z/OS Security Server RACF Macros and Interfaces
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Reformatted process records

z/OS Security Server RACF Macros and Interfaces
SA23-2288-00

RACF® SMF record types 20, 30, 80 and 83 become reformatted process records. These records are variable in length. Note that a RACF SMF record type 80 generated by a SETROPTS or an RVARY command also causes the creation of a reformatted status record.

The layout of the common section of the reformatted process record is:
Offsets
Dec. Hex. Name Length Format Description
0 0 RCDLEN 2 binary Total record length
2 2 - 2 binary Reserved for IBM's use
4 4 RCDRELNO 1 binary Release of RACF
5 5 RCDREFMT 1 binary Reformat indicator (if this byte is X'00', the record has been reformatted to the RACF Version 1 Release 6/7 format)
6 6 RCDSYSID 4 EBCDIC System identification
10 A RCDTYPE 1 EBCDIC Record type (80 decimal)
11 B RCDTIME 4 packed Unsigned packed decimal in the form HHMMSSTH
15 F   1 EBCDIC Reserved for IBM's use
16 10 RCDDATE 3 packed Date in form YYDDDF, where F is the sign
19 13 RCDFIXLN 2 binary Offset from the start of the record to the first relocate section
21 15 RCDCOMLN 2 binary Offset from the start of the record to the record dependent fields
23 17 RCDCNT 2 binary Number of relocate segments
25 19 RCDEVENT 1 binary Event code
26 1A RCDQUAL 1 binary Event code qualifier
27 1B RCD80FLG 1 binary Descriptor flags:
Bit
Meaning when set
0
This record is for security violations.
1
This record is for a job/step, not a user/group.
2
This record is truncated.
3
This record is for a warning.
4-7
Reserved for IBM's use.
28 1C   1 binary Reserved for IBM's use
29 1D RCDUSER 8 EBCDIC Identifier of the user for which this event is recorded (or jobname if the user is not defined to RACF)
37 25 RCDGROUP 8 EBCDIC Group to which the user was connected (or stepname if the user is not defined to RACF)
45 2D RCDLOGCL 1 binary Type of event by number:
Number
Type
1
LOGON/ JOB
2
Entity access
3
RACF command
46 2E RCDCLASS 8 EBCDIC Resource class name (see Note 1). This field contains binary zeros for records written by the RVARY and SETROPTS commands.
54 36 RCDNAME 44 EBCDIC Resource name (see Notes 1 and 6). This field contains the user ID for a LOGON/JOB; the resource name for a resource access.
98 62 RCDJOBID 8 EBCDIC Job name
106 6A   1 EBCDIC Reserved for IBM's use
107 6B RCDDATID 3 packed Date that the reader recognized the JOB card for this job in the form YYDDDF
110 6E RCDTIMID 4 EBCDIC Time that the reader recognized the JOB card for this job in the form HHMMSSTH
114 72 RCDUSRDA 8 EBCDIC User identification field
122 7A RCD80TRM 8 EBCDIC Terminal identification field
130 82 RCD80TML 1 binary Terminal level number
131 83 RCDOWNER 8 EBCDIC Owner of the resource
139 8B RCDUSRSM 20 EBCDIC User name
159 9F RCDVRM 4 EBCDIC Release, version, and modification number
163 A3 RCDSEC 8 EBCDIC User's security label
171 AB RCDLINK 4 binary LINK to connect data sets affected by a security label change with RACF command (ALTDSD, ADDSD, DELDSD) that caused the change.
175 AF RCDSTYPE 2 binary SMF record subtype
177 B1 RCDNAMEO 2 binary See Note 6. Offset in variable section to relocate section type if entity name is greater than 44 characters or X'7FFF' if resource name is less than or equal to 44 characters.
179 B3 RCDPVAU1 4 binary The APPLAUDIT key, part 1 of 2
183 B7 RCDPVAU2 4 binary The APPLAUDIT key, part 2 of 2
For process records, the record-dependent section is:
Offsets
Dec. Hex. Name Length Format Description
0 0 RCD80ATH 1 binary Authority used:
Bit
Meaning when set
0
Normal authority
1
SPECIAL attribute
2
OPERATIONS attribute
3
AUDITOR attribute
4
Exit routine granted authority
5
Failsoft processing
6
Bypassed-user ID=*BYPASS*
7
Trusted attribute
1 1 RCD80REA 2 binary Reason for logging:
Bit
Meaning when set
0
Class being audited
1
User being audited
2
Special user being audited
3
Resource being audited, installation-requested logging in effect, or failsoft processing
4
RACINIT failures being audited
5
Command always causes auditing
6
Command violations being audited
7
Audited because GLOBALAUDIT option in effect
8
SECLEVEL audit
9-15
Contains the remaining data from SMF80RE2
3 3 RCD80ERR 1 binary Error indicators:
Bit
Meaning when set
0
Command could not recover
1
Profile not altered
2-7
Reserved for IBM's use
4 4 RCDQUAL1 8 EBCDIC Qualifier for old data set name (see Note 2)
12 C RCDQUAL2 8 EBCDIC Qualifier for new data set name (see Note 3)
20 14 RCDDLEV 1 binary Data set level number (see Note 4)
21 15 RCDDINT 1 binary Access authority requested: (see Note 4)
Bit
Access authority
0
ALTER
1
CONTROL
2
UPDATE
3
READ
4-7
Reserved for IBM's use.
22 16 RCDDALWD 1 binary Access authority allowed: (see Note 4)
Bit
Access Authority
0
ALTER
1
CONTROL
2
UPDATE
3
READ
4
NONE
5
EXECUTE
6-7
Reserved for IBM's use
23 17 RCDDVOL 6 EBCDIC Volume serial (see Note 4)
29 1D RCDDOLDV 6 EBCDIC OLDVOL volume serial (see Note 4)
35 23 RCD80GNS 1 binary 1=Generic name specified
36 24 RCD80GSP 1 binary 1=Generic name specified on FROM keyword of PERMIT
37 25 RCD80RRF 1 binary 1=The old name of the RACROUTE REQUEST=DEFINE-renamed data set from data type 33 relocate section
38 26 RCD80RRT 1 binary 1=The new name of the RACROUTE REQUEST=DEFINE-renamed data set from data type 33 relocate section
39 27 RCDGENAM 44 EBCDIC Generic profile used or generic resource name (see Note 7)
83 53 RCDGNNMF 44 EBCDIC Generic profile used on RACROUTE REQUEST=DEFINE RENAME or generic resource name on RACROUTE REQUEST=DEFINE RENAME Relocate Section: (see Notes 5 and 8)
127 7F RCDGENAO 2 binary See Note 7
129 81 RCDGNNMO 2 binary See Note 8
Variable relocate section map
+0 +0 RCDDTYPE 1 binary Data type
+1 +1 RCDDLGT 1 binary Length of data that follows
+2 +2 RCDDATA variable mixed Data

Note 1: In order to support sorting by resource class name and resource name for the list report, the RACF report writer ensures that these fields contain valid names. The following table indicates the resource class names and the resource names assigned by the RACF report writer for each of the event codes in RCDEVENT. (Uppercase letters indicate that the value appears as shown, lowercase letters identify the field in the SMF type 80 record from which the name is obtained, and a number in parentheses identifies the relocate section in the SMF type 80 record from which the name is obtained.)

If RCDEVENT is Resource class name Resource name
1 USER user ID (SMF80USR)
2 class name (17) resource name (1)
3 class name (17) resource name (1)
4 class name (17) resource name (1)
5 class name (17) resource name (1)
6 class name (17) resource name (1)
7 class name (17) resource name (1)
8 DATASET data set name (6)
9 GROUP group name (6)
10 USER user ID (6)
11 DATASET data set name (6)
12 GROUP group name (6)
13 USER user ID (6)
14 USER user ID (6)
15 DATASET data set name (6)
16 GROUP group name (6)
17 USER user ID (6)
18 USER user ID (6)
19 class name (17) resource name (9)
20 class name (17) resource name (9)
21 class name (17) resource name (9)
22 class name (17) resource name (9)
23 USER user ID (6)
24 none none
25 none none

Note 2: The RACF report writer compares this field to the DSQUAL keyword specified on the EVENT subcommand. The report writer initializes RCDQUAL1 to the high-level qualifier of the old data set name found in RCDNAME at offset 41 (29 hex) of this record. The RACF report writer exit routine, ICHRSMFE, can modify this field.

Note 3: The RACF report writer compares this field to the NEWDSQUAL keyword specified on the EVENT subcommand. The report writer initializes RCDQUAL to the high-level qualifier of the new data set name found in the relocate section for data type 2 (SMF80DTP = 2). The RACF report writer exit routine, ICHRSMFE, can modify this field.

Note 4: This field is present for event codes 2–7 (SMF80EVT=2 through SMF80EVT=7) only.

Note 5: See Table of event codes and event code qualifiers and Table of relocate section variable data earlier in this topic for a further explanation of these event codes and data types.

Note 6: With RACF 1.9 or later, entity names can be a maximum of 254 characters. Entity names containing 45–254 characters are referred to as long names. Field RCDNAME cannot be expanded in order to support existing reformatted records. Long resource names are handled as follows:
  • Field RCDNAMEO contains the offset in the variable section of the reformatted record of relocate type which contains the long resource name.
  • Field RCDNAMEO is X'7FFF' if the resource name is less than or equal to 44 characters in length.
Note 7: With RACF 1.9 or later, entity names can be a maximum of 254 characters. Field RCDGENAM cannot be expanded in order to support existing reformatted records. Long resource names are handled as follows:
  • Field RCDGENAO contains the offset in the variable section of the reformatted record of relocate type which contains the long resource name.
  • Field RCDGENAO is X'7FFF' if the resource name is less than or equal to 44 characters in length.
Note 8: With RACF 1.9 or later, entity names can be a maximum of 254 characters. Field RCDGNNMF cannot be expanded in order to support existing reformatted records. Long resource names are handled as follows:
  • Field RCDGNNMO contains the offset in the variable section of the reformatted record of relocate type which contains the long resource name.
  • Field RCDGNNMO is X'7FFF' if the resource name is less than or equal to 44 characters in length.
Parent topic: Reformatted RACF SMF records

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014