Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
Record type 83: Security events z/OS Security Server RACF Macros and Interfaces SA23-2288-00 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Record type 83 is a processing record for auditing security related
events. A security event can be an authentication or authorization
attempt. The service detecting the event may be RACF® or another z/OS® component.
The specific component is identified by the product section of the
SMF type 83 record.
Note:
The format is:
Product sectionThe product section exists in all SMF type 83 records. It is filled in for subtype 1 records. The product section in the record can be located by adding the SMF83OPD field to the beginning of the SMF record. The product section is mapped in the following table.
Security sectionThe security section is common to all record type 83 subtypes. It identifies the specific event and the result. The information in the security section and the relocate sections
provide additional information about the event.
Any authentication or authorization request may succeed or fail because of one of several authority checks that grant access to the system or resource. The information in the audit record is limited to the specific authority check that succeeded or failed. The audit record does not contain all of the authorities the user has or all of the authorities that could allow access to the system or resource. The security section in the record can be located by adding the SMF83OD1 field to the beginning of the SMF record Subtype 1
Subtype 2 and above
Relocate sectionsTwo types of relocate sections may be used by type 83 records-standard relocates or extended relocates. They are described below. The start of the relocate sections in the record can be located by adding the SMF83OD2 field to the beginning of the SMF record. The relocate sections for subtype 1 use the standard relocate section format. The data types for the relocate sections for subtype 1 are described in the Table of relocate section variable data The relocate sections for subtypes 2 and above use the extended relocate section format. The data types (i.e. relocate types) for the subtypes are documented with the product or component that reported the security event. Data type values of 100 and above are reserved for product or component use.
The relocate data type values 1-99 that appear in an SMF type 83 subtype 2 or above record are reserved for use by the RACF auditing services. The following table lists those relocate data types that have been assigned. These data types are used only for SMF type 83 subtype 2 records and above.
|
Copyright IBM Corporation 1990, 2014
|