The SAF Kernel may optionally write trace messages to DDPRINT (or SAFPRINT). These trace messages have the following format:
Time Jobname Result Return Code Type SAF Userid Level Resource Name 13:19:19 DAEFCODE SEF DENIED 08040800 RQ 02 :USERA : (02) CMD00153.FIL00005 |
| Field | Explanation |
|---|---|
| Time | Time the security check was made. |
| Jobname | Job that requested the security check. For Adabas and Net-Work SAF Security this is the job that issued the Adabas call being checked. |
| Result |
SEF DENIED: the security system rejected the access attempt. SEF PERMITTED: the security system allowed the access. |
| Return Code |
The return code consists of 4 hexadecimal bytes which contain the following information. The numbers in brackets refer to the values in the example trace message above.
The return code can be interpreted by checking the RACROUTE manual referred to above for the appropriate RACROUTE function (AUTH for an authorize function; VERIFY for authenticate). For a RACROUTE AUTH, R15 of 8 with return code 8 and reason code 0 means the user is not authorized to use the requested resource. This is a normal security violation. For PERMITTED security checks, the return code contains 00000000 or 00000001. 00000001 indicates that the security check was satisfied from the SAF Kernel’s cache (that is, the same user had previously requested the same resource access and the SAF Kernel had cached the security system’s successful response). |
| Type |
The internal SAF Kernel request type. This may be:
|
| SAF Userid | The SAF User ID for which access was requested. |
| Level | The access level requested:
|
| Resource Name |
The name of the resource for which access was requested. For successful user authentications, resource name contains:
|
In the example trace message shown above: at 13:19:19, SAF user USERA in job DAEFCODE attempted to read Adabas file 5 in database 153 but did not have the necessary security access.
