ACFRPTLL - Logonid Modification Log

Describes the ACFRPTLL logonid modification log report.
The ACFRPTLL report generator uses the SMF records issued for CA ACF2 recovery purposes to provide an updated activity report for the Logonid database. CA ACF2 logonid records are updated for two distinct reasons. The first is maintenance of the logonid database. The second group of changes occurs during JESx and logon validation where the logonid access counts, time and source of the last access, and possibly the password are changed. You generally are not interested in the large volume of validation updates, so the ACFRPTLL parameters can suppress this information.
Checking Authorization
CA ACF2 checks whether the person submitting the utility is authorized to view or manipulate the input SMF data. If you specify RPTSCOPE in the GSO OPTS record, a user is restricted to the SMF record data that matches his or her privileges and restrictions. In the default case of NORPTSCOPE, no authorization checking is done.
For the ACFRPTLL report, the following privileges and restrictions of the user running the report are validated as part of the report processing when RPTSCOPE is specified: SECURITY, ACCOUNT, or AUDIT and UID or LID fields in the associated scope record, or the user's logonid. If the user has one of these authorities and the SMF record is in the scope of the user's logonid, or the user's logonid is matched, the user can view the record.
Running the Report Using the ISPF Panel
You can use the ACFRPTLL panel to create your input for the report. The following parameters can be found on the ACFRPTJL ISPF panel.
TITLE
Specifies a character string added to other title information at the top of the report. This character string can be up to 35 characters in length. If you do not specify this parameter, the report generator uses the first 35 characters in the PARM field of the EXEC statement. If this character string is longer than 35 characters, only the first 35 characters are used.
LOGONID MASK
Specifies selection of records based on the logonid(s) of the record being changed. The default is all logonids.
UPDATE
YES requests a summary of logonid modifications including any JESx and logon validation updates. NO (the default) causes only updates other than validation updates to be listed. NO is the default because of the volume of validation updates (one for every job and TSO session).
LID Fields
Specifies a selection of logonid fields the report will run on. The default is all fields. When specifying a bit field, the “NO” prefix used to indicate the bit is off must be omitted. Only the field name should be used.
CHANGER
If specified, the report covers only logonid modifications made by this user. The default is all logonids.
TIME
Specifies the format of the time stamp in the report: M (the default) displays HH.MM, S displays HH.MM.SS, and H displays HH.MM.SS.TH.
LIDNAME
Specifies whether the full user name is printed on the report or only the LID field is reported. N (the default) reports only the LID field.
OUTPUT LIST NAME: LIST ID
Specify the 1- to 8-character output list name. ISPF prefixes the name you specify with the user's prefix from his profile and the characters ACF2.ACFRPTLL. For example, if you specify TEST as the output list name, your output list data set name is dft-pfx.ACF2.ACFRPTLL.TEST.
DETAIL/SUMM
The DETAIL parameter produces additional report lines that highlight changes made to any logonid records by the ACF INSERT, CHANGE, or DELETE subcommand. Each of these additional lines shows the name of the logonid field whose value was changed or deleted, the old value of the field, and the new value of the field.
The SUMMARY parameter produces a report with only one line of information for each INSERT, CHANGE, or DELETE subcommand entry.
SPECIFY INPUT DATA SET(S) FOR ACFRPTLL
For an explanation of your options, see Input and Output Files for Report Generators in Reporting.
LOGSTREAM
Indicates whether LOGSTREAM SMF data needs to be retrieved. This parameter is available for z/OS 1.9 and higher when the SMF data is being captured by a LGR LOGSTREAM structure. When Y is specified, an ACFRPTAL is displayed to provide specific logstream parameters.
Running the Report Using JCL
You can use JCL to run the ACFRPTLL report. For information on running the report, see the documentation about using sample JCL to execute reports. The following are the parameters for this report.
[SUMMARY|DETAIL]
Specifies the format of the ACFRPTLL report. The SUMMARY parameter produces a report with only one line of information for each INSERT, CHANGE, or DELETE subcommand entry.
The DETAIL parameter produces additional report lines that highlight changes made to any logonid records by the ACF INSERT, CHANGE, or DELETE subcommand. Each of these additional lines shows the name of the logonid field whose value was changed or deleted, the old value of the field, and the new value of the field.
[MASK(********|logonidmask)]
Selects update reporting for a specific logonid record or group of logonid records. This mask is compared to the logonid of the record being changed, not the logonid of the changer. The default is all logonids.
[UPDATE|NOUPDATE]
Requests a summary of logonid modifications including any JESx and logon validation updates. NOUPDATE causes only updates other than validation updates to be listed. NOUPDATE is the default because of the volume of validation updates (one for every job and TSO session).
[LIDFLDS(nnnnnnnn,…,nnnnnnnn | ********)]
Specifies a selection of logonid fields the report will run on. The default is all fields. This parameter supports up to ten LID fields. Specifying this parameter will automatically set the NOUPDATE and DETAIL options for the report. When specifying a bit field, the “NO” prefix used to indicate the bit is off must be omitted. Only the field name should be used.
[CHANGER(changermask | ********)]
If specified, the report will only report on logonid modifications made by this user. The default is all logonids. This mask is compared to the logonid of the changer for each record, not the logonid of the record being changed.
[LIDNAME|NOLIDNAME]
NOLIDNAME (the default) requests that only the LID field be reported. LIDNAME requests that the full user name be reported as well.
LOGON|NOLOGON
Indicates whether the report is produced as an update report that displays the method used for the system entry. SUMMARY format is forced when LOGON is specified.
DEFAULT: NOLOGON
LGNTYPE(logontype)
(optional)
Allows the user to restrict the report to a specific type of system entry. Valid LGNTYPE options are: AAM, KERBEROS, MFA, NOPASSWD, PASS-TKT, PASSWORD, PHRASE, PIV-CAC and RADIUS.
Common Parameters
ACFRPTLL accepts the following parameters.
  • LINECNT
  • JOBMASK
  • TITLE
  • SDATE
  • EDATE
  • STIME
  • ETIME
  • SELECT
  • SYSID
  • HEX
  • COND
  • TIME
Input and Output Files
ACFRPTLL accepts SYSPRINT, SYSIN, and RECxxxxx. For more information, see the documentation about input and output files for report generators.
Sample Output
Three examples of the ACFRPTLL report are shown in the following.
SUMMARY
This example shows the ACFRPTLL report when the default parameters SUMMARY and TIME(H) are in effect:
<acf> Security - ACFRPTLL - LOGONID MODIFICATION LOG - PAGE 1
DATE 05/25/05 (05.145) TIME 08.17    SUMMARY

DATE          TIME   LOGONID/          JOBNAME   CHANGER/      CHANGE  CPU   USING
                     NAME                        NAME
05.145 05/25  06.11  TLC725            TLC454    TLC454        CHANGE  CPU1
                     USER TLC725                 USER TLC454
05.145 05/25  06.12  NEWUSR2           TLC454    TLC454        INSERT  CPU1  TLC725
                     TEST USER NAME 2            USER TLC454
05.145 05/25  06.15  NEWUSR2           TLC454    TLC454        CHANGE  CPU1
                     TEST USER NAME 2            USER TLC454

In this example report, the first entry was made at 6:11 a.m. on May 25. Logonid TLC454 with the name “USER TLC454” changed the record for logonid TLC725 with the name “USER TLC725”. The record was processed through CPU1. The next entry shows the creation by TLC454 of logonid NEWUSR2 named “TEST USER NAME 2”. This occurred on CPU1 using TLC725 as a model logonid record. The other entries are read in a similar fashion.
DETAIL
The following sample shows the ACFRPTLL report when the DETAIL and TIME(H) parameters are specified:
<acf> Security - ACFRPTLL - LOGONID MODIFICATION LOG - PAGE 1
DATE 05/25/05 (05.145) TIME 08.17    DETAIL

DATE          TIME         LOGONID/          JOBNAME   CHANGER/      CHANGE  CPU   USING
                           NAME                        NAME
                           FIELD     OLD VALUE             NEW VALUE
05.145 05/25  06.11.17.89  TLC725            TLC454    TLC454        CHANGE  CPU1
                           USER TLC725                 USER TLC454
                           TSOSIZE   31000                 08096
05.145 05/25  06.12.15.18  NEWUSR2           TLC454    TLC454        INSERT  CPU1  TLC454
                           TEST USER NAME 2            USER TLC454
                           NAME      ---NULLS---           TEST USER NAME 2
                           PASSWORD  ---NON PRINTABLE---   ---NON PRINTABLE---
05.145 05/25  06.15.12.19  NEWUSR2           TLC454    TLC454        CHANGE  CPU1
                           TEST USER NAME 2            USER TLC454
                           ACCOUNT   NOACCOUNT             ACCOUNT
                           AUDIT     NOAUDIT               AUDIT
                           OPERATOR  NOOPERATOR            OPERATOR
                           PSWD-EXP  PSWD-EXP              NOPSWD-EXP
                           REFRESH   NOREFRESH             REFRESH
                           SECURITY  NOSECURITY            SECURITY
                           TSO       TSO                   TSO
                           TSOSIZE   31000                 08096

This report contains a portion of the entries shown in the previous example with a larger TIME format and shows the logonid record fields that were changed in each entry. In the first entry, the TSOSIZE field was changed in the logonid record for TLC725. Other entries are read in a similar fashion. See the field descriptions in the next section to interpret the additional fields reported under the DETAIL parameter.
DETAIL, UPDATE
When both the DETAIL and UPDATE parameters are specified together with TIME(S), the ACFRPTLL report appears as shown in the following example. In this example, logon and JESx validation updates are also included. UPDATE in the CHANGE column indicates entries for system validation updates.
<acf> SECURITY - ACFRPTLL - LOGONID MODIFICATION LOG - PAGE 1
DATE 12/18/98 (98.353) TIME 14.49    DETAIL UPDATE TIME(S)

DATE          TIME      LOGONID   JOBNAME   CHANGER   CHANGE  CPU   USING
                        FIELD     OLD VALUE             NEW VALUE             SIGNAL
98.352 12/17  12.12.17  PETETEST  PETE315   PETE315   INSERT  CPUA  USRPEG
                        NAME      ---NULLS---           EXPIRE TEST
98.352 12/17  12.14.53  PETETEST  PETE315   PETE315   CHANGE  CPUA
                        PASSWORD  ---NON PRINTABLE---   ---NON PRINTABLE---
98.352 12/17  12.15.12  PETE315   PETE315   PETE315   CHANGE  CPUA
                        EXPIRE    ---NULLS---           12/17/98
98.352 12/17  12.18.24  SSDRSO1   MSTJCL00            UPDATE  CPUA
                        *** NO FIELDS CHANGED ***
98.352 12/17  12.20.25  TSS123    TSSFAD    TSSFAD    INSERT  CPUA  TSSFAD
                        RESTRICT  NORESTRICT            RESTRICT
98.352 12/17  12.20.31  TSS123    TSSFAD    TSSFAD    INSERT  CPUA  TSSFAD
                        MAXDAYS   00000                 00060
                        MINDAYS   00000                 00060

Field Descriptions
CHANGE
Indicates the type of update performed.
  • INSERT - a new logonid record was inserted.
  • CHANGE - an old logonid was changed.
  • DELETE - a logonid was deleted.
  • UPDATE - the logonid was updated during logon or job validation processing. This type of record appears only if the UPDATE option is specified for ACFRPTLL processing.
CHANGER
Indicates the logonid of the user who issued the change request. This field is JESx for batch job validation or MSTRJCL for logon validation records.
CPU
Indicates the SMF CPU ID on which the change was made.
DATE
Indicates the Julian and Gregorian date when the update was made. The format of this date is MM/DD or DD/MM, based on CA ACF2 generation options.
JOBNAME
Indicates the name of the job under which the updates were made. If this job is a TSO session, the job name and the changer are usually the same.
LOGONID
Indicates the logonid of the updated record.
NAME
Indicates the name of the user either issuing the update when under the CHANGER field or being updated when under the LOGONID field.
TIME
Indicates the time when the update was made.
USING
Indicates the logonid of the model record specified in the USING parameter of the ACF command.
Additional Field Descriptions
An additional line of information appears on the ACFRPTLL report when the user specifies the DETAIL parameter. This additional line contains the following fields:
FIELD
Logonid record field updated by an ACF INSERT, CHANGE, or DELETE subcommand
OLD VALUE
Value of the field before the update was made
NEW VALUE
Value of the field after the update.
In certain instances, the values reported in the OLD VALUE and NEW VALUE fields appear as follows when the DETAIL parameter is in effect:
  • If the value of a field is too long, that field is continued onto more than one line of the report.
  • If a field contains no value, the message ---NULLS--- appears as the value of the field.
  • If the value of a field cannot be reconstructed (as in the case of a password), the message ---NON PRINTABLE--- is reported for the value of that field.
  • If the user printing the report does not have authorization to list the value of a particular field, the message ---NOT AUTH--- is reported for the value of the field.
  • If no fields were changed, the message *** NO FIELDS CHANGED *** is reported for the old and new values of the field.
  • If a bit field is off (for example, NONON-CNCL) and this field is turned off again (for example, you issue a CH logonid NONON-CNCL command), the report shows “NO FIELDS CHANGED.”
  • If a field has a null value (for example, NAME()) and the field is changed to a null value again (for example, you issue a CH logonid NAME() command), the report shows “NO FIELDS CHANGED.”
SIGNAL
IBM Type 71 RACF ENF signal indicator field, which indicates whether CA ACF2 successfully sent a type 71 RACF ENF signal for an ENF-qualifying event. A value of 'YES' indicates the signal was sent.
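
Added example (not part of the original documentation or of CA ACF2): a Python post-processor for saved DETAIL output that lists every entry in which a privilege bit (SECURITY, ACCOUNT, or AUDIT) went from off to on, relying on the NO-prefix convention for bit fields described above. The sample text is constructed from the DETAIL example on this page; the whitespace-separated column layout and the function name are assumptions.

```python
import re

# Constructed sample laid out like the DETAIL report on this page
# (whitespace-separated columns are an assumption about the SYSPRINT layout).
SAMPLE = """\
05.145 05/25 06.11.17.89 TLC725   TLC454 TLC454 CHANGE CPU1
                         USER TLC725     USER TLC454
                         TSOSIZE  31000          08096
05.145 05/25 06.12.15.18 NEWUSR2  TLC454 TLC454 INSERT CPU1 TLC454
                         TEST USER NAME 2  USER TLC454
                         NAME     ---NULLS---    TEST USER NAME 2
05.145 05/25 06.15.12.19 NEWUSR2  TLC454 TLC454 CHANGE CPU1
                         TEST USER NAME 2  USER TLC454
                         ACCOUNT  NOACCOUNT      ACCOUNT
                         AUDIT    NOAUDIT        AUDIT
                         PSWD-EXP PSWD-EXP       NOPSWD-EXP
                         SECURITY NOSECURITY     SECURITY
"""

# Entry line: Julian/Gregorian date, time, LOGONID, JOBNAME, optional CHANGER, CHANGE type.
ENTRY = re.compile(r"^(\d\d\.\d{3} \d\d/\d\d)\s+([\d.]+)\s+(\S+)\s+(\S+)"
                   r"(?:\s+(\S+))?\s+(INSERT|CHANGE|DELETE|UPDATE)\b")
# Detail line: exactly three tokens (FIELD, OLD VALUE, NEW VALUE); name lines do not match.
DETAIL = re.compile(r"^\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
WATCHED = {"SECURITY", "ACCOUNT", "AUDIT"}  # privileges named on this page

def privilege_grants(report, watched=WATCHED):
    """Return (date, time, logonid, changer, field) for each watched bit turned on."""
    hits, current = [], None
    for line in report.splitlines():
        m = ENTRY.match(line)
        if m:
            date, time, logonid, _job, changer, _kind = m.groups()
            current = (date, time, logonid, changer)
            continue
        if line[:1].isdigit():
            current = None  # unrecognised entry line: do not misattribute its details
            continue
        d = DETAIL.match(line)
        if d and current:
            field, old, new = d.groups()
            # A bit field is reported as NOfield when off and as field when on.
            if field in watched and old == "NO" + field and new == field:
                hits.append(current + (field,))
    return hits
```

Run it over SYSPRINT saved from a DETAIL run; entries where the changer and the updated logonid are the same are worth reviewing first.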