SMF80 fields potentially common to all or multiple RACF events
Name | Tag | Description |
|---|---|---|
SMF80ATH_Audit | Auth_Audit | Authority is AUDITOR. Indicates that the user has the AUDITOR attribute and used this authority to issue the command with operands that require the AUDITOR attribute. |
SMF80ATH_Bypass | Auth_Bypass | Indicates that *BYPASS* is specified on the user ID field. Access is granted because RACF authority checking is bypassed. |
SMF80ATH_Exit | Auth_Exit | Indicates that the user has authority because the exit routine indicated that the request is to be accepted without any further authority checks. |
SMF80ATH_Norm | Auth_Normal | Indicates that the user’s authority to issue the command or SVC is determined by the checks for a user with the SPECIAL, OPERATIONS, or AUDITOR attribute. This bit indicates that the tests are made, not that the user passed the tests and has authority to issue the command. This bit is not set on if the user has the AUDITOR attribute and entered the command with only those operands that require the AUDITOR attribute. |
SMF80ATH_Oper | Auth_Oper | Set by RACROUTE REQUEST=AUTH and RACROUTE REQUEST=DEFINE and indicates that the user has the OPERATIONS attribute and used this authority to obtain access to the resource |
SMF80ATH_Soft | Auth_Soft | Indicates that resource access is granted by the operator during failsoft processing |
SMF80ATH_Spec | Auth_Special | Indicates that the user has the SPECIAL attribute and used this authority to issue the command. If the user also has the AUDITOR attribute and entered the command with only those operands that require the AUDITOR attribute, this bit is not set on because the user did not use their authority as a user with the SPECIAL attribute. |
SMF80ATH_Trusted | Auth_Trusted | Indicates that the user has the trusted attribute |
SMF80ATHD | Auth | Authorities used for processing commands or accessing resources, expressed as text |
SMF80CAT | Cat | Constant RACF |
SMF80DES_Viol | Violation | Record is a violation |
SMF80DES_Warn | User_Warning | Record is a warning |
SMF80DESD | Desc | Descriptor flags, expressed as text |
SMF80DESDX | Desc | Descriptor flags, expressed as text. Older version maintained for compatibility. |
SMF80EVQ | Qual | Event code qualifier |
SMF80EVT | Event | Event code |
SMF80EVTQ | Event | Event code and event code qualifier expressed as a number in the form ee.qq |
SMF80EVTQD | (None) | Event code and event code qualifier expressed as text |
SMF80EVTQD_R | (None) | Event code and event code qualifier expressed as text. This field’s formatting is conditioned on the software switch RFC3164. |
SMF80EVTQDE | EventDesc | Event code and event code qualifier expressed as text |
SMF80EVTQDE_JS | EventDesc | Event code and event code qualifier expressed as text. This field’s formatting is conditioned on the software switch JSON or Splunk. |
SMF80GRP | Group | Group to which the user is connected (stepname is used if the user is not defined to RACF) |
SMF80GRP_L | groupID | Group to which the user is connected (stepname is used if the user is not defined to RACF). This field’s formatting is conditioned on the software switch LEEF. |
SMF80GRP_Sup | Group | Group to which the user is connected (stepname is used if the user is not defined to RACF). For an invalid group event, this field is formatted as ******** to obviate the problem of an incorrectly-entered TSO logon password appearing in the SIEM data. |
SMF80GRP_Sup_L | Group | Group to which the user is connected (stepname is used if the user is not defined to RACF). For an invalid group event, this field is formatted as ******** to obviate the problem of an incorrectly-entered TSO logon password appearing in the SIEM data. This field’s formatting is conditioned on the software switch LEEF. |
SMF80JBN | JobNm | Job name. For RACROUTE REQUEST=VERIFY records for batch jobs, this field can be blank. |
SMF80R15Vol | Vol | VOLSER volume serial (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE) |
SMF80R17Type | Type | Class name (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE, RDEFINE, RALTER, RDELETE, PERMIT, or VMXEVENT auditing). For z/OS UNIX, class controlling auditing for the request. |
SMF80R1Res | Res | Resource name or old resource name (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE) if not DATASET class |
SMF80R1ResDSN | DSN | Resource name or old resource name (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE) if DATASET class |
SMF80R1Res_APF | APF | APF authorization status of the resource name. For more information, see APF Status Enrichment. |
SMF80R20Pgm | Prog | Application name (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE processed) |
SMF80R20PgmX | Pgm | Application name (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE processed) with a deprecated tag |
SMF80R21 | Class | Current class options (set by SETROPTS or RACF initialization) |
SMF80R256 | AuditFunc | Audit function codes, indicating the calling service. Refer to the description of IRRPAFC in z/OS Security Server RACF Data Areas. |
SMF80R256_A | AuditFunc | Audit function codes, indicating the calling service, formatted as an array suitable for JSON. Refer to the description of IRRPAFC in z/OS Security Server RACF Data Areas. |
SMF80R257 | OldRealUid | Old real z/OS UNIX user identifier (UID) |
SMF80R258 | OldEffUid | Old effective z/OS UNIX user identifier (UID) |
SMF80R259 | OldSavedUid | Old saved z/OS UNIX user identifier (UID) |
SMF80R260 | OldRealGid | Old real z/OS UNIX group identifier (GID) |
SMF80R261 | OldEffGid | Old effective z/OS UNIX group identifier (GID) |
SMF80R262 | OldSavedGid | Old saved z/OS UNIX group identifier (GID) |
SMF80R263 | Res | Requested pathname (see also data type 299) |
SMF80R27 | ActClass | Class name from CLASSACT/NOCLASSACT keyword (SETROPTS, RVARY) |
SMF80R331 | Subject | Subject’s distinguished name |
SMF80R332 | Issuer | Issuer’s distinguished name |
SMF80R33Prof | Prof | Generic resource name or name of generic profile used |
SMF80R386 | Subject | SERVAUTH port of entry name (profile name protecting the SERVAUTH name if resourcename is unavailable) |
SMF80R38Owner | Owner | User ID or group name that owns the profile (RACROUTE REQUEST=AUTH and RACROUTE REQUEST=DEFINE and all the RACF commands that produce log records, except SETROPTS and RVARY). During DEFINE operations, this field contains the owner that the profile is defined with; in all other operations, it contains the current owner. Thus, for owner changes, it contains the old owner. |
SMF80R38OwnerA | Owner | User ID or group name that owns the profile (RACROUTE REQUEST=AUTH and RACROUTE REQUEST=DEFINE and all the RACF commands that produce log records, except SETROPTS and RVARY). During DEFINE operations, this field contains the owner that the profile is defined with; in all other operations, it contains the current owner. Thus, for owner changes, it contains the old owner. |
SMF80R392 | AuthName | Authenticated user name |
SMF80R393 | AuthRegName | Authenticated user registry name |
SMF80R394 | AuthHostName | Authenticated user host name |
SMF80R395 | AuthOID | Authenticated user authentication mechanism object identifier (OID) |
SMF80R3Req | Req | Access requested |
SMF80R3ReqA | Req | Access requested |
SMF80R424 | AuthDistName | Authenticated distributed-identity user name |
SMF80R425 | AuthDistRegName | Authenticated distributed-identity registry name |
SMF80R443Auth | AuthInfo | MFA Authentication information and authenticator used |
SMF80R44Delete | DelSeg | Delete the segment |
SMF80R44Name | SegName | Name of segment |
SMF80R44SubKeywd | SubKeywd | The subkeyword specified |
SMF80R44SubKeyWdX | SubKeywdX | The subkeyword specified and the value associated with the keyword |
SMF80R46 | LogStr | Variable length string of data specified on LOGSTR= keyword on RACROUTE macro |
SMF80R49UserNm | Name | User name from ACEE; suppressed if '########' or X'FFFFFFFF' |
SMF80R49UserNm_L | accountName | User name from ACEE; suppressed if '########' or X'FFFFFFFF'. This field’s formatting is conditioned on the software switch LEEF. |
SMF80R4Allow | Allow | Access allowed |
SMF80R55 | Key | Key to link audit records together |
SMF80R5Level | Level | Data set level number (00-99) |
SMF80R66 | DSN | Partitioned data set name |
SMF80R66_APF | APF | APF authorization status of the partitioned data set. For more information, see APF Status Enrichment. |
SMF80R7Data | Data | Installation-defined data from the DATA(‘’) parameter of ADDUSER, ALTUSER, RALTER, RDEFINE, ADDGROUP, ALTGROUP, ADDSD or ALTDSD |
SMF80REA_Always | Reas_Always | Reason for logging is Always Audited. Set if the RVARY or SETROPTS command produced the SMF record. (The execution of these two commands always produces an SMF record.) |
SMF80REA_Audit | Reas_Audit | Reason for logging is AUDIT specified. Set if: (1) the AUDIT option in the resource profile specifies that attempts to access the resource be logged; (2) the RACROUTE REQUEST=AUTH exit routine specifies unconditional logging; (3) the console operator grants the resource access during failsoft processing. |
SMF80REA_CMDVIOL | Reas_CMDVIOL | Reason for logging is command violation. Set when a user with the AUDITOR attribute specifies logging of command violations (with the CMDVIOL operand on the SETROPTS command) and RACF detects a violation. |
SMF80REA_GLOBALAUDIT | Reas_GLOBALAUDIT | Reason for logging is GLOBALAUDIT specified. Set when attempts to access a RACF-protected resource are being logged, as requested by the GLOBALAUDIT option in the resource profile. |
SMF80REA_SETROPTS | Reas_SETROPTS | Reason for logging is SETROPTS audited. Set when there are changes made to a profile in a class specified in the AUDIT operand of the SETROPTS command. |
SMF80REA_Special | Reas_Special | Reason for logging is SPECIAL audited. Set when a user with the AUDITOR attribute specifies the SAUDIT or OPERAUDIT operand on the SETROPTS command and a user with either the SPECIAL or OPERATIONS attribute has changed RACF profiles with a RACF command. To determine whether SPECIAL or OPERATIONS authority is used, see the flags in SMF80ATH. Bit 1 indicates SPECIAL. Bit 2 indicates OPERATIONS. |
SMF80REA_User | Reas_User | Reason for logging is User Audited. Set when a user with the AUDITOR attribute specifies the UAUDIT operand on the ALTUSER command for a user and the user has changed RACF profiles with a RACF command, or a RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE has been issued for the user. |
SMF80REA_Verify | Reas_Verify | Reason for logging is VERIFY specified. Set when the RACROUTE REQUEST=VERIFY fails to verify a user because of an invalid group, password, terminal, or OIDCARD, or initACEE fails because a certificate is not defined or is not trusted. |
SMF80READ | Reas | Reason for logging, expressed as text. These flags indicate the reason RACF produced the SMF record. The reason is expressed as, |
SMF80READX | Reas | Reason for logging, expressed as hex. These flags indicate the reason RACF produced the SMF record. |
SMF80RST | RdrTime | Time that the reader recognized the JOB statement for this job. For RACROUTE REQUEST=VERIFY records for batch jobs, this field can be zero. |
SMF80SEC | Sec | Security label of the user |
SMF80TOKPOE | POE | User port of entry taken from SMF 80 Relocatable section 53 User security token RUTKN |
SMF80TOKPOEX | POEclass | Port of entry class, expressed as an integer: 1 Terminal, 2 Console, 3 JESinput, 4 APPCport, 5 ServAuth |
SMF80TOKPOEXD | POEclass | Port of entry class, expressed as a text string: Terminal, Console |
SMF80TOKSTYP | SessType | Session type, expressed as an integer: 1 System Address Space, 2 Command, 3 Console Operator, 4 Started Procedure, 5 Mount, 6 TSO Logon, 7 Internal Reader Batch Job, 8 Internal Reader Execution Batch Monitor, 9 RJE Operator, 10 NJE Operator, 11 VERIFYX Unknown User ID token, 12 External Reader Batch Job, 13 RJE Batch Job, 14 NJE Batch Job, 15 NJE SYSOUT, 16 External XBM, 17 RJE XBM, 18 NJE XBM, 19 APPC Session, 20 OMVSSRV Session, 21 IP Session |
SMF80TOKSTYPD | SessType | Session type, expressed as a text string: System Address Space, Command, Console Operator |
SMF80TOKSUSR | TokSUser | Submitting userid |
SMF80TOKSURR | SurrogateFor | Surrogate userid |
SMF80TRM | TermNm | Terminal ID of foreground user (blank if not available) |
SMF80TRMX | Term | Terminal ID of foreground user (blank if not available) |
SMF80UID | UID | User identification field from the SMF common exit parameter area. For RACROUTE REQUEST=VERIFY records for batch jobs, this field can be blank. |
SMF80UID_L | usrName | User identification field from the SMF common exit parameter area. For RACROUTE REQUEST=VERIFY records for batch jobs, this field can be blank. This field’s formatting is conditioned on the software switch LEEF. |
SMF80USR | UserID | Identifier of the user associated with this event (jobname is used if the user is not defined to RACF) |
SMF80USR_L | usrName | Identifier of the user associated with this event (jobname is used if the user is not defined to RACF). This field’s formatting is conditioned on the software switch LEEF. |
SMF80USR_Sup | UserID | Identifier of the user associated with this event (jobname is used if the user is not defined to RACF). For an undefined userid event, this field is formatted as ******** to obviate the problem of an incorrectly-entered TSO logon password appearing in the SIEM data. |
SMF80USR_Sup_L | UserID | Identifier of the user associated with this event (jobname is used if the user is not defined to RACF). For an undefined userid event, this field is formatted as ******** to obviate the problem of an incorrectly-entered TSO logon password appearing in the SIEM data. This field’s formatting is conditioned on the software switch LEEF. |
SMF80USRX | User | Identifier of the user associated with this event (jobname is used if the user is not defined to RACF) |
SMF80VRMD | Ver | FMID for RACF, converted to Version and Release number in text |
Many of these descriptions are taken from z/OS Security Server RACF Macros and Interfaces © Copyright 1994, 2008 IBM Corporation.