Event 2( 2): RESOURCE ACCESS

This event is logged by RACROUTE REQUEST=AUTH, RACROUTE REQUEST=DIRAUTH and RACROUTE REQUEST=FASTAUTH.

The explanations of the event code qualifiers for Event 2 are:
 0(0)
SUCCESSFUL ACCESS The user has authorization to the resource.
 1(1)
INSUFFICIENT AUTHORITY The user does not have authorization to the resource.
 2(2)
PROFILE NOT FOUND—RACFIND SPECIFIED ON MACRO If the request is AUTH, the RACFIND keyword equaled YES on the authorization request, specifying that a discrete profile should exist for the resource. No discrete or generic RACF® protection was found.

If the request is FASTAUTH, the program is not controlled and the PADS data sets are open.

 3(3)
ACCESS PERMITTED DUE TO WARNING The user does not have proper authority to the resource. However, the resource's profile has the WARNING option and allows the access.
Note:

Exceptions

  • PROGRAM class profiles cannot use the WARNING option.
  • RACLISTed profiles use the WARNING option only if they are RACLISTed by SETROPTS or a RACROUTE REQUEST=LIST that specifies RELEASE=1.8 or later.
 4(4)
FAILED DUE TO PROTECTALL SETROPTS PROTECTALL FAILURES is in effect, and the data set has not been protected by a discrete or generic profile.
Note:

Exceptions

  • A privileged user bypasses this checking (no auditing done).
  • A trusted user bypasses the checking, but can be audited with the SETROPTS LOGOPTIONS command.
  • A user with the SPECIAL attribute gets a warning (see Qualifier 5).
  • A system-generated temporary data set does not require protection.
 5(5)
WARNING ISSUED DUE TO PROTECTALL SETROPTS PROTECTALL WARNING is in effect, and the data set has not been protected by a discrete or generic profile. The authorization request does not fail.

The exceptions in Qualifier 4 also apply.

 6(6)
INSUFFICIENT CATEGORY/SECLEVEL The installation uses categories or security levels as separate entities. One of the following occurred:
  • The user's SECLEVEL is less than the SECLEVEL of the resource.
  • The user is not a member of every CATEGORY associated with the resource.
 7(7)
INSUFFICIENT SECURITY LABEL AUTHORITY The SECLABEL class is active and one of the following occurred:
  • The user's security label does not dominate the resource's.
  • The user does not have a security label, but the resource does.
  • SETROPTS MLACTIVE FAILURES is in effect, and either the user or the resource is missing a security label. One exception is explained in Qualifier 8.
  • The resource's class requires reverse domination checking, and the resource's security label does not dominate the user's.
  • SETROPTS MLS FAILURES is in effect; the user's security label does not equal the resource's, and the requested access is UPDATE or CONTROL. One exception is explained under Qualifier 9.
 8(8)
SECURITY LABEL MISSING FROM JOB, USER OR PROFILE One of the following occurred:
  • SETROPTS MLACTIVE WARNING is in effect, the SECLABEL class is active, and either the resource or user is missing a security label.
  • SETROPTS MLACTIVE FAILURES is in effect, the user has the SPECIAL attribute, and either the resource or the user is missing a security label.
 9(9)
WARNING—INSUFFICIENT SECURITY LABEL AUTHORITY One of the following occurred:
  • The SECLABEL class is active, SETROPTS MLS WARNING is in effect, the user's security label does not equal the resource's security label, and the requested access is UPDATE or CONTROL.
  • SETROPTS MLS FAILURES is in effect, the user's security label does not equal the resource's security label, the requested access is UPDATE or CONTROL, and the user has the SPECIAL attribute.
10(A)
WARNING—DATA SET NOT CATALOGED SETROPTS CATDSNS WARNING is in effect. The data set being accessed cannot be cataloged.

See z/OS Security Server RACF Command Language Reference for more information.

11(B)
DATA SET NOT CATALOGED SETROPTS CATDSNS FAILURES is in effect. The data set being accessed cannot be cataloged. If the user has the SPECIAL attribute, only a warning is issued (see Qualifier 10).

See z/OS Security Server RACF Command Language Reference for more information.

12(C)
PROFILE NOT FOUND—REQUIRED FOR AUTHORITY CHECKING A profile was not found for the general resource, and that resource's class has a default return code greater than 4. The authorization request fails.
13(D)
WARNING—INSUFFICIENT CATEGORY/SECLEVEL The installation uses categories or security levels as separate entities. One of the following occurred:
  • The user's SECLEVEL is less than the SECLEVEL of the resource.
  • The user is not a member of every CATEGORY associated with the resource.
The resource profile has the WARNING option, so access is given.
Note:

Exceptions

  • PROGRAM class profiles cannot use the WARNING option.
  • RACLISTed profiles can use the WARNING option only if they are RACLISTed by SETROPTS or a RACF 1.8 (or later) RACROUTE REQUEST=LIST.
14(E)
WARNING—NON-MAIN EXECUTION ENVIRONMENT Non-MAIN execution environment was detected while in ENHANCED PGMSECURITY mode. Conditional access for Program Access to Data Sets (PADS) or access to EXECUTE-controlled program is temporarily allowed.
15(F)
CONDITIONAL ACCESS ALLOWED VIA BASIC MODE PROGRAM Conditional access for Program Access to Data Sets (PADS) or access to EXECUTE-controlled program is allowed through the BASIC mode program while in ENHANCED PGMSECURITY mode.
Parent topic: Event code qualifiers