








	*SMF Tools*

SMF Type 80 Record

This table shows the record layout for type 80 SMF records
(Security Product (RACF) Processing).

List of other SMF record layouts available.
List of sample SMF reports.

Purpose: Record type 80 is produced during Resource Access Control Facility (RACF) processing and Public Key Infrastructure (PKI) Services processing.

Unauthorized attempts to enter the system
Authorized accesses or unauthorized attempts to access RACF-protected resources
Authorized or unauthorized attempts to modify profiles on a RACF data base
Successful or unsuccessful partner LU verification.

PKI Services writes a record for each CRL that is successfully published to LDAP. RACF and PKI Services write one record for each event.

It's easy to report on SMF 80 data! (Jump to sample reports)

We have a low-cost 4GL report writer especially for SMF files. It's called Spectrum SMF Writer.

Spectrum SMF Writer handles the difficult SMF record parsing for you automatically. You just specify which fields you want to see.

Spectrum SMF Writer also converts the arcane date and time fields and reformats them into an attractive report.

Plus, Spectrum SMF Writer can export SMF data as comma delimited files to use on your PC.

SMF Type 80 Record -- Security Product (RACF) Processing
Offset (Dec.)	Offset (Hex)	Name	Length	Format	Description
0	0	SMF80LEN	2	binary	Record length. This field and the next field (total of four bytes) form the RDW (record descriptor word). See “Standard SMF Record Header” on page 13-1 for a detailed description.
2	2	SMF80SEG	2	binary	Segment descriptor (see record length field).
4	4	SMF80FLG	1	binary	System indicator: Bit Meaning When Set 0-2 Reserved 3-6 Version indicators* 7 Reserved.*See “Standard SMF Record Header” on page 13-1 for a detailed description.
5	5	SMF80RTY	1	binary	Record type 80 (X'50').
6	6	SMF80TME	4	binary	Time since midnight, in hundredths of a second, that the record was moved into the SMF buffer.
10	A	SMF80DTE	4	packed	Date when the record was moved into the SMF buffer, in the form 0cyydddF. See “Standard SMF Record Header” on page 13-1 for a detailed description.
14	E	SMF80SID	4	EBCDIC	System identification (from the SID parameter).
18	12	SMF80DES	2	binary	Descriptor flags Bit Meaning When Set 0 The event is a violation 1 User is not defined to RACF 2 Record contains a version indicator (see SMF80VER) 3 The event is a warning 4 Record contains a version, release, and modification level number (see SMF80VRM) 5-15 Reserved.
20	14	SMF80EVT	1	binary	Event code. For information about RACF event codes, see z/OS Security Server RACF Macros and Interfaces.
21	15	SMF80EVQ	1	binary	Event code qualifier. For information about RACF event codes, see z/OS Security Server RACF Macros and Interfaces.
22	16	SMF80USR	8	EBCDIC	Identifier of the user associated with this event (jobname is used if the user is not defined to RACF).
30	1E	SMF80GRP	8	EBCDIC	Group to which the user was connected (stepname is used if the user is not defined to RACF).
38	26	SMF80REL	2	binary	Offset to the first relocate section from beginning of the record header.
40	28	SMF80CNT	2	binary	Count of the number of relocate sections.
42	2A	SMF80ATH	1	binary	Authorities used for processing commands or accessing resources Bit Meaning When Set 0 Normal authority check (resource access) 1 SPECIAL attribute (command processing) 2 OPERATIONS attribute (resource access, command processing) 3 AUDITOR attribute (command processing) 4 Installation exit processing (resource access) 5 Failsoft processing (resource access) 6 Bypassed-userid = BYPASS (resource access) 7 Trusted attribute (resource access).
43	2B	SMF80REA	1	binary	Reason for logging. These flags indicate the reason RACF produced the SMF record Bit Meaning When Set 0 SETROPTS AUDIT(class) - changes to this class of profile are being audited. 1 User being audited 2 SPECIAL users being audited 3 Access to the resource is being audited due to the AUDIT option (specified when profile created or altered by a RACF command), a logging request from the RACHECK exit routine, or because the operator granted access during failsoft processing. 4 RACINIT failure 5 This command is always audited 6 Violation detected in command and CMDVIOL is in effect 7 Access to entity being audited due to GLOBALAUDIT option.
44	2C	SMF80TLV	1	binary	Terminal level number of foreground user (zero if not available).
45	2D	SMF80ERR	1	binary	Command processing error flag Bit Meaning When Set 0 Command had error and RACF could not back out some changes 1 No profile updates were made because of error in RACF processing 2-7 Reserved.
46	2E	SMF80TRM	8	EBCDIC	Terminal ID of foreground user (zero if not available).
54	36	SMF80JBN	8	EBCDIC	Job name. For RACINIT records for batch jobs, this field can be zero. The job name, time, and date that the reader recognized the JOB card (for this job) constitute the job log identification, or transaction name (for APPC output).
62	3E	SMF80RST	4	binary	Time since midnight, in hundredths of a second, that the reader recognized the JOB statement for this job. For RACINIT records for batch jobs, this field can be zero.
66	42	SMF80RSD	4	packed	Date the reader recognized the JOB statement for this job, in the form 0cyydddF. See “Standard SMF Record Header” on page 13-1 for a detailed description. For RACINIT records for batch jobs, this field can be zero.
70	46	SMF80UID	8	EBCDIC	User identification field from the SMF common exit parameter area. For RACINIT records for batch jobs, this field can be zero.
78	4E	SMF80VER	1	binary	Version indicator (8 = Version 1, Release 8 or later). As of RACF 1.8.1, SMF80VRM is used instead.
79	4F	SMF80RE2	1	binary	Additional reasons for logging Bit Meaning When Set 0 Security level control for auditing 1 VMEVENT Auditing 2 Class being audited due to SETROPTS LOGOPTIONS 3 Entity audited due to SETROPTS SECLABELAUDIT 4 Reserved. 5-7 Reserved.
80	50	SMF80VRM	4	EBCDIC	RACF version, release, and modification level number in the form VRRM (for example, 1081 represents RACF 1.8.1).
84	54	SMF80SEC	8	EBCDIC	Security label of the user.
92	5C	SMF80RL2	2	binary	Offset to extended-length relocate sections.
94	5E	SMF80CT2	2	binary	Count of extended-length relocate sections.
96	60	SMF80AU2	1	binary	Authority used continued. Bit Meaning When Set 0 OpenEdition superuser 1 OpenEdition system function 2-7 Reserved.
97	61	SMF80RSV	1	binary	Reserved.
Relocate Section(Offset from beginning of record: SMF80REL)
0	0	SMF80DTP	1	binary	Data type. For description of the variable data elements of the relocate section, see z/OS Security Server RACF Macros and Interfaces.
1	1	SMF80DLN	1	binary	Length of data that follows.
2	2	SMF80DTA	variable	binary	For description of the variable data elements of the relocate section, see z/OS Security Server RACF Macros and Interfaces.
Extended-Length Relocate Section(Offset from beginning of record: SMF80RL2)
0	0	SMF80TP2	2	binary	Data type.
2	2	SMF80DL2	2	binary	Length of data that follows.
4	4	SMF80DA2	variable	EBCDIC	Data.

The table above is based on the description provided by IBM in its "MVS Systems Management Facilities (SMF)" manual.

Spectrum SMF Writer - the 4GL SMF Report Writer.

Sample RACF Event Report from SMF 80 Records

The sample SMF report below was created with Spectrum SMF Writer, the low-cost 4GL SMF report writer.

It reads as input the SMF file and selects just the type 80 (RACF Processing) records. (See SMF 80 record layout.)

We print a report showing each RACF processing event, with a description of what the event was, and the outcome. Note that the actual SMF record just contains codes for the event and its status. Our Spectrum SMF Writer definitions include code to expand those numeric values into descriptive texts.

Spectrum SMF Writer also uses a special exit to parse the variably formatted "relocation" fields at the end of the SMF 80 record. This lets us easily print such hard-to-access details as resource name (DSNAME), authority requested and authority allowed.

These events are grouped by unique JOB and printed in JOB/timestamp order.

All of this with just a few lines of code!
Why not install a Spectrum SMF Writer trial right now and start making your own SMF reports!

These Spectrum SMF Writer Statements:

INPUT:  SMF80

INCLUDEIF: SMF80RTY = 80

COLUMNS:
     SMF80JBN('JOBNAME')
     SMF80TME
     SMF80_EVENT_NAME(20 'SMF80 EVENT NAME')
     SMF80_EVENT_QUAL_DESC(18 'EVENT QUALIFIER')
     SMF80USR('USER')
     SMF80GRP('GROUP')
     SMF80DTA_1('RESOURCE|NAME' 16)
     SMF80DTA_3_WORD("AUTH|REQUEST")
     SMF80DTA_4_WORD("AUTH|ALLOWED")
     SMF80DTA_17('CLASS')

SORT:  SMF80_JOBID
BREAK: SMF80_JOBID NOTOTALS SPACE(1)

TITLE: #DATE #TIME /'RACF EVENT LOG BY JOB ON' SMF80DTE  / 'PAGE' #PAGE

Produce This SMF Report:

 07/04/13  4:53 AM                           RACF EVENT LOG BY JOB ON 07/24/06                                    PAGE  1
                                                      
                                                                                    RESOURCE       AUTH     AUTH
 JOBNAME   SMF80TME     SMF80 EVENT NAME    EVENT QUALIFIER     USER    GROUP         NAME        REQUEST  ALLOWED CLASS
 ________ ___________ ____________________ __________________ ________ ________ ________________ _________ _______ ______

 CICS3A8A 12:00:03.85 JOB INITIATION / TSO Successful RACINIT CICSUSER SYS1                      CONTROL   CONTROL

 GARRETY  11:52:12.95 RESOURCE ACCESS      Successful access  GARRETY  GEOTEAM  MVS.STOP.STC.WT4 UPDATE    CONTROL OPERCM
 GARRETY  11:52:18.39 RESOURCE ACCESS      Successful access  GARRETY  GEOTEAM  MVS.VARY.WLM

 IMSREPLY 11:30:01.32 RESOURCE ACCESS      Successful access  IMSUSER  SYS1     MVS.DISPLAY.R

 JES2     11:46:09.09 RESOURCE ACCESS      Successful access  SETUP    SYS1     MVS.MODIFY.STC.F UPDATE    ALTER   OPERCM
 JES2     11:45:08.70 RESOURCE ACCESS      Successful access  SETUP    SYS1     MVS.MODIFY.STC.F UPDATE    ALTER   OPERCM
 JES2     11:52:15.32 RESOURCE ACCESS      Successful access  SETUP    SYS1     MVS.MODIFY.STC.F UPDATE    ALTER   OPERCM

 NETX123  11:42:11.97 RESOURCE ACCESS      Successful access  SETUP    SYS1     MVS.CONTROL.E
 NETX123  11:42:12.00 RESOURCE ACCESS      Successful access  SETUP    SYS1     MVS.CONTROL.S
 NETX123  11:32:58.74 RESOURCE ACCESS      Successful access  SETUP    SYS1     MVS.DISPLAY.CONS READ      ALTER   OPERCM
 NETX123  11:33:35.44 RESOURCE ACCESS      Successful access  SETUP    SYS1     MVS.DISPLAY.OMVS READ      ALTER   OPERCM
 NETX123  11:56:35.35 RESOURCE ACCESS      Successful access  SETUP    SYS1     MVS.MODIFY.STC.Z UPDATE    ALTER   OPERCM

 USER031  11:30:10.60 CHECK ACCESS TO DIRE Not authorized     USER031  OEDFLTG                   CONTROL   CONTROL DIRACC
 USER031  11:30:10.60 CHECK ACCESS TO DIRE Not authorized     USER031  OEDFLTG                   CONTROL   CONTROL DIRACC
 USER031  11:30:26.92 CHECK ACCESS TO DIRE Not authorized     USER031  OEDFLTG                   CONTROL   CONTROL DIRACC

 USER048  11:36:19.20 CHECK ACCESS TO FILE Not authorized     USER048  OEDFLTG                   CONTROL   CONTROL FSOBJ

 USER097  11:30:39.32 CHECK ACCESS TO FILE Not authorized     USER097  OEDFLTG                   CONTROL   CONTROL FSOBJ

 XH4AMGS  11:47:18.81 JOB INITIATION / TSO Password not valid WITADM4  WITADMGP                  CONTROL   CONTROL

 XH7ADM   11:35:45.41 DIRECTORY SEARCH     Not authorized     XH7ADM   WT6CFG                    CONTROL   CONTROL DIRSRC
 XH7ADM   11:35:45.41 DIRECTORY SEARCH     Not authorized     XH7ADM   WT6CFG                    CONTROL   CONTROL DIRSRC
 XH7ADM   11:55:21.94 DIRECTORY SEARCH     Not authorized     XH7ADM   WT6CFG                    CONTROL   CONTROL DIRSRC
 XH7ADM   11:55:21.94 DIRECTORY SEARCH     Not authorized     XH7ADM   WT6CFG                    CONTROL   CONTROL DIRSRC
 XH7ADM   11:32:43.57 DIRECTORY SEARCH     Not authorized     XH7ADM   WT6CFG                    CONTROL   CONTROL DIRSRC
 XH7ADM   11:32:43.57 DIRECTORY SEARCH     Not authorized     XH7ADM   WT6CFG                    CONTROL   CONTROL DIRSRC

...

See other sample SMF reports.