|
SMF Type 80 RecordThis table shows the record layout for type 80 SMF records
|
It's easy to report on SMF 80 data! (Jump to sample reports) | |
Spectrum SMF Writer handles the difficult SMF record parsing for you automatically. You just specify which fields you want to see. Spectrum SMF Writer also converts the arcane date and time fields and reformats them into an attractive report. Plus, Spectrum SMF Writer can export SMF data as comma delimited files to use on your PC.
|
Offset (Dec.) | Offset (Hex) | Name | Length | Format | Description |
0 | 0 | SMF80LEN | 2 | binary | Record length. This field and the next field (total of four bytes) form the RDW (record descriptor word). See “Standard SMF Record Header” on page 13-1 for a detailed description.
|
2 | 2 | SMF80SEG | 2 | binary | Segment descriptor (see record length field).
|
4 | 4 | SMF80FLG | 1 | binary | System indicator: Bit Meaning When Set 0-2 Reserved 3-6 Version indicators* 7 Reserved.*See “Standard SMF Record Header” on page 13-1 for a detailed description.
|
5 | 5 | SMF80RTY | 1 | binary | Record type 80 (X'50').
|
6 | 6 | SMF80TME | 4 | binary | Time since midnight, in hundredths of a second, that the record was moved into the SMF buffer.
|
10 | A | SMF80DTE | 4 | packed | Date when the record was moved into the SMF buffer, in the form 0cyydddF. See “Standard SMF Record Header” on page 13-1 for a detailed description.
|
14 | E | SMF80SID | 4 | EBCDIC | System identification (from the SID parameter).
|
18 | 12 | SMF80DES | 2 | binary | Descriptor flags
Bit Meaning When Set 0 The event is a violation 1 User is not defined to RACF 2 Record contains a version indicator (see SMF80VER) 3 The event is a warning 4 Record contains a version, release, and modification level number (see SMF80VRM) 5-15 Reserved. |
20 | 14 | SMF80EVT | 1 | binary | Event code. For information about RACF event codes, see z/OS Security Server RACF Macros and Interfaces.
|
21 | 15 | SMF80EVQ | 1 | binary | Event code qualifier. For information about RACF event codes, see z/OS Security Server RACF Macros and Interfaces.
|
22 | 16 | SMF80USR | 8 | EBCDIC | Identifier of the user associated with this event (jobname is used if the user is not defined to RACF).
|
30 | 1E | SMF80GRP | 8 | EBCDIC | Group to which the user was connected (stepname is used if the user is not defined to RACF).
|
38 | 26 | SMF80REL | 2 | binary | Offset to the first relocate section from beginning of the record header.
|
40 | 28 | SMF80CNT | 2 | binary | Count of the number of relocate sections.
|
42 | 2A | SMF80ATH | 1 | binary | Authorities used for processing commands or accessing resources. These flags indicate the authority checks made for the user who requested the action. The RACF commands use bits 0, 1, and 3; the RACF requests use bits 0, 2, and 4-7.
Bit Meaning When Set 0 Normal authority check (resource access) Bit 0 indicates that the user’s authority to issue the command or SVC was determined by the checks for a user with the SPECIAL, OPERATIONS, or AUDITOR attribute. This bit indicates that the tests were made, not that the user passed the tests and has authority to issue the command. This bit is not set on if the user has the AUDITOR attribute and entered the command with only those operands that require the AUDITOR attribute. 1 SPECIAL attribute (command processing) Bit 1 indicates that the user has the SPECIAL attribute and used this authority to issue the command. If the user also has the AUDITOR attribute and entered the command with only those operands that require the AUDITOR attribute, this bit is not set on because the user did not use his authority as a user with the SPECIAL attribute. 2 OPERATIONS attribute (resource access, command processing Bit 2 is set by RACROUTE REQUEST=AUTH and RACROUTE REQUEST=DEFINE and indicates that the user has the OPERATIONS attribute and used this authority to obtain access to the resource. 3 AUDITOR attribute (command processing) Bit 3 indicates that the user has the AUDITOR attribute and used this authority to issue the command with operands that require the AUDITOR attribute. 4 Installation exit processing (resource access) Bit 4 indicates that the user has authority because the exit routine indicated that the request is to be accepted without any further authority checks. 5 Failsoft processing (resource access) Bit 5 indicates that resource access was granted by the operator during failsoft processing. 6 Bypassed-userid = *BYPASS* (resource access) Bit 6 indicates that *BYPASS* was specified on the user ID field. Access was granted because RACF authority checking was bypassed. 7 Trusted attribute (resource access). Bit 7 indicates that the user has the trusted attribute. |
43 | 2B | SMF80REA | 1 | binary | Reason for logging. These flags indicate the reason RACF produced the SMF record
Bit Meaning When Set 0 SETROPTS AUDIT(class) - changes to this class of profile are being audited. Bit 0 is set when there are changes made to a profile in a class specified in the AUDIT operand of the SETROPTS command. 1 User being audited Bit 1 is set when a user with the AUDITOR attribute specifies the UAUDIT operand on the ALTUSER command for a user and the user has changed RACF profiles with a RACF command, or a RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE has been issued for the user. 2 SPECIAL users being audited Bit 2 is set when a user with the AUDITOR attribute specifies the SAUDIT operand on the SETROPTS command and a user with the SPECIAL attribute has changed RACF profiles with a RACF command. However, if a user has both the SPECIAL and AUDITOR attributes and issues a command with operands that require only the AUDITOR attribute, RACF does not log this activity because SPECIAL authority was not used. 3 Access to the resource is being audited due to the AUDIT option (specified when profile created or altered by a RACF command), a logging request from the RACHECK exit routine, or because the operator granted access during failsoft processing. Bit 3 is set if:
4 RACINIT failure Bit 4 is set when the RACROUTE REQUEST=VERIFY fails to verify a user because of an invalid group, password, terminal, or OIDCARD, or initACEE fails because a certificate in not defined or is not trusted. 5 This command is always audited Bit 5 is set if the RVARY or SETROPTS command produced the SMF record. (The execution of these two commands always produce an SMF record.) 6 Violation detected in command and CMDVIOL is in effect Bit 6 is set when a user with the AUDITOR attribute specifies logging of command violations (with the CMDVIOL operand on the SETROPTS command) and RACF detects a violation. 7 Access to entity being audited due to GLOBALAUDIT option. Bit 7 is set when attempts to access a RACF-protected resource are being logged, as requested by the GLOBALAUDIT option in the resource profile. |
44 | 2C | SMF80TLV | 1 | binary | Terminal level number of foreground user (zero if not available).
|
45 | 2D | SMF80ERR | 1 | binary | Command processing error flag. These flags indicate errors during command processing and the extent of the processing.
Bit Meaning When Set 0 Command had error and RACF could not back out some changes Bit 0 indicates that an error occurred that prevented the command from completing all updates requested, and the command was unable to back out the updates already done. If this bit is on, there may be an inconsistency between the profiles on the RACF database, or between the profile for a data set and the RACF-indicator for the data set in the DSCB or catalog. The latter is also indicated by a bit in the command-related information for the ADDSD, ALTDSD, and DELDSD commands. For some commands (for example, ADDUSER), the inconsistency means an incompletely defined resource. For other commands, where the profiles are already defined (for example, ALTUSER), the inconsistency means that all changes were not made, but the profiles are still usable. This bit indicates a terminating error and should not be confused with a keyword violation or processing error where the command continues processing other operands. 1 No profile updates were made because of error in RACF processing Bit 1 indicates that none of the requested changes were made, because either (1) a terminating error occurred before the changes were made, or (2) the command was able to back out the changes after a terminating error. 2-7 Reserved. |
46 | 2E | SMF80TRM | 8 | EBCDIC | Terminal ID of foreground user (zero if not available).
|
54 | 36 | SMF80JBN | 8 | EBCDIC | Job name. For RACINIT records for batch jobs, this field can be zero. The job name, time, and date that the reader recognized the JOB card (for this job) constitute the job log identification, or transaction name (for APPC output).
|
62 | 3E | SMF80RST | 4 | binary | Time since midnight, in hundredths of a second, that the reader recognized the JOB statement for this job. For RACINIT records for batch jobs, this field can be zero.
|
66 | 42 | SMF80RSD | 4 | packed | Date the reader recognized the JOB statement for this job, in the form 0cyydddF. See “Standard SMF Record Header” on page 13-1 for a detailed description. For RACINIT records for batch jobs, this field can be zero.
|
70 | 46 | SMF80UID | 8 | EBCDIC | User identification field from the SMF common exit parameter area. For RACINIT records for batch jobs, this field can be zero.
|
78 | 4E | SMF80VER | 1 | binary | Version indicator (8 = Version 1, Release 8 or later). As of RACF 1.8.1, SMF80VRM is used instead.
|
79 | 4F | SMF80RE2 | 1 | binary | Additional reasons for logging
Bit Meaning When Set 0 Security level control for auditing 1 VMEVENT Auditing 2 Class being audited due to SETROPTS LOGOPTIONS 3 Entity audited due to SETROPTS SECLABELAUDIT 4 Reserved. 5-7 Reserved. |
80 | 50 | SMF80VRM | 4 | EBCDIC | FMID for RACF
7709 z/OS Security Server (RACF) V1 R6 7720 z/OS Security Server (RACF) V1 R7 7730 z/OS Security Server (RACF) V1 R8 7740 z/OS Security Server (RACF) V1 R9 7750 z/OS Security Server (RACF) V1 R10 |
84 | 54 | SMF80SEC | 8 | EBCDIC | Security label of the user.
|
92 | 5C | SMF80RL2 | 2 | binary | Offset to extended-length relocate sections.
|
94 | 5E | SMF80CT2 | 2 | binary | Count of extended-length relocate sections.
|
96 | 60 | SMF80AU2 | 1 | binary | Authority used continued.
Bit Meaning When Set 0 OpenEdition superuser 1 OpenEdition system function 2-7 Reserved. |
97 | 61 | SMF80RSV | 1 | binary | Reserved.
|
0 | 0 | SMF80DTP | 1 | binary | Data type. For description of the variable data elements of the relocate section, see z/OS Security Server RACF Macros and Interfaces.
|
1 | 1 | SMF80DLN | 1 | binary | Length of data that follows.
|
2 | 2 | SMF80DTA | 255 | binary | For description of the variable data elements of the relocate section, see z/OS Security Server RACF Macros and Interfaces.
|
0 | 0 | SMF80TP2 | 2 | binary | Data type.
|
2 | 2 | SMF80DL2 | 2 | binary | Length of data that follows.
|
4 | 4 | SMF80DA2 | 300 | EBCDIC | Data.
|
The table above is based on the description provided by IBM in its "MVS Systems Management Facilities (SMF)" manual.
The sample SMF report below was created with Spectrum SMF Writer,
the low-cost 4GL SMF report writer.
It reads as input the SMF file and selects just the type 80 (RACF Processing) records. (See SMF 80 record layout.)
We print a report showing each RACF processing event, with a description of what the event was, and the outcome. Note that the actual SMF record just contains codes for the event and its status. Our Spectrum SMF Writer definitions include code to expand those numeric values into descriptive texts.
Spectrum SMF Writer also uses a special exit to parse the variably formatted "relocation" fields at the end of the SMF 80 record. This lets us easily print such hard-to-access details as resource name (DSNAME), authority requested and authority allowed.
These events are grouped by unique JOB and printed in JOB/timestamp order.
All of this with just a few lines of code!
Why not install a Spectrum SMF Writer trial right now and start making your own SMF reports!
INPUT: SMF80 INCLUDEIF: SMF80RTY = 80 COLUMNS: SMF80JBN('JOBNAME') SMF80TME SMF80_EVENT_NAME(20 'SMF80 EVENT NAME') SMF80_EVENT_QUAL_DESC(18 'EVENT QUALIFIER') SMF80USR('USER') SMF80GRP('GROUP') SMF80DTA_1('RESOURCE|NAME' 16) SMF80DTA_3_WORD("AUTH|REQUEST") SMF80DTA_4_WORD("AUTH|ALLOWED") SMF80DTA_17('CLASS') SORT: SMF80_JOBID BREAK: SMF80_JOBID NOTOTALS SPACE(1) TITLE: #DATE #TIME /'RACF EVENT LOG BY JOB ON' SMF80DTE / 'PAGE' #PAGE
07/04/13 4:53 AM RACF EVENT LOG BY JOB ON 07/24/06 PAGE 1 RESOURCE AUTH AUTH JOBNAME SMF80TME SMF80 EVENT NAME EVENT QUALIFIER USER GROUP NAME REQUEST ALLOWED CLASS ________ ___________ ____________________ __________________ ________ ________ ________________ _________ _______ ______ CICS3A8A 12:00:03.85 JOB INITIATION / TSO Successful RACINIT CICSUSER SYS1 CONTROL CONTROL GARRETY 11:52:12.95 RESOURCE ACCESS Successful access GARRETY GEOTEAM MVS.STOP.STC.WT4 UPDATE CONTROL OPERCM GARRETY 11:52:18.39 RESOURCE ACCESS Successful access GARRETY GEOTEAM MVS.VARY.WLM IMSREPLY 11:30:01.32 RESOURCE ACCESS Successful access IMSUSER SYS1 MVS.DISPLAY.R JES2 11:46:09.09 RESOURCE ACCESS Successful access SETUP SYS1 MVS.MODIFY.STC.F UPDATE ALTER OPERCM JES2 11:45:08.70 RESOURCE ACCESS Successful access SETUP SYS1 MVS.MODIFY.STC.F UPDATE ALTER OPERCM JES2 11:52:15.32 RESOURCE ACCESS Successful access SETUP SYS1 MVS.MODIFY.STC.F UPDATE ALTER OPERCM NETX123 11:42:11.97 RESOURCE ACCESS Successful access SETUP SYS1 MVS.CONTROL.E NETX123 11:42:12.00 RESOURCE ACCESS Successful access SETUP SYS1 MVS.CONTROL.S NETX123 11:32:58.74 RESOURCE ACCESS Successful access SETUP SYS1 MVS.DISPLAY.CONS READ ALTER OPERCM NETX123 11:33:35.44 RESOURCE ACCESS Successful access SETUP SYS1 MVS.DISPLAY.OMVS READ ALTER OPERCM NETX123 11:56:35.35 RESOURCE ACCESS Successful access SETUP SYS1 MVS.MODIFY.STC.Z UPDATE ALTER OPERCM USER031 11:30:10.60 CHECK ACCESS TO DIRE Not authorized USER031 OEDFLTG CONTROL CONTROL DIRACC USER031 11:30:10.60 CHECK ACCESS TO DIRE Not authorized USER031 OEDFLTG CONTROL CONTROL DIRACC USER031 11:30:26.92 CHECK ACCESS TO DIRE Not authorized USER031 OEDFLTG CONTROL CONTROL DIRACC USER048 11:36:19.20 CHECK ACCESS TO FILE Not authorized USER048 OEDFLTG CONTROL CONTROL FSOBJ USER097 11:30:39.32 CHECK ACCESS TO FILE Not authorized USER097 OEDFLTG CONTROL CONTROL FSOBJ XH4AMGS 11:47:18.81 JOB INITIATION / TSO Password not valid WITADM4 WITADMGP CONTROL CONTROL XH7ADM 11:35:45.41 DIRECTORY SEARCH Not authorized XH7ADM WT6CFG CONTROL CONTROL DIRSRC XH7ADM 11:35:45.41 DIRECTORY SEARCH Not authorized XH7ADM WT6CFG CONTROL CONTROL DIRSRC XH7ADM 11:55:21.94 DIRECTORY SEARCH Not authorized XH7ADM WT6CFG CONTROL CONTROL DIRSRC XH7ADM 11:55:21.94 DIRECTORY SEARCH Not authorized XH7ADM WT6CFG CONTROL CONTROL DIRSRC XH7ADM 11:32:43.57 DIRECTORY SEARCH Not authorized XH7ADM WT6CFG CONTROL CONTROL DIRSRC XH7ADM 11:32:43.57 DIRECTORY SEARCH Not authorized XH7ADM WT6CFG CONTROL CONTROL DIRSRC ...
Home |
Products |
Prices |
Documentation |
30-Day Trials |
Customer Reviews |
Company
| FAQ
| Sample Reports
| SMF Records
Send Your Comments or Questions