ACFRPTJL - Restricted Logonid Job Log

Describes the ACFRPTJL logonid job log report.
acf2src
The ACFRPTJL report contains an entry for each time a restricted logonid (with an activated RESTRICT attribute) enters the system.
The ACFRPTJL utility provides the following reporting options:
Restricted Logonid Job Log
Displays a log of all system accesses by logonids with the RESTRICT field. These IDs do not have an associated password. Because these logonids are intended primarily for use by production jobs, their use must be carefully controlled. Because the CA ACF2 default logonid is defined with the RESTRICT attribute, this log provides a summary of its usage.
The report indicates the path of submission for jobs that use a restricted logonid. This is important because logonids with RESTRICT—except for the default logonid—are required to be submitted by APF-authorized programs.
Sample Output
<acf> SECURITY - ACFRPTJL - RESTRICTED LOGONID JOB LOG - PAGE 1 DATE 07/30/98 (98.312) TIME 14.17 DATE TIME LID JNAME SUBMIT'R SOURCE PROGRAM CPU 98.312 07/30 01.01.15 SMFPROC SMFWEEK S-JOBCOPY STCINRDR *JOBCOPY SYSA
Checking Authorizations
CA ACF2 checks whether the person submitting the utility is authorized to view or manipulate the input SMF data. If you specify RPTSCOPE in the GSO OPTS record, a user is restricted to the SMF record data that matches his or her privileges and restrictions. In the default case of NORPTSCOPE, no authorization checking is done.
For the ACFRPTJL report, the following privileges and restrictions of the user running the report are validated as part of the report processing when RPTSCOPE is specified: SECURITY, ACCOUNT, or AUDIT and the UID or LID fields in the associated scope record. If the user has one of these authorities and the SMF record is in the scope of the user's logonid, the user can view the record.
Running the Report Using the ISPF Panel
You can use the ACFRPTJL ISPF panel to create your input for the report. The following parameters can be found on the ACFRPTJL ISPF panel.
JOBFROM
Produces a report displaying loggings for jobs submitted with the //*JOBROM control statement. The default is no loggings for //*JOBFORM.
TITLE
Specifies a character string added to other title information at the top of the report. This character string can be up to 35 characters in length. If you do not specify this parameter, the report generator uses the first 35 characters in the PARM field of the EXEC statement. If the character string is longer than 35 characters, only the first 35 characters are used.
LOGONID MASK
Specifies invalid or logged data set accesses for a particular logonid or group of logonids. The default is all logonids.
SUBMITTER MASK
Specifies invalid or logged data set accesses for an individual submitter's logonid or logonids for a group of submitters. The default is all submitters' logonids.
TIME
Specifies the desired format of the timestamp in report: M (default) displays HH.MM, S = HH.MM.SS or H = HH.MM.SS.TH.
OUTPUT LIST NAME:LIST ID
Specifies the 1-character to 8-character output list name. ISPF prefixes the name that you specify with the user's prefix from their profile and the characters ACF2.ACFRPTJL. For example, if you specify TEST as the output list name, your output list data set name is
dft-pfx
.ACF2.ACFRPTJL.TEST.
SPECIFY INPUT DATA SET(S) FOR ACFRPTJL
For an explanation of your options, see Reporting.
LOGSTREAM
Indicates if LOGSTREAM SMF data is retrieved. This parameter is available for z/OS1.9 and higher when the SNF data is being captured by an LGR LOGSTREAM structure. When Y is specified, an ACFRPTAL is displayed to provide specific log stream parameters.
Running the Report Using JCL
You can use JCL instead of the ISPF panel to run the ACFRPTJL report. For information about running the report, see the documentation about using sample JCL to execute reports. The following are the parameters for this report:
[MASK(
********
|
logonidmask
)]
Specifies that the report include information for a specific logonid or group of logonids. Specifying MASK(
dfltlid
) provides a listing of each use of the default logonid.
Default: All logonids
[SMASK(********|
submitter_logonidmask
)]
Specifies that the report include information for a specific submitter's logonid or the logonids of a group of submitters. Specifying SMASK(
lid
) lists each use of the logonid.
Default:
All submitters' logonids
PAGEHDR(
YES
|NO|ONCE)
Specifies how the page header is appears.
  • YES
    Header is printed at the beginning of each page.
  • NO
    No header is printed.
  • ONCE
    Header is printed only once, at the beginning of the first page.
[LINECTL|NOLINECTL]
Specifies whether to produce blank lines and/or ANSI control characters.
Common Parameters
ACFRPTJL accepts the following parameters.
  • LINECNT
  • JOBMASK
  • TITLE
  • SDATE
  • EDATE
  • STIME
  • ETIME
  • SELECT
  • SYSID
  • HEX
  • COND
  • TIME
Input and Output
SYSPRINT, SYSIN, and RECxxxxx are used by ACFRPTJL. For more information, see the documentation about input and output files for report generators.
Sort Sequence
The recommended sort sequence for the ACFRPTJL report is by logonid (major), date, and then time. Perform this sorting using your own routine or modify the prototype JCL provided with CA ACF2.
Sample Output
The following is sample output from the ACFRPTJL report with TIME(S):
<acf> SECURITY - ACFRPTJL - RESTRICTED LOGONID JOB LOG - PAGE 1 DATE 07/30/98 (98.312) TIME 14.17 DATE TIME LID JNAME SUBMIT'R SOURCE PROGRAM CPU 98.312 07/30 01.01.15 SMFPROC SMFWEEK S-JOBCOPY STCINRDR *JOBCOPY SYSA 98.312 07/30 01.02.43 O92ACF2 ACFRPTS1 S-JOBCOPY STCINRDR *JOBCOPY SYSA 98.312 07/30 01.18.05 SMFPROC SMFMONTH S-JOBCOPY STCINRDR *JOBCOPY SYSA 98.312 07/30 03.37.48 PRODBCST PRCBC23C S-JOBCOPY STCINRDR *JOBCOPY SYSA 98.312 07/30 03.42.11 PRODBCST PRCBC45C S-JOBCOPY STCINRDR *JOBCOPY SYSA
Field Descriptions
CPU
The SMF CPU ID of the CPU where job validation occurred. This CPU is not necessarily the CPU where the job was originally submitted or the one where the job was executed. For JES2 sites, job validation is done at JCL conversion time. For JES3 sites, job validation is done at input services time.
DATE
The Julian and Gregorian date when the job was validated. The format of this date is MM/DD or DD/MM, based on the DATE option in the GSO OPTS infostorage record.
JNAME
The name of the job that used the restricted logonid. Only use logonids that are marked with the RESTRICT field for background jobs.
LID
The logonid under which the job was validated.
PROGRAM
The name of the program that submitted the job using a restricted logonid. A plus (+) designates a SAF logging. An asterisk (*) preceding the name indicates that the program was APF-authorized. The program name in this field is the name of the load module that did the actual job submission and might not be the same as the program specified in the JCL EXEC statement.
SOURCE
The logical input source that submitted the job.
SUBMIT'R
The logonid that submitted the job under a restricted logonid. The characters
S-
preceding the logonid indicate that the job was submitted from a started task. The logonid following the
S-
is the started task logonid or the default started task logonid.
TIME
The time when the job was validated. The validation date and time generally differ from the reader date and time by only a fraction of a second.