Great blog! thank you for all the replies...
I did TSS WHOHAS AUDIT and the userid in question, GPCSTF, which is generating a ton of the following SMF80 records, is not on the list. Now I'm thinking perhaps audit turned on for the master catalog, HAM.MASTER.xxxx, which I have no idea why.
I notice the record indicates +A, which says is +A=AUDIT, not sure what this means.
I dumped all profiles TSS LIST(ALL) DATA(ALL) and did not find any resembling HAM.MASTER.xxxxx. Perhaps I'm not familiar how masking works in TSS.
RACF provides a command to enter next to the filename in 3.4 to display corresponding RACF profile covering that particular dataset...is there a TSS equivalent?
Thank you for your support...bobby
DATE TIME SYSI ACCESSOR JOBNAME FFM VC PROGRAM R-ACCESS A-ACCESS SRC/DRC SEC RESOURCE (TYPE & NAME)
-------- -------- ---- -------- -------- --- -- -------- -------- -------- --------------------------------------
06/13/18 15:17:49 PROD GPCSTF TFXP1B3 B F IDCAMS READ ALL OK+A CAT D ZOS1BA HAM.MASTER.xxxx
SRC/DRC = SRC=SEC'Y CODE: 00=OK +A=AUDIT +B=BYPASS +P=PW
* FOR RESOURCE ACCESS: 04 OR 08 = ACCESS DENIED
* FOR JOB INITIATION: 08=PASSWORD IS INCORRECT