I am trying to better understand how Access Monitor processing works with address spaces marked PRIVILEGED. My understanding is that Access Monitor gathers its information from hooks in the RACF exits. However, the Systems Programmers manual for RACF tells me that for a RACROUTE REQUEST=AUTH call with an ACEE marked as PRIVILEGED no RACF exits are called.
At the same time I see in the description of the GUGSOPGX field in Access monitor records that the P flag represents a task that is Trusted or Privileged.
I also see a statement in the Access Monitor chapter in "zSecure Admin and Audit for RACF" saying, "The privileged or Trusted flag (Priv/Trust assigned) is only set for started tasks, as reflected by the authentication method Started". So are records being collected for privileged started tasks?
Also, I am dealing with third party utility program which is altering its ACEE to set the Privileged bit ACEEPRIV even though it is NOT a started task. I am trying to find access records for the job running this program, and failing to find them. Is there any way I can see what this program is gaining access to?
Thanks
Lennie