- x
-
Event Code:
- A=Abend
- C=RACROUTE REQUEST=AUTH
- D=RACDEF access
- E=termination
- F=RACROUTE REQUEST=FASTAUTH
- I=initiation/signon
- L=RACLIST
- O=RACROUTE REQUEST=AUDIT
- P=Control option
- T=TSS command/program
- V=password verify (from JES)
- X=RACXTRT
- Y=VERIFYX call from JES
- rc
-
Security Interface Return Code (hex):
- 00-access allowed
- 04-resource not owned / ACID not defined / ACTION(PASSWORD) on data set PERMIT
- 08-access denied / signon password incorrect
- 0C-password expired
- 10-new password invalid
- 14-signon failed
- 18-initiation failed by site security exit
- 1C-initiation access failed (see DRC for explanation)
- 20-force TSO UADS password security
- 28-OID card required
- 2C-OID card not valid
- 30-terminal access rejected
- 34-application access denied
- 50-surrogate check failed
- 54-JESJOBs not authorized
- dr
-
Detail Violation Reason Code (hex):
Specific violation code that denied access or operation.
*If present, indicates that the return code 'rc' was actually passed to the caller. If blank, then a real return code of 00 was returned. A real return of 00 indicates that the user is not in FAIL MODE.
- acid
-
The name of the ACID associated with this event.
- init
-
A batch jobname, STC procname, or online userid with this event.
- f
-
Facility Code-From the Facility Matrix entry for this facility. Identifies the facility:
- T=TSO
- C=CICSPROD
- B=BATCH
- I=IMSPROD
- S=STC
- K=CICSTEST
- N=NCCF
- R=ROSCOE
See FACILITY(ID) in the Control Options Guide.
- c
-
Resource Class or Event:
Identifies the type of resource being accessed, or the operation being attempted. For example: PROGRAM, CPU, TERMINAL, DATASET, ABSTRACT, VOLUME.
- mm
-
User or Facility Mode (bit mask):
- 0=DORMANT
- 40=WARN
- 20=FAIL
- 30=IMPL,
- 01=CA Top Secret HAS EXPIRED
- rr
-
RACF SVC Flags (bit mapped):
RACINIT:
- 00ENVIR=CREATE
- 04STAT=NO
- 08PASSCHK=NO
- 40ENVIR=CHANGE
- 80ENVIR=DELETE
- C0ENVIR=VERIFY
- RACHECK:
-
- 01ENTITY=(,CSA)
-
- 02LOG=NONE
- 0831‑bit parameters
- 10VSAM dataset
- 80RACFIND=NO
- C0RACFIND=YES
- RACDEF:
-
- 00RACFIND not specified
- 20CHKAUTH=YES
- 80RACFIND=NO
- C0RACFIND=YES
- G/
-
Algorithm Data
- sw
-
Algorithm Switch:
- 00access allowed
- 04authorization not found
- 08access denied
- 0Cvolume access is create; force DSN checking
- 10volume access is (none)
- r1
-
RELATIVE RULE that allowed or denied data set (first rule is 01, second rule is 02, and so on.)
- r2
-
RELATIVE RULE that allowed or denied volume access
- dh
-
ALGORITHM HIGH LENGTH for data sets or resources
- vh
-
ALGORITHM HIGH LENGTH for volume access
- pf
-
RELATIVE SECURITY RECORD that allowed or denied access:
- 00 = USER record
- FF = ALL record
- 01‑FE = PROFILE 1‑254
- do
-
DATA SET AUTHORIZATION ORIGIN: (see vo below)
- vo
-
VOLUME AUTHORIZATION ORIGIN:
- 10 = owned (via TSS ADDTO)
- 20 = authorized (via TSS PERMIT)
- 80 = tape owned
- aa
-
ACTION from rule that authorized or allowed access (bit mask):
- 02PASSWORD or NODSN or DENY
- 08NOTIFY
- 10EXIT
- 20AUDIT
- 80FAIL
- L/
-
LOGGING INDICATORS
- l1
-
- 01do not write to SMF
- 02force message to user
- 04send specific message by id
- 08do not perform I/O
- 10audited event
- 20real return code passed
- 40forced log‑out
- 80violation
- l2
-
FLAGS (bit mask):
- 01delay after message
- 02audit update/alteration
- 04audit access if successful
- 08audit access or LOG=NOFAIL
- 10initiating control ACID
- 20reserved
- 40do not update feedback area
- 80LOG=NONE
- ee
-
EVENT CODE:
- 01job initiation
- 02resource check
- 32TSS command
- 33program change
- 34change control option
- 39DUF update
- 40operator accountability check
- F/
-
FLAG INDICATOR
- f1
-
- 01 = change propagation
- 02 = rename
- 04 = RACROUTE REQUEST=FASTAUTH logging
- 08 = JES early verify
- 10 = trace this call
- 20 = always caller
- 40 = tape data set request
- 80 = VSAM data set access
- f2
-
- 01 = ACTION(EXIT)
- 02 = no initiation resource checks
- 04 = FETCH protection required
- 08 = VTHRESH exceeded
- 10 = this is a "non" violation
- 20 = mask search performed
- 40 = resource is audited
- 80 = ACTION(PASSWORD)
- f3
-
- 01 = environment data obtained
- 02 = z/OS system
- 04 = feedback area validated
- 08 = do not perform logging
- 10 = audit this event
- 20 = simulator trace
- 40 = TSSSIM simulation
- 80 = AMODE(31) storage used
- f4
-
- 01 = PLIST is not RACF‑compatible
- 02 = this is TCBSENV
- 04 = third party RACHECK
- 08 = RACHECK invoked by FRACHECK
- 10 = at least ONE TSO message issued
- 20 = priv/exempt caller
- 40 = initiator in control
- 80 = JES2 or JES3 in control
- c1
-
- 01 = password change required
- 02 = exit continues without checks
- 04 = no password checking
- 08 = user mode used
- 10 = STCACT
- 20 = VMRDR submission
- 40 = password violation
- 80 = security bypass /job
- c2
-
- 01 = abend switch
- 02 = address space termination
- 04 = CHKAUTH=YES
- 08 = ACEE= supplied with SVC
- 10 = non 3270 device
- 20 = GAR retry
- 40 = undefined ACID
- 80 = OID card prompt
- c3
-
UNDEFINED ACID RETRY SWITCH:
- n01 = default ACID
- n02 = exit called
- aa
-
PROCESS/ABEND STATE (bit mapped):
- 01 = TSSERASE
- 02 = TSSKGAR
- 04 = logging interface
- 20 = installation exit
- 40 = invalid feedback area
- 80 = invalid parameter
- bb
-
MODULE/ABEND STATE (bit mapped)
- 01 = TSSKROUT
- 02 = TSSKEXTR
- 04 = TSSKCHG
- 08 = TSSKIXI
- 10 = TSS utility or command
- 20 = TSSKSEC
- 40 = TSSFRACK
- 80 = TSSKID
- ii
-
INSTALLATION EXIT FLAG (bit mapped):
- 01 = RESERVED
- 02 = RESERVED
- 04 = RESERVED
- 08 = User in BYPASS mode
- 10 = RESERVED
- 20 = Exit requested ACID to be suspended
- 40 = Exit requested auditing
- 80 = Exit requested MODE change
- jj
-
Return Code From Installation Exit
- kk
-
Function Code For Entry To Installation Exit