As an auditor, you want to see all activity that occurs by a user or ticket number from elevation to de-elevation or elevation time-out. A unique session ID (TAMID) is assigned at elevation time and carried through each elevation and de-elevation event.

Release : 1.1

Component : TAMz

The TAMRPTTZ audit utility reads the TAMR SMF records used to build the reports from the TAMRSMF job, including the TAMR commands, IBM RACF commands, and resource access reports. All activity that occurs by a user or TAMID from elevation to de-elevation or elevation time-out is added to the CSV file. By default, the report is sorted by TAMID then timestamp.

To build the CSV file, the TAMRPTTZ job runs the TAMRSMF reports and aggregates into a single CSV file. Optionally, you can include an extra job step that generates a JSON format of the CSV report that is offloaded into JSON consumers. For information on available filter criteria, see the documentation included in the TAMRPTTZ job. The SMF 80 subtype general records are listed first, followed by the SMF 80 subtype access records. Both are sorted by TAMID followed by the timestamp.

To generate a comprehensive “Start-Activity-Stop” report, import the CSV into your desired CSV-tool and sort by TAMID followed by date and time.

The following sample output is the CSV file that is generated by TAMRPTTZ:

Type,Date,Time,Event,Result,UserId,Group,System,Terminal,Jobname,Resource_Name,Resource_Class,SECLABEL,TAMID,Command_Is
T,2021-09-01,17:21:30,GENERAL,,TCRAC01,SYS1,XE41,,TC545TST,,,,0901202117212928,ELEVATE,TCRAC50,MORTALS,"TEST",,00,00,,
T,2021-09-01,17:22:43,GENERAL,,TCRAC01,SYS1,XE41,,TC570TST,,,,0901202117212928,DEELEVATE,TCRAC50,MORTALS,"TEST",,00,00,
A,2021-09-01,17:22:34,ACCESS,SUCCESS,TCRAC50,SYS1,XE41,,TC569TST,TCRACF.WORK.DATASET,DATASET,,0901202117212928,,,MORTAL:

The following sample output is the JSON file that is generated by TAMRPTTZ:

[ { "Type": "T", "Date": "2021-09-01", "Time": "17:21:30", "Event": "GENERAL", "UserId": "XXXXXXX", "Group": "SYS1", "System": "XXXX", "Jobname": "TC545TST", "TAMID": "0901202117212928", "Command_Issued": "ELEVATE", "Elevated_User": "XXXXXXX", "Tam_Class": "MORTALS", "Tam_Reason": "TEST", "RC": "00", "RSN": "00" },

{ "Type": "T", "Date": "2021-09-01", "Time": "17:22:43", "Event": "GENERAL", "UserId": "XXXXXXX", "Group": "SYS1", "System": "XXXX", "Jobname": "TC570TST", "TAMID": "0901202117212928", "Command_Issued": "DEELEVATE", "Elevated_User": "TCRAC50", "Tam_Class": "MORTALS", "Tam_Reason": "TEST", "RC": "00", "RSN": "00" },

{"Type": "A", "Date": "2021-09-01", "Time": "17:22:34", "Event": "ACCESS", "Result": "SUCCESS", "UserId": "XXXXXXX", "Group": "SYS1", "System": "XXXX", "Jobname": "TC569TST", "Resource_Name": "TCRACF.WORK.DATASET", "Resource_Class": "DATASET", "TAMID": "0901202117212928", "Tam_Class": "MORTALS", "Access_By_Group_Priv": "MORTLGRP" } ]