Hi Larry,
Yes, the output in print format for that report is pretty basic (it imbeds SCKRCARL member CKALFDES); there is a lot more detail when you generate an interactive report (which imbeds SCKRCARL member CKADFDRA, which is pretty extensive).
I think you are looking for the INTENT field.
From CKADFDRA, for EVENT=ACCESS:
    / / 'Event identification'(ch),
    / eventdesc(p,0,wordwrap,noretain),
    / eventqual(p,0),
    / descriptor(p,0,explode,hor,et),
    / reason(p,0,explode,hor,et),
    / racfauth(p,0,explode,hor,et),
    / intent(p),
    / access(p),
    / logstr(p,0,wordwrap,et,noretain),
Regards,
------------------------------
Jeroen Tiggelman
Software Development and Level 3 Support Manager IBM Security zSecure Suite
IBM
Delft
------------------------------
Original Message:
Sent: Wed December 08, 2021 01:27 PM
From: Larry Barnett
Subject: RACF Events - Warnings
I have recently put a lot of dataset rules in Warning mode as the updated DISA STIGs are requiring more dataset rules to not have UACC=READ. I have run the listing under EVents > Warnings, and the output only shows that there was a Warning message, the UserID and the dataset name. There are some other fields, but not really useful for my needs. I need to know what the attempted access was that generated the Warning - READ, UPDATE or ALTER. I feel certain that information is in the SMF record; I just don't know what would need to be added to the CARLa statement to get it to show for each record shown.
------------------------------
Larry Barnett
------------------------------