SMF80 fields potentially common to all or multiple RACF events

SMF80ATH

(Boolean)

Auth_Special

cs3

Indicates that the user has the SPECIAL attribute and used this authority to issue the command

If the user also has the AUDITOR attribute and entered the command with only those operands that require the AUDITOR attribute, this bit is not set on because the user did not use their authority as a user with the SPECIAL attribute.

SMF80ATH_Audit

(Boolean)

Auth_Audit

cs4

Authority is AUDITOR

Indicates that the user has the AUDITOR attribute and used this authority to issue the command with operands that require the AUDITOR attribute.

SMF80ATH_Bypass

(Boolean)

Auth_Bypass

Indicates that *BYPASS* is specified on the user ID field

Access is granted because RACF authority checking is bypassed.

SMF80ATH_Exit

(Boolean)

Auth_Exit

Indicates that the user has authority because the exit routine indicated that the request is to be accepted without any further authority checks

SMF80ATH_Norm

(Boolean)

Auth_Normal

Indicates that the user’s authority to issue the command or SVC is determined by the checks for a user with the SPECIAL, OPERATIONS, or AUDITOR attribute

This bit indicates that the tests are made, not that the user passed the tests and has authority to issue the command. This bit is not set on if the user has the AUDITOR attribute and entered the command with only those operands that require the AUDITOR attribute.

SMF80ATH_Oper

(Boolean)

Auth_Oper

Set by RACROUTE REQUEST=AUTH and RACROUTE REQUEST=DEFINE and indicates that the user has the OPERATIONS attribute and used this authority to obtain access to the resource

SMF80ATH_Soft

(Boolean)

Auth_Soft

Indicates that resource access is granted by the operator during failsoft processing

SMF80ATH_Spec

(Boolean)

Auth_Special

cs3

Indicates that the user has the SPECIAL attribute and use this authority to issue the command

If the user also has the AUDITOR attribute and entered the command with only those operands that require the AUDITOR attribute, this bit is not set on because the user did not use their authority as a user with the SPECIAL attribute.

SMF80ATH_Trusted

(Boolean)

Auth_Trusted

Indicates that the user has the trusted attribute

SMF80ATHD

(Mapped Integer)

Auth

cs5

Authorities used for processing commands or accessing resources, expressed as text

SMF80CAT

(EGNX)

Cat

cat

CEF category; not displayed for non-CEF

SMF80CLAUTH_Cls

(Boolean)

CLAUTH_Cls

Authority check

SMF80DES_Viol

(Boolean)

Violation

cs1

Record is a violation

SMF80DES_Warn

(Boolean)

User_Warning

cs2

Record is a warning

SMF80DESD

Desc

Descriptor flags, expressed as text

SMF80DESDX

(Mapped Integer)

Desc

Descriptor flags, expressed as text

Older version maintained for compatibility.

SMF80EVQ

(Integer)

Qual

Event code qualifier

SMF80EVT

(Integer)

Event

Event code

SMF80EVTQ

(Integer)

Event

Event code and event code qualifier expressed as as a number in the form ee.qq

SMF80EVTQD

(Mapped Integer)

(None)

Event code and event code qualifier expressed as text

SMF80EVTQD_R

(Mapped Integer)

(None)

Event code and event code qualifier expressed as text

This field’s formatting is conditioned on the software switch RFC3164.

SMF80EVTQDE

(Mapped Integer)

EventDesc

Event code and event code qualifier expressed as text

SMF80EVTQDE_JS

(Mapped Integer)

EventDesc

Event code and event code qualifier expressed as text

This field’s formatting is conditioned on the software switch JSON or Splunk.

SMF80GRP

(EGNX)

Group

spriv

Group to which the user is connected (stepname is used if the user is not defined to RACF)

SMF80GRP_L

(EGNX)

groupID

Group to which the user is connected (stepname is used if the user is not defined to RACF)

This field’s formatting is conditioned on the software switch LEEF.

SMF80GRP_Sup

(EGNX)

Group

spriv

Group to which the user is connected (stepname is used if the user is not defined to RACF)

For an invalid group event, this field is formatted as ******** to obviate the problem of an incorrectly-entered TSO logon password appearing in the SIEM data.

SMF80GRP_Sup_L

(EGNX)

Group

spriv

Group to which the user is connected (stepname is used if the user is not defined to RACF)

For an invalid group event, this field is formatted as ******** to obviate the problem of an incorrectly-entered TSO logon password appearing in the SIEM data. This field’s formatting is conditioned on the software switch LEEF.

SMF80JBN

(EGNX)

JobNm

sproc

Job name

For RACROUTE REQUEST=VERIFY records for batch jobs, this field can be blank.

SMF80R15Vol

Vol

fileId

VOLSER volume serial (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE)

SMF80R17Type

(EGNX)

Type

fileType

Class name (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE, RDEFINE, RALTER, RDELETE, PERMIT, or VMXEVENT auditing)

For z/OS UNIX, class controlling auditing for the request.

SMF80R1Res

(EGNX)

Res

Resource name or old resource name (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE) if not DATASET class

SMF80R1ResDSN

(EGNX)

DSN

filePath

Resource name or old resource name (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE) if DATASET class

SMF80R1Res_APF

(Boolean)

APF

APF authorization status of the resource name

For more information, see SMF-record-enrichment.

SMF80R20Pgm

(EGNX)

Prog

deviceProcessName

Application name (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE processed)

SMF80R20PgmX

(EGNX)

Pgm

deviceProcessName

Application name (RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE processed) with a deprecated tag

SMF80R21

(Integer)

Class

Current class options (set by SETROPTS or RACF initialization)

SMF80R256

(Integer)

AuditFunc

Audit function codes, indicating the calling service

Refer to the description of IRRPAFC in z/OS Security Server RACF Data Areas.

SMF80R256_A

(Integer)

AuditFunc

Audit function codes, indicating the calling service, formatted as an array suitable for JSON

Refer to the description of IRRPAFC in z/OS Security Server RACF Data Areas.

SMF80R257

(Integer)

OldRealUid

Old real z/OS UNIX user identifier (UID)

SMF80R258

(Integer)

OldEffUid

Old effective z/OS UNIX user identifier (UID)

SMF80R259

(Integer)

OldSavedUid

Old saved z/OS UNIX user identifier (UID)

SMF80R260

(Integer)

OldRealGid

Old real z/OS UNIX group identifier (GID)

SMF80R261

(Integer)

OldEffGid

Old effective z/OS UNIX group identifier (GID)

SMF80R262

(Integer)

OldSavedGid

Old saved z/OS UNIX group identifier (GID)

SMF80R263

(EGNX)

Res

filePath

Requested pathname (see also data type 299)

SMF80R27

(EGNX)

ActClass

Class name from CLASSACT/NOCLASSACT keyword (SETROPTS, RVARY)

SMF80R331

(EGNX)

Subject

Subject’s distinguished name

SMF80R332

(EGNX)

Issuer

Issuer’s distinguished name

SMF80R33Prof

(EGNX)

Prof

Generic resource name or name of generic profile used

SMF80R386

Subject

SERVAUTH port of entry name (profile name protecting the SERVAUTH name if resourcename is unavailable)

SMF80R38Owner

(EGNX)

Owner

cs2

User ID or group name that owns the profile (RACROUTE REQUEST=AUTH and RACROUTE REQUEST=DEFINE and all the RACF commands that produce log records, except SETROPTS and RVARY)

During DEFINE operations, this field contains the owner that the profile is defined with; in all other operations, it contains the current owner. Thus, for owner changes, it contains the old owner.

SMF80R38OwnerA

(EGNX)

Owner

User ID or group name that owns the profile (RACROUTE REQUEST=AUTH and RACROUTE REQUEST=DEFINE and all the RACF commands that produce log records, except SETROPTS and RVARY)

During DEFINE operations, this field contains the owner that the profile is defined with; in all other operations, it contains the current owner. Thus, for owner changes, it contains the old owner.

SMF80R392

(EGNX)

AuthName

Authenticated user name

SMF80R393

(EGNX)

AuthRegName

Authenticated user registry name

SMF80R394

(EGNX)

AuthHostName

Authenticated user host name

SMF80R395

(EGNX)

AuthOID

Authenticated user authentication mechanism object identifier (OID)

SMF80R3Req

(Mapped Integer)

Req

cs1

Access requested

SMF80R3ReqA

(Mapped Integer)

Req

Access requested

SMF80R424

AuthDistName

Authenticated distributed-identity user name

SMF80R425

AuthDistRegName

Authenticated distributed-identity registry name

SMF80R443Auth

AuthInfo

MFA information and authenticator used

SMF80R44Delete

(Boolean)

DelSeg

Delete the segment

SMF80R44Name

(EGNX)

SegName

Name of segment

SMF80R44SubKeywd

SubKeywd

The subkeyword specified

SMF80R44SubKeyWdX

(EGNX)

SubKeywdX

The subkeyword specified and the value associated with the keyword

SMF80R46

(EGNX)

LogStr

Variable length string of data specified on LOGSTR= keyword on RACROUTE macro

SMF80R46XAPL

(EGNX)

DB2_LogStr

LOGSTR= contains the input portion of XAPL, used by Db2 for RACF access control

SMF80R49UserNm

(EGNX)

Name

suser

User name from ACEE; suppressed if '########' or X'FFFFFFFF'

SMF80R49UserNm_L

(EGNX)

accountName

User name from ACEE; suppressed if '########' or X'FFFFFFFF'

This field’s formatting is conditioned on the software switch LEEF.

SMF80R4Allow

(Mapped Integer)

Allow

filePermission

Access allowed

SMF80R55

Key

Key to link audit records together

SMF80R5Level

(Integer)

Level

Data set level number (00-99)

SMF80R66

DSN

filePath

Partitioned data set name

SMF80R66_APF

APF

APF authorization status of the partitioned data set

For more information, see SMF-record-enrichment.

SMF80R7Data

(EGNX)

Data

Installation-defined data from the DATA(‘’) parameter of ADDUSER, ALTUSER, RALTER, RDEFINE, ADDGROUP, ALTGROUP, ADDSD or ALTDSD

SMF80REA_Always

(Boolean)

Reas_Always

Reason for logging is Always Audited

Set if the RVARY or SETROPTS command produced the SMF record. (The execution of these two commands always produces an SMF record.)

SMF80REA_Audit

(Boolean)

Reas_Audit

Reason for logging is AUDIT specified set if:

– The AUDIT option in the resource profile specifies that attempts to access the resource be logged.

– The RACROUTE REQUEST=AUTH exit routine specifies unconditional logging.

– The console operator grants the resource access during failsoft processing.

SMF80REA_CMDVIOL

(Boolean)

Reas_CMDVIOL

Reason for logging is command violation

Set when a user with the AUDITOR attribute specifies logging of command violations (with the CMDVIOL operand on the SETROPTS command) and RACF detects a violation.

SMF80REA_GLOBALAUDIT

(Boolean)

Reas_GLOBALAUDIT

Reason for logging is GLOBALAUDIT specified

Set when attempts to access a RACF-protected resource are being logged, as requested by the GLOBALAUDIT option in the resource profile.

SMF80REA_SETROPTS

(Boolean)

Reas_SETROPTS

Reason for logging is SETROPTS audited

Set when there are changes made to a profile in a class specified in the AUDIT operand of the SETROPTS command.

SMF80REA_Special

(Boolean)

Reas_Special

Reason for logging is SPECIAL audited

Set when a user with the AUDITOR attribute specifies the SAUDIT or OPERAUDIT operand on the SETROPTS command and a user with either the SPECIAL or OPERATIONS attribute has changed RACF profiles with a RACF command. To determine whether SPECIAL or OPERATIONS authority is used, see the flags in SMF80ATH. Bit 1 indicates SPECIAL. Bit 2 indicates OPERATIONS.

SMF80REA_User

(Boolean)

Reas_User

Reason for logging is User Audited

Set when a user with the AUDITOR attribute specifies the UAUDIT operand on the ALTUSER command for a user and the user has changed RACF profiles with a RACF command, or a RACROUTE REQUEST=AUTH or ACROUTE.

REQUEST=DEFINE has been issued for the user.

SMF80REA_Verify

(Boolean)

Reas_Verify

Reason for logging is VERIFY specified

Set when the RACROUTE REQUEST=VERIFY fails to verify a user because of an invalid group, password, terminal, or OIDCARD, or initACEE fails because a certificate in not defined or is not trusted.

SMF80READ

Reas

reason

Reason for logging, expressed as text

These flags indicate the reason RACF produced the SMF record. The reason is expressed as,

SMF80READX

Reas

reason

Reason for logging, expressed as hex

These flags indicate the reason RACF produced the SMF record.

SMF80RST

RdrTime

start

Time that the reader recognized the JOB statement for this job

For RACROUTE REQUEST=VERIFY records for batch jobs, this field can be zero.

SMF80SEC

(EGNX)

Sec

Security label of the user

SMF80TOKPOE

(EGNX)

POE

cs6

User port of entry taken from SMF 80 Relocatable section 53 User security token RUTKN

SMF80TOKPOEX

(Integer)

POEclass

Port of entry class, expressed as an integer: 1 Terminal, 2 Console, 3 JESinput, 4 APPCport, 5 ServAuth

SMF80TOKPOEXD

(Mapped Integer)

POEclass

Port of entry class, expressed as a text string: Terminal, Console

SMF80TOKSTYP

(Integer)

SessType

Session type, expressed as an integer: 1 System Address Space, 2 Command, 3 Console Operator, 4 Started Procedure, 5 Mount, 6 TSO Logon, 7 Internal Reader Batch Job, 8 Internal Reader Execution Batch Monitor, 9 RJE Operator, 10 NJE Operator, 11 VERIFYX Unknown User ID token, 12 External Reader Batch Job, 13 RJE Batch Job, 14 NJE Batch Job, 15 NJE SYSOUT, 16 External XBM, 17 RJE XBM, 18 NJE XBM, 19 APPC Session, 20 OMVSSRV Session, 21 IP Session

SMF80TOKSTYPD

(Mapped Integer)

SessType

Session type, expressed as a text string: System Address Space, Command, Console Operator

SMF80TOKSUSR

(EGNX)

TokSUser

Submitting userid

SMF80TOKSURR

(EGNX)

SurrogateFor

Surrogate userid

SMF80TRM

(EGNX)

TermNm

shost

Terminal ID of foreground user (blank if not available)

SMF80TRMX

(EGNX)

Term

Terminal ID of foreground user (blank if not available)

SMF80UID

(EGNX)

UID

User identification field from the SMF common exit parameter area

For RACROUTE REQUEST=VERIFY records for batch jobs, this field can be blank.

SMF80UID_L

(EGNX)

usrName

User identification field from the SMF common exit parameter area

For RACROUTE REQUEST=VERIFY records for batch jobs, this field can be blank. This field’s formatting is conditioned on the software switch LEEF.

SMF80USR

(EGNX)

UserID

suid

Identifier of the user associated with this event (jobname is used if the user is not defined to RACF)

SMF80USR_L

(EGNX)

usrName

Identifier of the user associated with this event (jobname is used if the user is not defined to RACF)

This field’s formatting is conditioned on the software switch LEEF.

SMF80USR_Sup

(EGNX)

UserID

suid

Identifier of the user associated with this event (jobname is used if the user is not defined to RACF)

For an undefined userid event, this field is formatted as ******** to obviate the problem of an incorrectly-entered TSO logon password appearing in the SIEM data.

SMF80USR_Sup_L

(EGNX)

UserID

suid

Identifier of the user associated with this event (jobname is used if the user is not defined to RACF)

For an undefined userid event, this field is formatted as ******** to obviate the problem of an incorrectly-entered TSO logon password appearing in the SIEM data. This field’s formatting is conditioned on the software switch LEEF.

SMF80USRX

User

Identifier of the user associated with this event (jobname is used if the user is not defined to RACF)

SMF80VRMD

(Mapped Integer)

Ver

FMID for RACF, converted to Version and Release number in text