Except when processing certain security commands (see Security checking using the QUERY SECURITY command), CICS issues security authorization requests with the logging option. This means that RACF writes SMF type 80 log records to SMF. Which events are logged depends on the auditing in effect. For example, events requested by the AUDIT or GLOBALAUDIT operand in the resource profile, or by the SETROPTS AUDIT or SETROPTS LOGOPTIONS command, can be logged.
In addition to the SMF TYPE 80 log record, RACF issues an ICH408I message to consoles designated to receive messages for route code 9.
For more information on auditing, including how to use the RACF report writer to review SMF type 80 log records, see the z/OS Security Server RACF Auditor's Guide.