The name of the report.
The page number of this page of this report.
The date CA ACF2 for z/VM produced this report (in Julian and Gregorian format).
The time CA ACF2 for z/VM produced this report.
The subtitle the user specified. If you did not specify a subtitle, this field is blank.
The logonid of the user who attempted the action. For group machines, this is the group user. LIDMASK and NLIDMASK select on this field.
The date (in Julian and Gregorian format) of the attempted access.
The time of the attempted access.
The VM user ID of the virtual machine where the user was logged on. For group machines, this is the group ID. JOBMASK selects on this field.
The JES2 or JES3 assigned job number (CA ACF2 for z/VM Security for z/OS sites only).
The user exit or specification that allowed the logging. Valid entries are:
DSNGEN
The data set name generator exit requested CA ACF2 for z/VM to journal the access.
DSNPOST
The data set postvalidation exit requested CA ACF2 for z/VM to journal the access.
NON‑CNCL
CA ACF2 for z/VM allowed the access because the user has the NON‑CNCL attribute.
PRE‑VALD
The user prevalidation exit requested CA ACF2 for z/VM to journal the access.
READ‑ALL
CA ACF2 for z/VM allowed the access because the user has the READALL attribute.
SEC‑OFF
CA ACF2 for z/VM allowed the access because the user is a security officer.
VIO‑EXIT
The user violation exit requested CA ACF2 for z/VM to journal the access.
The name of the job step active when the access was attempted (CA ACF2 for z/VM Security for z/OS and CA‑ACF2 for VSE sites only).
This field is only used for DASD ATTACH or DEDICATE validation. It indicates the volume serial number of the volume being attached.
This field is only used for DASD ATTACH or DEDICATE validation. It indicates the logonid of the user who issued the ATTACH command for the DASD device. If the DASD device was automatically attached at IPL through a DEDICATE VM directory statement, this field is the same as the logonid field.
The name of the file of the attempted access. This is the actual name used for validation and rule interpretation. If this name is invalid, CA ACF2 for z/VM prints the entire record in hexadecimal notation. The structure of the data set name depends on the type of file. Possible formats are:
The $KEY of the access rule set CA ACF2 for z/VM used to validate the request (normally the logonid or VM user ID of the owner of the minidisk).
The virtual device address of the minidisk.
The $KEY of the access rule set that validated the request (normally the logonid or VM user ID of the CMS file owner).
The virtual device address of the minidisk.
The actual CMS filename.
The actual CMS filetype.
Always SYSTEM
The device's channel address (c), the control unit number (u) for the device, and the device's unit number (u).
Represents the real address of the device.
The volser of the volume where CA ACF2 for z/VM found the program library. (Only applies to CA ACF2 for z/VM Security for z/OS sites.)
The program name.
For CA ACF2 for z/VM Security for VM, DDR or FORMAT.
For CA ACF2 for z/VM Security for VSE, the name of a logged or protected phase. The protected program or logged program lists define these phases.
For CA ACF2 for z/VM Security for z/OS, the name of the program that requested the access. This is the CA ACF2 for z/VM translated name of a multimodule program if you defined a structured model. The name in the report is the true program name, not the name of the active load module.
The library where the user loaded the program. (For CA ACF2 for z/VM Security for z/OS sites only.)
The system or CA ACF2 for z/VM component where the user attempted access. Valid values are:
ALLOC
Request for new data set allocation.
CATLG
AMS or CMS issued the request (CA ACF2 for z/VM Security for z/OS sites only).
CVOL
Catalog management CVOL processing issued this request. To determine the type of CVOL request being made, see the minor field below (CA ACF2 for z/VM Security for z/OS sites only).
DA‑EOV
DADSM E‑O‑V issued the request.
DA‑OPN
Open issued the request.
DELETE
DADSM file scratch requested.
EXTRNL
This is an external request for a multiple user address space subsystem (MUSASS).
INSTALL
This violation is in response to a user security request.
PRGNAM
This request was for program execution authorization by the initiator (CA ACF2 for z/VM Security for z/OS sites only).
RENAME
DADSM rename operation requested (to and from names are indeterminate).
REN‑FR
DADSM rename operation requested (original filename).
REN‑TO
DADSM rename requested (new filename).
TP‑EOV
Tape EOV issued the request.
TP‑OPN
The request was for a tape open.
TP‑XOV
This exit is taken for E‑O‑V processing after CA ACF2 for z/VM validates all internal O‑C‑E workarea control blocks. (CA ACF2 for z/VM Security for z/OS sites only).
TP‑XPN
This exit is taken after all final volume verification and label processing has occurred and the system has updated all O‑C‑E workarea control blocks (CA ACF2 for z/VM Security for z/OS sites only).
TP‑XTD
Tape open processing during volume verification. This occurs after volume mount and label verification processing (CA ACF2 for z/VM Security for z/OS sites only).
VS‑OPN
VSAM Open issued the request.
The type of access performed. The major and minor fields combine to detail the exact name of the data set access environment. Possible values are:
ALTER
CMS functions, modifying a catalog entry.
BLDA
CVOL build alias request that assigns an alias to an index (CA ACF2 for z/VM Security for z/OS sites only).
BLDG
CVOL build GDG index request that builds an index for generation data groups (CA ACF2 for z/VM Security for z/OS sites only).
BLDX
CVOL build index request that creates a new index in the catalog (CA ACF2 for z/VM Security for z/OS sites only).
**BLP**
Access to a tape data set. The JCL specified bypass label processing access through the LABEL=(,BLP) DD statement parameter (CA ACF2 for z/VM Security for z/OS sites only).
CATLG
CVOL catalog request that generates an entry in the index of the catalog (CA ACF2 for z/VM Security for z/OS sites only).
DEFINE
CMS functions, creates a catalog entry (CA ACF2 for z/VM Security for z/OS sites only).
DELETE
CMS functions, deletes a catalog entry. Does not require deletion of the data set (CA ACF2 for z/VM Security for z/OS sites only).
DLTA
CVOL delete alias request that deletes an alias previously assigned to an index (CA ACF2 for z/VM Security for z/OS sites only).
DLTX
CVOL delete index request that removes an index from the catalog (CA ACF2 for z/VM Security for z/OS sites only).
DRPX
CVOL disconnect request that connects two volumes (CA ACF2 for z/VM Security for z/OS sites only).
EXECUTE
Executed the program (CA ACF2 for z/VM Security for z/OS and CA‑ACF2 for VSE sites only).
IN/OUT
Opened the data set for input and output processing. You can specify LABEL=(,,,IN) on the appropriate DD statement to modify the JCL for the program to specify only input processing. This access type is standard for FORTRAN files and results in a security violation if CA ACF2 for z/VM only allows read access and you did not specify the JCL LABEL parameter (CA ACF2 for z/VM Security for z/OS sites only).
INPUT
The processed file is read only.
LINKX
CVOL link request that connects two volumes (CA ACF2 for z/VM Security for z/OS sites only).
OUT/IN
This access writes and reads the data set. You can specify LABEL=(,,,OUT) in the LABEL parameter in the JCL to access in write mode. (CA ACF2 for z/VM Security for z/OS sites only).
OUTPUT
The accessed file is write only.
RDBACK
The processed file is for input and being read backwards.
RECT
CVOL recatalog request that replaces an entry in the index of the catalog (CA ACF2 for z/VM Security for z/OS sites only).
UNCAT
CVOL uncatalog request that removes an entry from the index of the catalog (CA ACF2 for z/VM Security for z/OS sites only).
UNKNOWN
Unknown request (none of the above).
UPDATE
The access reads records from the file and updates them in place.
The key of the rule set that validated the data access. This field appears only when a rule record other than the one under the high level index validates the request, such as a NEXTKEY rule parameter.
The return code from the CA ACF2 for z/VM access rule record manager and interpreter.
ACCESS
An access rule matched the environment and the rule specified that access be allowed, or allowed and logged. ACCESS can also indicate that CA ACF2 for z/VM found a rule that did not allow the access, but overrode the rule due to external factors (user was SECURITY or NON‑CNCL).
KEYEXCES
The NEXTKEY facility directed CA ACF2 for z/VM to the appropriate access rule. CA ACF2 for z/VM imposes a limit of 25 NEXTKEYs per validation call. This message indicates a pointer to a 26th rule set. Check the NEXTKEY line to determine the rule sets referenced and correct the error.
NKEYLOOP
The NEXTKEY facility directed CA ACF2 for z/VM to the appropriate access rule. The rule directed CA ACF2 for z/VM to check the same rule set twice, a loop condition. Check the NEXTKEY line to determine the rule sets referenced and correct the error.
NOACCESS
An access rule matched the environment, but the rule prevented access.
NORECORD
The access rule did not match the high level index or CA ACF2 for z/VM could not find the user exit.
NORULE
No access rule matched the environment.
SYNTAX
CA ACF2 for z/VM found a syntax error in the filename.
The name of the user attempting the access.
The ID of the executing VM CPU. CA ACF2 for z/VM does not display this field if you selected the TERMINAL format with the NOEXTEND parameter.
The input source for this request. CA ACF2 for z/VM does not display this field if you selected the TERMINAL format with the NOEXTEND parameter.
Program pathing restrictions the applicable rule placed on this access (CA ACF2 for z/VM Security for z/OS sites only). CA ACF2 for z/VM does not display this field if you selected the TERMINAL format with the NOEXTEND parameter. Valid values are:
LIB
You specified the library, but no specific program.
PGM
You specified a specific program, without a library. This can indicate an improperly constructed rule set.
LIB‑PGM
You specified the library and program parameters.
**TEST**
Applicable program pathing functions were disabled because the user issued the TSO TEST command during program execution. (CA ACF2 for z/VM Security for z/OS sites only).
The user's User Identification string (UID). CA ACF2 for z/VM does not display this field if you selected the TERMINAL format with the NOEXTEND parameter.
The type of security record formatted. Below are various keywords that CA ACF2 for z/VM can display in this field. The keywords are abbreviated as shown in parentheses below in the printer output format.
DATASET (DSET)
The access is to a file (data set).
INVPARMS
The access request validation parameter list was invalid. CA ACF2 for z/VM displays all available information. The record prints in hexadecimal notation.
LOGGING (LOG)
CA ACF2 for z/VM allowed the access but logged it because the access rule requested logging or the user was a security officer or noncancellable.
LOG/VIO
The violation issued by the access rule was reset to a logging record. Refer to the description of the LOG return code of the RMRC field.
PROGRAM (PROG)
CA ACF2 for z/VM issued the record for program access validation (CA ACF2 for z/VM Security for z/OS sites only).
TRACE (TRC)
The user was marked with the TRACE attribute in his logonid record. A logging or violation record can accompany this record, depending on the access rules. CA ACF2 for z/VM automatically writes a trace record when a KEYEXCES or NKEYLOOP condition occurs.
VIOLATION (VIO)
CA ACF2 for z/VM generated this record because the access violated CA ACF2 for z/VM access controls.
VOLUME (VOL)
CA ACF2 for z/VM validated the access at a volume level. The data set name can be @volser.VOLUME, as defined by CA ACF2 for z/VM volume protection.
Special information regarding the access. Valid keywords are shown below:
BLP‑PGM
Uses bypass label processing access for tapes, as defined by the @BLPPGM specification at CA ACF2 for z/VM generation. (CA ACF2 for z/VM Security for z/OS sites only).
MAINT‑PGM
A maintenance program defined in the VMO MAINT record at CA ACF2 for z/VM generation.
PGM‑LOG
Defined by an @LOGPGM specification in the CA ACF2 for z/VM Field Definition Record. (CA ACF2 for z/VM Security for z/OS sites only).
SEC‑TAPE
Secured tape volume as defined by the SECVOLS option during CA ACF2 for z/VM generation or by the user's DSNGEN exit. This tape volume received special processing and the violation or logging is a result of that processing. This is not set if the tape was validated as a result of the TAPEDSN=YES option.
The $KEY of the access rule set that processed this request. This information is optional in the terminal format report. CA ACF2 for z/VM displays it only if the rule set used is not the same as the file high level index.
Specifies an SFS filepool. CA ACF2 for z/VM does not display this field if you selected the TERMINAL format with the NOEXTEND parameter.
Specifies an SFS directory. CA ACF2 for z/VM does not display this field if you selected the TERMINAL format with the NOEXTEND parameter.
Lists the $KEY of every rule set that CA ACF2 for z/VM checked during access validation. The report lists these $KEYs in the order they were referenced. CA ACF2 for z/VM only displays this field for NEXTKEY trace records when you specify the TERMINAL or PRINTER format options. This line is useful for debugging purposes when an NKEYLOOP or KEYEXCES condition occurs.
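The KEYEXCES and NKEYLOOP return codes and the NEXTKEY trace line described above, as an added Python model that is not CA code and not part of the original page. The `validate` function, the ALLOW/PREVENT/NOMATCH outcome labels, the sample rule sets, and the choice to count the first rule set toward the limit of 25 are all assumptions made for illustration.

```python
MAX_RULE_SETS = 25  # limit from the text; counting the first rule set is an assumption

# Constructed sample rule sets: $KEY -> (outcome, NEXTKEY target or None).
SAMPLE = {
    "PAYROLL": ("NEXTKEY", "FINANCE"),
    "FINANCE": ("NEXTKEY", "CORP"),
    "CORP": ("ALLOW", None),
    "LOOPA": ("NEXTKEY", "LOOPB"),
    "LOOPB": ("NEXTKEY", "LOOPA"),
}
# Constructed chain K01 -> K02 -> ... -> K26, one rule set too long from K01.
CHAIN = {f"K{i:02d}": ("NEXTKEY", f"K{i + 1:02d}") for i in range(1, 26)}
CHAIN["K26"] = ("ALLOW", None)


def validate(rule_sets, first_key):
    """Follow NEXTKEY pointers; return (return code, $KEYs in the order referenced).

    Each rule set is reduced to one outcome: ALLOW, PREVENT, NOMATCH or NEXTKEY.
    A NEXTKEY target missing from rule_sets raises KeyError (not modelled).
    """
    checked = []
    key = first_key
    while True:
        if key in checked:                    # same rule set referenced twice
            return "NKEYLOOP", checked + [key]
        if len(checked) == MAX_RULE_SETS:     # pointer to a 26th rule set
            return "KEYEXCES", checked + [key]
        checked.append(key)
        outcome, target = rule_sets[key]
        if outcome == "ALLOW":
            return "ACCESS", checked
        if outcome == "PREVENT":
            return "NOACCESS", checked
        if outcome == "NOMATCH":
            return "NORULE", checked
        key = target                          # NEXTKEY: continue with the next rule set


if __name__ == "__main__":
    for table, start in ((SAMPLE, "PAYROLL"), (SAMPLE, "LOOPA"), (CHAIN, "K01")):
        code, keys = validate(table, start)
        print(f"{start}: {code} after {' -> '.join(keys)}")
```

The returned key list plays the role of the trace line: for NKEYLOOP the repeated $KEY appears twice, and for KEYEXCES the last entry is the rule set that exceeded the limit.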
This report also generates a Cross‑Reference Table at the end. An explanation of these fields follows:
The high‑level index of the data set.
The total number of attempts reported on this report.
The logonid of the user who attempted the action. For group machines, this is the group user. LIDMASK and NLIDMASK select on this field.
The number of attempts by the logonid.
If you selected Extended terminal output ==> N, the report displays only the first four lines of output.
Copyright © 2009 CA Technologies.
All rights reserved.