Set Logging Options

The Connector Interceptors detect changes made to security definitions and record these changes so that they can be reported to IdentityIQ. To detect these changes, RACF should be set to log all RACF commands that are issued in the system, and SMF should be set to collect these records.

For more information regarding Connector Interceptors, see Overview of Connector for RACF Interceptors.

1 – Set RACF Global Options

RACF global options SAUDIT and AUDIT control RACF command logging as follows:

| Global Option | Description |
|---|---|
| SAUDIT | Instructs RACF to log commands that are issued by users with the SPECIAL or group-SPECIAL attribute |
| AUDIT (USER GROUP) | Instructs RACF to log commands that modify user and group profiles and are issued by users without the SPECIAL or group-SPECIAL attribute |

Set RACF to log these events by issuing the following RACF command:

SETROPTS SAUDIT AUDIT (USER GROUP)

Note
Your RACF user ID must be defined with the AUDITOR and SPECIAL attributes to issue this command.

2 – Set SMF Parameters

RACF generates audit information regarding RACF commands in SMF record type 80 (and 30 if TSO LOGON events are relevant). These records are passed to the SMF record exit (IEFU83 and IEFU84), which transfers information regarding the commands to the Online Interceptor.

To ensure that these records are collected for future processing and are passed to SMF exit IEFU83 and optionally IEFU84, SMF parameters must be set to collect generated records of type 80 and optionally 30.

2A – Edit the SMFPRMnn Member

  1. Edit the SMFPRMnn member in your SYS1.PARMLIB library. This member specifies which SMF records are collected by SMF.

    nn is the number specified in member IEASYS in SYS1.PARMLIB, or 00, if it was not specified.

  2. Make sure parameter TYPE specifies that record type 80 is collected for all subsystems.

    For more information on SMFPRMnn parameters, refer to the z/OS Initialization and Tuning Reference Guide.

  3. Save the member (if it was modified).

2B – Activate SMF Parameters

If you modified member SMFPRMnn in step 2A (Edit the SMFPRMnn Member), refresh SMF definitions by issuing the following operator command:

SET SMF=nn

where nn is the suffix of the SMFPRMnn member that was updated.
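
One way to carry out the check in step 2A on a copy of the member, as an added example that is not part of the product documentation. The function names and the sample member are hypothetical. The script assumes that a SYS statement without TYPE or NOTYPE collects all record types, and that a SUBSYS statement without them inherits the SYS selection.

```python
import re

ALL = set(range(256))  # SMF record types 0-255

def _args(text, kw):
    """Balanced-parenthesis argument of every KW(...) that is not part of a longer word."""
    found = []
    for m in re.finditer(r'(?<![A-Z0-9])' + kw + r'\(', text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {'(': 1, ')': -1}.get(text[i], 0)
            i += 1
        found.append(text[m.end():i - 1])
    return found

def _types(spec):
    """Expand '0:29,80,30(1:5)' into a set of record types; subtype lists are ignored."""
    out = set()
    for item in re.sub(r'\([^()]*\)', '', spec).split(','):
        lo, _, hi = item.strip().partition(':')
        if lo:
            out.update(range(int(lo), int(hi or lo) + 1))
    return out

def _collected(stmt, inherited):
    """Types one SYS/SUBSYS statement collects; `inherited` applies without TYPE/NOTYPE."""
    if _args(stmt, 'TYPE'):
        return _types(_args(stmt, 'TYPE')[0])
    if _args(stmt, 'NOTYPE'):
        return ALL - _types(_args(stmt, 'NOTYPE')[0])
    return inherited

def check_smfprm(member, needed=(80,)):
    """Return {statement: [needed types it does not collect]} for SYS and each SUBSYS."""
    text = re.sub(r'/\*.*?\*/', '', member.upper(), flags=re.S)   # drop /* */ comments
    sys_types = _collected((_args(text, 'SYS') or [''])[0], ALL)  # assumed default: all
    report = {'SYS': sorted(set(needed) - sys_types)}
    for stmt in _args(text, 'SUBSYS'):
        name = stmt.split(',', 1)[0].strip()
        report[f'SUBSYS({name})'] = sorted(set(needed) - _collected(stmt, sys_types))
    return report

# Constructed sample member, not taken from a real system.
SAMPLE = """
ACTIVE                                  /* constructed sample */
SYS(NOTYPE(14:19,62:69),EXITS(IEFU83,IEFU84))
SUBSYS(STC,EXITS(IEFU83,IEFU84),TYPE(0:29,31:255))
SUBSYS(TSO,TYPE(30(1:5),80))
SUBSYS(JES2,NOTYPE(80))
"""

if __name__ == '__main__':
    for scope, missing in check_smfprm(SAMPLE, needed=(80, 30)).items():
        print(scope, 'OK' if not missing else f'does not collect {missing}')
```

Pass `needed=(80, 30)` only when TSO LOGON events are relevant; any statement reported with a non-empty list needs its TYPE or NOTYPE selection corrected before step 2B.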