Kolusu, Thank you very much for your JCL.
I have tweaked it a little to modify the column layout, moving the "who did it" to the end of the line, and keeping "what happened" at the start. Some minor displacement corrections also. Very useful JCL. Thank you very much. Bruce //ITSXSA3U JOB (ACCT#),'RACF USER=CSMADMIN', // CLASS=U, // MSGCLASS=W, // MSGLEVEL=(1,1), // NOTIFY=&SYSUID //* //******************************************************************* //* THIS WILL READ THE SMF EXTRACT DATASET OF RACF RELATED SMF //* RECORDS (TYPES 30, 80, 81, 82, 83) AND USE THE SORT TOOL //* TO SORT THE DATA AND GENERATE A REPORT. //* //* THIS JOB WILL REPORT ALL SMF EVENTS FOR A SELECTED USERID. //* //******************************************************************* //* // SET USERNAME='CSMADMIN' // SET REPORT='ITSXSA3.RACFICE.REPORT.CSMADMIN.REFORMAT' //* //***************************************************************** //* Unload the SMF data for RACF records and format them using ** //* IRRADU00 ** //***************************************************************** //SMFDUMP EXEC PGM=IFASMFDP //SYSPRINT DD SYSOUT=* //ADUPRINT DD SYSOUT=* //SMFDATA DD DISP=SHR,DSN=ITSXSA3.SMFACCUM.CPBK.HB // DD DISP=SHR,DSN=ITSXSA3.SMFACCUM.CPRD.HB //OUTDD DD DSN=&&IRASMF,DISP=(NEW,PASS), // SPACE=(CYL,(100,100),RLSE), // UNIT=(SYSDA,4), // BLKSIZE=32760 //SMFOUT DD DUMMY //SYSIN DD * INDD(SMFDATA,OPTIONS(DUMP)) OUTDD(SMFOUT,TYPE(000:255)) ABEND(NORETRY) USER2(IRRADU00) USER3(IRRADU86) /* //***************************************************************** //* create the consolidated report for an user based on the ** //* Event type using DFSORT. The username can be dynamically ** //* passed. Look at the SET statment up above for the username ** //* The following Event Types are reported ** //* ADDUSER/ALTUSER/CONNECT/PASSWORD/PERMIT/RALTER/RDEFINE ** //***************************************************************** //UAREPORT EXEC PGM=SORT,PARM='JP1"&USERNAME"' //* //PRINT DD DSN=&REPORT., // DISP=(NEW,CATLG,DELETE), // UNIT=3390, // SPACE=(TRK,(15,15)) //* //SYSOUT DD SYSOUT=* //SYMNOUT DD SYSOUT=* //SYMNAMES DD * RDW,1,4,BI EVENT_TYPE,*,8,CH SKIP,1 EVENT_QUAL,*,8,CH SKIP,1 TIME_WRITTEN,*,8,CH SKIP,1 DATE_WRITTEN,*,10,CH SKIP,1 SYSTEM_SMFID,*,4,CH SKIP,1 VIOLATION,*,4,CH SKIP,1 USER_NDFND,*,4,CH SKIP,1 USER_WARNING,*,4,CH SKIP,1 EVT_USER_ID,*,8,CH SKIP,1 EVT_GRP_ID,*,8,CH SKIP,1 AUTH_NORMAL,*,4,CH SKIP,1 AUTH_SPECIAL,*,4,CH SKIP,1 AUTH_OPER,*,4,CH SKIP,1 AUTH_AUDIT,*,4,CH SKIP,1 AUTH_EXIT,*,4,CH SKIP,1 AUTH_FAILSFT,*,4,CH SKIP,1 AUTH_BYPASS,*,4,CH SKIP,1 AUTH_TRUSTED,*,4,CH SKIP,1 LOG_CLASS,*,4,CH SKIP,1 LOG_USER,*,4,CH SKIP,1 LOG_SPECIAL,*,4,CH SKIP,1 LOG_ACCESS,*,4,CH SKIP,1 LOG_RACINIT,*,4,CH SKIP,1 LOG_ALWAYS,*,4,CH SKIP,1 LOG_CMDVIOL,*,4,CH SKIP,1 LOG_GLOBAL,*,4,CH SKIP,1 TERM_LEVEL,*,3,CH SKIP,1 BACKOUT_FAIL,*,4,CH SKIP,1 PROF_SAME,*,4,CH SKIP,1 TERM,*,8,CH SKIP,1 JOB_NAME,*,8,CH SKIP,1 READ_TIME,*,8,CH SKIP,1 READ_DATE,*,10,CH SKIP,1 SMF_USER_ID,*,8,CH SKIP,1 LOG_LEVEL,*,4,CH SKIP,1 LOG_VMEVENT,*,4,CH SKIP,1 LOG_LOGOPT,*,4,CH SKIP,1 LOG_SECL,*,4,CH SKIP,1 LOG_COMPATM,*,4,CH SKIP,1 LOG_APPLAUD,*,4,CH SKIP,1 LOG_NONOMVS,*,4,CH SKIP,1 LOG_OMVSNPRV,*,4,CH SKIP,1 AUTH_OMVSSU,*,4,CH SKIP,1 AUTH_OMVSSYS,*,4,CH SKIP,1 USR_SECL,*,8,CH SKIP,1 RACF_VERSION,*,4,CH //SORTIN DD DISP=SHR,DSN=&&IRASMF /* //SYSIN DD * OPTION VLSCMP INCLUDE COND=(01,8192,SS,EQ,JP1,AND, (EVENT_TYPE,EQ,C'ADDUSER ',OR, EVENT_TYPE,EQ,C'ALTUSER ',OR, EVENT_TYPE,EQ,C'CONNECT ',OR, EVENT_TYPE,EQ,C'PASSWORD',OR, EVENT_TYPE,EQ,C'PERMIT ',OR, EVENT_TYPE,EQ,C'RALTER ',OR, EVENT_TYPE,EQ,C'RDEFINE ')) INREC BUILD=(01,1000) $ BUILD REQD DATA SORT FIELDS=(EVENT_TYPE,A) $ SORT EVENT TYPE OUTREC IFTHEN=(WHEN=(5,8,CH,EQ,C'ADDUSER'), OVERLAY=(1001:508,008, $ USERID 1011:08X, $ OWNER 1021:08X, $ CLASS 1031:35X, $ RESOURCE 1071:295,020, $ USER NAME 1095:517,138)), $ KEYWORDS IFTHEN=(WHEN=(5,8,CH,EQ,C'ALTUSER'), OVERLAY=(1001:522,008, $ USERID 1011:286,008, $ OWNER 1021:08X, $ CLASS 1031:35X, $ RESOURCE 1071:295,020, $ USER NAME 1095:531,127)), $ KEYWORDS IFTHEN=(WHEN=(5,8,CH,EQ,C'CONNECT'), OVERLAY=(1001:498,008, $ USERID 1011:08X, $ OWNER 1021:08X, $ CLASS 1031:35X, $ RESOURCE 1071:295,020, $ USER NAME 1095:507,138)), $ KEYWORDS IFTHEN=(WHEN=(5,8,CH,EQ,C'PASSWORD'), OVERLAY=(1001:08X, $ USERID 1011:286,008, $ OWNER 1021:08X, $ CLASS 1031:35X, $ RESOURCE 1071:295,020, $ USER NAME 1095:498,138)), $ KEYWORDS IFTHEN=(WHEN=(5,8,CH,EQ,C'PERMIT'), OVERLAY=(1001:08X, $ USERID 1011:08X, $ OWNER 1021:286,008, $ CLASS 1031:507,035, $ RESOURCE 1071:304,020, $ USER NAME 1095:763,100)), $ KEYWORDS IFTHEN=(WHEN=(5,8,CH,EQ,C'RALTER',OR, 5,8,CH,EQ,C'RDEFINE'), OVERLAY=(1001:08X, $ USERID 1011:295,008, $ OWNER 1021:286,008, $ CLASS 1031:516,024, $ RESOURCE 1071:304,020, $ USER NAME 1095:772,100)) $ KEYWORDS OUTFIL FNAMES=PRINT,REMOVECC,VTOF, BUILD=(001:DATE_WRITTEN, 014:TIME_WRITTEN, 025:SYSTEM_SMFID, 033:EVENT_QUAL, 044:EVENT_TYPE, 055:1001,008, $ USERID 065:1011,008, $ OWNER 075:1021,008, $ CLASS 085:1031,035, $ RESOURCE 122:1095,138, $ KEYWORDS 262:EVT_USER_ID, 272:EVT_GRP_ID, 282:TERM, 292:JOB_NAME, 302:1071,020, $ USER NAME 500:X), SECTIONS=(EVENT_TYPE, HEADER3=(/, 001:'RACF ', 006:EVENT_TYPE, 015:'Command Report', 037:DATE=(4MD/), 055:TIME=(24:),8X, 120:'Page', 125:PAGE,/,/, 001:'DATE', 014:'TIME', 025:'SMFID', 033:'RESULT', 044:'COMMAND', 055:'USER ID', 065:'OWNER', 075:'CLASS', 085:'RESOURCE', 122:'KEYWORDS USED', 262:'ISSUER', 272:'GROUP', 282:'TERMINAL', 292:'JOB NAME', 302:'USER NAME'/, 001:010'-', 014:008'-', 025:004'-', 033:008'-', 044:008'-', 055:008'-', 065:008'-', 075:008'-', 085:035'-', 122:138'-', 262:008'-', 272:008'-', 282:008'-', 292:008'-', 302:020'-')) /* ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN