IBM Security Z Security


Access Monitor filtering out records as result of LOG=NONE

  • 1.  Access Monitor filtering out records as result of LOG=NONE

    Posted 12 days ago
    There are a number of software products that make calls to the ESM to predetermine a user's access (i.e. for the purposes of building a menu). Typically these calls use LOG=NONE so that no access violation messages appear in your system log / SMF. However, Access Monitor does report on these calls to RACF. Is there a way to filter out those records on my select / exclude statements?

    I know the data for Access Monitor should not be used in the place of SMF reporting, but I am being asked to look historically at our users and what type of access violations they have received. I really don't want to report on these access failures that are not typically logged anyway.

    I am aware that some of these calls are flagged as 'Retrieval of Access Allowed' and I can filter them out, but there are some made by SDSF, NDM, and others that I would like to filter out since they appear to be made via LOG=NONE.

    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: Access Monitor filtering out records as result of LOG=NONE

    Posted 10 days ago
    Edited by Rob van Hoboken 10 days ago
    Linnea
    If you know of classes that are used by applications, and they clutter your reports, you could just exclude those classes entirely (or for specific resources using masks), by adding

    exclude class=xxxx resource=(aa.bb, aa.cc, bb.**)

    If you happen to have an indicator in your current RACF database, stored in profiles that you would want to omit from reports, you could use the SIM_PROFILE capability and implicit lookup in ACCESS newlists to retrieve this indicator, and use it to exclude ACCESS events that would have been covered by the profile. 

    Note:
    One of the SIM_ fields must be referenced in the SORTLIST command.
    CSDATA fields are not supported.

    For example, if you tag these profiles with string LOG=NONE in the installation data field, you could use this as a filter using

    exclude :instdata=:"LOG=NONE"c

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 3.  RE: Access Monitor filtering out records as result of LOG=NONE

    Posted 8 days ago
    Thanks for the suggestions. I was hoping that there was some flag/indicator in the Access Monitor data that I could use that indicated the RACROUTE was a LOG=NONE. Similar to the way you can filter out RETALL.


    ------------------------------
    Linnea Sullivan
    ------------------------------