Implementing CA Cleanup for RACF: The First Steps

Document ID : KB000055248
Last Modified Date : 14/02/2018

Description:

This document describes best practices to follow after installing Cleanup for RACF.

Solution:

Cleanup has been installed for the first time on your system. What is the next step?

Cleanup tracks usage of system resources, such as logonid and dataset access, from the time it is installed. Access from before the install is unknown. For this reason, Cleanup should be run all the time, and the only thing that should be done is to re-synch the files on a weekly basis. This is done with the ETCL#DBU utility, in the same way as the initial load job was done with sample job I#08DB, supplied in the SAMPJCL library. Nothing else needs to be done for several months after the install.

After several months, you can start running reports. At the beginning, all you need to view is the optional SUMMARY DD.

//DBRPT JOB ACCT,REPORT,CLASS=A,MSGCLASS=X 
//*--------------------------------------------- 
//* REPORT UNREFERENCED ENTRIES OVER 30 DAYS 
//*--------------------------------------------- 
//S1 EXEC PGM=ETCL#RPT,REGION=4M,PARM='UNREF=030' 
//DBASE DD DISP=SHR,DSN=CAI.ETCL.DB 
//SYSPRINT DD SYSOUT=* 
//SUMMARY DD SYSOUT=* Optional output file 
//UNLOAD DD SYSOUT=* Optional output file 
//* 
//* OPTIONAL INPUT FOR SELECTIVE REPORTING 
//* 
//INCLUDE DD * 
 USERIDA                    
 USERIDB                    
 CLASS(CLASS1)              
 CLASS(USERID) NAME(ABC)    
/* 
//* 
//* OTHER OPTIONAL FILES FOLLOW 
//* 
//CMDS DD SYSOUT=*,DCB=(RECFM=FB,LRECL=80,BLKSIZE=0) 
//BACKOUT DD SYSOUT=*,DCB=(RECFM=FB,LRECL=80,BLKSIZE=0) 
//* 
//SORTWK01 DD UNIT=SYSDA,SPACE=(CYL,5) 
//

Watch the SUMMARY file for a leveling off in the percentage of unused entries. That is the point where you can start doing actual cleanup.

Week 2, the summary report shows 82% unused. 
Week 3 shows 79% unused.
Week 4 shows 72% unused.
Week 5 shows 70% unused.
Week 6 shows 69% unused.
Week 7 shows 68% unused.
Week 8 shows 68% unused.
Week 9 shows 67% unused.
Week 10 shows 67% unused.
Week 11 shows 67% unused.
Week 12 shows 66% unused.
Week 13 shows 66% unused.
Week 14 shows 66% unused.
Week 15 shows 66% unused.

Week 15 would be a good time to start the cleanup process.
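The leveling-off check described above can be scripted once the weekly SUMMARY figures are recorded. The following Python sketch is an added example, not part of the CA document or the product; the function names, the input line format, and the thresholds (four consecutive weekly readings with no change) are assumptions chosen to match the week 15 decision shown above.

```python
import re

# Weekly "unused" percentages as listed in the article above. The line format
# is this example's own convention, not the layout of the SUMMARY DD output.
WEEKLY_LOG = """\
Week 2, the summary report shows 82% unused.
Week 3 shows 79% unused.
Week 4 shows 72% unused.
Week 5 shows 70% unused.
Week 6 shows 69% unused.
Week 7 shows 68% unused.
Week 8 shows 68% unused.
Week 9 shows 67% unused.
Week 10 shows 67% unused.
Week 11 shows 67% unused.
Week 12 shows 66% unused.
Week 13 shows 66% unused.
Week 14 shows 66% unused.
Week 15 shows 66% unused.
"""
LINE_RE = re.compile(r"Week\s+(\d+)\b.*?(\d+(?:\.\d+)?)%\s+unused", re.I)

def parse_weekly(text):
    """Return [(week, pct_unused)] sorted by week; unparseable lines are skipped."""
    found = (LINE_RE.search(line) for line in text.splitlines())
    return sorted((int(m.group(1)), float(m.group(2))) for m in found if m)

def first_plateau_week(rows, window=4, tolerance=0.0):
    """First week whose last `window` consecutive weekly readings differ by at
    most `tolerance` percentage points, or None if that never happens.
    Both thresholds are assumed values for this example, not product settings."""
    for i in range(window - 1, len(rows)):
        recent = rows[i - window + 1 : i + 1]
        weeks = [w for w, _ in recent]
        # A missed weekly report breaks the run, so require consecutive weeks.
        if weeks != list(range(weeks[0], weeks[0] + window)):
            continue
        pcts = [p for _, p in recent]
        if max(pcts) - min(pcts) <= tolerance:
            return rows[i][0]
    return None

if __name__ == "__main__":
    print(first_plateau_week(parse_weekly(WEEKLY_LOG)))
```

A looser tolerance or shorter window reports a plateau earlier, while the figures are still drifting downward, so the stricter defaults are the conservative choice before deleting anything.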

Any attempt to clean up an entire security file at one time will produce an overwhelming and unmanageable number of obsolete security file entries. Therefore, a phased approach is recommended. These reports will help you plan a phased approach.

The sample JCL below reports on all logonids that have been unreferenced for nn days, as specified via PARM='UNREF=nn'.

//S1      EXEC PGM=ETCL#RPT,REGION=4M,PARM='UNREF=nn'     
//DBASE     DD DISP=SHR,DSN=CAI.ETCL.DB                   
//*                                                        
//SYSPRINT  DD SYSOUT=*                                   
//SORTWK01  DD UNIT=3390,SPACE=(CYL,15)         
//SORTWK02  DD UNIT=3390,SPACE=(CYL,15)         
//INCLUDE DD *                   
 CLASS(USERID) NAME(*) 
/*
//

The number of UNREF days to use should be based on your company security document, in consultation with your company auditors.

The same implementation should take place for datasets and resources, starting with the system datasets like SYS1, SYS2, etc., and resources for widely used types, like SAF or FAC.

This approach will assist in planning a phased cleanup of the security records. Breaking up the unused security records into smaller groups makes the cleanup more manageable. It also allows for testing after each phase and quick recovery, if necessary.

Please see the Cleanup for RACF Implementation Guide for more details about reporting program ETCL#RPT.