Interpreting Trace Messages

The SAF Kernel may optionally write trace messages to DDPRINT (or SAFPRINT). These trace messages have the following format:

Time	  Jobname  Result     Return Code Type SAF Userid Level Resource Name   
13:19:19 DAEFCODE SEF DENIED    08040800 RQ 02 :USERA   : (02) CMD00153.FIL00005 
Field Explanation
Time Time the security check was made.
Jobname Job that requested the security check. For Adabas and Net-Work SAF Security this is the job that issued the Adabas call being checked.
Result

SEF DENIED: the security system rejected the access attempt.

SEF PERMITTED: the security system allowed the access.

Return Code

The return code consists of 4 hexadecimal bytes which contain the following information. The numbers in brackets refer to the values in the example trace message above.

  • Byte 1 (08) - R15 after RACROUTE

  • Byte 2 (04) – internal function code (see table above)

  • Byte 3 (08) – RACROUTE return code

  • Byte 4 (00) – RACROUTE reason code

The return code can be interpreted by checking the RACROUTE manual referred to above for the appropriate RACROUTE function (AUTH for an authorize function; VERIFY for authenticate). For a RACROUTE AUTH, R15 of 8 with return code 8 and reason code 0 means the user is not authorized to use the requested resource. This is a normal security violation.

For PERMITTED security checks, the return code contains 00000000 or 00000001. 00000001 indicates that the security check was satisfied from the SAF Kernel’s cache (that is, the same user had previously requested the same resource access and the SAF Kernel had cached the security system’s successful response).

Type

The internal SAF Kernel request type. This may be:

  • 01 – authorize Natural library

  • 02 – authorize Adabas access

  • 03 – authorize SYSMAIN function

  • 04 – authorize Natural system files

  • 05 – authorize Natural program execution

  • 06 – authorize Broker service

  • 07- authorize Net-Work (or Adabas cross-level) access

  • 08 – authorize SQL server access

  • 13 – authenticate user

  • 23 – authorize Natural RPC execution

SAF Userid The SAF User ID for which access was requested.
Level The access level requested:
  • 02 – read

  • 04 – update

  • 08 – control

  • 80 – alter

Resource Name

The name of the resource for which access was requested.

For successful user authentications, resource name contains:

  • XXNEWU – user successfully authenticated or

  • XX - user already logged on

In the example trace message shown above: at 13:19:19, SAF user USERA in job DAEFCODE attempted to read Adabas file 5 in database 153 but did not have the necessary security access.