The resource rule FACILITY-BPX.SMF controls the ability to write SMF records from z/OS UNIX (OMVS) processes through the smf_record callable service. ACF2 protects this resource by default. Because READ access to BPX.SMF lets a user write any SMF record type, including the types that accounting and audit tooling trusts, keep the permit list short and prefer the granular BPX.SMF.type.subtype form where an application only needs one record type.
IBM details on the BPX.SMF Facility class resource:
BPX.SMF or BPX.SMF.type.subtype
Permit user access to write an SMF record or to test if an SMF type or subtype is being recorded.
- The BPX.SMF profile permits a user the authority to write, or test for, any SMF record that is being recorded. The program-controlled attribute is not required if BPX.SMF is used.
- For more granular access to writing SMF records, BPX.SMF.type.subtype permits a user the authority to write or test only the SMF record of the specific type and subtype contained in the FACILITY class profile name.
The BPX.SMF.type.subtype FACILITY class profile requires a clean program-controlled environment.
The smf_record syscall verifies that the address space has not loaded any uncontrolled executables, and any future loads or execs of files that reside in uncontrolled libraries are then prevented. Note that type and subtype in the FACILITY class name do not have leading zeros.
Some examples are as follows:
RACF commands to set up the permissions:
RDEFINE FACILITY BPX.SMF UACC(NONE)
PERMIT BPX.SMF CLASS(FACILITY) ID(user001) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
Sample ACF2 equivalent (a resource rule under the FAC resource type, which is the ACF2 type that the default CLASMAP assigns to the RACF FACILITY class):
RECKEY BPX ADD(SMF UID(UID string for user001) SERVICE(READ) ALLOW)
* NOTE: If access is allowed to BPX.SMF, the caller (the application that calls the smf_record callable service, BPX1SMF) does not need to be APF-authorized.
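The following is an added example, not IBM, RACF or ACF2 code: a small Python model of the authorization rules stated above, useful when reviewing who can write which SMF records from OMVS. It encodes the three points the page makes: READ on BPX.SMF covers any type/subtype without a program-controlled environment, BPX.SMF.type.subtype covers exactly one type/subtype and only in a clean program-controlled environment, and the profile name carries no leading zeros (so a profile such as BPX.SMF.030.1 is never matched). Treating an APF-authorized caller as allowed without any profile is an assumption drawn from the note above, and the Caller, Decision, lint_profile and check_smf_write names are hypothetical.

```python
"""Model of the smf_record (BPX1SMF) authorization decision described on this page.

Added example; it is not IBM, RACF or ACF2 code. It encodes the stated rules so
the outcome for a given caller and record type can be reasoned about offline.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

GENERAL_PROFILE = "BPX.SMF"


def granular_profile(smf_type: int, subtype: int) -> str:
    """FACILITY profile name for one SMF type/subtype.

    The SMF header carries the type in one byte and the subtype in a halfword,
    so the ranges are 0-255 and 0-65535. Both are written as plain decimals:
    the profile name carries no leading zeros.
    """
    if not 0 <= smf_type <= 255:
        raise ValueError(f"SMF record type out of range: {smf_type}")
    if not 0 <= subtype <= 65535:
        raise ValueError(f"SMF subtype out of range: {subtype}")
    return f"{GENERAL_PROFILE}.{smf_type}.{subtype}"


def lint_profile(name: str) -> List[str]:
    """Explain why a FACILITY profile name can never match smf_record's check.

    Handy when reviewing existing RACF profiles or ACF2 rule entries:
    'BPX.SMF.030.1' looks right but is never looked up, because the service
    builds the name from the numeric type/subtype without leading zeros.
    """
    problems: List[str] = []
    if name == GENERAL_PROFILE:
        return problems
    parts = name.split(".")
    if len(parts) != 4 or parts[0] != "BPX" or parts[1] != "SMF":
        return [f"{name}: expected BPX.SMF or BPX.SMF.type.subtype"]
    for label, text, upper in (("type", parts[2], 255), ("subtype", parts[3], 65535)):
        if not text.isdigit():
            problems.append(f"{name}: {label} '{text}' is not numeric")
            continue
        if text != str(int(text)):
            problems.append(f"{name}: {label} '{text}' has leading zeros; use '{int(text)}'")
        if int(text) > upper:
            problems.append(f"{name}: {label} {int(text)} exceeds {upper}")
    return problems


@dataclass(frozen=True)
class Caller:
    """State of the address space at the moment it calls smf_record (hypothetical type)."""
    facility_read: FrozenSet[str]   # FACILITY profiles the user holds READ on
    program_controlled: bool        # no uncontrolled executable has been loaded
    apf_authorized: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    profile: Optional[str]   # the profile that decided the outcome, if any
    reason: str


def check_smf_write(caller: Caller, smf_type: int, subtype: int) -> Decision:
    """Decide whether writing one SMF type/subtype is permitted for this caller."""
    # READ on BPX.SMF covers every record; neither program control nor APF is needed.
    if GENERAL_PROFILE in caller.facility_read:
        return Decision(True, GENERAL_PROFILE,
                        "BPX.SMF covers every type/subtype; program control not required")
    # Assumption (implied by the note that BPX.SMF callers need not be APF-authorized):
    # an APF-authorized caller is allowed without any FACILITY profile.
    if caller.apf_authorized:
        return Decision(True, None, "APF-authorized caller; no FACILITY profile consulted")
    # The granular profile only helps in a clean program-controlled environment.
    wanted = granular_profile(smf_type, subtype)
    if wanted in caller.facility_read:
        if caller.program_controlled:
            return Decision(True, wanted, "exact type/subtype profile in a clean environment")
        return Decision(False, wanted,
                        "granular profile held, but an uncontrolled executable was loaded")
    return Decision(False, None, f"no READ access to {GENERAL_PROFILE} or {wanted}")


if __name__ == "__main__":
    # Constructed sample: user001 holds only the granular profile for type 30 subtype 1.
    user001 = Caller(facility_read=frozenset({granular_profile(30, 1)}), program_controlled=True)
    print(check_smf_write(user001, 30, 1))
    print(check_smf_write(user001, 30, 2))
    print(lint_profile("BPX.SMF.030.1"))
```

Run lint_profile over the profile names pulled from an RLIST FACILITY BPX.SMF* listing or an ACF2 rule set before trusting that a granular permit actually takes effect; the leading-zero form is the mistake most likely to pass a visual review.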