I can not get Email Action for the ALERT Component for a signon violation, why?

Document ID : KB000013344
Last Modified Date : 14/02/2018
Show Technical Document Details
Question:

I can not get Email Action for the ALERT Component for a signon violation, why?

Answer:

When creating a Policy Statement with a condition with CODE1 and CODE2 values be sure that the code values are correct for the ESM(ACF2, TopSecret or RACF) are valid for the type of signon violation that is occurring.

For example with ESM ACF2 the CODE1 values 10, 12 and 13 correspond to the following types of signon violations.

     Violation CODE1: 12 indicates PASSWORD NOT MATCHED

     Violation CODE1: 13 indicates LOGONID lid SUSPENDED BECAUSE OF PASSWORD VIOLATIONS

     Violation CODE1: 10 indicates LOGONID lid CANCELLED

Also with ESM ACF2 the CODE1 values correspond to the ACF010xx messages for example:

     Violation CODE1: 12 corresponds to ACF01012 PASSWORD NOT MATCHED.

If a site is not sure of the ESM CODE1 signon violations values create a Policy Statement as follows.

  • Create a singe condition ESM = xxxx      (where xxxx is one of the ESMs: ACF2, TOP SECRET or RACF)
  • Create either a WTO or EMAIL action with the following string to display the userid and CODE1 and CODE2 values:
    %USERID% Violation CODE1: %CODE1% CODE2: %CODE2%
  • Test signons with various type of signon violations and evaluate the WTO or EMAIL Actions triggered to determine 
    the CODE1 and CODE2 values for each type of signon violation.