z/OS Security Server RACF Macros and Interfaces


Event 1(1): JOB INITIATION/TSO LOGON/TSO LOGOFF

SA23-2288-00

This event is logged by RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX. Installation exit ICHRIX02 can change the return code of the RACROUTE REQUEST=VERIFY or RACROUTE REQUEST=VERIFYX request to any value. The return code significantly influences the corresponding audit record's event code 1 qualifier. You should be familiar with any ICHRIX02 processing in effect for your installation. See z/OS Security Server RACF System Programmer's Guide for details.

For this event, code qualifiers 0 and 8 do not exist as type 80 records. They are contained in the unloaded records from the RACF® SMF data unload utility (IRRADU00) and as reports and reformatted records from the RACF report writer (RACFRW).

The explanations of the event code qualifiers for Event 1 are:
 0(0)
SUCCESSFUL INITIATION The job began successfully.
 1(1)
INVALID PASSWORD The password specified on the job card or at logon is incorrect.
 2(2)
INVALID GROUP The user tried to log on or to initiate a job using a group that the user is not a member of.
 3(3)
INVALID OIDCARD Operator identification cards are used at the installation, and the data received from the one used does not match that of the user's profile.
 4(4)
INVALID TERMINAL/CONSOLE The user is not authorized to the port of entry (POE). There are four kinds of POEs, each with its own profile class: APPCPORT, CONSOLE, JESINPUT, and TERMINAL. One of the following occurred:
  • The port of entry is active but the user is not authorized.
  • The user is denied access because of conditional days/times in the user profile.
  • The user is denied access because of conditional days/times in the class profile (TERMINAL class only).
 5(5)
INVALID APPLICATION The APPL class is active, and the user is trying to log on to an application without authorization.
 6(6)
REVOKED USER ID ATTEMPTING ACCESS The user ID specified on the logon or job card has been revoked. One of the following occurred:
  • The installation-defined limit of password attempts was reached at an earlier time.
  • The inactive interval was reached.
  • The revoke date in the user's profile is in effect.
  • The RACF administrator revoked the user ID.
The RACF administrator must reset the user ID before the user can log on again.
 7(7)
USER ID AUTOMATICALLY REVOKED The user ID has been automatically revoked. The installation-defined limit of password and password phrase attempts was reached.
 8(8)
SUCCESSFUL TERMINATION The job completed successfully.
 9(9)
UNDEFINED USER ID The user ID specified on the job card or at logon is not defined to the RACF database.
10(A)
INSUFFICIENT SECURITY LABEL AUTHORITY One of the following occurred:
  • SETROPTS MLS FAILURES is in effect and the user's security label does not dominate the submitter's security label. Two exceptions are explained under Qualifier 20.
  • SETROPTS MLACTIVE FAILURES is in effect and the job card/logon attempt does not specify a valid security label. One exception is explained under Qualifier 21.
11(B)
NOT AUTHORIZED TO SECURITY LABEL The user is not authorized to the security label specified. One exception is explained under Qualifier 22.
12(C)
SUCCESSFUL RACINIT INITIATION The job or user was verified.
13(D)
SUCCESSFUL RACINIT DELETE The job completed or the user logged off.
14(E)
SYSTEM NOW REQUIRES MORE AUTHORITY SETROPTS MLQUIET is in effect. If this is a user verification, the user is not a console operator and does not have the SPECIAL attribute. If this is a job verification, the job is not part of the trusted computing base (TCB). The verification fails.
15(F)
REMOTE JOB ENTRY—JOB NOT AUTHORIZED The submitting node is not authorized to the system; a NODES profile prevents remote job entry. The profile has the format 'submit_node.RUSER.userid' and has a UACC of NONE.
Note: Surrogate Function Qualifiers:

Qualifiers 16, 17, and 18 involve the use of the surrogate function, and occur if any of the following conditions is met:
  • The SURROGAT class is active.
  • General resource profiles of the SURROGAT class are defined for the job card's user ID, and the user ID submitting the job is permitted to the profile with at least READ access.
  • The submitter is authorized to the security label of the job.
For more information, see z/OS Security Server RACF Security Administrator's Guide.
16(10)
SURROGATE CLASS IS INACTIVE The SURROGAT class is inactive. The job card has a user ID that is different from the submitter's user ID, and there is no password specified.
17(11)
SUBMITTER IS NOT AUTHORIZED BY USER The SURROGAT class is active. Either there is no SURROGAT profile for the job card's user ID, or the submitter's user ID is not permitted to the profile.
18(12)
SUBMITTER IS NOT AUTHORIZED TO SECURITY LABEL The SECLABEL class is active and there is a security label on the job card. The submitter is not authorized to the security label specified on the job card.
19(13)
USER IS NOT AUTHORIZED TO JOB The JESJOBS class is active, and the user is not authorized to the jobname.
20(14)
WARNING—INSUFFICIENT SECURITY LABEL AUTHORITY One of the following occurred:
  • SETROPTS MLS WARNING is in effect and the security label on the job card does not dominate the submitter's security label.
  • SETROPTS MLS FAILURES is in effect, the user's security label does not dominate the submitter's, and the user has the SPECIAL attribute.
  • SETROPTS MLS FAILURES and SETROPTS COMPATMODE are in effect, the user's security label does not dominate the submitter's, and the submitter's or the job owner's security label is the default.
The verification does not fail.
21(15)
WARNING—SECURITY LABEL MISSING FROM JOB, USER, OR PROFILE One of the following occurred:
  • MLACTIVE WARNING is in effect, and the job card or logon attempt did not specify a valid security label.
  • MLACTIVE FAILURES is in effect, the user has the SPECIAL attribute, and a valid security label is not specified.
The verification does not fail.
22(16)
WARNING—NOT AUTHORIZED TO SECURITY LABEL The user has the SPECIAL attribute, the security label is SYSHIGH, and the user does not have authority to it. The verification does not fail.
23(17)
SECURITY LABELS NOT COMPATIBLE SETROPTS MLS is not active, the submitter's user ID is different from the user ID on the job card, and the submitter's and the user's security labels are disjoint (neither one dominates the other).

One exception is listed under Qualifier 24.

24(18)
WARNING—SECURITY LABELS NOT COMPATIBLE SETROPTS MLS is not active, the submitter's user ID is different from the user ID on the job card, the submitter's and user's security labels are disjoint, SETROPTS COMPATMODE is in effect, and the submitter's or user's security label is the default. The verification does not fail.
25(19)
CURRENT PASSWORD HAS EXPIRED The user's password has expired for one of the following reasons:
  • The installation specification in the SETROPTS PASSWORD INTERVAL command
  • Creation of the password in the ADDUSER command
  • Alteration of the password with the ALTUSER PASSWORD command
26(1A)
INVALID NEW PASSWORD The new password specified may be incorrect because:
  • It is all blanks.
  • The characters are not all alphanumeric.
  • The characters do not match the installation's password syntax rules (set by the SETROPTS PASSWORD command).
  • It is the same as a past password (the extent of the past history determined by the SETROPTS PASSWORD HISTORY command).
  • It is marked invalid by the installation's password exit.
  • It is too soon to change the password (as determined by the SETROPTS PASSWORD MINCHANGE command).
27(1B)
VERIFICATION FAILED BY INSTALLATION The installation exit ICHRIX01 or ICHRIX02 failed the request.
28(1C)
GROUP ACCESS HAS BEEN REVOKED The user's membership to the group specified has been revoked.
29(1D)
OIDCARD IS REQUIRED An OIDCARD is required by the installation but none was given.
30(1E)
NETWORK JOB ENTRY—JOB NOT AUTHORIZED For session types of NJE SYSOUT or NJE BATCH, the verification fails because one of the following occurred:
  • The user, group, or security label requirements in the NODES profiles were not met.
  • The submitter's node is not valid.
  • The reverify check failed.
See z/OS Security Server RACF Security Administrator's Guide for details on NJE.
31(1F)
WARNING—UNKNOWN USER FROM TRUSTED NODE PROPAGATED The combination of having a trusted node submit a job with the undefined user ID warrants this logging. The verification does not fail.

For an NJE BATCH job, the submitting user is the NJE undefined user ID. The default NJE undefined user ID is eight question marks (????????), unless it was changed with the SETROPTS JES NJEUSERID command. The submitting node is trusted (its best-fit NODES profile on the receiving node's system has a UACC of at least UPDATE). This profile allows propagation of submitters; however, the undefined user ID does not propagate.

32(20)
SUCCESSFUL INITIATION USING PASSTICKET Logon was achieved using a PassTicket.
33(21)
ATTEMPTED REPLAY OF PASSTICKET Logon was rejected because of attempted replay of a PassTicket.
34(22)
CLIENT SECURITY LABEL NOT EQUIVALENT TO SERVER'S Logon was rejected because security labels are not equivalent.
35(23)
USER AUTOMATICALLY REVOKED DUE TO INACTIVITY A user has not logged on, submitted a job or accessed the system for so long that the user ID has become inactive. RACF prevents the user from accessing the system.
36(24)
PASS PHRASE IS NOT VALID A user attempted to access the system specifying a password phrase that is not valid or specifying a password phrase for a protected user ID. RACF prevents the user from accessing the system.
37(25)
NEW PASS PHRASE IS NOT VALID Logon was rejected because the new password phrase is not valid.
38(26)
CURRENT PASS PHRASE HAS EXPIRED Logon was rejected because the current password phrase has expired.
39(27)
NO RACF USER ID FOUND FOR DISTRIBUTED IDENTITY Logon was rejected because no RACF user ID was found for the distributed identity.
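
The following triage sketch is an added example, not IBM code or part of the RACF documentation. It groups the Event 1 qualifiers above into success, warning (logged, but the verification does not fail) and failure, then flags the patterns an analyst usually reviews first. The grouping is this example's reading of the descriptions, and the (user ID, qualifier) event tuples, the function names and the threshold of 3 are assumptions.

```python
from collections import defaultdict

# Grouping is this example's reading of the qualifier descriptions above.
SUCCESS = {0, 8, 12, 13, 32}
WARNING = {20, 21, 22, 24, 31}   # logged, but "the verification does not fail"
BAD_SECRET = {1, 36}             # invalid password / password phrase
AUTO_REVOKE = 7                  # attempt limit reached
PASSTICKET_REPLAY = 33
UNDEFINED_USER = 9


def outcome(qualifier):
    """Map an Event 1 qualifier (decimal) to success, warning or failure."""
    if not 0 <= qualifier <= 39:
        raise ValueError(f"qualifier {qualifier} is not defined for Event 1")
    if qualifier in SUCCESS:
        return "success"
    return "warning" if qualifier in WARNING else "failure"


def triage(events, guess_threshold=3):
    """events: iterable of (user_id, qualifier) in log order (assumed shape).
    Returns a sorted list of (user_id, finding) pairs for analyst review."""
    bad = defaultdict(int)
    findings = set()
    for user, q in events:
        kind = outcome(q)
        if q in BAD_SECRET:
            bad[user] += 1
            if bad[user] == guess_threshold:
                findings.add((user, "repeated invalid password/phrase"))
        elif q == AUTO_REVOKE:
            findings.add((user, "auto-revoked after failed attempts"))
        elif q == PASSTICKET_REPLAY:
            findings.add((user, "PassTicket replay rejected"))
        elif q == UNDEFINED_USER:
            findings.add((user, "undefined user ID"))
        elif kind == "warning":
            findings.add((user, "admitted under warning mode"))
        elif kind == "success":
            bad[user] = 0  # a good logon ends the failure streak
    return sorted(findings)


# Constructed sample events (not real SMF data): (user ID, qualifier).
SAMPLE = [
    ("USERA", 1), ("USERA", 1), ("USERA", 1), ("USERA", 7),
    ("BATCH01", 12), ("BATCH01", 20), ("BATCH01", 13),
    ("APPSRV", 32), ("APPSRV", 33), ("GHOST", 9), ("USERB", 1), ("USERB", 0),
]

if __name__ == "__main__":
    for user, finding in triage(SAMPLE):
        print(f"{user:8} {finding}")
```

Warning-mode findings (qualifiers 20, 21, 22, 24 and 31) are worth tracking separately, because each one marks an entry that the descriptions above say is logged without failing the verification.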





Copyright IBM Corporation 1990, 2014