IBM Security Z Security

 View Only

 Unable to get alerts generated for sensitive resources

Jump to  Best Answer
David Low's profile image
David Low posted Tue August 05, 2025 07:32 PM

I'm interested in getting alerts generated for RACF sensitive resources but in my testing it's not working as expected. Maybe I'm misunderstanding how this is supposed to work. I'm hoping someone can enlighten me on how to get alerts for specific resources.

In my example, I go into SE.A.S and select Sensitive Resources. In the member I enter the following:

SIMULATE CLASS=DATASET ACCESS=READ,
SENSITIVITY=Site-Dsn-R,
RESOURCE=A.B.C.D

I confirm that alerts 1212 and 1213 are enabled and destination is sent to email. Then I go to SE.A.A and refresh the configuration. Now I'm expecting that when a user attempts to read dataset A.B.C.D that Alert will generate an alert and send an email. But in my testing this isn't happening, regardless of whether the user has read access to the dataset or not, I'm not receiving any alert. I'd appreciate any insight on this, Thanks!

Mike Riches's profile image
Mike Riches posted Wed August 06, 2025 01:44 AM  Best Answer

Hello David,

The documentation for alert 1212 states:

"To generate this alert, RACF® successful read and update access must be recorded. This is the case if either AUDIT(success(read)) or GLOBALAUDIT(success(read)) is specified for the relevant profiles. When you change the audit settings for a profile, ensure that failure auditing is also set as intended."

and for alert 1213

"To generate this alert, RACF® successful update access must be recorded. This is the case if either AUDIT(success(update)) or GLOBALAUDIT(success(update)) is specified for the relevant profiles. When you change the audit settings for a profile, ensure that failure auditing is also set as intended."

Have you enabled audit event recording for the dataset profile protecting A.B.C.D?

David Low's profile image
David Low posted Wed August 06, 2025 07:13 AM

Thanks Mike, I missed that bit. I'm aware of those audit flags but hadn't thought to flip it for successful read because the failure case didn't generate an alert and for some reason I thought it should (it shouldn't.) After some testing it does resolve my issue!

Related Content