How do you undo changes made by Cleanup?
Cleanup report utility ETCL#RPT not only generates the TSS commands to remove unused security records, but it can also generate TSS commands to back out the changes.
When setting up your Cleanup JCL to remove unused security records, please specify the BACKOUT DD statement and the CMDS DD statement in the JCL.
CMDS DD contains the TSS commands to cleanup unused security records. BACKOUT DD contains the TSS commands to undo the cleanup of unused security records.
Note: CMDS DD must be present in the JCL for the BACKOUT DD output to be generated. If no BACKOUT DD statement is present, no TSS commands will be generated to undo the changes. It is highly recommended that the BACKOUT DD statement be present anytime old security records are being removed. The TSS commands generated to remove the security records and recover the security records should be kept for future reference.
//DBRPT JOB ACCT,REPORT,CLASS=A,MSGCLASS=X
//* REPORT UNREFERENCED ENTRIES OVER 30 DAYS
//S1 EXEC PGM=ETCL#RPT,REGION=4M,PARM='UNREF=030'
//STEPLIB DD DISP=SHR,DSN=CAI.CAILIB
//DBASE DD DISP=SHR,DSN=CAI.ETCL.DB
//SYSPRINT DD SYSOUT=*
//SUMMARY DD SYSOUT=* Optional output file
//UNLOAD DD SYSOUT=* Optional output file
//* OPTIONAL INPUT FOLLOWS FOR SELECTIVE REPORTING
//INCLUDE DD * ASTRO2 Name any User or Profile MARSPROF Name any User or Profile
//* OTHER OPTIONAL FILES FOLLOW
//CMDS DD SYSOUT=*,DCB=(RECFM=FB,LRECL=80,BLKSIZE=0)
//BACKOUT DD SYSOUT=*,DCB=(RECFM=FB,LRECL=80,BLKSIZE=0)
//CFILE DD DISP=SHR,DSN=CAI.CFILE
//SORTWK01 DD UNIT=SYSDA,SPACE=(CYL,5)
There are special considerations when unused PROFILEs have been removed and need to be recovered.
- PROFILEs removed from an acid.
When a profile is to be added back based on a monitored user, the TSS commands will be generated with valid ordering criteria taken from the TSSCFILE input list of the user. This will ensure the profile is added back in the proper sequence. If the first profile from the current list needs to be added, it will include the 'FIRST' keyword. All other profiles to be added will include the 'AFTER(xxxxxxxx)' keyword, where 'xxxxxxxx' represents the prior profile from the list.
- PROFILEs removed from the security file.
When a profile is to be added back based on a monitored profile, the TSS commands cannot be generated with ordering criteria, since the TSSCFILE input for a listed profile does not include the order of any attached user's profile list, it only contains the list of attached users. Since the necessary order data cannot be obtained, the REM request will be commented out as follows:
/*TSS REM(ETCLUR1) PROFILE(ETCLPRFZ)
/* ADD has no profile order
Some action must now be taken by the administrator to review the ADD command that corresponds to this REMove command and insert ordering criteria if required, and to remove the comment data from the REMove command to allow it to execute. This should only be a concern if profiles are monitored and users are not monitored. If the users are monitored as described in Step 1, then the research required for Step 2 is minimized.
Please refer to the CA Cleanup for CA TOP SECRET Product Guide for more details.