Top Secret - SMF question

Document ID : KB000116847
Last Modified Date : 08/10/2018
Introduction:
Writing audited user administration commands, such as adding or deleting MVS user IDs and granting access to resources, to SMF.
Question:
Is it possible to configure TSS to write audited user administration commands like add/delete MVS user IDs and grants to resources to SMF?
If yes, how, and which SMF record number? 
Environment:
z/OS
Answer:
According to CA's own reference page (https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/product-information/ca-top-secret-version-16-product-enhancements), TSS does write commands to SMF.
We need commands in SMF in order to feed them to our QRadar SIEM.
And indeed it works, as on our z/OS 2.1 LPARs TSS successfully writes commands to SMF80, event-type 50 (see TSS #SMF80 macro).
On the z/OS 2.3 LPAR, I issued the command TSS MODI(FAC(STC=LOG(CMDS,INIT,SMF,MSG,SEC9))):
TSS9188I The Facility CMDS Log Option has been set for STC
TSS9188I The Facility INIT Log Option has been set for STC
TSS9188I The Facility SMF Log Option has been set for STC
TSS9188I The Facility MSG Log Option has been set for STC
TSS9188I The Facility SEC9 Log Option has been set for STC
TSS0300I MODIFY FUNCTION SUCCESSFUL
I figured out why it did not work on the z/OS 2.3 LPAR.
We have NOTYPE(80,…) in member SMFPRM. I've deleted type 80 from NOTYPE and now it works fine.
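The fix described above comes down to whether record type 80 is selected by the TYPE/NOTYPE options in the SMF parmlib member. As an added example (not part of the original article and not CA's code), this Python check reads an offline copy of the member and reports, for each SYS and SUBSYS statement, whether a given record type is selected; the sample member and the function names are constructed for illustration.

```python
import re

# Constructed sample member for illustration; not taken from the article.
SAMPLE_SMFPRM = """\
ACTIVE                              /* SMF recording on */
DSNAME(SYS1.MAN1,SYS1.MAN2)
SYS(NOTYPE(14:19,62:69,80,99),EXITS(IEFU83,IEFU84),
    INTERVAL(001500),DETAIL)
SUBSYS(STC,EXITS(IEFU29,IEFU83),TYPE(0:255))
"""

def _inside(text, start):
    """Return the text enclosed by the parenthesis opening at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        depth += {"(": 1, ")": -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced parentheses in member")

def _types(spec):
    """Expand a list such as '14:19,62:69,80' into a set of type numbers."""
    spec = re.sub(r"\([^()]*\)", "", spec)   # drop subtype lists, e.g. 30(1:5)
    found = set()
    for item in filter(None, spec.split(",")):
        lo, _, hi = item.partition(":")
        found.update(range(int(lo), int(hi or lo) + 1))
    return found

def recorded(member, rectype=80):
    """Per SYS/SUBSYS statement: True/False if TYPE/NOTYPE selects rectype,
    None if the statement has no TYPE/NOTYPE (defaults apply)."""
    text = re.sub(r"/\*.*?\*/", "", member, flags=re.S).upper()
    result = {}
    for m in re.finditer(r"\b(SUBSYS|SYS)\s*\(", text):
        body = re.sub(r"\s+", "", _inside(text, m.end() - 1))
        name = "SYS" if m.group(1) == "SYS" else f"SUBSYS({body.split(',')[0]})"
        sel = re.search(r"(?<![A-Z])(NO)?TYPE\(", body)
        if sel is None:
            result[name] = None
            continue
        listed = rectype in _types(_inside(body, sel.end() - 1))
        result[name] = not listed if sel.group(1) else listed
    return result

if __name__ == "__main__":
    for stmt, state in recorded(SAMPLE_SMFPRM).items():
        print(f"{stmt}: type 80 recorded = {state}")
```

A result of False for a statement means type 80 is excluded there, which is the condition the answer above traced the missing records to.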