Report LAST USED / INACTIVE users.

Document ID : KB000016564
Last Modified Date : 14/02/2018
Show Technical Document Details
Question:

How can i get a report with just LOGIN, NAME and LAST USER in the same line ?  

 

Answer:

You could use this command in TSSCFILE : 

TSS LIST(ACIDS) TYPE(USER) DATA(BASIC) 

The record id for the LASTUSED information is 0900. 

If you want it in report format you will need to use EARL (Easy Access Report Language) that can be used to customize reports from the TSSCFILE output (as well as TSSUTIL and TSSCPR). CA Topsecret distributes some sample EARL reports, but none of them list just the ACID and LAST USED dates, so you will need to customize the samples.

EARL is part of the CA Common Services set of products and has its own documentation https://docops.ca.com/bookshelves/ca-earl

The CA Topsecret sample EARL reports are documented in Chapter 7 of CA Topsecret Report and Tracking Guide

https://support.ca.com/cadocs/1/h000156e.pdf

Note that there are situations where an acid could signon with an id and password and NOT get the LAST USED information updated. Some examples of when LAST USED stats are not updated are ATS (automatic terminal signon) acids and ISC signons in the AOR. (This is done for performance reasons as updating the LAST USED stats for these signons would generate more I/O to the security file which may adversely affect the system's performance). 

CA Topsecret has an OPTIONS control option and you can set OPTIONS(30) to update lastused stats for ATS acids, but be aware that setting this option may adversely affect the system's performance. 

The LAST USED date is never used in determining a period of inactivity as there are too many different situations that do NOT update last used statistics for it to be correctly used as tool to determine inactivity. For example, using certificates does not update the last used date.  

What we do use is the INACTIVITY control option. When this expires then a user will become suspended. The INACTIVE parameter works in conjunction with the PWEXP parameter. This is the interval that is set to expire passwords and force a user at signon to create a new one. Once the PWEXP interval is hit, then it starts counting the interval set on the INACTIVE parameter. Once the inactive interval is reached, then the user will be suspended upon an attempt to signon. 

Please note that the acid does not become suspended until they try to signon after the inactive interval has been reached. 

For example:

PWEXP(15)

INACTIVE(15) 

If after 15 days a user does not signon to change his password, he then has 15 more days of inactivity to still signon successfully and change his password. If he does not signon within the 15 inactive days, when he does attempt to signon he will automatically be suspended and need to be unsuspended by an administrator. So in this scenario, the user would have 30 days to signon and still be able to change his password before his signing on will suspend him. Once the acid reaches the end of the INACTIVE parameter timeframe then it becomes INACTIVE. 

The supplied sample TSSEARL1 report lists all acids that are INACTIVE. This is a valid way to determine if a user is accessing the system and should be used to find acids to be deleted, rather than looking at the LAST USED date, as there are situations where an acid could signon with an id and password and NOT get the lastused information updated. 

To get a list of the users that logged in the last six months you could run a TSSUTIL report to show logons 
eg 
// EXEC TSSUTIL 
REPORT EVENT(INIT) DATE(fromdate,todate) 

but TSSUTIL runs against the AUDIT file, so you would need to have an audit file is large enough to hold 6 months worth of data. The file is a wraparound file, so if it is small, it may have been overwritten.