
ICTL_OLD_OWN_EXEC Yes/No 4 641 644 Was the owner EXECUTE bit on for this file?
ICTL_OLD_GRP_READ Yes/No 4 646 649 Was the group READ bit on for this file?
ICTL_OLD_GRP_WRITE Yes/No 4 651 654 Was the group WRITE bit on for this file?
ICTL_OLD_GRP_EXEC Yes/No 4 656 659 Was the group EXECUTE bit on for this file?
ICTL_OLD_OTH_READ Yes/No 4 661 664 Was the other READ bit on for this file?
ICTL_OLD_OTH_WRITE Yes/No 4 666 669 Was the other WRITE bit on for this file?
ICTL_OLD_OTH_EXEC Yes/No 4 671 674 Was the other EXECUTE bit on for this file?
ICTL_RESERVED_04 Yes/No 4 676 679 Reserved for IBM's use.
ICTL_RESERVED_05 Yes/No 4 681 684 Reserved for IBM's use.
ICTL_RESERVED_06 Yes/No 4 686 689 Reserved for IBM's use.
ICTL_NEW_OWN_READ Yes/No 4 691 694 Is the owner READ bit on for this file?
ICTL_NEW_OWN_WRITE Yes/No 4 696 699 Is the owner WRITE bit on for this file?
ICTL_NEW_OWN_EXEC Yes/No 4 701 704 Is the owner EXECUTE bit on for this file?
ICTL_NEW_GRP_READ Yes/No 4 706 709 Is the group READ bit on for this file?
ICTL_NEW_GRP_WRITE Yes/No 4 711 714 Is the group WRITE bit on for this file?
ICTL_NEW_GRP_EXEC Yes/No 4 716 719 Is the group EXECUTE bit on for this file?
ICTL_NEW_OTH_READ Yes/No 4 721 724 Is the other READ bit on for this file?
ICTL_NEW_OTH_WRITE Yes/No 4 726 729 Is the other WRITE bit on for this file?
ICTL_NEW_OTH_EXEC Yes/No 4 731 734 Is the other EXECUTE bit on for this file?
ICTL_SERVICE_CODE Char 11 736 746 The service that was being processed.
ICTL_RESERVED_07 Yes/No 4 748 751 Reserved for IBM's use.
ICTL_RESERVED_08 Yes/No 4 753 756 Reserved for IBM's use.
ICTL_RESERVED_09 Yes/No 4 758 761 Reserved for IBM's use.
ICTL_REQ_OWN_READ Yes/No 4 763 766 Was the owner READ bit requested on for this file?
ICTL_REQ_OWN_WRITE Yes/No 4 768 771 Was the owner WRITE bit requested on for this file?
ICTL_REQ_OWN_EXEC Yes/No 4 773 776 Was the owner EXECUTE bit requested on for this file?
ICTL_REQ_GRP_READ Yes/No 4 778 781 Was the group READ bit requested on for this file?
ICTL_REQ_GRP_WRITE Yes/No 4 783 786 Was the group WRITE bit requested on for this file?
ICTL_REQ_GRP_EXEC Yes/No 4 788 791 Was the group EXECUTE bit requested on for this file?
ICTL_REQ_OTH_READ Yes/No 4 793 796 Was the other READ bit requested on for this file?
ICTL_REQ_OTH_WRITE Yes/No 4 798 801 Was the other WRITE bit requested on for this file?
ICTL_REQ_OTH_EXEC Yes/No 4 803 806 Was the other EXECUTE bit requested on for this file?
ICTL_KEY Char 8 808 815 The key of the IPC resource.
ICTL_ID Integer 10 817 826 The unique decimal identifier of the IPC resource.
ICTL_CREATOR_UID Integer 10 828 837 The z/OS UNIX user identifier (UID) of the creator.
ICTL_CREATOR_GID Integer 10 839 848 The z/OS UNIX group identifier (GID) of the creator.
ICTL_DFLT_PROCESS Yes/No 4 850 853 Default z/OS UNIX security environment in effect.
ICTL_UTK_NETW Char 8 855 862 The port of entry network name.
ICTL_X500_SUBJECT Char 255 864 1118 Subject's name associated with this event.
ICTL_X500_ISSUER Char 255 1120 1374 Issuer's name associated with this event.
ICTL_SECL Char 8 1376 1383 Security label of the resource.
ICTL_SERV_POENAME Char 64 1385 1448 SERVAUTH resource or profile name.
ICTL_CTX_USER Char 510 1450 1959 Authenticated user name.
ICTL_CTX_REG Char 255 1961 2215 Authenticated user registry name.
ICTL_CTX_HOST Char 128 2217 2344 Authenticated user host name.
ICTL_CTX_MECH Char 16 2346 2361 Authenticated user authentication mechanism object identifier (OID).
ICTL_IDID_USER Char 985 2363 3347 Authenticated distributed user name.
ICTL_IDID_REG Char 1021 3349 4369 Authenticated distributed user registry name.
Table 123. Event qualifiers for IPCCTL records
Event qualifier Event qualifier number Event description
SUCCESS 00 Access allowed.
NOTAUTH 01 Not authorized to the resource.
INSSECL 02 Insufficient security label.
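
An added example (not part of the IBM documentation): it turns the Start/End columns of Table 122 into slices and compares the OLD and NEW permission fields to flag an IPC resource that was opened to "other". The sample record is constructed, header columns 1 to 281 are left blank, and it is assumed that Yes/No fields hold YES or NO padded with blanks.

```python
"""Compare OLD and NEW IPC permission bits in an IPCCTL (event code 62) record."""

CLASSES = ("OWN", "GRP", "OTH")
ACCESS = ("READ", "WRITE", "EXEC")


def bit_positions(first_start):
    """Map e.g. 'GRP_WRITE' to its 1-based (start, end) columns.

    Each group in Table 122 is nine 4-column Yes/No fields separated by one
    blank, so consecutive fields start 5 columns apart.
    """
    names = [f"{c}_{a}" for c in CLASSES for a in ACCESS]
    return {n: (first_start + 5 * i, first_start + 5 * i + 3)
            for i, n in enumerate(names)}


OLD_BITS = bit_positions(631)  # ICTL_OLD_OWN_READ .. ICTL_OLD_OTH_EXEC
NEW_BITS = bit_positions(691)  # ICTL_NEW_OWN_READ .. ICTL_NEW_OTH_EXEC
SCALARS = {                    # Start/End columns copied from Table 122
    "ICTL_UTK_USER_ID": (449, 456),
    "ICTL_KEY": (808, 815),
    "ICTL_ID": (817, 826),
    "ICTL_CREATOR_UID": (828, 837),
}


def field(record, start, end):
    """Text in 1-based inclusive columns start..end, blanks trimmed.

    A record shorter than `end` (trailing blanks lost in transfer) gives ''.
    """
    return record[start - 1:end].strip()


def is_yes(record, pos):
    # Assumption: Yes/No fields hold 'YES' or 'NO' padded to 4 columns.
    return field(record, *pos) == "YES"


def mode(record, table):
    """Render one nine-field group as an rwxrwxrwx style string."""
    return "".join(ch if is_yes(record, table[f"{c}_{a}"]) else "-"
                   for c in CLASSES for a, ch in zip(ACCESS, "rwx"))


def to_int(text):
    """Integer fields are 10 columns wide; a blank field becomes None."""
    return int(text) if text.isdigit() else None


def analyze(record):
    """Summarise the permission change recorded in one IPCCTL record."""
    added = [n for n in OLD_BITS
             if is_yes(record, NEW_BITS[n]) and not is_yes(record, OLD_BITS[n])]
    return {
        "user": field(record, *SCALARS["ICTL_UTK_USER_ID"]),
        "key": field(record, *SCALARS["ICTL_KEY"]),
        "ipc_id": to_int(field(record, *SCALARS["ICTL_ID"])),
        "creator_uid": to_int(field(record, *SCALARS["ICTL_CREATOR_UID"])),
        "old_mode": mode(record, OLD_BITS),
        "new_mode": mode(record, NEW_BITS),
        "added": added,
        "opened_to_other": any(n.startswith("OTH_") for n in added),
    }


def build_sample():
    """Constructed record: header columns 1-281 blank, all values invented."""
    buf = [" "] * 4369  # Table 122 ends at column 4369

    def put(pos, text):
        start, end = pos
        buf[start - 1:end] = text.ljust(end - start + 1)

    put(SCALARS["ICTL_UTK_USER_ID"], "APPUSR1")
    put(SCALARS["ICTL_KEY"], "0000A1B2")
    put(SCALARS["ICTL_ID"], "0000000042")
    for name, pos in OLD_BITS.items():
        put(pos, "YES" if name in ("OWN_READ", "OWN_WRITE") else "NO")
    for name, pos in NEW_BITS.items():
        put(pos, "YES" if name in ("OWN_READ", "OWN_WRITE",
                                   "OTH_READ", "OTH_WRITE") else "NO")
    return "".join(buf).rstrip()  # trailing blanks dropped, as a transfer may do


SAMPLE = build_sample()

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Filtering on event type and qualifier uses the header columns before position 282, which are outside the tables in this section.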

The SETGROUP record extension

Table 124 describes the format of a record that is created by checking the owner of a file.
The event qualifiers that can be associated with the SETGROUP function are shown in Table 125.
Table 124. Format of the SETGROUP record extension (event code 63)
Field name Type Length Position Comments
Start End
SETG_CLASS Char 8 282 289 Class name.
SETG_USER_NAME Char 20 291 310 The name associated with the user ID.
SETG_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
SETG_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
SETG_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
SETG_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
SETG_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
SETG_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
SETG_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
SETG_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
SETG_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
SETG_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
SETG_UTK_SESSTYPE Char 8 362 369 The session type of this session.
SETG_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
SETG_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
SETG_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
SETG_UTK_SECL Char 8 386 393 The security label of the user.
SETG_UTK_EXECNODE Char 8 395 402 The execution node of the work.
SETG_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
SETG_UTK_SNODE Char 8 413 420 The submitting node.
SETG_UTK_SGRP_ID Char 8 422 429 The submitting group name.
SETG_UTK_SPOE Char 8 431 438 The port of entry.
SETG_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
SETG_UTK_USER_ID Char 8 449 456 User ID associated with the record.
SETG_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
SETG_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
SETG_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
SETG_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
SETG_AUDIT_CODE Char 11 494 504 Audit function code. For more information on the function codes, see z/OS Security Server RACF Callable Services.
SETG_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
SETG_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
SETG_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
SETG_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
SETG_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
SETG_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
SETG_DCE_LINK Char 16 572 587 Link to connect DCE records that originate from a single DCE request.
SETG_AUTH_TYPE Char 13 589 601 Defines the type of request. Valid values are: SERVER, AUTH_CLIENT, and UNAUTH_CLIENT.
SETG_DFLT_PROCESS Yes/No 4 603 606 Default z/OS UNIX security environment in effect.
SETG_UTK_NETW Char 8 608 615 The port of entry network name.
SETG_X500_SUBJECT Char 255 617 871 Subject's name associated with this event.
SETG_X500_ISSUER Char 255 873 1127 Issuer's name associated with this event.
SETG_SERV_POENAME Char 64 1129 1192 SERVAUTH resource or profile name.
SETG_CTX_USER Char 510 1194 1703 Authenticated user name.
SETG_CTX_REG Char 255 1705 1959 Authenticated user registry name.
SETG_CTX_HOST Char 128 1961 2088 Authenticated user host name.
SETG_CTX_MECH Char 16 2090 2105 Authenticated user authentication mechanism object identifier (OID).
SETG_IDID_USER Char 985 2107 3091 Authenticated distributed user name.
SETG_IDID_REG Char 1021 3093 4113 Authenticated distributed user registry name.
Table 125. Event qualifiers for SETGROUP records
Event qualifier Event qualifier number Event description
SUCCESS 00 Process successfully initialized.
NOTAUTH 01 User does not have superuser authority.

The CKOWN2 record extension

Table 126 describes the format of a record that is created by checking the owner of a file.
The event qualifiers that can be associated with checking a file's owner are shown in Table 127.
Table 126. Format of the CKOWN2 record extension (event code 64)
Field name Type Length Position Comments
Start End
CKO2_CLASS Char 8 282 289 Class name.
CKO2_USER_NAME Char 20 291 310 The name associated with the user ID.
CKO2_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
CKO2_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
CKO2_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
CKO2_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
CKO2_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
CKO2_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
CKO2_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
CKO2_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
CKO2_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
CKO2_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
CKO2_UTK_SESSTYPE Char 8 362 369 The session type of this session.
CKO2_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
CKO2_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
CKO2_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
CKO2_UTK_SECL Char 8 386 393 The security label of the user.
CKO2_UTK_EXECNODE Char 8 395 402 The execution node of the work.
CKO2_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
CKO2_UTK_SNODE Char 8 413 420 The submitting node.
CKO2_UTK_SGRP_ID Char 8 422 429 The submitting group name.
CKO2_UTK_SPOE Char 8 431 438 The port of entry.
CKO2_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
CKO2_UTK_USER_ID Char 8 449 456 User ID associated with the record.
CKO2_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
CKO2_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
CKO2_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
CKO2_APPC_LINK Char 16 477 492 Key to link together APPC records.
CKO2_AUDIT_CODE Char 11 494 504 Audit function code. For more information on the function codes, see z/OS Security Server RACF Callable Services.
CKO2_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
CKO2_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
CKO2_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
CKO2_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
CKO2_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
CKO2_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
CKO2_PATH_NAME Char 1023 572 1594 The requested path name.
CKO2_FILE1_ID Char 32 1596 1627 First file ID.
CKO2_FILE1_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the first file.
CKO2_FILE1_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the first file.
CKO2_FILE2_ID Char 32 1651 1682 Second requested file ID.
CKO2_FILE2_OWN_UID Integer 10 1684 1693 z/OS UNIX user identifier (UID) of the owner of the second file.
CKO2_FILE2_OWN_GID Integer 10 1695 1704 z/OS UNIX group identifier (GID) of the owner of the second file.
CKO2_DCE_LINK Char 16 1706 1721 Link to connect DCE records that originate from a single DCE request.
CKO2_AUTH_TYPE Char 13 1723 1735 Defines the type of request. Valid values are: SERVER, AUTH_CLIENT, and UNAUTH_CLIENT.
CKO2_DFLT_PROCESS Yes/No 4 1737 1740 Default z/OS UNIX security environment in effect.
CKO2_UTK_NETW Char 8 1742 1749 The port of entry network name.
CKO2_X500_SUBJECT Char 255 1751 2005 Subject's name associated with this event.
CKO2_X500_ISSUER Char 255 2007 2261 Issuer's name associated with this event.
CKO2_SECL Char 8 2263 2270 Security label of the resource.
CKO2_SERV_POENAME Char 64 2272 2335 SERVAUTH resource or profile name.
CKO2_CTX_USER Char 510 2337 2846 Authenticated user name.
CKO2_CTX_REG Char 255 2848 3102 Authenticated user registry name.
CKO2_CTX_HOST Char 128 3104 3231 Authenticated user host name.
CKO2_CTX_MECH Char 16 3233 3248 Authenticated user authentication mechanism object identifier (OID).
CKO2_IDID_USER Char 985 3250 4234 Authenticated distributed user name.
CKO2_IDID_REG Char 1021 4236 5256 Authenticated distributed user registry name.
Table 127. Event qualifiers for CKOWN2 records
Event qualifier Event qualifier number Event description
OWNER 00 Access allowed.
NOTOWNER 01 The user is not the owner.
INSSECL 02 Insufficient security label.

The access rights record extension

Table 128 describes the format of a record that is created when access rights are passed.
The event qualifier that can be associated with access rights records is shown in Table 129.
Table 128. Format of the access rights record extension (event code 65)
Field name Type Length Position Comments
Start End
ACCR_CLASS Char 8 282 289 Class name.
ACCR_USER_NAME Char 20 291 310 The name associated with the user ID
ACCR_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
ACCR_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
ACCR_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
ACCR_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
ACCR_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
ACCR_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
ACCR_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
ACCR_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
ACCR_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
ACCR_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
ACCR_UTK_SESSTYPE Char 8 362 369 The session type of this session
ACCR_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
ACCR_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
ACCR_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
ACCR_UTK_SECL Char 8 386 393 The security label of the user
ACCR_UTK_EXECNODE Char 8 395 402 The execution node of the work
ACCR_UTK_SUSER_ID Char 8 404 411 The submitting user ID
ACCR_UTK_SNODE Char 8 413 420 The submitting node
ACCR_UTK_SGRP_ID Char 8 422 429 The submitting group name
ACCR_UTK_SPOE Char 8 431 438 The port of entry
ACCR_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
ACCR_UTK_USER_ID Char 8 449 456 User ID associated with the record
ACCR_UTK_GRP_ID Char 8 458 465 Group name associated with the record
ACCR_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
ACCR_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
ACCR_APPC_LINK Char 16 477 492 Key to link together APPC records
ACCR_AUDIT_CODE Char 11 494 504 Audit function code
ACCR_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID)
ACCR_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
ACCR_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
ACCR_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
ACCR_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
ACCR_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
ACCR_PATH_NAME Char 1023 572 1594 The requested path name
ACCR_FILE1_ID Char 32 1596 1627 File ID
ACCR_DFLT_PROCESS Yes/No 4 1629 1632 Default z/OS UNIX security environment in effect.
ACCR_UTK_NETW Char 8 1634 1641 The port of entry network name.
ACCR_X500_SUBJECT Char 255 1643 1897 Subject's name associated with this event.
ACCR_X500_ISSUER Char 255 1899 2153 Issuer's name associated with this event.
ACCR_SERV_POENAME Char 64 2155 2218 SERVAUTH resource or profile name.
ACCR_CTX_USER Char 510 2220 2729 Authenticated user name.
ACCR_CTX_REG Char 255 2731 2985 Authenticated user registry name.
ACCR_CTX_HOST Char 128 2987 3114 Authenticated user host name.
ACCR_CTX_MECH Char 16 3116 3131 Authenticated user authentication mechanism object identifier (OID).
ACCR_IDID_USER Char 985 3133 4117 Authenticated distributed user name.
ACCR_IDID_REG Char 1021 4119 5139 Authenticated distributed user registry name.
Table 129. Event qualifiers for access rights records
Event qualifier Event qualifier number Event description
SUCCESS 00 Access rights are passed. There are no failure cases for this event.

The RACDCERT command record extension

Table 130 describes the format of a record that is created by the RACDCERT command.
The event qualifiers that can be associated with the RACDCERT command are shown in Table 131.
Table 130. Format of the RACDCERT command extension (event code 66)
Field name Type Length Position Comments
Start End
RACD_USER_NAME Char 20 282 301 The name associated with the user ID.
RACD_UTK_ENCR Yes/No 4 303 306 Is the UTOKEN associated with this user encrypted?
RACD_UTK_PRE19 Yes/No 4 308 311 Is this a pre-1.9 token?
RACD_UTK_VERPROF Yes/No 4 313 316 Is the VERIFYX propagation flag set?
RACD_UTK_NJEUNUSR Yes/No 4 318 321 Is this the NJE undefined user?
RACD_UTK_LOGUSR Yes/No 4 323 326 Is UAUDIT specified for this user?
RACD_UTK_SPECIAL Yes/No 4 328 331 Is this a SPECIAL user?
RACD_UTK_DEFAULT Yes/No 4 333 336 Is this a default token?
RACD_UTK_UNKNUSR Yes/No 4 338 341 Is this an undefined user?
RACD_UTK_ERROR Yes/No 4 343 346 Is this user token in error?
RACD_UTK_TRUSTED Yes/No 4 348 351 Is this user a part of the trusted computing base (TCB)?
RACD_UTK_SESSTYPE Char 8 353 360 The session type of this session.
RACD_UTK_SURROGAT Yes/No 4 362 365 Is this a surrogate user?
RACD_UTK_REMOTE Yes/No 4 367 370 Is this a remote job?
RACD_UTK_PRIV Yes/No 4 372 375 Is this a privileged user ID?
RACD_UTK_SECL Char 8 377 384 The security label of the user.
RACD_UTK_EXECNODE Char 8 386 393 The execution node of the work.
RACD_UTK_SUSER_ID Char 8 395 402 The submitting user ID.
RACD_UTK_SNODE Char 8 404 411 The submitting node.
RACD_UTK_SGRP_ID Char 8 413 420 The submitting group name.
RACD_UTK_SPOE Char 8 422 429 The port of entry.
RACD_UTK_SPCLASS Char 8 431 438 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT
RACD_UTK_USER_ID Char 8 440 447 User ID associated with the record.
RACD_UTK_GRP_ID Char 8 449 456 Group name associated with the record.
RACD_UTK_DFT_GRP Yes/No 4 458 461 Is a default group assigned?
RACD_UTK_DFT_SECL Yes/No 4 463 466 Is a default security label assigned?
RACD_SERIAL_NUMBER Char 255 468 722 Certificate serial number.
RACD_ISSUERS_DN Char 255 724 978 Certificate issuer's distinguished name.
RACD_CERT_DS Char 44 980 1023 Data set name containing the certificate.
RACD_SPECIFIED Char 1024 1025 2048 The keywords specified.
RACD_UTK_NETW Char 8 2050 2057 The port of entry network name.
RACD_X500_SUBJECT Char 255 2059 2313 Subject's name associated with this event.
RACD_X500_ISSUER Char 255 2315 2569 Issuer's name associated with this event.
RACD_SERV_POENAME Char 64 2571 2634 SERVAUTH resource or profile name.
RACD_CTX_USER Char 510 2636 3145 Authenticated user name.
RACD_CTX_REG Char 255 3147 3401 Authenticated user registry name.
RACD_CTX_HOST Char 128 3403 3530 Authenticated user host name.
RACD_CTX_MECH Char 16 3532 3547 Authenticated user authentication mechanism object identifier (OID).
RACD_PKDS_LABEL Char 64 3549 3612 PKDS label.
RACD_TOKEN Char 32 3614 3645 Token name.
RACD_IDID_USER Char 985 3647 4631 Authenticated distributed user name.
RACD_IDID_REG Char 1021 4633 5653 Authenticated distributed user registry name.
RACD_CERT_FGRPRNT Char 64 5655 5718 Certificate SHA256 fingerprint in printable hex
Table 131. Event qualifiers for RACDCERT command records
Event qualifier Event qualifier number Event description
SUCCESS 00 Command successful.
INSAUTH 01 Insufficient authority.

The InitACEE record extension

Table 132 describes the format of a record that is created by InitACEE.
The event qualifiers that can be associated with InitACEE records are shown in Table 133.
Table 132. Format of the InitACEE record extension (event code 67)
Field name Type Length Position Comments
Start End
INTA_USER_NAME Char 20 282 301 The name associated with the user ID.
INTA_UTK_ENCR Yes/No 4 303 306 Is the UTOKEN associated with this user encrypted?
INTA_UTK_PRE19 Yes/No 4 308 311 Is this a pre-1.9 token?
INTA_UTK_VERPROF Yes/No 4 313 316 Is the VERIFYX propagation flag set?
INTA_UTK_NJEUNUSR Yes/No 4 318 321 Is this the NJE undefined user?
INTA_UTK_LOGUSR Yes/No 4 323 326 Is UAUDIT specified for this user?
INTA_UTK_SPECIAL Yes/No 4 328 331 Is this a SPECIAL user?
INTA_UTK_DEFAULT Yes/No 4 333 336 Is this a default token?
INTA_UTK_UNKNUSR Yes/No 4 338 341 Is this an undefined user?
INTA_UTK_ERROR Yes/No 4 343 346 Is this user token in error?
INTA_UTK_TRUSTED Yes/No 4 348 351 Is this user a part of the trusted computing base (TCB)?
INTA_UTK_SESSTYPE Char 8 353 360 The session type of this session.
INTA_UTK_SURROGAT Yes/No 4 362 365 Is this a surrogate user?
INTA_UTK_REMOTE Yes/No 4 367 370 Is this a remote job?
INTA_UTK_PRIV Yes/No 4 372 375 Is this a privileged user ID?
INTA_UTK_SECL Char 8 377 384 The security label of the user.
INTA_UTK_EXECNODE Char 8 386 393 The execution node of the work.
INTA_UTK_SUSER_ID Char 8 395 402 The submitting user ID.
INTA_UTK_SNODE Char 8 404 411 The submitting node.
INTA_UTK_SGRP_ID Char 8 413 420 The submitting group name.
INTA_UTK_SPOE Char 8 422 429 The port of entry.
INTA_UTK_SPCLASS Char 8 431 438 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT
INTA_UTK_USER_ID Char 8 440 447 User ID associated with the record.
INTA_UTK_GRP_ID Char 8 449 456 Group name associated with the record.
INTA_UTK_DFT_GRP Yes/No 4 458 461 Is a default group assigned?
INTA_UTK_DFT_SECL Yes/No 4 463 466 Is a default security label assigned?
INTA_SERIAL_NUMBER Char 255 468 722 Certificate serial number.
INTA_ISSUERS_DN Char 255 724 978 Certificate issuer's distinguished name.
INTA_UTK_NETW Char 8 980 987 The port of entry network name.
INTA_X500_SUBJECT Char 255 989 1243 Subject's name associated with this event.
INTA_X500_ISSUER Char 255 1245 1499 Issuer's name associated with this event.
INTA_SERVSECL Char 8 1501 1508 Security label of server.
INTA_SERV_POENAME Char 64 1510 1573 SERVAUTH resource or profile name.
INTA_CTX_USER Char 510 1575 2084 Authenticated user name.
INTA_CTX_REG Char 255 2086 2340 Authenticated user registry name.
INTA_CTX_HOST Char 128 2342 2469 Authenticated user host name.
INTA_CTX_MECH Char 16 2471 2486 Authenticated user authentication mechanism object identifier (OID).
INTA_IDID_USER Char 985 2488 3472 Authenticated distributed user name.
INTA_IDID_REG Char 1021 3474 4494 Authenticated distributed user registry name.
INTA_CERT_FGRPRNT Char 64 4496 4559 Certificate SHA256 fingerprint in printable hex.
INTA_IDT_USER Char 8 4561 4568 User ID from specified ACEE for generate IDT function
INTA_APPL Char 8 4570 4577 Application name specified to initACEE for generate IDT function
INTA_IDT_BUILD_RSNC Char 8 4579 4586 IDT Build Reason Code
INTA_SERVICE_CODE Char 8 4588 4595 Failing Service Identifier
INTA_SERVICE_RC Char 8 4597 4604 Failing Service Return Code
INTA_SERVICE_RSNC Char 8 4606 4613 Failing Service Reason Code
Table 133. Event qualifiers for InitACEE records
Event qualifier Event qualifier number Event description
SUCCSREG 00 Successful certificate registration.
SUCCSDER 01 Successful certificate deregistration.
INSAUREG 02 Insufficient authority to register the certificate.
INSAUDER 03 Insufficient authority to unregister the certificate.
NOUSRFND 04 No user ID found for the certificate.
CERNTRS 05 The certificate is not trusted.
SUCCSRCA 06 Successful CERTAUTH certificate registration.
INSAURCA 07 Insufficient authority to register the CERTAUTH certificate.
SECLSRVM 08 Mismatch with server's security label.
CERTRESV 09 A SITE or CERTAUTH certificate was used to authenticate a user.
DIDNOTDF 10 No RACF user ID found for distributed identity.
SUCCSIDT 11 Successful IDT generated from ACEE.
FAILIDT 12 Failed attempting to generate IDT from ACEE.

The Network Authentication Service record extension

Table 134 describes the format of a record that is created by the Network Authentication Service.
The event qualifiers that can be associated with Network Authentication Service records are shown in Table 135.
Table 134. Format of the Network Authentication Service record extension (event code 68)
Field name Type Length Position Comments
Start End
KTKT_PRINCIPAL Char 240 282 521 The Kerberos principal name.
KTKT_LOGIN_SOURCE Char 22 523 544 The Kerberos login request source.
KTKT_KDC_STAT_CODE Char 10 546 555 The Kerberos KDC status code.
Table 135. Event qualifiers for Network Authentication Service records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful grant of initial Kerberos ticket.
FAILURE 01 Unsuccessful grant of initial Kerberos ticket.
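
The following added example (not part of the original reference, and not IBM code) slices the event code 68 fields out of unloaded records using the column positions in Table 134 and counts repeated FAILURE qualifiers per principal and login source. It assumes the common record header, which is defined outside this section, carries the event type name in columns 1-8 and the event qualifier in columns 10-17, and that event code 68 is unloaded under the type name KTICKET; the sample records and the `build_record` helper are constructed for illustration.

```python
from collections import Counter

# Table 134: (field name, start, end) as 1-based inclusive column positions.
KTKT_LAYOUT = [
    ("KTKT_PRINCIPAL", 282, 521),
    ("KTKT_LOGIN_SOURCE", 523, 544),
    ("KTKT_KDC_STAT_CODE", 546, 555),
]
# Table 135: the only qualifiers defined for event code 68.
KTKT_QUALIFIERS = {"SUCCESS", "FAILURE"}

# ASSUMPTIONS (not defined in this section): header columns 1-8 hold the event
# type name, columns 10-17 hold the event qualifier, and event code 68 is
# unloaded under the type name "KTICKET".
HDR_EVENT_TYPE = (1, 8)
HDR_EVENT_QUAL = (10, 17)
KTKT_EVENT_TYPE = "KTICKET"


def column(record, start, end):
    """Return columns start..end (1-based, inclusive) without padding blanks."""
    # A record shorter than `end` (trailing blanks trimmed during transfer)
    # yields a short or empty value instead of raising.
    return record[start - 1:end].strip()


def parse_ktkt(record):
    """Parse one unloaded record; return None if it is not event code 68."""
    record = record.rstrip("\r\n")
    if column(record, *HDR_EVENT_TYPE) != KTKT_EVENT_TYPE:
        return None
    event = {"EVENT_QUAL": column(record, *HDR_EVENT_QUAL)}
    for name, start, end in KTKT_LAYOUT:
        event[name] = column(record, start, end)
    # Surface qualifiers that Table 135 does not define rather than hiding them.
    event["QUAL_KNOWN"] = event["EVENT_QUAL"] in KTKT_QUALIFIERS
    return event


def repeated_failures(records, threshold=3):
    """Map (principal, login source) to its FAILURE count when >= threshold."""
    failures = Counter()
    for record in records:
        event = parse_ktkt(record)
        if event and event["EVENT_QUAL"] == "FAILURE":
            key = (event["KTKT_PRINCIPAL"], event["KTKT_LOGIN_SOURCE"])
            failures[key] += 1
    return {key: count for key, count in failures.items() if count >= threshold}


def build_record(event_type, qualifier, principal="", source="", stat=""):
    """Build a constructed 555-column sample record (illustration only)."""
    buf = [" "] * 555

    def put(text, start, end):
        width = end - start + 1
        buf[start - 1:end] = text.ljust(width)[:width]

    put(event_type, *HDR_EVENT_TYPE)
    put(qualifier, *HDR_EVENT_QUAL)
    for (_, start, end), value in zip(KTKT_LAYOUT, (principal, source, stat)):
        put(value, start, end)
    return "".join(buf)


# Constructed sample input: principals, sources and status codes are made up.
SAMPLE_RECORDS = [
    build_record("KTICKET", "FAILURE", "alice@EXAMPLE.COM", "192.0.2.10", "24"),
    build_record("KTICKET", "FAILURE", "alice@EXAMPLE.COM", "192.0.2.10", "24"),
    build_record("KTICKET", "SUCCESS", "alice@EXAMPLE.COM", "192.0.2.10", "0"),
    build_record("KTICKET", "FAILURE", "alice@EXAMPLE.COM", "192.0.2.10", "24"),
    build_record("KTICKET", "FAILURE", "bob@EXAMPLE.COM", "192.0.2.44", "24"),
    build_record("ACCESS", "SUCCESS"),  # other event type, must be skipped
]
# A record cut off at column 400: the principal survives, later fields do not.
TRUNCATED_RECORD = build_record(
    "KTICKET", "FAILURE", "carol@EXAMPLE.COM", "192.0.2.77", "24"
)[:400]

if __name__ == "__main__":
    for (principal, source), count in repeated_failures(SAMPLE_RECORDS).items():
        print(f"{count} failed initial ticket requests: {principal} from {source}")
```

The same `column` helper works for any table in this section, because every table gives positions as 1-based inclusive start and end columns with a one-column separator between fields.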

The RPKIGENC record extension

Table 136 describes the format of a record that is created by RPKIGENC.
The event qualifiers that can be associated with RPKIGENC records are shown in Table 137.
Table 136. Format of the RPKIGENC record extension (event code 69)
Field name Type Length Position Comments
Start End
RPKG_LOGSTRING Char 255 282 536 Logstring parameter.
RPKG_USER_NAME Char 20 538 557 The name associated with the user ID.
RPKG_UTK_ENCR Yes/No 4 559 562 Is the UTOKEN associated with this user encrypted?
RPKG_UTK_PRE19 Yes/No 4 564 567 Is this a pre-1.9 token?
RPKG_UTK_VERPROF Yes/No 4 569 572 Is the VERIFYX propagation flag set?
RPKG_UTK_NJEUNUSR Yes/No 4 574 577 Is this the NJE undefined user?
RPKG_UTK_LOGUSR Yes/No 4 579 582 Is UAUDIT specified for this user?
RPKG_UTK_SPECIAL Yes/No 4 584 587 Is this a SPECIAL user?
RPKG_UTK_DEFAULT Yes/No 4 589 592 Is this a default token?
RPKG_UTK_UNKNUSR Yes/No 4 594 597 Is this an undefined user?
RPKG_UTK_ERROR Yes/No 4 599 602 Is this user token in error?
RPKG_UTK_TRUSTED Yes/No 4 604 607 Is this user a part of the TCB?
RPKG_UTK_SESSTYPE Char 8 609 616 The session type of this session.
RPKG_UTK_SURROGAT Yes/No 4 618 621 Is this a surrogate user?
RPKG_UTK_REMOTE Yes/No 4 623 626 Is this a remote job?
RPKG_UTK_PRIV Yes/No 4 628 631 Is this a privileged user ID?
RPKG_UTK_SECL Char 8 633 640 The security label of the user.
RPKG_UTK_EXECNODE Char 8 642 649 The execution node of the work.
RPKG_UTK_SUSER_ID Char 8 651 658 The submitting user ID.
RPKG_UTK_SNODE Char 8 660 667 The submitting node.
RPKG_UTK_SGRP_ID Char 8 669 676 The submitting group name.
RPKG_UTK_SPOE Char 8 678 685 The port of entry.
RPKG_UTK_SPCLASS Char 8 687 694 Class of the POE.
RPKG_UTK_USER_ID Char 8 696 703 User ID associated with the record.
RPKG_UTK_GRP_ID Char 8 705 712 Group name associated with the record.
RPKG_UTK_DFT_GRP Yes/No 4 714 717 Is a default group assigned?
RPKG_UTK_DFT_SECL Yes/No 4 719 722 Is a default security label assigned?
RPKG_SERIAL_NUMBER Char 255 724 978 Certificate serial number.
RPKG_ISSUERS_DN Char 255 980 1234 Certificate issuer's distinguished name.
RPKG_UTK_NETW Char 8 1236 1243 The port of entry network name.
RPKG_X500_SUBJECT Char 255 1245 1499 Subject's name associated with this event.
RPKG_X500_ISSUER Char 255 1501 1755 Issuer's name associated with this event.
RPKG_KEYUSAGE Char 64 1757 1820 Requested certificate KeyUsage.
RPKG_NOTBEFOR_DATE Char 10 1822 1831 Requested certificate NotBefore date.
RPKG_NOTAFTER_DATE Char 10 1833 1842 Requested certificate NotAfter date.
RPKG_TARGET_USERID Char 8 1844 1851 IRRSPX00 target user ID.
RPKG_TARGET_LABEL Char 32 1853 1884 IRRSPX00 target label.
RPKG_SIGNWITH Char 45 1886 1930 IRRSPX00 SignWith value.
RPKG_SUBJECTS_DN Char 255 1932 2186 Certificate subject's distinguished name.
RPKG_ALT_IP Char 64 2188 2251 Requested ALTNAME IP address.
RPKG_ALT_URI Char 255 2253 2507 Requested ALTNAME URI.
RPKG_ALT_EMAIL Char 100 2509 2608 Requested ALTNAME EMail.
RPKG_ALT_DOMAIN Char 100 2610 2709 Requested ALTNAME Domain.
RPKG_CERT_ID Char 56 2711 2766 IRRSPX00 Certificate ID.
RPKG_HOSTID_MAP Char 1024 2768 3791 HOSTID mappings extension data.
RPKG_REQUESTOR Char 32 3793 3824 Requester's name.
RPKG_PASS_PHRASE Yes/No 4 3826 3829 Requester specified a pass phrase.
RPKG_NOTIFY_EMAIL Char 64 3831 3894 Email address for notification purposes.
RPKG_EXTKEYUSAGE Char 255 3896 4150 Requested Extended KeyUsage.
RPKG_CERTPOLICIES Char 32 4152 4183 Policies for certificate usage.
RPKG_AUTHINFOACC Char 1024 4185 5208 AuthorityInfoAccess extension data.
RPKG_CRITICAL Char 255 5210 5464 Extensions marked critical.
RPKG_SERV_POENAME Char 64 5466 5529 SERVAUTH resource or profile name.
RPKG_ALT_OTHER Char 1024 5531 6554 Requested ALTNAME OtherName
RPKG_CA_DOMAIN Char 8 6556 6563 Domain name of target PKI Services instance
RPKG_CTX_USER Char 510 6565 7074 Authenticated user name.
RPKG_CTX_REG Char 255 7076 7330 Authenticated user registry name.
RPKG_CTX_HOST Char 128 7332 7459 Authenticated user host name.
RPKG_CTX_MECH Char 16 7461 7476 Authenticated user authentication mechanism object identifier (OID).
RPKG_KEY_SIZE Char 4 7478 7481 Key size
RPKG_IDID_USER_UTF8 Char 246 7483 7728 Authenticated distributed user name in UTF-8.
RPKG_IDID_USER_EBCDIC Char 738 7730 8467 Authenticated distributed user name in EBCDIC.
RPKG_IDID_REG_UTF8 Char 255 8469 8723 Authenticated distributed registry name in UTF-8.
RPKG_IDID_REG_EBCDIC Char 765 8725 9489 Authenticated distributed registry name in EBCDIC.
RPKG_KEY_ALG Char 10 9491 9500 Key algorithm.
RPKG_CUSTOM_EXT Char 1024 9502 10525 Customized extension.
RPKG_RECORD_LINK Char 32 10527 10558 Field to link audit records together.
RPKG_CERT_FGRPRNT Char 64 10560 10623 Subject Certificate SHA256 fingerprint in printable hex value
Table 137. Event qualifiers for RPKIGENC records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful certificate GENCERT request.
INSAUTH 01 Unsuccessful certificate GENCERT request because of insufficient authority.
SUCCSRQC 02 Successful certificate REQCERT request.
IAUTHRQC 03 Unsuccessful certificate REQCERT request because of insufficient authority.
SUCCSGNR 04 Successful certificate GENRENEW request.
IAUTHGNR 05 Unsuccessful certificate GENRENEW request because of insufficient authority.
SUCCSRQR 06 Successful certificate REQRENEW request.
IAUTHRQR 07 Unsuccessful certificate REQRENEW request because of insufficient authority.
SUCCSPRG 08 Successful PREREGISTER request.
IAUTHPRG 09 Insufficient authority for PREREGISTER

The RPKIEXPT record extension

Table 138 describes the format of a record that is created by RPKIEXPT.
The event qualifiers that can be associated with RPKIEXPT records are shown in Table 139.
Table 138. Format of the RPKIEXPT record extension (event code 70)
Field name Type Length Position Comments
Start End
RPKE_LOGSTRING Char 255 282 536 Logstring parameter.
RPKE_USER_NAME Char 20 538 557 The name associated with the user ID.
RPKE_UTK_ENCR Yes/No 4 559 562 Is the UTOKEN associated with this user encrypted?
RPKE_UTK_PRE19 Yes/No 4 564 567 Is this a pre-1.9 token?
RPKE_UTK_VERPROF Yes/No 4 569 572 Is the VERIFYX propagation flag set?
RPKE_UTK_NJEUNUSR Yes/No 4 574 577 Is this the NJE undefined user?
RPKE_UTK_LOGUSR Yes/No 4 579 582 Is UAUDIT specified for this user?
RPKE_UTK_SPECIAL Yes/No 4 584 587 Is this a SPECIAL user?
RPKE_UTK_DEFAULT Yes/No 4 589 592 Is this a default token?
RPKE_UTK_UNKNUSR Yes/No 4 594 597 Is this an undefined user?
RPKE_UTK_ERROR Yes/No 4 599 602 Is this user token in error?
RPKE_UTK_TRUSTED Yes/No 4 604 607 Is this user a part of the TCB?
RPKE_UTK_SESSTYPE Char 8 609 616 The session type of this session.
RPKE_UTK_SURROGAT Yes/No 4 618 621 Is this a surrogate user?
RPKE_UTK_REMOTE Yes/No 4 623 626 Is this a remote job?
RPKE_UTK_PRIV Yes/No 4 628 631 Is this a privileged user ID?
RPKE_UTK_SECL Char 8 633 640 The security label of the user.
RPKE_UTK_EXECNODE Char 8 642 649 The execution node of the work.
RPKE_UTK_SUSER_ID Char 8 651 658 The submitting user ID.
RPKE_UTK_SNODE Char 8 660 667 The submitting node.
RPKE_UTK_SGRP_ID Char 8 669 676 The submitting group name.
RPKE_UTK_SPOE Char 8 678 685 The port of entry.
RPKE_UTK_SPCLASS Char 8 687 694 Class of the POE.
RPKE_UTK_USER_ID Char 8 696 703 User ID associated with the record.
RPKE_UTK_GRP_ID Char 8 705 712 Group name associated with the record.
RPKE_UTK_DFT_GRP Yes/No 4 714 717 Is a default group assigned?
RPKE_UTK_DFT_SECL Yes/No 4 719 722 Is a default security label assigned?
RPKE_UTK_NETW Char 8 724 731 The port of entry network name.
RPKE_X500_SUBJECT Char 255 733 987 Subject's name associated with this event.
RPKE_X500_ISSUER Char 255 989 1243 Issuer's name associated with this event.
RPKE_TARGET_USERID Char 8 1245 1252 IRRSPX00 target user ID.
RPKE_TARGET_LABEL Char 32 1254 1285 IRRSPX00 target label.
RPKE_CERT_ID Char 56 1287 1342 IRRSPX00 certificate ID.
RPKE_PASS_PHRASE Yes/No 4 1344 1347 Requestor specified a pass phrase.
RPKE_SERV_POENAME Char 64 1349 1412 SERVAUTH resource or profile name.
RPKE_CA_DOMAIN Char 8 1414 1421 Domain name of target PKI Services instance.
RPKE_CTX_USER Char 510 1423 1932 Authenticated user name.
RPKE_CTX_REG Char 255 1934 2188 Authenticated user registry name.
RPKE_CTX_HOST Char 128 2190 2317 Authenticated user host name.
RPKE_CTX_MECH Char 16 2319 2334 Authenticated user authentication mechanism object identifier (OID).
RPKE_KEY_ID Char 40 2336 2375 Hash of the public key generated by PKI Services.
RPKE_IDID_USER Char 985 2377 3361 Authenticated distributed user name.
RPKE_IDID_REG Char 1021 3363 4383 Authenticated distributed user registry name.
RPKG_CERT_FGRPRNT Char 64 4385 4448 Subject Certificate SHA256 fingerprint in printable hex value
Table 139. Event qualifiers for RPKIEXPT records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful certificate EXPORT request.
INSAUTH 01 Unsuccessful certificate EXPORT request because of insufficient authority.
INCORPHR 02 Incorrect pass phrase specified for EXPORT.

The Policy Director Authorization Services record extension

Table 140 describes the format of a record that is created for Policy Director Authorization Services.
The event qualifiers that can be associated with Policy Director Authorization Services records are shown in Table 141.
Table 140. Format of Policy Director Authorization Services record extension (event code 71)
Field name Type Length Position Comments
Start End
PDAC_OBJECT Char 4096 282 4377 The Policy Director Authorization Services protected object.
PDAC_REQ_PERMS Char 1024 4379 5402 The requested Policy Director Authorization Services permissions.
PDAC_HOST_USERID Char 8 5404 5411 The Policy Director Authorization Services principal user ID.
PDAC_PRINCIPAL Char 36 5413 5448 The Policy Director Authorization Services principal ID string.
PDAC_QOP Integer 10 5450 5459 The Policy Director Authorization Services quality of protection value.
PDAC_CRED_TYPE Char 30 5461 5490 The Policy Director Authorization Services credential type. The valid types are: "UNAUTHENTICATED" and "AUTHENTICATED"
Table 141. Event qualifiers for Policy Director Authorization Services records
Event qualifier Event qualifier number Event description
AUTH 00 Authorized to access protected object.
UNAUTHW 01 Not authorized to access protected object but permitted because of warning mode.
INSTRAVW 02 Not authorized to access protected object because of insufficient traverse authority but permitted because of warning mode.
TODW 03 Not authorized to access protected object because of time-of-day check but permitted because of warning mode.
UNAUTH 04 Not authorized to access protected object.
INSTRAV 05 Not authorized to access protected object because of insufficient traverse authority.
TOD 06 Not authorized to access protected object because of time-of-day check.

The RPKIREAD record extension

Table 142 describes the format of a record that is created by RPKIREAD.
The event qualifiers that can be associated with RPKIREAD records are shown in Table 143.
Table 142. Format of the RPKIREAD record extension (event code 72)
Field name Type Length Position Comments
Start End
RPKR_APPL Char 8 282 289 Logstring parameter.
RPKR_LOGSTRING Char 255 291 545 Logstring parameter.
RPKR_USER_NAME Char 20 547 566 The name associated with the user ID.
RPKR_UTK_ENCR Yes/No 4 568 571 Is the UTOKEN associated with this user encrypted?
RPKR_UTK_PRE19 Yes/No 4 573 576 Is this a pre-1.9 token?
RPKR_UTK_VERPROF Yes/No 4 578 581 Is the VERIFYX propagation flag set?
RPKR_UTK_NJEUNUSR Yes/No 4 583 586 Is this the NJE undefined user?
RPKR_UTK_LOGUSR Yes/No 4 588 591 Is UAUDIT specified for this user?
RPKR_UTK_SPECIAL Yes/No 4 593 596 Is this a SPECIAL user?
RPKR_UTK_DEFAULT Yes/No 4 598 601 Is this a default token?
RPKR_UTK_UNKNUSR Yes/No 4 603 606 Is this an undefined user?
RPKR_UTK_ERROR Yes/No 4 608 611 Is this user token in error?
RPKR_UTK_TRUSTED Yes/No 4 613 616 Is this user a part of the TCB?
RPKR_UTK_SESSTYPE Char 8 618 625 The session type of this session.
RPKR_UTK_SURROGAT Yes/No 4 627 630 Is this a surrogate user?
RPKR_UTK_REMOTE Yes/No 4 632 635 Is this a remote job?
RPKR_UTK_PRIV Yes/No 4 637 640 Is this a privileged user ID?
RPKR_UTK_SECL Char 8 642 649 The security label of the user.
RPKR_UTK_EXECNODE Char 8 651 658 The execution node of the work.
RPKR_UTK_SUSER_ID Char 8 660 667 The submitting user ID.
RPKR_UTK_SNODE Char 8 669 676 The submitting node.
RPKR_UTK_SGRP_ID Char 8 678 685 The submitting group name.
RPKR_UTK_SPOE Char 8 687 694 The port of entry.
RPKR_UTK_SPCLASS Char 8 696 703 Class of the POE.
RPKR_UTK_USER_ID Char 8 705 712 User ID associated with the record.
RPKR_UTK_GRP_ID Char 8 714 721 Group name associated with the record.
RPKR_UTK_DFT_GRP Yes/No 4 723 726 Is a default group assigned?
RPKR_UTK_DFT_SECL Yes/No 4 728 731 Is a default security label assigned?
RPKR_SERIAL_NUMBER Char 255 733 987 Certificate serial number.
RPKR_ISSUERS_DN Char 255 989 1243 Certificate issuer's distinguished name.
RPKR_UTK_NETW Char 8 1245 1252 The port of entry network name.
RPKR_X500_SUBJECT Char 255 1254 1508 Subject's name associated with this event.
RPKR_X500_ISSUER Char 255 1510 1764 Issuer's name associated with this event.
RPKR_KEYUSAGE Char 64 1766 1829 Requested certificate KeyUsage.
RPKR_NOTBEFOR_DATE Char 10 1831 1840 Requested certificate NotBefore date.
RPKR_NOTAFTER_DATE Char 10 1842 1851 Requested certificate NotAfter date.
RPKR_SUBJECTS_DN Char 255 1853 2107 Certificate subject's distinguished name.
RPKR_CERT_ID Char 56 2109 2164 IRRSPX00 Certificate ID.
RPKR_REQUESTOR Char 32 2166 2197 Requester's name.
RPKR_STATUS Char 32 2199 2230 Requester certificate status.
RPKR_CREATION_DATE Char 10 2232 2241 Requester certificate creation date (YYYY/MM/DD).
RPKR_LAST_MOD_DATE Char 10 2243 2252 Requester certificate last modification date (YYYY/MM/DD).
RPKR_PREV_SERIAL Char 255 2254 2508 Requester's previous serial number.
RPKR_NOTIFY_EMAIL Char 64 2510 2573 Email address for notification purposes.
RPKR_EXTKEYUSAG Char 255 2575 2829 Requested Extended KeyUsage.
RPKR_SERV_POENAME Char 64 2831 2894 SERVAUTH resource or profile name.
RPKR_CA_DOMAIN Char 8 2896 2903 Domain name of target PKI Services instance.
RPKR_CTX_USER Char 510 2905 3414 Authenticated user name.
RPKR_CTX_REG Char 255 3416 3670 Authenticated user registry name.
RPKR_CTX_HOST Char 128 3672 3799 Authenticated user host name.
RPKR_CTX_MECH Char 16 3801 3816 Authenticated user authentication mechanism object identifier (OID).
RPKR_KEY_ID Char 40 3818 3857 Hash of the public key generated by PKI Services.
RPKR_IDID_USER Char 985 3859 4843 Authenticated distributed user name.
RPKR_IDID_REG Char 1021 4845 5865 Authenticated distributed user registry name.
RPKR_KEY_SIZE Char 4 5867 5870 Key size
RPKR_KEY_ALG Char 10 5872 5881 Key algorithm
RPKR_SIGN_ALG Char 32 5883 5914 Signing algorithm of a certificate request or a certificate
RPKR_APPROVAL_REQ Integer 2 5916 5917 Number of approvals required for the request
RPKR_APPROVAL_CNT Integer 2 5919 5920 Count of approvals performed
Table 143. Event qualifiers for RPKIREAD records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful admin QUERY or DETAILS request.
INSAUTH 01 Unsuccessful certificate admin QUERY or DETAILS request because of insufficient authority.
SUCCSVFY 02 Successful certificate VERIFY request.
IAUTHVFY 03 Unsuccessful certificate VERIFY request because of insufficient authority.
INCORCRT 04 Incorrect VERIFY certificate, no record found for this certificate.

The RPKIUPDR record extension

Table 144 describes the format of a record that is created by RPKIUPDR.
The event qualifiers that can be associated with RPKIUPDR records are shown in Table 145.
Table 144. Format of the RPKIUPDR record extension (event code 73)
Field name Type Length Position Comments
Start End
RPKU_LOGSTRING Char 255 282 536 Logstring parameter.
RPKU_USER_NAME Char 20 538 557 The name associated with the user ID.
RPKU_UTK_ENCR Yes/No 4 559 562 Is the UTOKEN associated with this user encrypted?
RPKU_UTK_PRE19 Yes/No 4 564 567 Is this a pre-1.9 token?
RPKU_UTK_VERPROF Yes/No 4 569 572 Is the VERIFYX propagation flag set?
RPKU_UTK_NJEUNUSR Yes/No 4 574 577 Is this the NJE undefined user?
RPKU_UTK_LOGUSR Yes/No 4 579 582 Is UAUDIT specified for this user?
RPKU_UTK_SPECIAL Yes/No 4 584 587 Is this a SPECIAL user?
RPKU_UTK_DEFAULT Yes/No 4 589 592 Is this a default token?
RPKU_UTK_UNKNUSR Yes/No 4 594 597 Is this an undefined user?
RPKU_UTK_ERROR Yes/No 4 599 602 Is this user token in error?
RPKU_UTK_TRUSTED Yes/No 4 604 607 Is this user a part of the TCB?
RPKU_UTK_SESSTYPE Char 8 609 616 The session type of this session.
RPKU_UTK_SURROGAT Yes/No 4 618 621 Is this a surrogate user?
RPKU_UTK_REMOTE Yes/No 4 623 626 Is this a remote job?
RPKU_UTK_PRIV Yes/No 4 628 631 Is this a privileged user ID?
RPKU_UTK_SECL Char 8 633 640 The security label of the user.
RPKU_UTK_EXECNODE Char 8 642 649 The execution node of the work.
RPKU_UTK_SUSER_ID Char 8 651 658 The submitting user ID.
RPKU_UTK_SNODE Char 8 660 667 The submitting node.
RPKU_UTK_SGRP_ID Char 8 669 676 The submitting group name.
RPKU_UTK_SPOE Char 8 678 685 The port of entry.
RPKU_UTK_SPCLASS Char 8 687 694 Class of the POE.
RPKU_UTK_USER_ID Char 8 696 703 User ID associated with the record.
RPKU_UTK_GRP_ID Char 8 705 712 Group name associated with the record.
RPKU_UTK_DFT_GRP Yes/No 4 714 717 Is a default group assigned?
RPKU_UTK_DFT_SECL Yes/No 4 719 722 Is a default security label assigned?
RPKU_UTK_NETW Char 8 724 731 The port of entry network name.
RPKU_X500_SUBJECT Char 255 733 987 Subject's name associated with this event.
RPKU_X500_ISSUER Char 255 989 1243 Issuer's name associated with this event.
RPKU_KEYUSAGE Char 64 1245 1308 Requested certificate KeyUsage.
RPKU_NOTBEFOR_DATE Char 10 1310 1319 Requested certificate NotBefore date.
RPKU_NOTAFTER_DATE Char 10 1321 1330 Requested certificate NotAfter date.
RPKU_SUBJECTS_DN Char 255 1332 1586 Certificate subject's distinguished name.
RPKU_ALT_IP Char 64 1588 1651 Requested ALTNAME IP address.
RPKU_ALT_URI Char 255 1653 1907 Requested ALTNAME URI.
RPKU_ALT_EMAIL Char 100 1909 2008 Requested ALTNAME EMail.
RPKU_ALT_DOMAIN Char 100 2010 2109 Requested ALTNAME Domain.
RPKU_CERT_ID Char 56 2111 2166 IRRSPX00 Certificate ID.
RPKU_HOSTID_MAP Char 1024 2168 3191 HOSTID mappings extension data.
RPKU_ACTION Char 16 3193 3208 Action taken against certificate request.
RPKU_ACTION_COM Char 64 3210 3273 Comment for the action on the certificate request.
RPKU_EXTKEYUSAGE Char 255 3275 3529 Requested Extended KeyUsage.
RPKU_CERTPOLICIES Char 32 3531 3562 Policies for certificate usage.
RPKU_AUTHINFOACC Char 1024 3564 4587 AuthorityInfoAccess extension data.
RPKU_CRITICAL Char 255 4589 4843 Extensions marked critical.
RPKU_SERV_POENAME Char 64 4845 4908 SERVAUTH resource or profile name.
RPKU_ALT_OTHER Char 1024 4910 5933 Requested ALTNAME OtherName.
RPKU_CA_DOMAIN Char 8 5935 5942 Domain name of target PKI Services instance.
RPKU_CTX_USER Char 510 5944 6453 Authenticated user name.
RPKU_CTX_REG Char 255 6455 6709 Authenticated user registry name.
RPKU_CTX_HOST Char 128 6711 6838 Authenticated user host name.
RPKU_CTX_MECH Char 16 6840 6855 Authenticated user authentication mechanism object identifier (OID).
RPKU_IDID_USER_UTF8 Char 246 6857 7102 Authenticated distributed user name in UTF-8.
RPKU_IDID_USER_EBCDIC Char 738 7104 7841 Authenticated distributed user name in EBCDIC.
RPKU_IDID_REG_UTF8 Char 255 7843 8097 Authenticated distributed registry name in UTF-8.
RPKU_IDID_REG_EBCDIC Char 765 8099 8863 Authenticated distributed registry name in EBCDIC.
RPKU_CUSTOM_EXT Char 1024 8865 9888 Customized extension.
RPKU_RECORD_LINK Char 32 9890 9921 Field to link audit records together.
Table 145. Event qualifiers for RPKIUPDR records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful admin UPDATEREQ request.
INSAUTH 01 Unsuccessful admin UPDATEREQ request because of insufficient authority.

The RPKIUPDC record extension

Table 146 describes the format of a record that is created by RPKIUPDC.
The event qualifiers that can be associated with RPKIUPDC records are shown in Table 147.
Table 146. Format of the RPKIUPDC record extension (event code 74)
Field name Type Length Position Comments
Start End
RPKC_LOGSTRING Char 255 282 536 Logstring parameter.
RPKC_USER_NAME Char 20 538 557 The name associated with the user ID.
RPKC_UTK_ENCR Yes/No 4 559 562 Is the UTOKEN associated with this user encrypted?
RPKC_UTK_PRE19 Yes/No 4 564 567 Is this a pre-1.9 token?
RPKC_UTK_VERPROF Yes/No 4 569 572 Is the VERIFYX propagation flag set?
RPKC_UTK_NJEUNUSR Yes/No 4 574 577 Is this the NJE undefined user?
RPKC_UTK_LOGUSR Yes/No 4 579 582 Is UAUDIT specified for this user?
RPKC_UTK_SPECIAL Yes/No 4 584 587 Is this a SPECIAL user?
RPKC_UTK_DEFAULT Yes/No 4 589 592 Is this a default token?
RPKC_UTK_UNKNUSR Yes/No 4 594 597 Is this an undefined user?
RPKC_UTK_ERROR Yes/No 4 599 602 Is this user token in error?
RPKC_UTK_TRUSTED Yes/No 4 604 607 Is this user a part of the TCB?
RPKC_UTK_SESSTYPE Char 8 609 616 The session type of this session.
RPKC_UTK_SURROGAT Yes/No 4 618 621 Is this a surrogate user?
RPKC_UTK_REMOTE Yes/No 4 623 626 Is this a remote job?
RPKC_UTK_PRIV Yes/No 4 628 631 Is this a privileged user ID?
RPKC_UTK_SECL Char 8 633 640 The security label of the user.
RPKC_UTK_EXECNODE Char 8 642 649 The execution node of the work.
RPKC_UTK_SUSER_ID Char 8 651 658 The submitting user ID.
RPKC_UTK_SNODE Char 8 660 667 The submitting node.
RPKC_UTK_SGRP_ID Char 8 669 676 The submitting group name.
RPKC_UTK_SPOE Char 8 678 685 The port of entry.
RPKC_UTK_SPCLASS Char 8 687 694 Class of the POE.
RPKC_UTK_USER_ID Char 8 696 703 User ID associated with the record.
RPKC_UTK_GRP_ID Char 8 705 712 Group name associated with the record.
RPKC_UTK_DFT_GRP Yes/No 4 714 717 Is a default group assigned?
RPKC_UTK_DFT_SECL Yes/No 4 719 722 Is a default security label assigned?
RPKC_SERIAL_NUMBER Char 255 724 978 Certificate serial number.
RPKC_UTK_NETW Char 8 980 987 The port of entry network name.
RPKC_X500_SUBJECT Char 255 989 1243 Subject's name associated with this event.
RPKC_X500_ISSUER Char 255 1245 1499 Issuer's name associated with this event.
RPKC_ACTION Char 16 1501 1516 Action taken against certificate request.
RPKC_ACTION_COM Char 64 1518 1581 Comment for the certificate request.
RPKC_REVOKE_RSN Char 32 1583 1614 Reason for certificate revocation.
RPKC_SERV_POENAME Char 64 1616 1679 SERVAUTH resource or profile name.
RPKC_CA_DOMAIN Char 8 1681 1688 Domain name of target PKI Services instance.
RPKC_CTX_USER Char 510 1690 2199 Authenticated user name.
RPKC_CTX_REG Char 255 2201 2455 Authenticated user registry name.
RPKC_CTX_HOST Char 128 2457 2584 Authenticated user host name.
RPKC_CTX_MECH Char 16 2586 2601 Authenticated user authentication mechanism object identifier (OID).
RPKC_REQUESTOR_EMAIL Char 32 2603 2634 New email address of the requester.
RPKC_IDID_USER Char 985 2636 3620 Authenticated distributed user name.
RPKC_IDID_REG Char 1021 3622 4642 Authenticated distributed user registry name.
RPKC_CERT_FGRPRNT Char 64 4644 4707 Subject Certificate SHA256 fingerprint in printable hex value
Table 147. Event qualifiers for RPKIUPDC records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful admin UPDATECERT request.
INSAUTH 01 Unsuccessful admin UPDATECERT request because of insufficient authority.
SUCCSRVK 02 Successful certificate REVOKE request.
IAUTHRVK 03 Unsuccessful certificate REVOKE request because of insufficient authority.

The SETFACL record extension

Table 148 describes the format of a record that is created by adding, modifying, or deleting an access control list entry of a z/OS UNIX file.
The event qualifiers that can be associated with an access control list modification event are shown in Table 149.
Table 148. Format of the SETFACL record extension (event code 75)
Field name Type Length Position Comments
Start End
SACL_CLASS Char 8 282 289 Class name.
SACL_USER_NAME Char 20 291 310 The name associated with the user ID.
SACL_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
SACL_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
SACL_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
SACL_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
SACL_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
SACL_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
SACL_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
SACL_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
SACL_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
SACL_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
SACL_UTK_SESSTYPE Char 8 362 369 The session type of this session.
SACL_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
SACL_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
SACL_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
SACL_UTK_SECL Char 8 386 393 The security label of the user.
SACL_UTK_EXECNODE Char 8 395 402 The execution node of the work.
SACL_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
SACL_UTK_SNODE Char 8 413 420 The submitting node.
SACL_UTK_SGRP_ID Char 8 422 429 The submitting group name.
SACL_UTK_SPOE Char 8 431 438 The port of entry.
SACL_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
SACL_UTK_USER_ID Char 8 449 456 User ID associated with the record.
SACL_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
SACL_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
SACL_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
SACL_APPC_LINK Char 16 477 492 Key to link together APPC records.
SACL_AUDIT_CODE Char 11 494 504 Audit function code.
SACL_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
SACL_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
SACL_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
SACL_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
SACL_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
SACL_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
SACL_PATH_NAME Char 1023 572 1594 The requested path name.
SACL_FILE_ID Char 32 1596 1627 File ID.
SACL_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
SACL_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
SACL_FILEPOOL Char 8 1651 1658 SFS filepool containing the BFS file.
SACL_FILESPACE Char 8 1660 1667 SFS filespace containing the BFS file.
SACL_INODE Integer 10 1669 1678 Inode (file serial number)
SACL_SCID Integer 10 1680 1689 File SCID
SACL_DCE_LINK Char 16 1691 1706 Link to connect DCE records that originate from a DCE request
SACL_AUTH_TYPE Char 13 1708 1720 Defines the type of request. Valid values are: SERVER, AUTH_CLIENT, and UNAUTH_CLIENT.
SACL_DFLT_PROCESS Yes/No 4 1722 1725 Default z/OS UNIX security environment in effect
SACL_UTK_NETW Char 8 1727 1734 Port of entry network name
SACL_X500_SUBJECT Char 255 1736 1990 Subject's name associated with this request.
SACL_X500_ISSUER Char 255 1992 2246 Issuer's name associated with this request
SACL_ACL_TYPE Char 8 2248 2255 What type of ACL is this? Valid values are ACCESS, FILEMOD, and DIRMOD.
SACL_OPTYPE Char 8 2257 2264 ACL entry operation. Valid values are ADD, MODIFY, and DELETE.
SACL_ENTRY_TYPE Char 3 2266 2268 ACL entry type. Valid values are UID and GID.
SACL_ENTRY_ID Integer 10 2270 2279 UID or GID value in the ACL entry.
SACL_OLD_READ Yes/No 4 2281 2284 Was the READ bit on for this entry? (blank when SACL_OPTYPE is ADD)
SACL_OLD_WRITE Yes/No 4 2286 2289 Was the WRITE bit on for this entry? (blank when SACL_OPTYPE is ADD)
SACL_OLD_EXECUTE Yes/No 4 2291 2294 Was the EXECUTE bit on for this entry? (blank when SACL_OPTYPE is ADD)
SACL_NEW_READ Yes/No 4 2296 2299 Was the READ bit on for this entry? (blank when SACL_OPTYPE is DELETE)
SACL_NEW_WRITE Yes/No 4 2301 2304 Was the WRITE bit on for this entry? (blank when SACL_OPTYPE is DELETE)
SACL_NEW_EXECUTE Yes/No 4 2306 2309 Was the EXECUTE bit on for this entry? (blank when SACL_OPTYPE is DELETE)
SACL_SECL Char 8 2311 2318 Security label of the resource.
SACL_SERV_POENAME Char 64 2320 2383 SERVAUTH resource or profile name.
SACL_CTX_USER Char 510 2385 2894 Authenticated user name.
SACL_CTX_REG Char 255 2896 3150 Authenticated user registry name.
SACL_CTX_HOST Char 128 3152 3279 Authenticated user host name.
SACL_CTX_MECH Char 16 3281 3296 Authenticated user authentication mechanism object identifier (OID).
SACL_IDID_USER Char 985 3298 4282 Authenticated distributed user name.
SACL_IDID_REG Char 1021 4284 5304 Authenticated distributed user registry name.
Table 149. Event qualifiers for SETFACL records
Event qualifier Event qualifier number Event description
SUCCESS 00 ACL entry added, modified, or deleted.
INSAUTH 01 Caller does not have authority to change ACL of the specified file.
INSSECL 02 Insufficient security label.
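
The fixed positions in Table 148 can be applied directly to unloaded SETFACL records. The following added example (not part of the original documentation) slices the ACL fields and reports changes that turned on a permission bit that was not on before. It assumes Yes/No fields hold the text YES or NO padded with blanks and Integer fields hold decimal digits; the sample records, user IDs and path names are constructed, and the record header (positions 1 to 281, including the event qualifier) is left blank and not read.

```python
"""Slice SETFACL (event code 75) records by the Table 148 positions and
report ACL changes that turned on a permission bit that was not on before."""

RECORD_LEN = 2309  # end position of SACL_NEW_EXECUTE, the last field read here

# name -> (start, end): 1-based inclusive positions copied from Table 148.
SETFACL_FIELDS = {
    "SACL_UTK_USER_ID": (449, 456),
    "SACL_PATH_NAME": (572, 1594),
    "SACL_ACL_TYPE": (2248, 2255),
    "SACL_OPTYPE": (2257, 2264),
    "SACL_ENTRY_TYPE": (2266, 2268),
    "SACL_ENTRY_ID": (2270, 2279),
    "SACL_OLD_READ": (2281, 2284),
    "SACL_OLD_WRITE": (2286, 2289),
    "SACL_OLD_EXECUTE": (2291, 2294),
    "SACL_NEW_READ": (2296, 2299),
    "SACL_NEW_WRITE": (2301, 2304),
    "SACL_NEW_EXECUTE": (2306, 2309),
}
PERMS = ("READ", "WRITE", "EXECUTE")


def parse_setfacl(record):
    """Return the blank-stripped text of each field in SETFACL_FIELDS."""
    # Pad so a record whose trailing blanks were trimmed still slices cleanly.
    padded = record.ljust(RECORD_LEN)
    return {name: padded[start - 1:end].strip()
            for name, (start, end) in SETFACL_FIELDS.items()}


def yes_no(value):
    """YES -> True, NO -> False, blank (field not applicable) -> None."""
    if value == "":
        return None
    if value.upper() in ("YES", "NO"):
        return value.upper() == "YES"
    raise ValueError(f"not a Yes/No value: {value!r}")


def gained_permissions(fields):
    """Permission bits that are on after the change and were not on before.

    Table 148: the OLD_* fields are blank for ADD and the NEW_* fields are
    blank for DELETE, so a blank is treated as "bit not on".
    """
    gained = []
    for perm in PERMS:
        old = yes_no(fields[f"SACL_OLD_{perm}"])
        new = yes_no(fields[f"SACL_NEW_{perm}"])
        if new is True and old is not True:
            gained.append(perm)
    return gained


def find_widened_acls(records):
    """Return one finding per record that granted at least one new bit."""
    findings = []
    for record in records:
        fields = parse_setfacl(record)
        gained = gained_permissions(fields)
        if not gained:
            continue
        entry_id = fields["SACL_ENTRY_ID"]
        findings.append({
            "changed_by": fields["SACL_UTK_USER_ID"],
            "path": fields["SACL_PATH_NAME"],
            "acl_type": fields["SACL_ACL_TYPE"],
            "optype": fields["SACL_OPTYPE"],
            "entry_type": fields["SACL_ENTRY_TYPE"],
            "entry_id": int(entry_id) if entry_id.isdigit() else None,
            "gained": gained,
        })
    return findings


def build_record(**values):
    """Constructed sample input: all blanks except the named fields."""
    chars = [" "] * RECORD_LEN
    for name, text in values.items():
        start, end = SETFACL_FIELDS[name]
        width = end - start + 1
        chars[start - 1:end] = text.ljust(width)[:width]
    return "".join(chars)


# Constructed records: an ADD, a widening MODIFY, a narrowing MODIFY, a DELETE.
SAMPLE_RECORDS = [
    build_record(SACL_UTK_USER_ID="ADMIN1", SACL_PATH_NAME="/u/payroll/rates.dat",
                 SACL_ACL_TYPE="ACCESS", SACL_OPTYPE="ADD", SACL_ENTRY_TYPE="UID",
                 SACL_ENTRY_ID="0000001001", SACL_NEW_READ="YES",
                 SACL_NEW_WRITE="YES", SACL_NEW_EXECUTE="NO"),
    build_record(SACL_UTK_USER_ID="OPER2", SACL_PATH_NAME="/u/payroll",
                 SACL_ACL_TYPE="DIRMOD", SACL_OPTYPE="MODIFY", SACL_ENTRY_TYPE="GID",
                 SACL_ENTRY_ID="0000000200", SACL_OLD_READ="YES", SACL_OLD_WRITE="NO",
                 SACL_OLD_EXECUTE="NO", SACL_NEW_READ="YES", SACL_NEW_WRITE="YES",
                 SACL_NEW_EXECUTE="NO"),
    build_record(SACL_UTK_USER_ID="ADMIN1", SACL_PATH_NAME="/u/payroll/rates.dat",
                 SACL_ACL_TYPE="ACCESS", SACL_OPTYPE="MODIFY", SACL_ENTRY_TYPE="UID",
                 SACL_ENTRY_ID="0000001001", SACL_OLD_READ="YES", SACL_OLD_WRITE="YES",
                 SACL_OLD_EXECUTE="NO", SACL_NEW_READ="YES", SACL_NEW_WRITE="NO",
                 SACL_NEW_EXECUTE="NO"),
    build_record(SACL_UTK_USER_ID="ADMIN1", SACL_PATH_NAME="/u/payroll/rates.dat",
                 SACL_ACL_TYPE="ACCESS", SACL_OPTYPE="DELETE", SACL_ENTRY_TYPE="UID",
                 SACL_ENTRY_ID="0000001001", SACL_OLD_READ="YES", SACL_OLD_WRITE="NO",
                 SACL_OLD_EXECUTE="NO"),
]

if __name__ == "__main__":
    for finding in find_widened_acls(SAMPLE_RECORDS):
        print(finding)
```

Because the header is not read, unsuccessful requests (event qualifiers 01 and 02 in Table 149) are not distinguished from successful ones; filter on the event qualifier before treating a finding as an applied change.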

The DELFACL record extension

Table 150 describes the format of a record that is created by deleting an access control list of a z/OS UNIX file.
The event qualifiers that can be associated with an access control list deletion event are shown in Table 151.
Table 150. Format of the DELFACL record extension (event code 76)
Field name Type Length Position Comments
Start End
DACL_CLASS Char 8 282 289 Class name.
DACL_USER_NAME Char 20 291 310 The name associated with the user ID.
DACL_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
DACL_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
DACL_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
DACL_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
DACL_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
DACL_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
DACL_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
DACL_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
DACL_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
DACL_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
DACL_UTK_SESSTYPE Char 8 362 369 The session type of this session.
DACL_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
DACL_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
DACL_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
DACL_UTK_SECL Char 8 386 393 The security label of the user.
DACL_UTK_EXECNODE Char 8 395 402 The execution node of the work.
DACL_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
DACL_UTK_SNODE Char 8 413 420 The submitting node.
DACL_UTK_SGRP_ID Char 8 422 429 The submitting group name.
DACL_UTK_SPOE Char 8 431 438 The port of entry.
DACL_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
DACL_UTK_USER_ID Char 8 449 456 User ID associated with the record.
DACL_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
DACL_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
DACL_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
DACL_APPC_LINK Char 16 477 492 Key to link together APPC records.
DACL_AUDIT_CODE Char 11 494 504 Audit function code.
DACL_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
DACL_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
DACL_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
DACL_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
DACL_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
DACL_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
DACL_PATH_NAME Char 1023 572 1594 The requested path name.
DACL_FILE_ID Char 32 1596 1627 File ID.
DACL_FILE_OWN_UID Integer 10 1629 1638 The owner z/OS UNIX user identifier (UID) associated with the file.
DACL_FILE_OWN_GID Integer 10 1640 1649 The owner z/OS UNIX group identifier (GID) associated with the file.
DACL_FILEPOOL Char 8 1651 1658 SFS filepool containing the BFS file.
DACL_FILESPACE Char 8 1660 1667 SFS filespace containing the BFS file.
DACL_INODE Integer 10 1669 1678 Inode (file serial number)
DACL_SCID Integer 10 1680 1689 File SCID
DACL_DCE_LINK Char 16 1691 1706 Link to connect DCE records that originate from a DCE request
DACL_AUTH_TYPE Char 13 1708 1720 Defines the type of request. Valid values are: SERVER, AUTH_CLIENT, and UNAUTH_CLIENT.
DACL_DFLT_PROCESS Yes/No 4 1722 1725 Default z/OS UNIX security environment in effect
DACL_UTK_NETW Char 8 1727 1734 Port of entry network name
DACL_X500_SUBJECT Char 255 1736 1990 Subject's name associated with this request.
DACL_X500_ISSUER Char 255 1992 2246 Issuer's name associated with this request
DACL_ACL_TYPE Char 8 2248 2255 What type of ACL is this? Valid values are ACCESS, FILEMOD, and DIRMOD.
DACL_SECL Char 8 2257 2264 Security label of the resource.
DACL_SERV_POENAME Char 64 2266 2329 SERVAUTH resource or profile name.
DACL_CTX_USER Char 510 2331 2840 Authenticated user name.
DACL_CTX_REG Char 255 2842 3096 Authenticated user registry name.
DACL_CTX_HOST Char 128 3098 3225 Authenticated user host name.
DACL_CTX_MECH Char 16 3227 3242 Authenticated user authentication mechanism object identifier (OID).
DACL_IDID_USER Char 985 3244 4228 Authenticated distributed user name.
DACL_IDID_REG Char 1021 4230 5250 Authenticated distributed user registry name.
Table 151. Event qualifiers for DELFACL records
Event qualifier Event qualifier number Event description
SUCCESS 00 Entire ACL removed.
INSAUTH 01 Caller does not have authority to remove ACL of the specified file.
INSSECL 02 Insufficient security label.

The SETFSECL record extension

Table 152 describes the format of a record that is created by setting the security label of a z/OS UNIX file.
The event qualifiers that can be associated with a set file security label event are shown in Table 153.
Table 152. Format of the SETFSECL record extension (event code 77)
Field name Type Length Position Comments
Start End
SSCL_CLASS Char 8 282 289 Class name.
SSCL_USER_NAME Char 20 291 310 The name associated with the user ID.
SSCL_NEWSECL Char 8 312 319 New security label.
SSCL_OLDSECL Char 8 321 328 Old security label.
SSCL_UTK_ENCR Yes/No 4 330 333 Is the UTOKEN associated with this user encrypted?
SSCL_UTK_PRE19 Yes/No 4 335 338 Is this a pre-1.9 token?
SSCL_UTK_VERPROF Yes/No 4 340 343 Is the VERIFYX propagation flag set?
SSCL_UTK_NJEUNUSR Yes/No 4 345 348 Is this the NJE undefined user?
SSCL_UTK_LOGUSR Yes/No 4 350 353 Is UAUDIT specified for this user?
SSCL_UTK_SPECIAL Yes/No 4 355 358 Is this a SPECIAL user?
SSCL_UTK_DEFAULT Yes/No 4 360 363 Is this a default token?
SSCL_UTK_UNKNUSR Yes/No 4 365 368 Is this an undefined user?
SSCL_UTK_ERROR Yes/No 4 370 373 Is this user token in error?
SSCL_UTK_TRUSTED Yes/No 4 375 378 Is this user a part of the trusted computing base (TCB)?
SSCL_UTK_SESSTYPE Char 8 380 387 The session type of this session.
SSCL_UTK_SURROGAT Yes/No 4 389 392 Is this a surrogate user?
SSCL_UTK_REMOTE Yes/No 4 394 397 Is this a remote job?
SSCL_UTK_PRIV Yes/No 4 399 402 Is this a privileged user ID?
SSCL_UTK_SECL Char 8 404 411 The security label of the user.
SSCL_UTK_EXECNODE Char 8 413 420 The execution node of the work.
SSCL_UTK_SUSER_ID Char 8 422 429 The submitting user ID.
SSCL_UTK_SNODE Char 8 431 438 The submitting node.
SSCL_UTK_SGRP_ID Char 8 440 447 The submitting group name.
SSCL_UTK_SPOE Char 8 449 456 The port of entry.
SSCL_UTK_SPCLASS Char 8 458 465 Class of the port of entry.
SSCL_UTK_USER_ID Char 8 467 474 User ID associated with the record.
SSCL_UTK_GRP_ID Char 8 476 483 Group name associated with the record.
SSCL_UTK_DFT_GRP Yes/No 4 485 488 Is a default group assigned?
SSCL_UTK_DFT_SECL Yes/No 4 490 493 Is a default security label assigned?
SSCL_AUDIT_CODE Char 11 495 505 Audit function code.
SSCL_OLD_REAL_UID Integer 10 507 516 Old real z/OS UNIX user identifier (UID).
SSCL_OLD_EFF_UID Integer 10 518 527 Old effective z/OS UNIX user identifier (UID).
SSCL_OLD_SAVED_UID Integer 10 529 538 Old saved z/OS UNIX user identifier (UID).
SSCL_OLD_REAL_GID Integer 10 540 549 Old real z/OS UNIX group identifier (GID).
SSCL_OLD_EFF_GID Integer 10 551 560 Old effective z/OS UNIX group identifier (GID).
SSCL_OLD_SAVED_GID Integer 10 562 571 Old saved z/OS UNIX group identifier (GID).
SSCL_PATH_NAME Char 1023 573 1595 The requested path name.
SSCL_FILE_ID Char 32 1597 1628 File ID.
SSCL_FILE_OWN_UID Integer 10 1630 1639 The owner z/OS UNIX user identifier (UID) associated with the file.
SSCL_FILE_OWN_GID Integer 10 1641 1650 The owner z/OS UNIX group identifier (GID) associated with the file.
SSCL_DFLT_PROCESS Yes/No 4 1652 1655 Default z/OS UNIX security environment in effect.
SSCL_UTK_NETW Char 8 1657 1664 Port of entry network name.
SSCL_X500_SUBJECT Char 255 1666 1920 Subject's name associated with this request.
SSCL_X500_ISSUER Char 255 1922 2176 Issuer's name associated with this request.
SSCL_SERV_POENAME Char 64 2178 2241 SERVAUTH resource or profile name.
SSCL_CTX_USER Char 510 2243 2752 Authenticated user name.
SSCL_CTX_REG Char 255 2754 3008 Authenticated user registry name.
SSCL_CTX_HOST Char 128 3010 3137 Authenticated user host name.
SSCL_CTX_MECH Char 16 3139 3154 Authenticated user authentication mechanism object identifier (OID).
SSCL_IDID_USER Char 985 3156 4140 Authenticated distributed user name.
SSCL_IDID_REG Char 1021 4142 5162 Authenticated distributed user registry name.
Table 153. Event qualifiers for SETFSECL records
Event qualifier Event qualifier number Event description
SUCCESS 00 Security label set successfully.
NOTAUTH 01 Caller does not have authority to set security label.

The WRITEDWN record extension

Table 154 describes the format of a record that is created by setting the write-down privilege.
The event qualifiers that can be associated with a set file write-down privilege event are shown in Table 155.
Table 154. Format of the WRITEDWN record extension (event code 78)
Field name Type Length Position Comments
Start End
WDWN_USER_NAME Char 20 282 301 The name associated with the user ID.
WDWN_UTK_ENCR Yes/No 4 303 306 Is the UTOKEN associated with this user encrypted?
WDWN_UTK_PRE19 Yes/No 4 308 311 Is this a pre-1.9 token?
WDWN_UTK_VERPROF Yes/No 4 313 316 Is the VERIFYX propagation flag set?
WDWN_UTK_NJEUNUSR Yes/No 4 318 321 Is this the NJE undefined user?
WDWN_UTK_LOGUSR Yes/No 4 323 326 Is UAUDIT specified for this user?
WDWN_UTK_SPECIAL Yes/No 4 328 331 Is this a SPECIAL user?
WDWN_UTK_DEFAULT Yes/No 4 333 336 Is this a default token?
WDWN_UTK_UNKNUSR Yes/No 4 338 341 Is this an undefined user?
WDWN_UTK_ERROR Yes/No 4 343 346 Is this user token in error?
WDWN_UTK_TRUSTED Yes/No 4 348 351 Is this user a part of the trusted computing base (TCB)?
WDWN_UTK_SESSTYPE Char 8 353 360 The session type of this session.
WDWN_UTK_SURROGAT Yes/No 4 362 365 Is this a surrogate user?
WDWN_UTK_REMOTE Yes/No 4 367 370 Is this a remote job?
WDWN_UTK_PRIV Yes/No 4 372 375 Is this a privileged user ID?
WDWN_UTK_SECL Char 8 377 384 The security label of the user.
WDWN_UTK_EXECNODE Char 8 386 393 The execution node of the work.
WDWN_UTK_SUSER_ID Char 8 395 402 The submitting user ID.
WDWN_UTK_SNODE Char 8 404 411 The submitting node.
WDWN_UTK_SGRP_ID Char 8 413 420 The submitting group name.
WDWN_UTK_SPOE Char 8 422 429 The port of entry.
WDWN_UTK_SPCLASS Char 8 431 438 Class of the port of entry.
WDWN_UTK_USER_ID Char 8 440 447 User ID associated with the record.
WDWN_UTK_GRP_ID Char 8 449 456 Group name associated with the record.
WDWN_UTK_DFT_GRP Yes/No 4 458 461 Is a default group assigned?
WDWN_UTK_DFT_SECL Yes/No 4 463 466 Is a default security label assigned?
WDWN_UTK_NETW Char 8 468 475 Port of entry network name.
WDWN_X500_SUBJECT Char 255 477 731 Subject's name associated with this request.
WDWN_X500_ISSUER Char 255 733 987 Issuer's name associated with this request.
WDWN_SERV_POENAME Char 64 989 1052 SERVAUTH resource or profile name.
WDWN_CTX_USER Char 510 1054 1563 Authenticated user name.
WDWN_CTX_REG Char 255 1565 1819 Authenticated user registry name.
WDWN_CTX_HOST Char 128 1821 1948 Authenticated user host name.
WDWN_CTX_MECH Char 16 1950 1965 Authenticated user authentication mechanism object identifier (OID).
WDWN_IDID_USER Char 985 1967 2951 Authenticated distributed user name.
WDWN_IDID_REG Char 1021 2953 3973 Authenticated distributed user registry name.
Table 155. Event qualifiers for WRITEDWN records
Event qualifier Event qualifier number Event description
SUCCESS 00 Success.
NOTAUTH 01 Caller does not have authority to set write-down privilege.

The PKIDPUBR record extension

Table 156 describes the format of a record that is created by CRL publication.
The event qualifiers that can be associated with a CRL publication event are shown in Table 157.
Table 156. Format of the PKIDPUBR record extension (event code 79)
Field name Type Length Position Comments
Start End
PKDP_CRL_SER_NUM Char 255 282 536 CRL serial number
PKDP_ISSUERS_DN Char 255 538 792 CRL issuer's distinguished name
PKDP_ISSUING DP_DN Char 255 794 1048 CRL's issuing distribution point distinguished name
PKDP_THIS_DATE Date 10 1050 1059 CRL's date of issue
PKDP_THIS_TIME Time 8 1061 1068 CRL's time of issue
PKDP_NEXT_DATE Date 10 1070 1079 CRL's expiration date (issue date of next CRL)
PKDP_NEXT_TIME Time 8 1081 1088 CRL's expiration time (issue time of next CRL)
PKDP_PUBLISH_DATE Date 10 1090 1099 CRL's date of publish
PKDP_PUBLISH_TIME Time 8 1101 1108 CRL's time of publish
PKDP_ISSUING_URI Char 1024 1110 2133 CRL's issuing distribution point URI
Table 157. Event qualifiers for PKIDPUBR records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful publication of revocation information

The RPKIRESP record extension

Table 158 describes the format of a record that is created by the PKI Services responder when a request for certificate status is made.
The event qualifiers that can be associated with RPKIRESP records are shown in Table 159.
Table 158. Format of the RPKIRESP record extension (event code 80)
Field name Type Length Position Comments
Start End
RPKO_LOGSTRING Char 255 282 536 Logstring parameter
RPKO_USER_NAME Char 20 538 557 The name associated with the user ID
RPKO_UTK_ENCR Yes/No 4 559 562 Is the UTOKEN associated with this user encrypted?
RPKO_UTK_PRE19 Yes/No 4 564 567 Is this a pre-1.9 token?
RPKO_UTK_VERPROF Yes/No 4 569 572 Is the VERIFYX propagation flag set?
RPKO_UTK_NJEUNUSR Yes/No 4 574 577 Is this the NJE undefined user?
RPKO_UTK_LOGUSR Yes/No 4 579 582 Is UAUDIT specified for this user?
RPKO_UTK_SPECIAL Yes/No 4 584 587 Is this a SPECIAL user?
RPKO_UTK_DEFAULT Yes/No 4 589 592 Is this a default token?
RPKO_UTK_UNKNUSR Yes/No 4 594 597 Is this an undefined user?
RPKO_UTK_ERROR Yes/No 4 599 602 Is this user token in error?
RPKO_UTK_TRUSTED Yes/No 4 604 607 Is this user part of the trusted computing base (TCB)?
RPKO_UTK_SESSTYPE Char 8 609 616 The session type of this session
RPKO_UTK_SURROGAT Yes/No 4 618 621 Is this a surrogate user?
RPKO_UTK_REMOTE Yes/No 4 623 626 Is this a remote job?
RPKO_UTK_PRIV Yes/No 4 628 631 Is this a privileged user ID?
RPKO_UTK_SECL Char 8 633 640 The security label of the user.
RPKO_UTK_EXECNODE Char 8 642 649 The execution node of the work.
RPKO_UTK_SUSER_ID Char 8 651 658 The submitting user ID.
RPKO_UTK_SNODE Char 8 660 667 The submitting node.
RPKO_UTK_SGRP_ID Char 8 669 676 The submitting group name.
RPKO_UTK_SPOE Char 8 678 685 The port of entry.
RPKO_UTK_SPCLASS Char 8 687 694 Class of the POE.
RPKO_UTK_USER_ID Char 8 696 703 User ID associated with the record.
RPKO_UTK_GRP_ID Char 8 705 712 Group name associated with the record.
RPKO_UTK_DFT_GROUP Yes/No 4 714 717 Is a default group assigned?
RPKO_UTK_DFT_SECL Yes/No 4 719 722 Is a default security label assigned?
RPKO_UTK_NETW Char 8 724 731 The port of entry network name.
RPKO_X500_SUBJECT Char 255 733 987 Subject's name associated with this event.
RPKO_X500_ISSUER Char 255 989 1243 Issuer's name associated with this event.
RPKO_SERV_POENAME Char 64 1245 1308 SERVAUTH resource or profile name.
RPKO_RESPONSE Char 1024 1310 2333 Responses from OCSP.
RPKO_CA_DOMAIN Char 8 2335 2342 Domain name of target PKI Services instance.
RPKO_CTX_USER Char 510 2344 2853 Authenticated user name.
RPKO_CTX_REG Char 255 2855 3109 Authenticated user registry name.
RPKO_CTX_HOST Char 128 3111 3238 Authenticated user host name.
RPKO_CTX_MECH Char 16 3240 3255 Authenticated user authentication mechanism object identifier (OID).
RPKO_IDID_USER Char 985 3257 4241 Authenticated distributed user name.
RPKO_IDID_REG Char 1021 4243 5263 Authenticated distributed user registry name.
Table 159. Event qualifiers for RPKIRESP records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful RESPOND request
INSAUTH 01 Insufficient authority for RESPOND

The PassTicket evaluation (PTEVAL) record extension

Table 160 describes the format of a record that is created when a PassTicket is evaluated.
The event qualifiers that can be associated with PassTicket evaluation records are shown in Table 161.
Table 160. Format of the PassTicket evaluation record extension (event code 81)
Field name Type Length Position Comments
Start End
PTEV_APPLICATION Char 8 282 289 Application name used in PassTicket operation.
PTEV_TARGET_USER Char 8 291 298 User ID for which the PassTicket operation was performed. This is not the user who called the PassTicket service.
PTEV_USER_NAME Char 20 300 319 The name associated with the caller of the PassTicket service. This is not the same user as PTEV_TARGET_USER.
PTEV_UTK_ENCR Yes/No 4 321 324 Is the UTOKEN associated with this user encrypted?
PTEV__UTK_PRE19 Yes/No 4 326 329 Is this a pre-1.9 token?
PTEV_UTK_VERPROF Yes/No 4 331 334 Is the VERIFYX propagation flag set?
PTEV_UTK_NJEUNUSR Yes/No 4 336 339 Is this the NJE undefined user?
PTEV_UTK_LOGUSR Yes/No 4 341 344 Is UAUDIT specified for this user?
PTEV_UTK_SPECIAL Yes/No 4 346 349 Is this a SPECIAL user?
PTEV_UTK_DEFAULT Yes/No 4 351 354 Is this a default token?
PTEV_UTK_UNKNUSR Yes/No 4 356 359 Is this an undefined user?
PTEV_UTK_ERROR Yes/No 4 361 364 Is this user token in error?
PTEV_UTK_TRUSTED Yes/No 4 366 369 Is this user part of the trusted computing base (TCB)?
PTEV_UTK_SESSTYPE Char 8 371 378 The session type of this session.
PTEV_UTK_SURROGAT Yes/No 4 380 383 Is this a surrogate user?
PTEV_UTK_REMOTE Yes/No 4 385 388 Is this a remote job?
PTEV_UTK_PRIV Yes/No 4 390 393 Is this a privileged user ID?
PTEV_UTK_SECL Char 8 395 402 The security label of the user.
PTEV_UTK_EXECNODE Char 8 404 411 The execution node of the work.
PTEV_UTK_SUSER_ID Char 8 413 420 The submitting user ID.
PTEV_UTK_SNODE Char 8 422 429 The submitting node.
PTEV_UTK_SGRP_ID Char 8 431 438 The submitting group name.
PTEV_UTK_SPOE Char 8 440 447 The port of entry.
PTEV_UTK_SPCLASS Char 8 449 456 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT and APPCPORT.
PTEV_UTK_USER_ID Char 8 458 465 User ID associated with the record.
PTEV_UTK_GRP_ID Char 8 467 474 Group name associated with the record.
PTEV_UTK_DFT_GRP Yes/No 4 476 479 Is a default group assigned?
PTEV_UTK_DFT_SECL Yes/No 4 481 484 Is a default security label assigned?
PTEV_LPT_EVAL Yes/No 4 486 489 The supplied password was evaluated as a legacy PassTicket.
PTEV_LPT_SUCC Yes/No 4 491 494 The legacy PassTicket was evaluated successfully.
PTEV_EPT_UPPER_EVAL Yes/No 4 496 499 The supplied Password was evaluated as an enhanced PassTicket type UPPER.
PTEV_EPT_UPPER_SUCC Yes/No 4 501 504 The supplied Password was evaluated successfully as an enhanced PassTicket type UPPER.
PTEV_EPT_MIXED_EVAL Yes/No 4 506 509 The supplied Password was evaluated as an enhanced PassTicket type MIXED.
PTEV_EPT_MIXED_SUCC Yes/No 4 511 514 The supplied Password was evaluated successfully as an enhanced PassTicket type MIXED.
PTEV_REPLAY_FAILURE Yes/No 4 516 519 Failure due to replay attempt.
PTEV_RESERVED_08 Yes/No 4 521 524 Reserved for IBM's use.
PTEV_RESERVED_09 Yes/No 4 526 529 Reserved for IBM's use.
PTEV_RESERVED_10 Yes/No 4 531 534 Reserved for IBM's use.
PTEV_RESERVED_11 Yes/No 4 536 539 Reserved for IBM's use.
PTEV_RESERVED_12 Yes/No 4 541 544 Reserved for IBM's use.
PTEV_RESERVED_13 Yes/No 4 546 549 Reserved for IBM's use.
PTEV_RESERVED_14 Yes/No 4 551 554 Reserved for IBM's use.
PTEV_RESERVED_15 Yes/No 4 556 559 Reserved for IBM's use.
PTEV_RESERVED_16 Yes/No 4 561 564 Reserved for IBM's use.
PTEV_APPL_NAME Char 8 566 573 Application name used to evaluate the PassTicket.
PTEV_EVAL_RSN1 Char 8 575 582 Evaluation Return Code. Expressed as hexadecimal number.
PTEV_EVAL_RSN2 Char 8 584 591 Evaluation Reason Code. Expressed as hexadecimal number.
Table 161. Event qualifiers for PTEVAL records
Event qualifier Event qualifier number Event description
SUCCESS 00 PassTicket evaluation succeeded.
FAILURE 01 PassTicket evaluation failed.

The PassTicket generation (PTCREATE) record extension

Table 162 describes the format of a record that is created when a PassTicket is generated.
The event qualifiers that can be associated with PassTicket generation records are shown in Table 163.
Table 162. Format of the PassTicket generation record extension (event code 82)
Field name Type Length Position Comments
Start End
PTCR_APPLICATION Char 8 282 289 Application name used in PassTicket operation.
PTCR_TARGET_USER Char 8 291 298 User ID for which the PassTicket operation was performed. This is not the user who called the PassTicket service.
PTCR_USER_NAME Char 20 300 319 The name associated with the caller of the PassTicket service. This is not the same user as PTCR_TARGET_USER.
PTCR_UTK_ENCR Yes/No 4 321 324 Is the UTOKEN associated with this user encrypted?
PTCR__UTK_PRE19 Yes/No 4 326 329 Is this a pre-1.9 token?
PTCR_UTK_VERPROF Yes/No 4 331 334 Is the VERIFYX propagation flag set?
PTCR_UTK_NJEUNUSR Yes/No 4 336 339 Is this the NJE undefined user?
PTCR_UTK_LOGUSR Yes/No 4 341 344 Is UAUDIT specified for this user?
PTCR_UTK_SPECIAL Yes/No 4 346 349 Is this a SPECIAL user?
PTCR_UTK_DEFAULT Yes/No 4 351 354 Is this a default token?
PTCR_UTK_UNKNUSR Yes/No 4 356 359 Is this an undefined user?
PTCR_UTK_ERROR Yes/No 4 361 364 Is this user token in error?
PTCR_UTK_TRUSTED Yes/No 4 366 369 Is this user part of the trusted computing base (TCB)?
PTCR_UTK_SESSTYPE Char 8 371 378 The session type of this session.
PTCR_UTK_SURROGAT Yes/No 4 380 383 Is this a surrogate user?
PTCR_UTK_REMOTE Yes/No 4 385 388 Is this a remote job?
PTCR_UTK_PRIV Yes/No 4 390 393 Is this a privileged user ID?
PTCR_UTK_SECL Char 8 395 402 The security label of the user.
PTCR_UTK_EXECNODE Char 8 404 411 The execution node of the work.
PTCR_UTK_SUSER_ID Char 8 413 420 The submitting user ID.
PTCR_UTK_SNODE Char 8 422 429 The submitting node.
PTCR_UTK_SGRP_ID Char 8 431 438 The submitting group name.
PTCR_UTK_SPOE Char 8 440 447 The port of entry.
PTCR_UTK_SPCLASS Char 8 449 456 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT and APPCPORT.
PTCR_UTK_USER_ID Char 8 458 465 User ID associated with the record.
PTCR_UTK_GRP_ID Char 8 467 474 Group name associated with the record.
PTCR_UTK_DFT_GRP Yes/No 4 476 479 Is a default group assigned?
PTCR_UTK_DFT_SECL Yes/No 4 481 484 Is a default security label assigned?
PTCR_LPT Yes/No 4 486 489 Generation of a legacy PassTicket was attempted.
PTCR_RESERVED_02 Yes/No 4 491 494 Reserved for IBM's use.
PTCR_EPT_UPPER Yes/No 4 496 499 Generation of an enhanced PassTicket type UPPER was attempted.
PTCR_RESERVED_04 Yes/No 4 501 504 Reserved for IBM's use.
PTCR_EPT_MIXED Yes/No 4 506 509 Generation of an enhanced PassTicket type MIXED was attempted.
PTCR_RESERVED_06 Yes/No 4 511 514 Reserved for IBM's use.
PTCR_RESERVED_07 Yes/No 4 516 519 Reserved for IBM's use.
PTCR_RESERVED_08 Yes/No 4 521 524 Reserved for IBM's use.
PTCR_RESERVED_09 Yes/No 4 526 529 Reserved for IBM's use.
PTCR_RESERVED_10 Yes/No 4 531 534 Reserved for IBM's use.
PTCR_RESERVED_11 Yes/No 4 536 539 Reserved for IBM's use.
PTCR_RESERVED_12 Yes/No 4 541 544 Reserved for IBM's use.
PTCR_RESERVED_13 Yes/No 4 546 549 Reserved for IBM's use.
PTCR_RESERVED_14 Yes/No 4 551 554 Reserved for IBM's use.
PTCR_RESERVED_15 Yes/No 4 556 559 Reserved for IBM's use.
PTCR_RESERVED_16 Yes/No 4 561 564 Reserved for IBM's use.
PTCR_APPL_NAME Char 8 566 573 Application Name used to generate the PassTicket.
PTCR_GEN_RSN1 Char 8 575 582 Generation Return Code. Expressed as hexadecimal number.
PTCR_GEN_RSN2 Char 8 584 591 Generation Reason Code. Expressed as hexadecimal number.
Table 163. Event qualifiers for PTCREATE records
Event qualifier Event qualifier number Event description
SUCCESS 00 PassTicket was generated.
FAILURE 01 PassTicket generation failed.
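The PassTicket tables above give 1-based, inclusive Start/End columns, so a record can be sliced directly by position. The following is an added example, not IBM's code: it parses PTEVAL and PTCREATE records and lists replay failures, failed evaluations and failed generations. It assumes that the event type and qualifier occupy columns 1-8 and 10-17 of the common header and that Yes/No fields unload as the text YES or NO; the sample lines and reason-code values are constructed.

```python
"""Slice PassTicket audit records by the Start/End columns of the tables above."""

# ASSUMPTION: event type and qualifier are in columns 1-8 and 10-17 of the
# common record header, which this section does not restate.
HEADER = {"EVENT_TYPE": (1, 8), "EVENT_QUAL": (10, 17)}

# (start, end) pairs copied from the PTEVAL and PTCREATE tables (1-based, inclusive).
LAYOUTS = {
    "PTEVAL": {
        "PTEV_UTK_SPOE": (440, 447),
        "PTEV_UTK_USER_ID": (458, 465),
        "PTEV_REPLAY_FAILURE": (516, 519),
        "PTEV_APPL_NAME": (566, 573),
        "PTEV_EVAL_RSN1": (575, 582),
        "PTEV_EVAL_RSN2": (584, 591),
    },
    "PTCREATE": {
        "PTCR_APPLICATION": (282, 289),
        "PTCR_TARGET_USER": (291, 298),
        "PTCR_UTK_USER_ID": (458, 465),
        "PTCR_GEN_RSN1": (575, 582),
        "PTCR_GEN_RSN2": (584, 591),
    },
}
YES_NO_FIELDS = {"PTEV_REPLAY_FAILURE"}


def _cut(line, start, end):
    """Return columns start..end (1-based, inclusive); '' if the line is short."""
    return line[start - 1:end].strip()


def parse_record(line):
    """Parse one unloaded line; return None for event types not in LAYOUTS."""
    event = _cut(line, *HEADER["EVENT_TYPE"])
    layout = LAYOUTS.get(event)
    if layout is None:
        return None
    rec = {"EVENT_TYPE": event, "EVENT_QUAL": _cut(line, *HEADER["EVENT_QUAL"])}
    for name, (start, end) in layout.items():
        raw = _cut(line, start, end)
        if name in YES_NO_FIELDS:
            # ASSUMPTION: Yes/No unloads as "YES"/"NO"; a blank field
            # (relocate section not present) becomes None, not False.
            rec[name] = {"YES": True, "NO": False}.get(raw.upper())
        else:
            rec[name] = raw
    return rec


def triage(lines):
    """Return (line_no, finding, user, application) for records worth review."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_record(line.rstrip("\n"))
        if rec is None:
            continue
        if rec["EVENT_TYPE"] == "PTEVAL":
            who, appl = rec["PTEV_UTK_USER_ID"], rec["PTEV_APPL_NAME"]
            if rec["PTEV_REPLAY_FAILURE"]:
                findings.append((n, "replay", who, appl))
            elif rec["EVENT_QUAL"] == "FAILURE":
                findings.append((n, "eval-failed", who, appl))
        elif rec["EVENT_QUAL"] == "FAILURE":  # PTCREATE
            findings.append((n, "gen-failed", rec["PTCR_TARGET_USER"],
                             rec["PTCR_APPLICATION"]))
    return findings


def build_sample(event, qual, **fields):
    """Build a CONSTRUCTED 591-column line for the demo (not real unload output)."""
    buf = [" "] * 591

    def put(value, start, end):
        width = end - start + 1
        buf[start - 1:end] = value.ljust(width)[:width]

    put(event, *HEADER["EVENT_TYPE"])
    put(qual, *HEADER["EVENT_QUAL"])
    for name, value in fields.items():
        put(value, *LAYOUTS[event][name])
    return "".join(buf)


# Constructed sample input; user IDs, application names and codes are made up.
SAMPLE = [
    build_sample("PTEVAL", "FAILURE", PTEV_UTK_USER_ID="USERA",
                 PTEV_REPLAY_FAILURE="YES", PTEV_APPL_NAME="APPL1",
                 PTEV_EVAL_RSN1="00000008", PTEV_EVAL_RSN2="00000010"),
    build_sample("PTEVAL", "SUCCESS", PTEV_UTK_USER_ID="USERA",
                 PTEV_REPLAY_FAILURE="NO", PTEV_APPL_NAME="APPL1"),
    build_sample("PTCREATE", "FAILURE", PTCR_APPLICATION="APPL1",
                 PTCR_TARGET_USER="USERB", PTCR_UTK_USER_ID="SRVID",
                 PTCR_GEN_RSN1="00000008", PTCR_GEN_RSN2="00000010"),
    "JOBINIT  SUCCESS",   # other event types are skipped
    "PTEVAL   FAILURE",   # truncated line: extension fields come back blank
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A field from a missing or truncated relocate section parses as an empty string (or `None` for a Yes/No field), so such a record is still reported by its qualifier rather than silently dropped.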

The RPKISCEP record extension

Table 164. Format of the RPKISCEP record extension (event code 83)
Field name Type Length Position Comments
Start End
RPKS_LOGSTRING Char 255 282 536 Logstring parameter.
RPKS_USER_NAME Char 20 538 557 The name associated with the user ID.
RPKS_UTK_ENCR Yes/No 4 559 562 Is the UTOKEN associated with this user encrypted?
RPKS_UTK_PRE19 Yes/No 4 564 567 Is this a pre-1.9 token?
RPKS_UTK_VERPROF Yes/No 4 569 572 Is the VERIFYX propagation flag set?
RPKS_UTK_NJEUNUSR Yes/No 4 574 577 Is this the NJE undefined user?
RPKS_UTK_LOGUSR Yes/No 4 579 582 Is UAUDIT specified for this user?
RPKS_UTK_SPECIAL Yes/No 4 584 587 Is this a SPECIAL user?
RPKS_UTK_DEFAULT Yes/No 4 589 592 Is this a default token?
RPKS_UTK_UNKNUSR Yes/No 4 594 597 Is this an undefined user?
RPKS_UTK_ERROR Yes/No 4 599 602 Is this user token in error?
RPKS_UTK_TRUSTED Yes/No 4 604 607 Is this user a part of the TCB?
RPKS_UTK_SESSTYPE Char 8 609 616 The session type of this session.
RPKS_UTK_SURROGAT Yes/No 4 618 621 Is this a surrogate user?
RPKS_UTK_REMOTE Yes/No 4 623 626 Is this a remote job?
RPKS_UTK_PRIV Yes/No 4 628 631 Is this a privileged user ID?
RPKS_UTK_SECL Char 8 633 640 The security label of the user.
RPKS_UTK_EXECNODE Char 8 642 649 The execution node of the work.
RPKS_UTK_SUSER_ID Char 8 651 658 The submitting user ID.
RPKS_UTK_SNODE Char 8 660 667 The submitting node.
RPKS_UTK_SGRP_ID Char 8 669 676 The submitting group name.
RPKS_UTK_SPOE Char 8 678 685 The port of entry.
RPKS_UTK_SPCLASS Char 8 687 694 Class of the POE.
RPKS_UTK_USER_ID Char 8 696 703 User ID associated with the record.
RPKS_UTK_GRP_ID Char 8 705 712 Group name associated with the record.
RPKS_UTK_DFT_GRP Yes/No 4 714 717 Is a default group assigned?
RPKS_UTK_DFT_SECL Yes/No 4 719 722 Is a default security label assigned?
RPKS_SERIAL_NUMBER Char 255 724 978 Certificate serial number.
RPKS_ISSUERS_DN Char 255 980 1234 Certificate issuer's distinguished name.
RPKS_UTK_NETW Char 8 1236 1243 The port of entry network name.
RPKS_X500_SUBJECT Char 255 1245 1499 Subject's name associated with this event.
RPKS_X500_ISSUER Char 255 1501 1755 Issuer's name associated with this event.
RPKS_KEYUSAGE Char 64 1757 1820 Requested certificate KeyUsage.
RPKS_NOTBEFOR_DATE Char 10 1822 1831 Requested certificate NotBefore date.
RPKS_NOTAFTER_DATE Char 10 1833 1842 Requested certificate NotAfter date.
RPKS_SUBJECTS_DN Char 255 1844 2098 Certificate subject's distinguished name.
RPKS_ALT_IP Char 64 2100 2163 Requested ALTNAME IP address.
RPKS_ALT_URI Char 255 2165 2419 Requested ALTNAME URI.
RPKS_ALT_EMAIL Char 100 2421 2520 Requested ALTNAME email.
RPKS_ALT_DOMAIN Char 100 2522 2621 Requested ALTNAME Domain.
RPKS_CERT_ID Char 56 2623 2678 IRRSPX00 Certificate ID.
RPKS_HOSTID_MAP Char 1024 2680 3703 Reserved for IBM's use.
RPKS_REQUESTOR Char 32 3705 3736 Requester's name - SCEP transaction ID.
RPKS_PASS_PHRASE Yes/No 4 3738 3741 Requester specified a pass phrase.
RPKS_NOTIFY_EMAIL Char 64 3743 3806 Reserved for IBM's use.
RPKS_EXTKEYUSAGE Char 255 3808 4062 Requested Extended KeyUsage.
RPKS_SERV_POENAME Char 64 4064 4127 SERVAUTH resource or profile name.
RPKS_ALT_OTHER Char 1024 4129 5152 Requested ALTNAME OtherName.
RPKS_CA_DOMAIN Char 8 5154 5161 Domain name of target PKI Services instance.
RPKS_CTX_USER Char 510 5163 5672 Authenticated user name.
RPKS_CTX_REG Char 255 5674 5928 Authenticated user registry name.
RPKS_CTX_HOST Char 128 5930 6057 Authenticated user host name.
RPKS_CTX_MECH Char 16 6059 6074 Authenticated user authentication mechanism object identifier (OID).
RPKS_IDID_USER_UTF8 Char 246 6076 6321 Authenticated distributed user name in UTF-8.
RPKS_IDID_USER_EBCDIC Char 738 6323 7060 Authenticated distributed user name in EBCDIC.
RPKS_IDID_REG_UTF8 Char 255 7062 7316 Authenticated distributed registry name in UTF-8.
RPKS_IDID_REG_EBCDIC Char 765 7318 8082 Authenticated distributed registry name in EBCDIC.
RPKS_CUSTOM_EXT Char 1024 8084 9107 Customized extension.
RPKS_RECORD_LINK Char 32 9109 9140 Field to link audit records together.
RPKS_CERT_FGRPRNT Char 64 9142 9205 Subject Certificate SHA256 fingerprint in printable hex value.
Table 165. Event qualifiers for RPKISCEP records
Event qualifier Event qualifier number Event description
SUCCAUTO 00 Successful AutoApprove PKCSReq request.
SUCCADIM 01 Successful AdminApprove PKCSReq request.
SUCCGETI 02 Successful GetCertInitial request.
REJECTED 03 Rejected PKCSReq or GetCertInitial request.
INCORRCT 04 Incorrect SCEP transaction ID specified for GetCertInitial.
INSAUTH 05 Insufficient authority for SCEPREQ.

The RDATAUPD record extension

Table 166. Format of the RDATAUPD record extension (event code 84)
Field name Type Length Position Comments
Start End
RPUT_USER_NAME Char 20 282 301 The name associated with the user ID.
RPUT_UTK_ENCR Yes/No 4 303 306 Is the UTOKEN associated with this user encrypted?
RPUT_UTK_PRE19 Yes/No 4 308 311 Is this a pre-1.9 token?
RPUT_UTK_VERPROF Yes/No 4 313 316 Is the VERIFYX propagation flag set?
RPUT_UTK_NJEUNUSR Yes/No 4 318 321 Is this the NJE undefined user?
RPUT_UTK_LOGUSR Yes/No 4 323 326 Is UAUDIT specified for this user?
RPUT_UTK_SPECIAL Yes/No 4 328 331 Is this a SPECIAL user?
RPUT_UTK_DEFAULT Yes/No 4 333 336 Is this a default token?
RPUT_UTK_UNKNUSR Yes/No 4 338 341 Is this an undefined user?
RPUT_UTK_ERROR Yes/No 4 343 346 Is this user token in error?
RPUT_UTK_TRUSTED Yes/No 4 348 351 Is this user a part of the TCB?
RPUT_UTK_SESSTYPE Char 8 353 360 The session type of this session.
RPUT_UTK_SURROGAT Yes/No 4 362 365 Is this a surrogate user?
RPUT_UTK_REMOTE Yes/No 4 367 370 Is this a remote job?
RPUT_UTK_PRIV Yes/No 4 372 375 Is this a privileged user ID?
RPUT_UTK_SECL Char 8 377 384 The security label of the user.
RPUT_UTK_EXECNODE Char 8 386 393 The execution node of the work.
RPUT_UTK_SUSER_ID Char 8 395 402 The submitting user ID.
RPUT_UTK_SNODE Char 8 404 411 The submitting node.
RPUT_UTK_SGRP_ID Char 8 413 420 The submitting group name.
RPUT_UTK_SPOE Char 8 422 429 The port of entry.
RPUT_UTK_SPCLASS Char 8 431 438 Class of the POE.
RPUT_UTK_USER_ID Char 8 440 447 User ID associated with the record.
RPUT_UTK_GRP_ID Char 8 449 456 Group name associated with the record.
RPUT_UTK_DFT_GRP Yes/No 4 458 461 Is a default group assigned?
RPUT_UTK_DFT_SECL Yes/No 4 463 466 Is a default security label assigned?
RPUT_SERIAL_NUMBER Char 255 468 722 Certificate serial number.
RPUT_ISSUERS_DN Char 255 724 978 Certificate issuer's distinguished name.
RPUT_RING_NAME Char 237 980 1216 Ring name.
RPUT_UTK_NEW Char 8 1218 1225 The port of entry network name.
RPUT_X500_SUBJECT Char 255 1227 1481 Subject's name associated with this event.
RPUT_X500_ISSUER Char 255 1483 1737 Issuer's name associated with this event.
RPUT_CERT_OWNER Char 8 1739 1746 Certificate owner.
RPUT_CERT_LABEL Char 32 1748 1779 Certificate label.
RPUT_SUBJECTS_DN Char 255 1781 2035 Certificate subject's distinguished name.
RPUT_RING_OWNER Char 8 2037 2044 Ring owner.
RPUT_ATTR_REUSE Yes/No 4 2046 2049 Is the reuse attribute on?
RPUT_ATTR_TRUST Yes/No 4 2051 2054 Is the trust attribute on?
RPUT_ATTR_HITRUST Yes/No 4 2056 2059 Is the hightrust attribute on?
RPUT_ATTR_DELETE Yes/No 4 2061 2064 Is the delete attribute on?
RPUT_CERT_USAGE Char 8 2066 2073 Certificate usage in ring.
RPUT_CERT_DEFAULT Yes/No 4 2075 2078 Is it the default certificate?
RPUT_PRIVATE_KEY Yes/No 4 2080 2083 Is there a private key?
RPUT_ATTR_NOTRUST Yes/No 4 2085 2088 Is the notrust attribute on?
RPUT_ATTR_DELFROMRING Yes/No 4 2090 2093 Is the attribute that determines whether a certificate is to be deleted, even if it is connected to the rings, turned on?
RPUT_ATTR_DELFORCE Yes/No 4 2095 2098 Is the delete force attribute on?
RPUT_SOURCE_LABEL Char 32 2100 2131 Source certificate label.
RPUT_CERT_FGRPRNT Char 64 2133 2196 Certificate SHA256 fingerprint.
Table 167. Event qualifiers for RDATAUPD records
Event qualifier Event qualifier number Event description
SUCCNEW 00 Successful NewRing.
INAUNEW 01 Not authorized to call NewRing.
SUCCPUT 02 Successful DataPut.
INAUPUT 03 Not authorized to call DataPut.
SUCCRMV 04 Successful DataRemove.
INAURMV 05 Not authorized to call DataRemove.
SUCCDEL 06 Successful DelRing.
INAUDEL 07 Not authorized to call DelRing.
SUCCALT 08 Successful DataAlter.
INAUALT 09 Not authorized to call DataAlter.

The PKIAURNW record extension

Table 168. Format of the PKIAURNW record extension (event code 85)
Field name Type Length Position Comments
Start End
PKRN_SERIAL_NUMBER Char 255 282 536 Certificate serial number.
PKRN_ISSUERS_DN Char 255 538 792 Certificate issuer's distinguished name.
PKRN_NOTBEFOR_DATE Char 10 794 803 Requested certificate's NotBefore date.
PKRN_NOTAFTER_DATE Char 10 805 814 Requested certificate's NotAfter date.
PKRN_SUBJECTS_DN Char 255 816 1070 Certificate subject's distinguished name.
PKRN_REQUESTOR Char 32 1072 1103 Requester's name.
PKRN_PREV_SERIAL Char 255 1105 1359 Previous serial number of the certificate.
PKRN_NOTIFY_EMAIL Char 64 1361 1424 Email address for notification purposes.
PKRN_CA_DOMAIN Char 8 1426 1433 Domain name of target PKI Services instance.
PKRN_EXIT_PATH Char 256 1435 1690 Full path name of the exit.
PKRN_CERT_FGRPRNT Char 64 1692 1755 Subject Certificate SHA256 fingerprint in printable hex value.
PKRN_ISU_CERT_FGRPRNT Char 64 1757 1820 Issuer Certificate SHA256 fingerprint in hex value.
PKRN_PREV_CERT_FGRPRNT Char 64 1822 1885 Previous Certificate SHA256 fingerprint in printable hex value.
Table 169. Event qualifiers for PKIAURNW records
Event qualifier Event qualifier number Event description
SUCCRNEW 00 Successful Renew.

The PGMVERYF record extension

Table 170 describes the format of a record that is created by the R_PgmSignVer callable service.
The event qualifiers that can be associated with an R_PgmSignVer callable service are shown in Table 171.
Table 170. Format of the PGMVERYF record extension (event code 86)
Field name Type Length Position Comments
Start End
PGMV_RES_NAME Char 255 282 536 Name of program being verified.
PGMV_VOL Char 6 538 543 Volume containing the program.
PGMV_LOGSTRING Char 255 545 799 Logstring parameter.
PGMV_USER_NAME Char 20 801 820 The name associated with the user ID.
PGMV_UTK_ENCR Yes/No 4 822 825 Is the UTOKEN associated with this user encrypted?
PGMV_UTK_PRE19 Yes/No 4 827 830 Is this a pre-1.9 token?
PGMV_UTK_VERPROF Yes/No 4 832 835 Is the VERIFYX propagation flag set?
PGMV_UTK_NJEUNUSR Yes/No 4 837 840 Is this the NJE undefined user?
PGMV_UTK_LOGUSR Yes/No 4 842 845 Is UAUDIT specified for this user?
PGMV_UTK_SPECIAL Yes/No 4 847 850 Is this a SPECIAL user?
PGMV_UTK_DEFAULT Yes/No 4 852 855 Is this a default token?
PGMV_UTK_UNKNUSR Yes/No 4 857 860 Is this an undefined user?
PGMV_UTK_ERROR Yes/No 4 862 865 Is this user token in error?
PGMV_UTK_TRUSTED Yes/No 4 867 870 Is this user a part of the TCB?
PGMV_UTK_SESSTYPE Char 8 872 879 The session type of this session.
PGMV_UTK_SURROGAT Yes/No 4 881 884 Is this a surrogate user?
PGMV_UTK_REMOTE Yes/No 4 886 889 Is this a remote job?
PGMV_UTK_PRIV Yes/No 4 891 894 Is this a privileged user ID?
PGMV_UTK_SECL Char 8 896 903 The security label of the user.
PGMV_UTK_EXECNODE Char 8 905 912 The execution node of the work.
PGMV_UTK_SUSER_ID Char 8 914 921 The submitting user ID.
PGMV_UTK_SNODE Char 8 923 930 The submitting node.
PGMV_UTK_SGRP_ID Char 8 932 939 The submitting group name.
PGMV_UTK_SPOE Char 8 941 948 The port of entry.
PGMV_UTK_SPCLASS Char 8 950 957 Class of the POE.
PGMV_UTK_USER_ID Char 8 959 966 User ID associated with the record.
PGMV_UTK_GRP_ID Char 8 968 975 Group name associated with the record.
PGMV_UTK_DFT_GRP Yes/No 4 977 980 Is a default group assigned?
PGMV_UTK_DFT_SECL Yes/No 4 982 985 Is a default security label assigned?
PGMV_PDS_DSN Char 44 987 1030 Partitioned data set name containing the program.
PGMV_UTK_NETW Char 8 1032 1039 The port of entry network name.
PGMV_X500_SUBJECT Char 255 1041 1295 Subject's name associated with this event.
PGMV_X500_ISSUER Char 255 1297 1551 Issuer's name associated with this event.
PGMV_SERV_POENAME Char 64 1553 1616 SERVAUTH resource or profile name.
PGMV_CTX_USER Char 510 1618 2127 Authenticated user name.
PGMV_CTX_REG Char 255 2129 2383 Authenticated user registry name.
PGMV_CTX_HOST Char 128 2385 2512 Authenticated user host name.
PGMV_CTX_MECH Char 16 2514 2529 Authenticated user authentication mechanism object identifier (OID).
PGMV_ROOT_DN Char 255 2531 2785 Root signing certificate subject's distinguished name.
PGMV_SIGNER_DN Char 255 2787 3041 Program signing certificate subject's distinguished name.
PGMV_MOD_LOADED Yes/No 4 3043 3046 Module loaded?
PGMV_SIGN_TIME Time 8 3048 3055 Time module was signed.
PGMV_SIGN_DATE Date 10 3057 3066 Date module was signed.
PGMV_EXPIR_DATE Date 10 3068 3077 Date at which module signature certificate chain expires.
PGMV_IDID_USER Char 985 3079 4063 Authenticated distributed user name.
PGMV_IDID_REG Char 1021 4065 5085 Authenticated distributed user registry name.
Table 171. Event qualifiers for PGMVERYF records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful signature verification.
NOTRUST 01 Signature appears valid but root CA certificate not trusted.
INVALSIG 02 Module signature failed verification.
INCORCHN 03 Module certificate chain incorrect.
NOTSIGND 04 Signature required but module not signed.
SIGREMOV 05 Signature required but signature has been removed.
VERNOTLD 06 Program verification module not loaded. Program verification was not available when attempt was made to load this program.
SLFTSTFL 07 Algorithmic self test failed.

The RACMAP record extension

Table 172. Format of the RACMAP record extension (event code 87)
Field name Type Length Position Comments
Start End
RACM_USER_NAME Char 20 282 301 The name associated with the user ID.
RACM_UTK_ENCR Yes/No 4 303 306 Is the UTOKEN associated with this user encrypted?
RACM_UTK_PRE19 Yes/No 4 308 311 Is this a pre-1.9 token?
RACM_UTK_VERPROF Yes/No 4 313 316 Is the VERIFYX propagation flag set?
RACM_UTK_NJEUNUSR Yes/No 4 318 321 Is this the NJE undefined user?
RACM_UTK_LOGUSR Yes/No 4 323 326 Is UAUDIT specified for this user?
RACM_UTK_SPECIAL Yes/No 4 328 331 Is this a SPECIAL user?
RACM_UTK_DEFAULT Yes/No 4 333 336 Is this a default token?
RACM_UTK_UNKNUSR Yes/No 4 338 341 Is this an undefined user?
RACM_UTK_ERROR Yes/No 4 343 346 Is this user token in error?
RACM_UTK_TRUSTED Yes/No 4 348 351 Is this user a part of the trusted computing base?
RACM_UTK_SESSTYPE Char 8 353 360 The session type of this session.
RACM_UTK_SURROGAT Yes/No 4 362 365 Is this a surrogate user?
RACM_UTK_REMOTE Yes/No 4 367 370 Is this a remote job?
RACM_UTK_PRIV Yes/No 4 372 375 Is this a privileged user ID?
RACM_UTK_SECL Char 8 377 384 The security label of the user.
RACM_UTK_EXECNODE Char 8 386 393 The execution node of the work.
RACM_UTK_SUSER_ID Char 8 395 402 The submitting user ID.
RACM_UTK_SNODE Char 8 404 411 The submitting node.
RACM_UTK_SGRP_ID Char 8 413 420 The submitting group name.
RACM_UTK_SPOE Char 8 422 429 The port of entry.
RACM_UTK_SPCLASS Char 8 431 438 Class of the POE. Valid values are "TERMINAL", "CONSOLE", "JESINPUT", and "APPCPORT".
RACM_UTK_USER_ID Char 8 440 447 User ID associated with the record.
RACM_UTK_GRP_ID Char 8 449 456 Group name associated with the record.
RACM_UTK_DFT_GRP Yes/No 4 458 461 Is a default group assigned?
RACM_UTK_DFT_SECL Yes/No 4 463 466 Is a default security label assigned?
RACM_SPECIFIED Char 1024 468 1491 The keywords specified on the RACMAP command.
RACM_UTK_NETW Char 8 1493 1500 The port of entry network name.
RACM_X500_SUBJECT Char 255 1502 1756 Subject's name associated with this event.
RACM_X500_ISSUER Char 255 1758 2012 Issuer's name associated with this event.
RACM_SERV_POENAME Char 64 2014 2077 SERVAUTH resource or profile name.
RACM_CTX_USER Char 510 2079 2588 Authenticated user name.
RACM_CTX_REG Char 255 2590 2844 Authenticated user registry name.
RACM_CTX_HOST Char 128 2846 2973 Authenticated user host name.
RACM_CTX_MECH Char 16 2975 2990 Authenticated user authentication mechanism object identifier (OID).
RACM_IDID_USER Char 985 2992 3976 Authenticated distributed user name.
RACM_IDID_REG Char 1021 3978 4998 Authenticated distributed user registry name.
Table 173. Event qualifiers for RACMAP records
Event qualifier Event qualifier number Event description
SUCCESS 00 Success.
NOTAUTH 01 Caller does not have authority.

The AUTOPROF record extension

Table 174. Format of the AUTOPROF record extension (event code 88)
Field name Type Length Position Comments
Start End
AUTO_CLASS Char 8 282 289 Class name.
AUTO_USER_NAME Char 20 291 310 The name associated with the user ID.
AUTO_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
AUTO_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
AUTO_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
AUTO_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
AUTO_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
AUTO_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
AUTO_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
AUTO_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
AUTO_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
AUTO_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
AUTO_UTK_SESSTYPE Char 8 362 369 The session type of this session.
AUTO_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
AUTO_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
AUTO_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
AUTO_UTK_SECL Char 8 386 393 The security label of the user.
AUTO_UTK_EXECNODE Char 8 395 402 The execution node of the work.
AUTO_UTK_SUSER_ID Char 8 404 411 The submitting user ID.
AUTO_UTK_SNODE Char 8 413 420 The submitting node.
AUTO_UTK_SGRP_ID Char 8 422 429 The submitting group name.
AUTO_UTK_SPOE Char 8 431 438 The port of entry.
AUTO_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
AUTO_UTK_USER_ID Char 8 449 456 User ID associated with the record.
AUTO_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
AUTO_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
AUTO_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
AUTO_APPC_LINK Char 16 477 492 A key to link together audit records for a user's APPC transaction processing work.
AUTO_AUDIT_CODE Char 11 494 504 Audit function code.
AUTO_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
AUTO_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
AUTO_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
AUTO_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
AUTO_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
AUTO_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
AUTO_DFLT_PROCESS Yes/No 4 572 575 Default z/OS UNIX security environment in effect.
AUTO_UTK_NETW Char 8 577 584 The port of entry network name.
AUTO_X500_SUBJECT Char 255 586 840 Subject's name associated with this event.
AUTO_X500_ISSUER Char 255 842 1096 Issuer's name associated with this event.
AUTO_SERV_POENAME Char 64 1098 1161 SERVAUTH resource or profile name.
AUTO_CTX_USER Char 510 1163 1672 Authenticated user name.
AUTO_CTX_REG Char 255 1674 1928 Authenticated user registry name.
AUTO_CTX_HOST Char 128 1930 2057 Authenticated user host name.
AUTO_CTX_MECH Char 16 2059 2074 Authenticated user authentication mechanism object identifier (OID).
AUTO_MOD_SERVICE Char 20 2076 2095 Service or process name.
AUTO_MOD_CLASS Char 8 2097 2104 Class for automatically updated profile.
AUTO_MOD_PROF Char 255 2106 2360 Auto-updated profile name.
AUTO_MOD_DATA Char 4000 2362 6361 Auto-updated profile data.
AUTO_IDID_USER Char 985 6363 7347 Authenticated distributed user name.
AUTO_IDID_REG Char 1021 7349 8369 Authenticated distributed user registry name.
Table 175. Event qualifiers for AUTOPROF records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful profile update.

The RPKIQREC record extension

Table 176. Format of the RPKIQREC record extension (event code 89)
Field name Type Length Position Comments
Start End
RPKQ_APPL Char 8 282 289 The application data or application name from the original request.
RPKQ_LOGSTRING Char 255 291 545 Logstring parameter.
RPKQ_USER_NAME Char 20 547 566 The name associated with the user ID.
RPKQ_UTK_ENCR Yes/No 4 568 571 Is the UTOKEN associated with this user encrypted?
RPKQ_UTK_PRE19 Yes/No 4 573 576 Is this a pre-1.9 token?
RPKQ_UTK_VERPROF Yes/No 4 578 581 Is the VERIFYX propagation flag set?
RPKQ_UTK_NJEUNUSR Yes/No 4 583 586 Is this the NJE undefined user?
RPKQ_UTK_LOGUSR Yes/No 4 588 591 Is UAUDIT specified for this user?
RPKQ_UTK_SPECIAL Yes/No 4 593 596 Is this a SPECIAL user?
RPKQ_UTK_DEFAULT Yes/No 4 598 601 Is this a default token?
RPKQ_UTK_UNKNUSR Yes/No 4 603 606 Is this an undefined user?
RPKQ_UTK_ERROR Yes/No 4 608 611 Is this user token in error?
RPKQ_UTK_TRUSTED Yes/No 4 613 616 Is this user a part of the TCB?
RPKQ_UTK_SESSTYPE Char 8 618 625 The session type of this session.
RPKQ_UTK_SURROGAT Yes/No 4 627 630 Is this a surrogate user?
RPKQ_UTK_REMOTE Yes/No 4 632 635 Is this a remote job?
RPKQ_UTK_PRIV Yes/No 4 637 640 Is this a privileged user ID?
RPKQ_UTK_SECL Char 8 642 649 The SECLABEL of the user.
RPKQ_UTK_EXECNODE Char 8 651 658 The execution node of the work.
RPKQ_UTK_SUSER_ID Char 8 660 667 The submitting user ID.
RPKQ_UTK_SNODE Char 8 669 676 The submitting node.
RPKQ_UTK_SGRP_ID Char 8 678 685 The submitting group name.
RPKQ_UTK_SPOE Char 8 687 694 The port of entry.
RPKQ_UTK_SPCLASS Char 8 696 703 Class of the POE.
RPKQ_UTK_USER_ID Char 8 705 712 User ID associated with the record.
RPKQ_UTK_GRP_ID Char 8 714 721 Group name associated with the record.
RPKQ_UTK_DFT_GRP Yes/No 4 723 726 Is a default group assigned?
RPKQ_UTK_DFT_SECL Yes/No 4 728 731 Is a default SECLABEL assigned?
RPKQ_SERIAL_NUMBER Char 255 733 987 Certificate serial number.
RPKQ_ISSUERS_DN Char 255 989 1243 Certificate issuer's distinguished name.
RPKQ_UTK_NETW Char 8 1245 1252 The port of entry network name.
RPKQ_X500_SUBJECT Char 255 1254 1508 Subject's name associated with this event.
RPKQ_X500_ISSUER Char 255 1510 1764 Issuer's name associated with this event.
RPKQ_NOTBEFOR_DATE Char 10 1766 1775 Requested certificate NotBefore date.
RPKQ_NOTAFTER_DATE Char 10 1777 1786 Requested certificate NotAfter date.
RPKQ_SUBJECTS_DN Char 255 1788 2042 Certificate subject's distinguished name.
RPKQ_REQUESTOR Char 32 2044 2075 Requester's email address.
RPKQ_SERV_POENAME Char 64 2077 2140 SERVAUTH resource or profile name.
RPKQ_CA_DOMAIN Char 8 2142 2149 Domain name of the target PKI Services instance.
RPKQ_CTX_USER Char 510 2151 2660 Authenticated user name.
RPKQ_CTX_REG Char 255 2662 2916 Authenticated user registry name.
RPKQ_CTX_HOST Char 128 2918 3045 Authenticated user host name.
RPKQ_CTX_MECH Char 16 3047 3062 Authenticated user authentication mechanism object identifier (OID).
RPKQ_KEY_ID Char 40 3064 3103 Hash of the public key generated by PKI Services.
RPKQ_IDID_USER Char 985 3105 4089 Authenticated distributed user name.
RPKQ_IDID_REG Char 1021 4091 5111 Authenticated distributed user registry name.
Table 177. Event qualifiers for RPKIQREC records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful user QRECOVER request.
INSAUTH 01 Insufficient authority for user QRECOVER.

The PKIGENC record extension

Table 178 describes the format of a record that is created by PKIGENC.
The event qualifiers that can be associated with PKIGENC records are shown in Table 179.
Table 178. Format of the PKIGENC record extension (event code 90)
Field name Type Length Position Comments
Start End
PKGC_CERT_FGRPRNT Char 64 282 345 Subject Certificate SHA256 fingerprint in printable hex value
PKGC_ISU_CERT_FGRPRNT Char 64 347 410 Issuer Certificate SHA256 fingerprint in printable hex value
PKGC_SERIAL_NUM Char 255 412 666 Certificate serial number
PKGC_ISSUERS_DN Char 255 668 922 Certificate issuer distinguished name
PKGC_SUBJECTS_DN Char 255 924 1178 Certificate subject distinguished name
PKGC_NOTBEFOR_DATE Char 10 1180 1189 Certificate start date
PKGC_NOTAFTER_DATE Char 10 1191 1200 Certificate expiration date
PKGC_CA_DOMAIN Char 8 1202 1209 Domain name of target PKI Services instance
Table 179. Event qualifiers for PKIGENC records
Event qualifier Event qualifier number Event description
SUCCESS 00 Successful certificate GENCERT request.

The PRLIMIT record extension

Table 180 describes the format of a record that is created by the prlimit() API.
The event qualifiers that can be associated with prlimit() are shown in Table 181.
Table 180. Format of the prlimit record extension (event code 91)
Field name Type Length Position Comments
Start End
PRLM_CLASS Char 8 282 289 Class name.
PRLM_USER_NAME Char 20 291 310 The name associated with the user ID.
PRLM_UTK_ENCR Yes/No 4 312 315 Is the UTOKEN associated with this user encrypted?
PRLM_UTK_PRE19 Yes/No 4 317 320 Is this a pre-1.9 token?
PRLM_UTK_VERPROF Yes/No 4 322 325 Is the VERIFYX propagation flag set?
PRLM_UTK_NJEUNUSR Yes/No 4 327 330 Is this the NJE undefined user?
PRLM_UTK_LOGUSR Yes/No 4 332 335 Is UAUDIT specified for this user?
PRLM_UTK_SPECIAL Yes/No 4 337 340 Is this a SPECIAL user?
PRLM_UTK_DEFAULT Yes/No 4 342 345 Is this a default token?
PRLM_UTK_UNKNUSR Yes/No 4 347 350 Is this an undefined user?
PRLM_UTK_ERROR Yes/No 4 352 355 Is this user token in error?
PRLM_UTK_TRUSTED Yes/No 4 357 360 Is this user a part of the trusted computing base (TCB)?
PRLM_UTK_SESSTYPE Yes/No 8 362 369 The session type of this session.
PRLM_UTK_SURROGAT Yes/No 4 371 374 Is this a surrogate user?
PRLM_UTK_REMOTE Yes/No 4 376 379 Is this a remote job?
PRLM_UTK_PRIV Yes/No 4 381 384 Is this a privileged user ID?
PRLM_UTK_SECL Char 8 386 393 The security label of the user.
PRLM_UTK_EXECNODE Char 8 395 402 The execution node of the work.
PRLM_UTK_SUSER_IDL Char 8 404 411 The submitting user ID.
PRLM_UTK_SNODE Char 8 413 420 The submitting node.
PRLM_UTK_SGRP_ID Char 8 422 429 The submitting group name.
PRLM_UTK_SPOE Char 8 431 438 The port of entry.
PRLM_UTK_SPCLASS Char 8 440 447 Class of the POE. Valid values are TERMINAL, CONSOLE, JESINPUT, and APPCPORT.
PRLM_UTK_USER_ID Char 8 449 456 User ID associated with the record.
PRLM_UTK_GRP_ID Char 8 458 465 Group name associated with the record.
PRLM_UTK_DFT_GRP Yes/No 4 467 470 Is a default group assigned?
PRLM_UTK_DFT_SECL Yes/No 4 472 475 Is a default security label assigned?
PRLM_APPC_LINK Char 16 477 492 Key to link together APPC records.
PRLM_AUDIT_CODE Char 11 494 504 Audit function code.
PRLM_OLD_REAL_UID Integer 10 506 515 Old real z/OS UNIX user identifier (UID).
PRLM_OLD_EFF_UID Integer 10 517 526 Old effective z/OS UNIX user identifier (UID).
PRLM_OLD_SAVED_UID Integer 10 528 537 Old saved z/OS UNIX user identifier (UID).
PRLM_OLD_REAL_GID Integer 10 539 548 Old real z/OS UNIX group identifier (GID).
PRLM_OLD_EFF_GID Integer 10 550 559 Old effective z/OS UNIX group identifier (GID).
PRLM_OLD_SAVED_GID Integer 10 561 570 Old saved z/OS UNIX group identifier (GID).
PRLM_TGT_REAL_UID Integer 10 572 581 Target real z/OS UNIX user identifier (UID).
PRLM_TGT_EFF_UID Integer 10 583 592 Target effective z/OS UNIX user identifier (UID).
PRLM_TGT_SAV_UID Integer 10 594 603 Target saved z/OS UNIX user identifier (UID).
PRLM_TGT_REAL_GID Integer 10 605 614 Target real z/OS UNIX group identifier (GID).
PRLM_TGT_EFF_GID Integer 10 616 625 Target effective z/OS UNIX group identifier (GID).
PRLM_TGT_SAV_GID Integer 10 627 636 Target saved z/OS UNIX group identifier (GID).
PRLM_TGT_PID Integer 10 638 647 Target process ID.
PRLM_DFLT_PROCESS Yes/No 4 649 652 Default z/OS UNIX security environment in effect.
PRLM_UTK_NETW Char 8 654 661 The port of entry network name.
PRLM_X500_SUBJECT Char 255 663 917 Subject's name associated with this event.
PRLM_X500_ISSUER Char 255 919 1173 Issuer's name associated with this event.
PRLM_SECL Char 8 1175 1182 Security label of the resource.
PRLM_SERV_POENAME Char 64 1184 1247 SERVAUTH resource or profile name.
PRLM_CTX_USER Char 510 1249 1758 Authenticated user name.
PRLM_CTX_REG Char 255 1760 2014 Authenticated user registry name.
PRLM_CTX_HOST Char 128 2016 2143 Authenticated user host name.
PRLM_CTX_MECH Char 16 2145 2160 Authenticated user authentication mechanism object identifier (OID).
PRLM_IDID_USER Char 985 2162 3146 Authenticated distributed user name.
PRLM_IDID_REG Char 1021 3148 4168 Authenticated distributed user registry name.
Table 181. Event qualifiers for PRLIMIT records
Event qualifier Event qualifier number Event description
SUCCESS 00 Prlimit successful.
NOTAUTH 01 Not authorized to issue prlimit.
INSSECL 02 Insufficient security label.