Using CA Cleanup for RACF
Includes best practices and general usage information.
This section describes how administrators use CA Cleanup for RACF:
- Set up reports for tracking and comparison purposes
- Perform a phased cleanup of your security file
- Use the load utility
- Selectively report users and resources
We recommend the following best practices when using
CA Cleanupfor RACF.
- Run CA Cleanup all the time. Access from before the installation is unknown.
- Schedule regular updates of the CA Cleanup database weekly to keep it in synch with RACF databases. This practice can be daily or weekly depending on the security system changes.
- Perform the scheduled updates with the AT8#DBU utility *ALL* function.
- Wait several months before removing unused security records CA Cleanup tracks unused RACF database records over time and should run through critical processing periods such as month, quarter, and year end.
- Run the CA Cleanup reports without removing the unused security records. This practice lets you familiarize yourself with the reports and their capabilities.
- Use a phased approach to implementation. An attempt to clean up all of the security database at one time produces an unmanageable number of obsolete security file entries.
Security file entries are marked referenced only when they are used by the security system. Investigate early cases where “obviously needed” security file entries are not being marked referenced as expected. Consider using a tool to simulate such accesses. While investigation may reveal that CA Cleanup is not as active as expected, it will likely uncover that some privilege or other access is causing the entries to become undermined and bypassed. Investigation of early CA Cleanup findings has often uncovered existing security exposures.