ACFRPTDS - Data Set/Program Event Log

Describes the ACFRPTDS data set program event log report
Journaling an Event
CA ACF2 journals an event in the SMF records when one of the following occurs:
  • A security label in use on a data set, resource or by a user is to be audited because MLS Seclabel Audit is active. When a record is cut with MLS Seclabel Audit, a '+' appears in front of the seclabel being audited.
  • A request for data set or program access is not authorized.
  • A request for data set or program access was specifically required to be journaled (for example, by an access rule, a user exit, TRACE set in a logonid record, NEXTKEY error, and so on).
These journal records are classified as follows:
  • Data set loggings
  • Data set access violations
  • Data set access trace requests
  • Program use loggings and violations
At the end of the ACFRPTDS-Data Set/Program Event Log report, an index cross-references the data set name with the logonid of the person or batch job that accessed it. The index also shows the number of times the data set was accessed.
Many data set and program accesses are not logged, because the user owns the data or an access rule allows access. A CA ACF2 security administrator might request that all accesses for a particular user be logged by specifying the TRACE field in the user's logonid record. When this occurs, CA ACF2 writes a trace journal record describing the access. It also creates records whenever an access causes a violation or the rule specifies log.
The information in the SMF records describes the user and job, the access environment, and the type of access requested. The ACFRPTDS report generator formats the information for the different accesses.
You can request the output in hex format, edited for printer output (133 characters per line), or edited for terminal output (80 characters per line). However, in certain circumstances (such as when the data set name or the access parameter list is invalid), a particular record can also appear on the report in hex format, regardless of whether you specify the HEX option. A separate report called the ACFRPTDS Dump Report records hex-formatted information about invalid data set names. The ACFRPTDS Data Access Journal Report issues a message that reports the occurrence of an invalid data set name and references the ACFRPTDS Dump Report:
INVALID DSN: SEE NO. xxx ON DUMP REPORT
When using ISPF, the ACFRPTDS Dump Report is displayed after the ACFRPTDS Data Access Journal Report and printed separately. To process either report, enter data set names in the OUTPUT LIST NAME and specify the HEXDUMP field on the ACFRPTDS-Data Set/Program Event Log Panel.
Checking Authorization
CA ACF2 checks whether the person submitting the utility is authorized to view or manipulate the input SMF data. If you specify RPTSCOPE in the GSO OPTS record, a user is restricted to the SMF record data that matches his or her privileges and restrictions. In the default case of NORPTSCOPE, no authorization checking is done.
For the ACFRPTDS report, the following privileges and restrictions of the user running the report are validated as part of the report processing when RPTSCOPE is specified: the user's PREFIX, SECURITY or AUDIT field, and the DSN field in the associated scope record. If the user has one of these authorities and, for SECURITY and AUDIT privileges, the SMF record in his scope, he can view the record. In addition, if the logonid of the user being journaled falls within the UID/LID scope of the user running the report, then the record can be viewed.
Common Parameters
When using the ISPF panel or JCL, ACFRPTDS accepts the following parameters.
  • LINECNT
  • JOBMASK
  • TITLE
  • SDATE
  • EDATE
  • STIME
  • ETIME
  • SELECT
  • SYSID
  • HEX
Running the Report Using the ISPF Panel
You can use the ACFRPTDS Data Set/Program Event Log ISPF panel to create your input for the ACFRPTDS report.
Panel Parameters
The following parameters are specific to the ACFRPTDS ISPF panel.
  • TITLE
    Specifies a character string added to other title information at the top of the report. This character string can be up to 35 characters in length. If you do not specify this parameter, the report generator uses the first 35 characters in the PARM field of the EXEC statement. If this character string is longer than 35 characters, only the first 35 characters are used.
  • UID MASK
    Specifies that the records appearing on the report are limited to a user or group of users indicated by the UID mask. The default is all users.
  • LOGONID MASK
    Specifies invalid or logged data set accesses for a particular logonid or group of logonids. The default is all logonids.
  • TIME
    Specifies the format of the timestamp in the report: M (the default) displays HH.MM, S displays HH.MM.SS, and H displays HH.MM.SS.TH.
  • DSNAME MASK
    Specifies information for a particular data set or group of data sets. This function is useful when investigating the accesses to a particular user's data sets. For example, to run a report of SYS1 data set loggings, specify MASK(SYS1.-). The default is all data sets.
  • NDSNAME MASK
    Specifies a null data set name mask. This mask lets you exclude information from the report pertaining to a certain data set or group of data sets. For example, a parameter of NMASK(SYS1.-) excludes from the report any information pertaining to the SYS1 data sets. Any data set names that this parameter specifies override any data set names that the MASK parameter specifies.
  • DCLASS
    Specifies to limit the report output to invalid or logged data set accesses within a particular Data Classification.
  • REPORT TYPE: ALL|LOGGING|VIO|TRACE|PGMNAME|TAPE|INSTALL|UNKNOWN|PPTRACE
    Specifies one of four output formats. Specify only one of these parameters per report. If you do not specify a format, the default format is TERMINAL. The following list describes each format:
    • T-This format is the default and is suitable for use on a limited display panel. This format usually fits on an 80-character screen width with an occasional wraparound due to long data set names. A five-line detail section is produced.
      If NEXTKEYs were used in the validation process and access was denied, an additional 1 to 3 lines of NEXTKEY information are added to the display.
      If trace records (REPORT TYPE=ALL or TRACE) are processed, an additional 1 to 3 lines of NEXTKEY information may be added to the display.
    • P-provides a three-line detail section for each record (133 characters per line).
      If NEXTKEYs were used in the validation process and access was denied, an additional 1 to 3 lines of NEXTKEY information are added to the display.
      If trace records (REPORT TYPE=ALL or TRACE) are processed, an additional 1 to 3 lines of NEXTKEY information may be added to the display.
    • S-provides a one-line detail section for each record (133 characters per line). Each detail section contains minimal information about the data set accessed and the user involved.
    • H-requests that only the cross-reference table is printed for this run of ACFRPTDS. The cross-reference table provides a listing of data set prefixes and the logonids that accessed data sets with that prefix, showing the access counts.
  • OUTPUT LIST NAME: LIST ID
    Specifies the 1- to 8-character output list name. ISPF prefixes the name you specify with the user's prefix from his profile and the characters ACF2.ACFRPTDS. For example, if you specify TEST as the output list name, your output list data set name will be dft-pfx.ACF2.ACFRPTDS.TEST.
  • HEXDUMP LIST NAME: LIST ID
    Specifies the 1- to 8-character hexdump list name. ISPF prefixes the name you specify with the user's prefix from his profile and the characters ACF2.ACFRPTDS. For example, if you specify TEST as the hexdump list name, your hexdump list data set name will be dft-pfx.ACF2.ACFRPTDS.TEST.
  • LOGSTREAM
    Indicates whether LOGSTREAM SMF data needs to be retrieved. This parameter is available for z/OS 1.9 and higher when the SMF data is being captured by a LGR LOGSTREAM structure. When Y is specified, ACFRPTAL is displayed so that you can provide specific logstream parameters.
Additional Parameters
A second panel lets you type multiple parameters for NLIDMASK and JOBMASK.
  • NLOGONID MASK
    This mask lets you exclude information from the report for certain logonids or groups of logonids. For example, a parameter of NLIDMASK(PAY-) excludes any information from the report for logonids beginning with the letters PAY. Any logonids specified by this parameter override those specified by the LIDMASK parameter. Up to 32 logonids are allowed. The default is nulls.
  • JOBMASK
    Up to 32 job names or masks can be specified. If JOBMASK is not defined, the default is all job names.
  • SPECIFY INPUT DATA SETS FOR ACFRPTDS
    For an explanation of the options available, see Reporting.
Running the Report Using JCL
You can use JCL to run the ACFRPTDS report. For information on running the report, see Using Sample JCL to Execute Reports.
See ACFRPTDS Sample Output for examples of the ACFRPTDS output when TERMINAL, DUMP, PRINTER, and SUMMARY are specified. The last section, NEXTKEY Reporting, describes what happens when the maximum number of NEXTKEY parameters is exceeded during data set validation or a NEXTKEY loop occurs.
The following parameters are specific to ACFRPTDS:
  • DCLASS
    Specifies a 32-byte DCLASS name that limits the number of records appearing on the report to data sets defined in the specified data class. This DCLASS value should exactly match the DCLASS field of the DCO DATA records on your CA ACF2 system. For more information, see CA ACF2 Data Classifications Record (DATA). The default is no screening of data set accesses by data class.
  • [MASK(-|dsnmask)]
    Specifies information for a particular data set or group of data sets. This function is useful when investigating the accesses to a particular user's data sets. For example, to run a report of SYS1 data set loggings, specify MASK(SYS1.-). The default is all data sets.
  • [NMASK(dsnmask)]
    Specifies a null data set name mask. This mask lets you exclude information from the report pertaining to a certain data set or group of data sets. For example, a parameter of NMASK(SYS1.-) excludes from the report any information pertaining to the SYS1 data sets. Any data set names that this parameter specifies override any data set names that the MASK parameter specifies.
  • [LIDMASK(********|logonidmask)]
    Specifies invalid or logged data set accesses for a particular logonid or group of logonids. The default is all logonids.
  • [NLIDMASK(logonidmask,...,logonidmask)]
    This mask lets you exclude information from the report for certain logonids or groups of logonids. For example, a parameter of NLIDMASK(PAY-) excludes any information from the report for logonids beginning with the letters PAY. Any logonids specified by this parameter override those specified by the LIDMASK parameter. Up to 32 logonids are allowed. The default is nulls.
  • [UID(-|uidmask)]
    Specifies that the records appearing on the report are limited to a user or group of users indicated by the UID mask. The default is all users.
  • [SIZE(2500|nnnnn)]
    Specifies the number of elements permitted at the end of the report in the Data Set Prefix/Logonid Cross-reference table. A cross-reference entry is built for each data set prefix to logonid combination. Each element in this table is 20 bytes long; therefore, the table takes 20 times the number of SIZE bytes of memory. The default table size occupies 50,000 bytes (49K) of memory. However, if an overflow occurs, you can set the table size to a larger number.
  • [SHORT]
    Specifies that only the cross-reference table is printed for this run of ACFRPTDS. The cross-reference table provides a listing of data set prefixes and the logonids that accessed data sets with that prefix, showing the access counts. The default is that all detailed information is printed.
  • [LOGGING|VIO|TRACE|PGMNAME|TAPE|INSTALL|UNKNOWN|PPTRACE|ALL]
    Specifies which of the various types of records are formatted for a run of ACFRPTDS. You can specify any combination of these parameters. If you do not specify any of these parameters, the default of ALL takes effect. These parameters operate in an inclusive OR manner. For example, a specification of PGMNAME and VIO results in a report detailing every access to a protected program and every data set access that resulted in a violation of CA ACF2 access controls. The following list describes the parameters:
    • LOGGING-specifies records that resulted from a log for access in which the access rule requested a journal record. LOGGING records are also issued in the situation when the access is permitted through the user's SECURITY, NON-CNCL, or READALL privilege. These privileges override the recommendation of an access rule.
    • VIO-specifies records produced because of an attempted violation of access controls.
    • TRACE-specifies records produced for a user because the TRACE field was specified in the user's logonid record. In addition, NKEYLOOP and KEYEXCES trace records are also processed, if present. Trace records are written, regardless of whether the access is denied or logged.
    • PGMNAME-specifies that the report show logging or violation records written for attempts to access protected or logged programs via the JCL EXEC PGM= parameter. This keyword also shows all trace records written for access attempts made through any program.
      Protected and logged programs are specified using the GSO PPGM and LOGPGM records. For more information, see Global Systems Option Records.
    • TAPE-specifies that the report shows records written for tape access requests validated on the volume level (as opposed to tape access requests validated at the data set name level). Validation on the volume level occurs when the volser is specified in the GSO SECVOLS record or the DSNGEN user exit is taken.
    • INSTALL-specifies a report that shows records whenever any of the CA ACF2 data set validation user exits (VIOEXIT, DSNGEN, and VLDEXIT as specified in the CA ACF2 Field Definition Record module) requests that the access be journaled to SMF.
    • PPTRACE-specifies records produced for a user because the PP-TRC or PP-TRCV field was specified in the user's logonid record.
    • UNKNOWN-specifies a report that shows UNKNOWN type records. UNKNOWN type records are created whenever the CA ACF2 data set access validation SVC detects an error condition, such as an invalid parameter list. These records indicate an access attempt for which no proper determination is made. In this case, the access is aborted and the UNKNOWN type record (INVPARMS) is produced. The report output contains whatever information is determined but might contain invalid data and might print in hexadecimal notation.
    • ALL-requests that information for all journaled accesses is formatted. This is the default. However, if the MASK parameter is specified, the report does not contain program records.
  • [PRINTER|SUMMARY|TERMINAL]
    Specifies one of three output formats. Specify only one of these parameters per report. If you do not specify one of these parameters, the default is TERMINAL. The following list describes each parameter.
    • PRINTER-provides a three-line detail section for each record (133 characters per line).
      If NEXTKEYs were used in the validation process and access was denied, an additional 1 to 3 lines of NEXTKEY information are added to the display if EXTEND is specified.
      If trace records (logonid TRACE, NKEYLOOP, KEYEXCES, etc) are processed, an additional 1 to 3 lines of NEXTKEY information can be added to all displays.
    • SUMMARY-provides a one-line detail section for each record (133 characters per line). Each detail section contains minimal information about the data set accessed and the user involved.
    • TERMINAL-This format is the default and is suitable for use on a limited display panel. This format usually fits on an 80-character screen width with an occasional wraparound due to long data set names. If NOEXTEND is specified, a four-line detail section is produced. If EXTEND is specified (the default), a five-line detail section is produced.
      If NEXTKEYs were used in the validation process and access was denied, an additional 1 to 3 lines of NEXTKEY information are added to the display if EXTEND is specified.
      If trace records (logonid TRACE, NKEYLOOP, KEYEXCES, etc) are processed, an additional 1 to 3 lines of NEXTKEY information can be added to all displays.
  • [EXTEND|NOEXTEND]
    Further defines the TERMINAL and PRINTER report formats. The EXTEND parameter enables the display of maximum information from a record. The default is EXTEND.  See the PRINTER and TERMINAL parameter descriptions for more information.
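The selection parameters above (MASK/NMASK, LIDMASK/NLIDMASK, the record-type keywords, and SIZE for the cross-reference table) combine in ways that are easy to get wrong when narrowing a large journal for an investigation. The following Python is an added example, not CA ACF2 code: it models that selection logic and the Data Set Prefix/Logonid cross-reference over constructed sample records. The masking rules it applies ('-' matches any remaining characters, '*' matches one character or the end of the field) are a simplified assumption, and the record layout is invented for illustration.

```python
"""Model of ACFRPTDS record selection and the Data Set Prefix/Logonid cross-reference.

Constructed example for illustration; not CA ACF2 code and not the real SMF layout.
"""
from collections import Counter
from dataclasses import dataclass
import re

RECORD_TYPES = {"LOGGING", "VIO", "TRACE", "PGMNAME", "TAPE", "INSTALL", "UNKNOWN", "PPTRACE"}
XREF_ELEMENT_BYTES = 20  # each cross-reference element is 20 bytes (from the SIZE description)


@dataclass(frozen=True)
class JournalRecord:
    rectype: str   # one of RECORD_TYPES
    logonid: str
    dsn: str       # data set name (program name for PGMNAME records)


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Translate an ACF2-style mask into an anchored regex.

    Assumed, simplified masking: '-' matches any remaining characters, '*' matches
    one character or the end of the (blank-padded) field, anything else is literal.
    """
    pieces = []
    for ch in mask.upper():
        if ch == "-":
            pieces.append(".*")
        elif ch == "*":
            pieces.append(".?")
        else:
            pieces.append(re.escape(ch))
    return re.compile("^" + "".join(pieces) + "$")


def matches_any(value: str, masks) -> bool:
    return any(mask_to_regex(m).match(value.upper()) for m in masks)


def select_records(records, types=("ALL",), mask="-", nmask=(), lidmask="********", nlidmask=()):
    """Apply the ACFRPTDS selection parameters to a list of JournalRecord.

    - Record-type keywords combine as an inclusive OR. ALL (the default) takes every
      type, except that ALL together with an explicit MASK drops program records.
    - NMASK entries override MASK; NLIDMASK entries override LIDMASK.
    """
    wanted = {t.upper() for t in types}
    if "ALL" in wanted:
        wanted = set(RECORD_TYPES)
        if mask != "-":
            wanted.discard("PGMNAME")
    unknown = wanted - RECORD_TYPES
    if unknown:
        raise ValueError(f"unknown record type keyword(s): {sorted(unknown)}")
    selected = []
    for rec in records:
        if rec.rectype not in wanted:
            continue
        if not matches_any(rec.logonid, [lidmask]) or matches_any(rec.logonid, nlidmask):
            continue
        if not matches_any(rec.dsn, [mask]) or matches_any(rec.dsn, nmask):
            continue
        selected.append(rec)
    return selected


def build_xref(records, size=2500):
    """Build the Data Set Prefix/Logonid cross-reference table.

    Returns (counts, table_bytes, overflow): counts maps (prefix, logonid) to the
    number of accesses, table_bytes is 20 * SIZE, and overflow is True when more
    distinct prefix/logonid pairs exist than SIZE elements can hold.
    """
    counts = Counter()
    for rec in records:
        prefix = rec.dsn.split(".", 1)[0]   # high-level index of the data set name
        counts[(prefix, rec.logonid)] += 1
    return dict(counts), XREF_ELEMENT_BYTES * size, len(counts) > size


# Constructed sample journal records (not real SMF data).
SAMPLE = [
    JournalRecord("VIO", "PAY001", "SYS1.PARMLIB"),
    JournalRecord("LOGGING", "USR01", "SYS1.PROCLIB"),
    JournalRecord("VIO", "USR02", "PROD.PAYROLL.MASTER"),
    JournalRecord("TRACE", "USR01", "USR01.JCL.CNTL"),
    JournalRecord("PGMNAME", "USR02", "IEBGENER"),
    JournalRecord("VIO", "USR01", "SYS1.PARMLIB"),
]

if __name__ == "__main__":
    sys1_only = select_records(SAMPLE, mask="SYS1.-")   # ALL + MASK: program records dropped
    print([(r.rectype, r.logonid, r.dsn) for r in sys1_only])
    counts, table_bytes, overflow = build_xref(sys1_only, size=2)
    print(counts, table_bytes, overflow)
```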
Input and Output Files
ACFRPTDS uses the standard SYSPRINT, SYSIN, and RECxxxxx files that are described in the documentation about input and output files for report generators. In addition, it can use the HEXDUMP file, which is specific to ACFRPTDS. The HEXDUMP file has the same characteristics as SYSPRINT. This file is optional and contains the ACFRPTDS Dump Report. If the HEXDUMP file is not used, invalid SMF records are represented in the report in hexadecimal format.
Sort Sequence
The recommended sort sequence for the ACFRPTDS report first splits the report into four separate groups: logging, violation, trace, and program journal records. Records in each of these sections are sorted as follows:
  • Data Set Logging Report-Data set name (major), logonid, date, and time
  • Data Set Violation Report-Data set name (major), logonid, date, and time
  • Data Set Trace Report-Logonid (major), date, and time
  • Program Violations and Loggings Report-Program name (major), logonid, date, and time
Perform this sorting using your own routine or using the prototype JCL or ISPF panels provided with CA ACF2.
Field Descriptions
The following fields are available on the ACFRPTDS report.
  • cpuid
    The SMF CPU ID of the executing CPU. (Field DATE in Printer Format.)
  • DDN=ddname
    The ddname specified in the DD statement of the job attempting access, if applicable. (Field DDNAME in Printer Format.) If DDN=SYSUDUMP, SYSMDUMP, SYSABEND, ABENDAID, or ABNLTERM, and if DSN is a JES assigned data set name (such as JES2.JOB00381.S00104), this record is on the report because the user was in a program pathing or an execute-only environment; the user did not have DUMPAUTH in his logonid record; and the system attempted a dump (for a non-CA ACF2 abend of the job). In this case, CA ACF2 is not using access rules, but the logonid's DUMPAUTH authority, to determine that this is a violation. Writing a rule for $KEY(JES2) does not affect this processing. Other records without JES-type data set names but with DDN=SYSUDUMP, SYSMDUMP, SYSABEND, ABENDAID, or ABNLTERM are also likely to be on the report for the same reason.
  • DSN=dsname
    The name of the data set to which access is attempted. (Field DATA SET in Printer Format.) This is the actual name used for data set validation and rule interpretation and reflects any editing by user exits or by CA ACF2. The term RING-IN is appended to the data set name to indicate that the read/write ring is in place when the tape is mounted.
    Note: If this data set name is invalid, CA ACF2 prints the entire record in hexadecimal notation.
  • gdate
    The Gregorian date of the attempted access. (Field DATE in Printer Format.) The format of this date field is MM/DD or DD/MM, depending on the DATE option in the GSO OPTS infostorage record.
  • inst
    This field indicates that the logging was created because of a user exit or user specification, as detailed in the following list:
    • DSNGEN-the Data Set Name Generator exit journaled the access.
    • DSNPOST-the Data Set Postvalidation exit journaled the access.
    • NON-CANC-access permitted because accessing logonid has NON-CNCL attribute.
    • PRE-VALD-the user Prevalidation exit journaled the access.
    • READ-ALL-access for input permitted because logonid has READALL attribute.
    • SEC-OFF-access permitted because logonid of user has SECURITY attribute.
    • VIO-EXIT-the user violation exit journaled the access.
  • jdate
    The Julian date when the access or attempted access occurred. (Field DATE in Printer Format.)
  • jobid
    The JES2 or JES3 assigned job number. (Field JOB # in Printer Format.)
  • jobname
    The name of the job. (Field JNAME in Printer Format.) For TSO sessions, the job name is generally the same as the logonid.
  • LIB=library
    The library from which the program is loaded. Certain library names have a specific meaning, such as SYS1.LINKLIB, which indicates any library in the system link list or the link pack area.
  • logonid
    The logonid of the user attempting the data set access. (Field LID in Printer Format.)
  • major
    The system or CA ACF2 component through which access is attempted. (Field ACCESS TYPE in Printer Format.) This field can take on any of the following values:
    • ALLOC-DADSM request for new data set allocation.
    • CATLG-AMS/CMS issued the request.
    • CVOL-catalog management CVOL processing issued this request. To determine the type of CVOL request made, see the minor field.
    • DA-EOV-DADSM E-O-V issued the request.
    • DA-OPN-DADSM OPEN issued the request.
    • DELETE-DADSM data set scratch requested.
    • DIV-data in virtual.
    • EXTRNL-this is an external request for a multiple-user address space subsystem (WYLBUR, CA-Roscoe, JES2 USERPROC, CRJE, ACEP, and so on).
    • INSTLL-Logging activity, a violation, or a TRACE request occurred in response to a user’s security request when executing FDR, FDRDSF, CA-ASM2, or other programs.
    • PRGNAM-this request is for program execution authorization by the initiator.
    • RENAME-DADSM rename operation requested (to and from names are indeterminate).
    • REN-FR-DADSM rename operation requested (original data set name).
    • REN-TO-DADSM rename operation requested (new data set name).
    • TP-EOV-tape EOV issued the request. This request occurs before the new volume is mounted and the label verified.
    • TP-OPN-tape processing issued the request. This request occurs before the volume is mounted and label verified.
    • TP-XOV-tape E-O-V processing after new volume verification and label processing are updated. All internal O-C-E work area control blocks are updated.
    • TP-XPN-tape OPEN processing during volume verification. This request occurs after volume mount and label verification processing.
    • TP-XTD-tape OPEN processing after all final volume verification and label processing has occurred, and the system has updated all O-C-E work area control blocks.
    • TRN-PH-violation caused by a program and library in a rule set. This trace entry is being processed in this manner because the Pathtran option is active.
    • VS-OPN-VSAM OPEN issued the request.
  • minor
    The type of access performed. (Field ACCESS TYPE in Printer Format.) The major and minor fields combine to detail the exact nature of the data set access environment. The possible values of the minor field are as follows.
    • ALTER-CMS functions, catalog entry is being modified.
    • BLDA-CVOL build alias request (assigns an alias to an index).
    • BLDG-CVOL build GDG index request (builds an index for generation data groups).
    • BLDX-CVOL build index request (creates a new index in the catalog).
    • BLP-the access is to a tape data set and the JCL specified bypass label processing access by the LABEL=(,BLP) DD parameter.
    • CATLG-CVOL catalog request (generates an entry in the index of the catalog).
    • DEFINE-CMS functions, catalog entry is created.
    • DELETE-CMS functions, catalog entry is deleted. This function does not require deletion of the data set.
    • DLTA-CVOL delete alias request (deletes an alias previously assigned to an index).
    • DLTX-CVOL delete index request (removes an index from the catalog).
    • DRPX-CVOL disconnect request (disconnects two volumes).
    • EXECUTE-for PRGNAM access, the program is executed.
    • IN/OUT-the request specified that the data set is opened for input and output processing. The JCL for the program might be modified to specify only input processing, for this case, by specifying LABEL=(,,,IN) on the appropriate DD statement. This access type is standard for FORTRAN files and results in a security violation if read only access is permitted and the JCL LABEL parameter is not specified to limit processing to input-only.
    • INPUT-the data set processed is read only.
    • LNKX-CVOL link request (connects two volumes together).
    • OUT/IN-this access writes and reads the data set and requires a rule that specifies both READ and WRITE access. Some high-level languages, especially FORTRAN, open all data sets for OUT/IN processing even when the data set is only going to be read. To cause a WRITE access, specify the JCL LABEL(,,,OUT) parameter; to force this access to be only READ, specify the JCL LABEL(,,,IN) parameter.
    • OUTPUT-the data set accessed is written.
    • RDBACK-the data set is processed for input and read backwards. Read back requires an access rule that specifies write access instead of just read access.
    • READ-read access to a catalog.
    • RECAT-CVOL recatalog request (replaces an entry in the index of the catalog).
    • UNCAT-CVOL uncatalog request (removes an entry from the index of the catalog).
    • UNKNOWN-CVOL request of an unknown nature (none of the requests listed above).
    • UPDATE-this access is to read records from the data set and update them in place.
  • NAM=name
    The name of the user attempting the access. (Field NAME in Printer Format.)
  • nextkey
    The $KEY of every rule set that was checked during access validation when a NKEYLOOP or KEYEXCES condition occurred. The $KEYs are listed in the order referenced from first to last. This line appears only for NEXTKEY trace records when the TERMINAL or PRINTER formatting options are specified and TRACE or ALL record types were requested.
  • path
    This field describes any program pathing restrictions placed on this access by the applicable rule.
    • LIB-the library (but no specific program) was specified.
    • LIB-PGM-both the library and program parameters were specified in the rule that applied to this access.
    • PGM-a specific program was specified in the rule without a library. This might indicate an improperly constructed rule set.
    • TEST-access denied because the TSO TEST command was issued sometime during program execution, which was under program pathing controls (PGM or LIB).
    If a program pathing error occurs, LIB, PGM, and LIB-PGM are abbreviated to L, P, and LP respectively, and the following return codes are appended to the abbreviation:
    • INV-JSL
    • INV-TMP
    • NON-APF
    • NO-CDE
    • NOTEST
    • PATHERR
    An explanation of each return code is found under the RMRC field definition that follows later in this section.
  • PGM=pgmname
    The name of the program attempting the access. (Field PROGRAM in Printer Format.) CA ACF2 or the Program Override exit (PGMOVRD) generates this name.
  • record
    The type of security record being formatted. (Field LOG TYPE in Printer Format.) The following list details the various keywords that can be present in this field. The keywords for the printer output format are shown in parentheses.
    • DATA SET (DSET)-the access was to a data set.
    • INVPARMS-the access request validation parameter list is invalid. All the information that was determined is listed in the report. The record is also printed in hexadecimal notation.
    • LOGGING (LOG)-the access was permitted but logged because the access rule requested logging, or the user had the SECURITY or NON-CNCL privilege in his logonid.
    • LOG/VIO-the violation issued by the access rule was reset to a logging record. See the description of the LOG return code of the RMRC field.
    • PATHTRAN (PTRN)-this access was logged because you are in transition mode for program pathing. Therefore, you must analyze the rule used to validate the access and determine whether access is warranted. To prevent a violation from occurring in the future, update your rules accordingly. The PGM and LIB names issuing the OPEN are shown under the PATHTRAN header in the report. See the PATHTRAN field of the GSO RULEOPTS record for information about this mode.
    • PROGRAM (PROG)-this record issued for program access validation instead of data set validation.
    • TRACE (TRC)-this access journaled because the user's logonid contained the TRACE field or from a RACROUTE REQUEST=AUDIT call. A trace record might accompany a logging or violation record depending on the access rules. In addition, a trace record is automatically written whenever a NKEYLOOP or KEYEXCES condition occurs. For more information see the descriptions of the RMRC field return codes.
    • VIOLATION (VIO)-this record was issued because the access violated CA ACF2 access controls.
    • VOLUME (VOL)-this indicates the access was validated at a volume level. The data set name in this case might be @volser.VOLUME. For additional information, see GSO SECVOLS record.
    • WARN/VIO (WRNV)-the violation issued by the access rule is reset to a warning record. See the description of the WARN return code of the RMRC field.
    • PP TRACE (PTRC)-this access was journaled because the user's logonid contained the PP-TRC or PP-TRCV field.
  • Registry
    The distributed identity registry name that is associated with the z/OS userid. This field is shown only when z/OS Identity Propagation is being used.
  • RKEY=ruleid
    The name ($KEY) of the access rule set used to process this request. This information is optional in the terminal format report and is displayed only if the rule set used is not the same as the data set high-level index (for example, if a NEXTKEY rule was used for validation).
  • rmrc
    The return code from the CA ACF2 access rule record manager and interpreter.
    • $MODEQT-the access to the data set is permitted because a $MODE(QUIET) control statement is specified in the access rule.
    • $MODELG-the access to the data set is permitted and logged because a $MODE(LOG) control statement is specified in the access rule.
    • $MODEWR-the access to the data set is permitted because a $MODE(WARN) control statement is specified in the access rule.
    • $MODEAB-the access to the data set is denied because a $MODE(ABORT) control statement is specified in the access rule.
    • ACCESS-an access rule that permitted access is found to match the environment when this access was attempted; or the user has the NON-CNCL logonid privilege to permit access.
    • BLPLOG-the access is logged because a BLP tape access was attempted and the GSO OPTS record indicated BLPLOG.
    • BLPVIO-the user requested BLP access to a tape data set and did not have that authority. Access was denied.
    • DASDUNSC-the GSO records specified by the site indicated that CA ACF2 is not to protect this DASD data set; or the data set spanned multiple volumes, some of which are not secured.
    • DUMPAUTH-a dump was requested and the user opened a data set in which program pathing permitted the user access to the data set. In this case, the user must have the DUMPAUTH logonid attribute to permit the dump.
    • EXITALLW-a user exit permitted access to the data set.
    • EXITLOG-access permitted and logged because a user exit indicated allow and log access.
    • XITNLOG-access to the data set is denied but not logged because a user exit indicated abort and nolog.
    • EXITVIO-a user exit denied access to the requested data set.
    • INITFAIL-scope record initialization failed.
    • INV-JSL-the program pathing code was unable to correctly determine the library for the job step program. An invalid return code was detected from one of the information gathering routines of BLDL. The library is defaulted to SYS1.LINKLIB.
    • INV-TMP-the control block structure for the TSO TMP was found to be invalid. One of the programs that make up the TMP or front-ends the TMP was not from an APF-authorized library.
    • I/O-ERR-access denied because TAPE OPEN intercept could not read the tape label.
    • KEYEXCES-access denied because more than 25 levels of NEXTKEY found.
    • MP-LOG-access was permitted because CA ACF2 was in LOG mode due to failure of LMP Product Key verification.
    • LOG-access permitted because CA ACF2 is in LOG mode.
    • MAINT-access to this data set permitted because the requester has the MAINT logonid authority and the environment (program and library) matched a GSO MAINT record entry.
    • MAX-VIO-specifies that access was denied because the maximum number of violations for this job has been reached.
    • NKEYLOOP-access denied because the NEXTKEY parameter on one of the rules pointed directly or indirectly to itself.
    • NOACCESS-an access rule prevented access.
    • NOACUCB-access to the data set permitted because no ACUCB was available to validate the request.
    • NO-CDE-no CDE available to determine the active program name for program pathing. Normally, this happens during a dump to a program-pathed data set for S806 abends.
    • NOMODEAB-access to the data set denied because the site is in RULE mode and the no-$mode parameter in the GSO OPTS MODE record indicated ABORT.
    • NOMODELG-access to the data set permitted and logged because the site is in RULE mode and the no-$mode parameter in the GSO OPTS MODE record indicated LOG.
    • NOMODEQT-access to the data set permitted because the site is in RULE mode and the no-$mode parameter in the GSO OPTS MODE record indicated QUIET.
    • NOMODEWR-access to the data set permitted and logged because the site is in RULE mode and the no-$mode parameter in the GSO OPTS MODE record indicated WARN.
    • NON-APF-one of the programs used by a TSO command did not come from an APF-authorized library.
    • NON-CNCL-access to this data set permitted because the requester has the NON-CNCL logonid privilege.
    • NORECAB-access to the data set denied because the site is in RULE mode, no rule set applied, and the no-rule parameter in the GSO OPTS MODE record indicated ABORT.
    • NORECLG-access to the data set permitted and logged because the site is in RULE mode, no rule set applied, and the no-rule parameter in the GSO OPTS MODE record indicated LOG.
    • NORECORD-no access rule set existed that matched the environment. The site was in ABORT, LOG, or WARN mode (not RULE mode), and the access rule set did not exist when access was attempted. Alternatively, for a program name validation, the user's logonid attributes did not match the access conditions required by the GSO PPGM record and, in this case, no access rule set is validated.
    • NORECQT-access to the data set permitted because the site is in RULE mode, no rule set applied, and the no-rule parameter in the GSO OPTS MODE record indicated QUIET.
    • NORECWR-access to the data set permitted because the site is in RULE mode, no rule set applied, and the no-rule parameter in the GSO OPTS record indicated WARN.
    • NORULE-no access rule in the rule set was located that matched the environment.
    • NOTEST-an invalid path for data set access exists. A rule permitted access to a data set through program pathing but the program was executed under TSO TEST.
    • NOTPPGM-a program name only check was made and the program was not in the GSO PPGM list.
    • OWNED-access permitted because the high-level index of the data set accessed matched the PREFIX field of the logonid of the user making the request.
    • PATHERR-unknown program pathing error.
    • PPGMVIO-the user's request to execute a program listed in the GSO PPGM record is denied. The user does not have the required authority.
    • QUIET-access permitted because CA ACF2 is in QUIET mode.
    • READALL-access permitted to this data set because the requester has the READALL logonid privilege.
    • RULELOG-access permitted and logged because a rule indicated allow and log access.
    • SCOPFAIL-external scope processing failed.
    • SCOPESEC-access permitted because the requester is a scoped security officer and the data set high-level index is within the officer's scope.
    • SECURITY-access is permitted to this data set because the requester has the SECURITY logonid privilege.
    • SPECIAL-access permitted because of “special” authority associated with this request. This request normally applies to some implicit operation done on behalf of a user who did not directly request the action.
    • SYNTAX-an invalid parameter list is passed to the access rule interpreter.
    • TAPEUNSC-the GSO records specified by the site indicated that CA ACF2 is not to protect this tape data set.
    • WARN-access permitted because CA ACF2 is in WARN mode.
      A $MODE control statement applies when the site is in RULE mode and, based on the rule, access is otherwise denied. The rule indicated PREVENT or no rule in the rule set applied.
      The no-$mode condition applies when:
      • The site is in RULE mode.
      • Based on the rule, access is otherwise denied (that is, a rule indicated PREVENT or no rule in the rule set applied).
      • The $MODE control statement is not specified in the access rule set.
  • ROL=ROLE
    The role assigned to the user and applicable to this request if a ROLE ruleset is part of the validation path.
  • SAF
    Indicates if the logging or violation is associated with a SAF call.
  • SRC=source
    The input source that originated this access request.
  • stape
    Any special information about the access. The following keywords define the values this field can take. For more information about the GSO record related to these keywords, see Global System Option Records.
    • BLP-LOG-this access (using BLP) is authorized because the TAPE-BLP or TAPE-LBL privilege is present in the logonid record associated with the access, or the program used is listed in the GSO BLPPGM record. A logging was generated because the site has specified the BLPLOG field in the GSO OPTS record.
    • BLP-PGM-the program named in the PGM field is permitted to use bypass label processing access for tapes, as defined by the GSO BLPPGM record.
    • BLP-VIO-bypass label processing is not authorized for processing this tape volume.
    • MANT-PGM-the program named in the PGM field is defined as a maintenance program by the GSO MAINT record.
    • PGM-LOG-the program named in the PGM field can be used, but access is logged as specified in the GSO LOGPGM record.
    • TAPE-the data set referenced is a tape data set.
  • stepname
    The name of the job step active at the time of the access or attempted access.
  • time
    The time of day when the access or attempted access occurred.
  • UID=uid
    The user's UID.
  • User’s DN:
    The distinguished name that is associated with the z/OS userid. This field is shown only when z/OS Identity Propagation is being used.
  • VOL=dsnvol
    The volser of the volume where the accessed data set resides.
  • VOL=libvol
    The volser of the volume where the program library is found.
    When multilevel security (MLS) is active, the following fields are captured whenever an unauthorized attempt is made to access a classified data set:
  • USR-SECL
    The 8-byte user session seclabel
  • DS-SECL
    The 8-byte data set seclabel
  • ML-MODE
    The MLS mode value from the compiled profile record if it exists; otherwise it specifies the global MLS mode.
  • SRC
    The SAF return code
  • RRC
    The RACF return code
  • RSN
    The RACF reason code
A new line was added to include the MLS-related data on the report. When a record is cut with MLS Seclabel Audit a '+' will appear in front of the seclabel being audited.
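The rmrc values above tell an auditor three different things: whether the access was denied (a violation), whether it was permitted only because a rule indicated log, and whether it was permitted only because of a mode setting ($MODE, no-$mode, no-rule, or the global LOG/WARN/QUIET mode), in which case the same access is denied once the site runs in ABORT mode without that override. The following script is an added example, not CA ACF2 code and not a tool shipped with the product: it groups the rmrc values into those classes exactly as the descriptions above state them (values such as NORECORD, NORULE, NOTEST or SYNTAX, whose outcome the descriptions leave dependent on the site mode or on an error, are reported as unspecified), builds the same logonid/data-set cross-reference index the report ends with, lists the violations, lists the mode-dependent permits, and picks out seclabels that MLS Seclabel Audit marked with a leading '+'. The input lines are a constructed KEY=VALUE layout with the field names used on this page; the real ACFRPTDS printer or terminal layout is positional and differs, so `parse_line` is the part to adapt to whatever export of the report you have.

```python
"""Classify ACFRPTDS rmrc values and rebuild the logonid/data-set index.

Added example (not CA ACF2 code). The rmrc classes come from the report
field descriptions; the input line layout is a constructed KEY=VALUE form,
not the real ACFRPTDS printer layout.
"""
import re
from collections import Counter, defaultdict

# rmrc values whose description says the access was denied (a violation).
DENIED = {"$MODEAB", "BLPVIO", "EXITVIO", "XITNLOG", "I/O-ERR", "KEYEXCES",
          "MAX-VIO", "NKEYLOOP", "NOACCESS", "NOMODEAB", "NORECAB", "PPGMVIO"}

# rmrc values whose description says the access was permitted and logged.
PERMITTED_LOGGED = {"$MODELG", "BLPLOG", "EXITLOG", "LOG", "MP-LOG", "NOMODELG",
                    "NORECLG", "RULELOG"}

# rmrc values whose description says the access was permitted (not logged by rule).
PERMITTED = {"$MODEQT", "$MODEWR", "ACCESS", "DASDUNSC", "EXITALLW", "MAINT",
             "NOACUCB", "NOMODEQT", "NOMODEWR", "NON-CNCL", "NORECQT", "NORECWR",
             "OWNED", "QUIET", "READALL", "SCOPESEC", "SECURITY", "SPECIAL",
             "TAPEUNSC", "WARN"}

# Permits that exist only because of a mode setting: the rule (or the absence
# of one) would otherwise have denied the access. These stop working when the
# site moves to ABORT mode without a $MODE override in the rule set.
MODE_OVERRIDE = {"$MODEQT", "$MODELG", "$MODEWR", "NOMODEQT", "NOMODELG",
                 "NOMODEWR", "NORECQT", "NORECLG", "NORECWR", "LOG", "MP-LOG",
                 "QUIET", "WARN"}


def classify(rmrc):
    """Map an rmrc value to denied / permitted-logged / permitted / unspecified."""
    if rmrc in DENIED:
        return "denied"
    if rmrc in PERMITTED_LOGGED:
        return "permitted-logged"
    if rmrc in PERMITTED:
        return "permitted"
    # NORECORD, NORULE, NOTEST, SYNTAX, PATHERR, ...: outcome depends on the
    # site mode or signals an error; the descriptions do not fix it.
    return "unspecified"


# Constructed layout: upper-case field names, '=' and a non-blank value.
FIELD_RE = re.compile(r"([A-Z][A-Z0-9-]*)=(\S+)")


def parse_line(line):
    """Split one constructed report line into a field dict."""
    return dict(FIELD_RE.findall(line))


def audited_seclabels(rec):
    """Seclabels that MLS Seclabel Audit flagged: the report prefixes them with '+'."""
    return {k: v[1:] for k, v in rec.items()
            if k in ("USR-SECL", "DS-SECL") and v.startswith("+")}


def summarize(lines):
    """Return (dsn -> Counter(lid), violation records, mode-dependent permits)."""
    index = defaultdict(Counter)
    violations, mode_dependent = [], []
    for line in lines:
        rec = parse_line(line)
        if not {"LID", "DSN", "RMRC"} <= rec.keys():
            continue  # not an access record in this layout
        index[rec["DSN"]][rec["LID"]] += 1
        if classify(rec["RMRC"]) == "denied":
            violations.append(rec)
        if rec["RMRC"] in MODE_OVERRIDE:
            mode_dependent.append(rec)
    return index, violations, mode_dependent


# Constructed sample records (logonids, data set names and volsers are made up).
SAMPLE = [
    "TIME=10.15.22 JOB=PAYROLL1 LID=PAYUSR01 UID=FINPAY01 DSN=PROD.PAYROLL.MASTER VOL=PRD001 RKEY=PROD RMRC=ACCESS",
    "TIME=10.16.03 JOB=TSOUSER  LID=DEVUSR07 UID=DEVDEV07 DSN=PROD.PAYROLL.MASTER VOL=PRD001 RKEY=PROD RMRC=NOACCESS",
    "TIME=10.17.45 JOB=BATCH22  LID=OPSUSR02 UID=OPSOPS02 DSN=PROD.PAYROLL.HIST VOL=PRD002 RKEY=PROD RMRC=NOMODELG",
    "TIME=10.18.10 JOB=TSOUSER  LID=DEVUSR07 UID=DEVDEV07 DSN=PROD.PAYROLL.MASTER VOL=PRD001 RKEY=PROD RMRC=NOACCESS",
    "TIME=10.19.30 JOB=DEVBLD1  LID=DEVUSR07 UID=DEVDEV07 DSN=DEV.BUILD.LOAD VOL=DEV001 RMRC=OWNED",
    "TIME=10.20.05 JOB=SECAUDIT LID=SECADM01 UID=SECSEC01 DSN=PROD.PAYROLL.MASTER VOL=PRD001 RKEY=PROD RMRC=SECURITY",
    "TIME=10.21.00 JOB=OLDAPP   LID=APPUSR09 UID=APPAPP09 DSN=PROD.ORDERS.DATA VOL=PRD003 RKEY=PROD RMRC=$MODEWR",
    "TIME=10.22.15 JOB=TSOUSER  LID=DEVUSR07 UID=DEVDEV07 DSN=PROD.HR.CLASSIFIED VOL=PRD004 RKEY=PROD RMRC=NOACCESS USR-SECL=CONF DS-SECL=+SECRET",
]

if __name__ == "__main__":
    index, violations, mode_dependent = summarize(SAMPLE)
    for dsn, lids in sorted(index.items()):
        print(dsn, dict(lids))
    for rec in violations:
        print("VIOLATION", rec["LID"], rec["DSN"], rec["RMRC"], audited_seclabels(rec))
    for rec in mode_dependent:
        print("MODE-DEPENDENT", rec["LID"], rec["DSN"], rec["RMRC"])
```

Run over the constructed sample, the index shows PROD.PAYROLL.MASTER accessed four times by three logonids, the violation list is the three denials for DEVUSR07 (one of them carrying an audited DS-SECL), and the mode-dependent list contains the NOMODELG and $MODEWR permits, which are the two accesses to review before the site's no-$mode setting or the $MODE(WARN) statement is removed.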