TRACE output is written to a SYSOUT trace data set with DDNAME $IOFLOG$. Multiple TRACE commands can be issued on a single IOF session. Each TRACE sequence allocates a new $IOFLOG$ SYSOUT data set.

TRACE has several options. The most useful options are shown below.

Tracing Session Initialization.

The $IOFLOG$ trace data set is allocated. IOF group assignment is traced. The trace data shows why the user is assigned to a specific group, and why the user was not assigned to other groups. Eligible ALLOW and LIMIT macros are also listed. At trace completion, the trace is automatically disabled and the $IOFLOG$ sysout data set is browsed.

Syntax:

TRACE START

Tracing an IOF Command

IOF primary commands and line commands can be traced to determine exactly why access was either granted, or denied. Two TRACE commands are issued.

The first TRACE command allocates the $IOFLOG$ sysout data set and enables the function trace.

The second TRACE command disables the trace, frees the $IOFLOG$ data set, and browses the trace data set.

Each IOF ALLOW and LIMIT macro is shown in $IOFLOG$ along with a description of it's effect on the access control decision. Calls to the system security system are also traced. The resource name, class and return code from the security system are shown. This is normally sufficient information to show exactly why a command was permitted or denied.

It is recommended that only one or two commands be issued with the trace enabled. This makes interpreting the trace easier. To trace additional functions, enter multiple TRACE command pairs.

Syntax:

TRACE
...
one or more IOF primary or line commands
...
TRACE

Clist and Rexx Exec Tracing

A few IOF clist and Rexx execs can be traced. Enabling clist/exec tracing causes the detailed instructions to be listed on the screen.

Syntax:

TRACE EXEC
...
IOF command that invokes a clist or exec
...
TRACE EXECOFF