Normally RACF commands are extracted using RACFICE but when you want to see command keywords it gets a little bit more complicated. Keywords of each commands extracted by IRRADU exits are stored on different position, for example: - ADDGROUP - 494-Group Name, 503-Command Keywords - ALTDSD - 520-Profile Name, 565-Command Keywords - RALTER - 512-Resource Name, 768-Command Keywords This makes RACF command audit a messy job. This script solves the problem. //*-------------------------------------------------------------------- //* RACF COMMANDS EXTRACTOR //* //* INSTRUCTIONS: //* - SUPPLY OUTPUT DATA SET //* - SUPPLY SMF LOGS //* - CHANGE THE DEFAULT SEPARATOR IF NEEDED //*-------------------------------------------------------------------- //OUTPUT SET OUTPUT=&SYSUID..IRRADU.RACFCMD1 <-- OUTPUT //*-------------------------------------------------------------------- //DEL EXEC PGM=IEFBR14 //DELDD DD DSN=&OUTPUT,SPACE=(TRK,1),DISP=(MOD,DELETE) //*-------------------------------------------------------------------- //REXXCOPY EXEC PGM=IEBGENER //SYSPRINT DD SYSOUT=* //SYSIN DD DUMMY //SYSUT2 DD DSN=&&REXXTEMP(RACFCMD),DISP=(,PASS), // SPACE=(TRK,(1,1,2)),LRECL=80,RECFM=FB,BLKSIZE=8000 //SYSUT1 DD * PARSE ARG SEP . IF LENGTH(SEP) <> 3 THEN SEP="|" ELSE SEP=SUBSTR(SEP,2,1) SAY "- """SEP""" SEPARATOR WILL BE USED" SAY TIME()" - REXX PROCESSING STARTED" RL.1 = 520 ; RN.1 = 'ADDSD ' ; RL.12 = 503 ; RN.12 = 'PERMIT ' RL.2 = 494 ; RN.2 = 'ADDGROUP' ; RL.13 = 980 ; RN.13 = 'RACDCERT' RL.3 = 504 ; RN.3 = 'ADDUSER ' ; RL.14 = 586 ; RN.14 = 'RACLINK ' RL.4 = 520 ; RN.4 = 'ALTDSD ' ; RL.15 = 468 ; RN.15 = 'RACMAP ' RL.5 = 494 ; RN.5 = 'ALTGROUP' ; RL.16 = 512 ; RN.16 = 'RALTER ' RL.6 = 518 ; RN.6 = 'ALTUSER ' ; RL.17 = 512 ; RN.17 = 'RDEFINE ' RL.7 = 494 ; RN.7 = 'CONNECT ' ; RL.18 = 512 ; RN.18 = 'RDELETE ' RL.8 = 520 ; RN.8 = 'DELDSD ' ; RL.19 = 494 ; RN.19 = 'REMOVE ' RL.9 = 494 ; RN.9 = 'DELGROUP' ; RL.20 = 485 ; RN.20 = 'RVARY ' RL.10 = 494 ; RN.10 = 'DELUSER ' ; RL.21 = 485 ; RN.21 = 'SETROPTS' RL.11 = 494 ; RN.11 = 'PASSWORD' IFC = "ADDSD ADDGROUP ADDUSER ALTDSD ALTGROUP ALTUSER " IFC = IFC"CONNECT DELDSD DELGROUP DELUSER PASSWORD PERMIT " IFC = IFC"RACDCERT RACLINK RACMAP RALTER RDEFINE RDELETE " IFC = IFC"REMOVE RVARY SETROPTS " HEAD = "DATE "SEP"TIME "SEP"CMD TYPE"SEP"RESULT "SEP HEAD = HEAD"USER ID "SEP"JOBNAME "SEP"COMMAND" PUSH HEAD "EXECIO 1 DISKW OUT" C=0 EOF=0 DO WHILE EOF=0 "EXECIO 1 DISKR IN" IF RC<>0 THEN EOF=1 DO PARSE PULL RECIN TYPE = SUBSTR(RECIN,1,8) IF POS(TYPE,IFC) <> 0 THEN DO DO I=1 TO 21 IF TYPE = RN.I THEN DO KEYWORDS = SUBSTR(RECIN,RL.I,1000) PARSE VAR KEYWORDS TEMP1 TEMP2 KEYWORDS = STRIP(TYPE)" "STRIP(TEMP1)" "STRIP(TEMP2) RECOUT=SUBSTR(RECIN,28,10)""SEP""SUBSTR(RECIN,19,8) RECOUT=RECOUT""SEP""SUBSTR(RECIN,1,8)""SEP""SUBSTR(RECIN,10,8) RECOUT=RECOUT""SEP""SUBSTR(RECIN,59,8) RECOUT=RECOUT""SEP""SUBSTR(RECIN,180,8)""SEP""KEYWORDS PUSH RECOUT "EXECIO 1 DISKW OUT" LEAVE END END END C = C+1 IF C//10000 = 0 THEN SAY TIME()" - "C" RECORDS PROCESSED" END END SAY TIME()" - "C" RECORDS PROCESSED IN TOTAL" RETURN 0 //*-------------------------------------------------------------------- //ADUEXTR EXEC PGM=IFASMFDP,REGION=0M,COND=(0,NE) //SMFIN DD DISP=SHR,DSN=LOG.SMF.G0129V00 <-- SMF LOGS // DD DISP=SHR,DSN=LOG.SMF.G0130V00 //SMFOUT DD DUMMY //OUTDD DD DSN=&&ADUTEMP,DISP=(MOD,CATLG),RECFM=VB, // SPACE=(CYL,(500,500),RLSE),BLKSIZE=32760,LRECL=32756 //SYSPRINT DD SYSOUT=* //ADUPRINT DD SYSOUT=* //SYSIN DD * INDD(SMFIN,OPTIONS(DUMP)) OUTDD(SMFOUT,TYPE(0:255)) ABEND(NORETRY) USER2(IRRADU00) USER3(IRRADU86) //*-------------------------------------------------------------------- //REXXEXEC EXEC PGM=IKJEFT01,REGION=0M,COND=(0,NE) //SYSEXEC DD DISP=SHR,DSN=&&REXXTEMP //SYSTSPRT DD SYSOUT=* //IN DD DISP=SHR,DSN=&&ADUTEMP //OUT DD DISP=(MOD,CATLG),DSN=&OUTPUT,RECFM=VB, // SPACE=(CYL,(20,20),RLSE),LRECL=255,BLKSIZE=27998 //SYSTSIN DD * <-- CHOOSE COLUMN SEPARATOR %RACFCMD '|'