How to enable logging for Resource CLASS='TSOAUTH', CLASS='JESSPOOL' or CLASS='WRITER' with LOG=NONE on RACROUTE call.
For example Resource CLASS='TSOAUTH' that grants CONSOLE.
The resource rule for TSOAUTH already has a rule entry with LOG specified:
$KEY(CONSOLE) TYPE(TSO)
$USERDATA(TSOAUTH CONSOLE)
UID(ABCD) LOG DATA(ACF2-TS-000010)
UID(*) PREVENT DATA(ACF2-TS-000010)
Release : 16.0
Component : ACF2 for z/OS
ACF2 provides an internal SAFDEF with MODE=GLOBAL for the TSOAUTH, JESSPOOL and WRITER resource classes.
For example, the RACROUTE calls for Resource CLASS='TSOAUTH' specify LOG=NONE and IBM RACROUTE documentation explains the following for LOG=NONE: "suppresses both messages and SMF records regardless of MSGSUPP=NO".
ACF2 will suppress the SMF records when the RACROUTE call specifies LOG=NONE and there will be no entries in the violation report. There are two options to enable logging:
1. Put a TRACE bit on a logonid to override the LOG=NONE and the CLASS=TSOAUTH(JESSPOOL or WRITER) calls will be logged, and the entries will appear in the ACFRPTRV report.
2. Change GSO CLASMAP records for TSOAUTH, JESSPOOL or WRITER LOG|NOLOG parameter to force logging.
SET C(GSO)
LIST LIKE(CLASMAP.-)
CHANGE CLASMAP.TSO LOG
F ACF2,REFRESH(CLASMAP)
LOG|NOLOG
Specifies whether ACF2 overrides the LOG parameter on a matching RACROUTE AUTH or FASTAUTH call and treats it as LOG=ASIS. LOG allows logging to SMF for a violation and for rule entries with LOG that are not normally logged because the RACROUTE AUTH or FASTAUTH call specified LOG=NONE, LOG=NOFAIL or LOG=NOSTAT. NOLOG is the default. LOG|NOLOG in the CLASMAP does not affect RACROUTE AUTH or FASTAUTH calls that are logged. NOLOG does not prevent loggings.