z/OS Security Server RACF Callable Services


Parameters

SA23-2293-00

Work_area
The name of a 1024-byte work area for SAF and RACF® usage. The work area must be in the primary address space.
ALET
The name of a word containing the ALET for the following parameter. Each parameter must have an ALET specified. Each ALET can be different. The words containing the ALETs must be in the primary address space.
SAF_return_code
The name of a 4-byte area in which the SAF router returns the SAF return code.
RACF_return_code
The name of a 4-byte area in which the service routine stores the return code.
RACF_reason_code
The name of a 4-byte area in which the service routine stores the reason code.
Num_parms
The name of a 4-byte area containing the number of parameters in the parameter list, including the Num_parms parameter. This parameter must be in the primary address space. It must be initialized to 26.
ACEE_ALET
The name of a 4-byte area containing the ALET for the ACEE pointed to by the ACEE_ptr parameter. The 4-byte area must be in the primary address space.
ACEE
The name of an area containing the ACEE belonging to the RACF user that should appear in the log record. An ACEE may only be specified by a caller in supervisor state or system key. The ACEE must begin with eyecatcher "ACEE". Otherwise, the area must contain binary zeros in the first 4 bytes. When the area contains binary zeros, RACF uses the task-level ACEE if found, or the address space ACEE.
Parm_ALET
The name of a 4-byte area containing the ALET for the remaining parameters in the parameter list and any data areas referenced by parameter list pointers. The word containing the ALET must be in the primary address space.
Option_word
The name of a 4-byte area containing binary zeros. This area is reserved for future use.
Link_value
The name of an 8-byte area containing a value used to mark related SMF records. Since a single event may result in multiple calls to R_auditx for logging, you can logically link the records by specifying a common value such as a time stamp. Otherwise, fill the area with binary zeros.
Attributes
The name of a 4-byte area containing flags set by the caller. Possible attribute values are the following:
x'80000000'
Event Result. Used to indicate if the event was a success or a failure. Success if flag is set. Failure if flag is not set.
x'40000000'
Authentication Event. Use logging defaults for authentication events described in the usage notes.
x'20000000'
Authorization Event. Use logging defaults for authorization events described in the usage notes.
x'10000000'
Always log successes.
x'08000000'
Always log failures.
x'04000000'
Never log successes.
x'02000000'
Never log failures.
x'01000000'
Check warning mode.
Set any combination of attribute flags except the following pairs, which directly conflict with each other:
'Authentication Event' & 'Authorization Event'
'Always log successes' & 'Never log successes'
'Always log failures' & 'Never log failures'
'Never log successes' & 'Never log failures'
Refer to the usage notes for additional information about the priority of these flags for logging determination.
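A caller can reject a conflicting Attributes word before invoking the service. The following check is an added example, not part of the IBM documentation; the flag values come from the list above, while the macro and function names are illustrative assumptions.

```c
#include <stdint.h>

/* Flag values from the Attributes list; the macro names are illustrative. */
#define AUDX_EVENT_SUCCESS      0x80000000u
#define AUDX_AUTHENTICATION     0x40000000u
#define AUDX_AUTHORIZATION      0x20000000u
#define AUDX_ALWAYS_LOG_SUCCESS 0x10000000u
#define AUDX_ALWAYS_LOG_FAILURE 0x08000000u
#define AUDX_NEVER_LOG_SUCCESS  0x04000000u
#define AUDX_NEVER_LOG_FAILURE  0x02000000u
#define AUDX_CHECK_WARNING      0x01000000u

/* The four pairs the text says must not be set together. */
static const uint32_t audx_conflicts[][2] = {
    { AUDX_AUTHENTICATION,     AUDX_AUTHORIZATION     },
    { AUDX_ALWAYS_LOG_SUCCESS, AUDX_NEVER_LOG_SUCCESS },
    { AUDX_ALWAYS_LOG_FAILURE, AUDX_NEVER_LOG_FAILURE },
    { AUDX_NEVER_LOG_SUCCESS,  AUDX_NEVER_LOG_FAILURE },
};

/* Returns 0 when no conflicting pair is set, otherwise the 1-based
 * position of the first conflicting pair in audx_conflicts. */
int audx_attr_conflict(uint32_t attrs)
{
    unsigned n = sizeof audx_conflicts / sizeof audx_conflicts[0];

    for (unsigned i = 0; i < n; i++) {
        uint32_t pair = audx_conflicts[i][0] | audx_conflicts[i][1];
        if ((attrs & pair) == pair)   /* both flags of the pair are on */
            return (int)i + 1;
    }
    return 0;
}
```

The fourth pair is the one most worth checking in review, since setting both "never log" flags would suppress the audit record for every outcome.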
Component
The name of an area that consists of a 4-byte length field followed by character data. The character data is the name of the product or component calling the R_auditx service. The length represents the length of the character data. The maximum length of the data is 255. The component is required; therefore, the length must be greater than zero.
FMID
The name of a 7-byte area containing the FMID of the product or component calling the R_auditx service.
Subtype
The name of a 4-byte integer with the SMF type 83 record subtype assigned to the component. The value may range from 2 to 32767, but should match the subtype assigned to the component. Assigned subtypes are:
| Subtype | z/OS® component |
|---|---|
| 2 | Enterprise identity mapping |
| 5 | WebSphere® Application Server |
| 6 | Tivoli® Key Lifecycle Manager (TKLM) |

Event
The name of a 4-byte integer which the caller initializes with the event code. The value may range from 1 through 255.
Qualifier
The name of a 4-byte integer which the caller initializes with the event code qualifier. The value may range from 0 through 255.
Class
The name of an 8-byte area containing a RACF class name. If not specified, the area must contain all blanks. Otherwise, the class name is assumed to have the following characteristics:
  • Left justified
  • Padded to the right with blanks
  • Specified in uppercase
  • A static IBM® class name, a statically defined installation class name, or a dynamically defined installation class name
  • A general resource class
The class cannot be USER, GROUP, or DATASET. It must also be active and RACLISTed.
Resource

The name of an area that consists of a 4-byte length field followed by a resource name covered by a profile defined in the RACF class specified above. The length represents the length of the resource name. The maximum length is 246. The resource name is ignored if the length is zero. Ensure the letter case of the resource matches that defined for profiles in the class. For the RAUDITX class, profiles must be uppercase so the resource name must be folded to uppercase before being passed to this service. Some classes preserve case sensitivity for profiles and corresponding resource names should not be folded. Refer to z/OS Security Server RACF Macros and Interfaces for more information about class definitions.

Log_string
The name of an area that consists of a 4-byte length field followed by character data to be written with the audit information. The length represents the length of the character data. The maximum length of the log string is 255. If character data is not specified, the length must equal zero.
Relocate_count
The name of a 4-byte area containing the number of relocate sections. The maximum number of relocate sections is 512. The minimum is 0.
Relocate_ptr
The name of an area containing the address of an array of relocate sections. For 31-bit callers, this area is 4 bytes long. For 64-bit callers, this area is 8 bytes long. This parameter is ignored when the Relocate_count parameter is zero. The number of entries in the array must equal the value in Relocate_count. A relocate section is not added to the log record when its length is zero. When the length is greater than zero, the relocate data pointer must not be zero. An array entry for a 31-bit caller is:
| Dec Offset | Hex Offset | Type | Len | Name(Dim) | Description |
|---|---|---|---|---|---|
| 0 | (0) | STRUCTURE | 16 | RAUX_RELOCATE | A row in the array of relocate sections. It describes a single field value. |
| 0 | (0) | FIXED | 2 | RAUX_RELO_TYPE | The relocate section type. The value must not be less than 100 or greater than 65535. |
| 2 | (2) | FIXED | 2 | * | Reserved |
| 4 | (4) | FIXED | 4 | RAUX_RELO_LEN | The length of the data portion of the relocate section. The sum of the relocate lengths plus an additional four bytes for each relocate field must not exceed 20480 bytes. |
| 8 | (8) | FIXED | 4 | * | Reserved |
| 12 | (C) | ADDRESS | 4 | RAUX_RELO_DATA_PTR | The address of the data for the relocate section |

An array entry for a 64-bit caller is:
| Dec Offset | Hex Offset | Type | Len | Name(Dim) | Description |
|---|---|---|---|---|---|
| 0 | (0) | STRUCTURE | 16 | RAUX64_RELOCATE | A row in the array of relocate sections. It describes a single field value. |
| 0 | (0) | FIXED | 2 | RAUX64_RELO_TYPE | The relocate section type. The value must not be less than 100 or greater than 65535. |
| 2 | (2) | FIXED | 2 | * | Reserved |
| 4 | (4) | FIXED | 4 | RAUX64_RELO_LEN | The length of the data portion of the relocate section. The sum of the relocate lengths plus an additional four bytes for each relocate field must not exceed 20480 bytes. |
| 8 | (8) | ADDRESS | 8 | RAUX_RELO_DATA_PTR | The address of the data for the relocate section |

Fields marked 'Reserved' must be filled with binary zeros.
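The limits on the relocate array can be checked on the caller's side before the array is handed to R_auditx. This is an added example, not IBM code: the struct mirrors the 64-bit entry layout above with lower-cased field names, the function and status names are hypothetical, and it assumes the 4-byte overhead is counted for every array entry, including zero-length ones (the stricter reading of the size rule).

```c
#include <stddef.h>
#include <stdint.h>

/* Limits taken from the Relocate_count / Relocate_ptr descriptions. */
#define RAUX_MAX_RELOCATES   512u
#define RAUX_MIN_RELO_TYPE   100u
#define RAUX_MAX_RELO_BYTES  20480u
#define RAUX_RELO_OVERHEAD   4u

/* Caller-side mirror of the 64-bit array entry. */
typedef struct {
    uint16_t    relo_type;   /* offset 0: relocate section type */
    uint16_t    reserved;    /* offset 2: must be binary zeros  */
    uint32_t    relo_len;    /* offset 4: length of the data    */
    const void *relo_data;   /* offset 8: address of the data   */
} raux64_relocate;

_Static_assert(sizeof(void *) != 8 || sizeof(raux64_relocate) == 16,
               "entry must be 16 bytes for a 64-bit caller");

enum relo_status { RELO_OK, RELO_BAD_COUNT, RELO_BAD_TYPE,
                   RELO_BAD_RESERVED, RELO_NULL_DATA, RELO_TOO_LARGE };

/* Validate an array before passing it as Relocate_ptr / Relocate_count. */
enum relo_status raux64_check_relocates(const raux64_relocate *arr,
                                        uint32_t count)
{
    uint64_t total = 0;      /* 64-bit so the running sum cannot wrap */

    if (count > RAUX_MAX_RELOCATES) return RELO_BAD_COUNT;
    if (count == 0) return RELO_OK;       /* Relocate_ptr is ignored */
    if (arr == NULL) return RELO_NULL_DATA;

    for (uint32_t i = 0; i < count; i++) {
        if (arr[i].relo_type < RAUX_MIN_RELO_TYPE) return RELO_BAD_TYPE;
        if (arr[i].reserved != 0) return RELO_BAD_RESERVED;
        if (arr[i].relo_len > 0 && arr[i].relo_data == NULL)
            return RELO_NULL_DATA;
        /* Assumption: overhead is charged per entry, even if length is 0. */
        total += (uint64_t)arr[i].relo_len + RAUX_RELO_OVERHEAD;
        if (total > RAUX_MAX_RELO_BYTES) return RELO_TOO_LARGE;
    }
    return RELO_OK;
}
```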
Message_count
The name of a 4-byte integer containing the number of message segments that form the message. The maximum number of segments is 16. The service issues no message if Message_count is 0.
Message_ptr

The name of an area containing zero or the address of an array. For 31-bit callers, this area is 4 bytes long. For 64-bit callers, this area is 8 bytes long. This parameter is ignored when the Message_count parameter is zero. Otherwise, the number of entries in the array must equal the Message_count value.

The array contains the lengths and addresses of message segments that are combined to form a message that is directed to the security console and the job log. Each message segment text, referenced by the segment pointer in each array entry, should be composed of valid uppercase characters that will display properly at the console. The length for each message segment must not exceed 70 characters. The first message segment should begin with a component message identifier of 15 characters or less.

For each array entry, the message segment is not included when its segment length is zero. When the segment length is greater than zero, the segment pointer must not be zero.

An array entry for a 31-bit caller is:
| Dec Offset | Hex Offset | Type | Len | Name(Dim) | Description |
|---|---|---|---|---|---|
| 0 | (0) | STRUCTURE | 16 | RAUX_SEGMENT | One phrase in the message |
| 0 | (0) | FIXED | 4 | * | Reserved |
| 4 | (4) | FIXED | 4 | RAUX_SEG_LEN | The length of the message segment. The value must not exceed 70. |
| 8 | (8) | FIXED | 4 | * | Reserved |
| 12 | (C) | ADDRESS | 4 | RAUX_SEG_PTR | The address of message segment |

Fields marked 'Reserved' must be filled with binary zeros.
An array entry for a 64-bit caller is:
| Dec Offset | Hex Offset | Type | Len | Name(Dim) | Description |
|---|---|---|---|---|---|
| 0 | (0) | STRUCTURE | 16 | RAUX64_SEGMENT | One phrase in the message |
| 0 | (0) | FIXED | 4 | * | Reserved |
| 4 | (4) | FIXED | 4 | RAUX64_SEG_LEN | The length of the message segment. The value must not exceed 70. |
| 8 | (8) | ADDRESS | 8 | RAUX64_SEG_PTR | The address of message segment |

Fields marked 'Reserved' must be filled with binary zeros.





Copyright IBM Corporation 1990, 2014