Using Cleanup for RACF

Includes best practices and general usage information.
This section describes how administrators use Cleanup for RACF:
  • Set up reports for tracking and comparison purposes
  • Perform a phased cleanup of your security file
  • Use the load utility
  • Selectively report users and resources
Best Practices
We recommend the following best practices when using Cleanup for RACF.
  • Run Cleanup all the time. Access that occurred before the installation is unknown.
  • Initially load the Cleanup database with the AT8#DBU utility, using the *ALL* parameter.
  • Schedule regular weekly updates of the Cleanup database to keep it in sync with the RACF databases. This practice can be daily or weekly depending on the security system changes.
  • Perform the scheduled updates with the AT8#DBU utility *ALL* function.
  • Wait several months before removing unused security records. Cleanup tracks unused RACF database records over time and should run through critical processing periods such as month, quarter, and year end.
    Depending on when you started collecting data, you may be able to start selective cleanup as early as 180 days, but best practice recommends having data for all critical processing periods, which could be up to 455 days.
  • Run the Cleanup reports without removing the unused security records. This practice lets you familiarize yourself with the reports and their capabilities.
  • Use a phased approach to implementation. An attempt to clean up the entire security database at one time produces an unmanageable number of obsolete security file entries.
Security file entries are marked referenced only when they are used by the security system. Investigate early cases where “obviously needed” security file entries are not being marked referenced as expected. Consider using a tool to simulate such accesses. While investigation may reveal that Cleanup is not as active as expected, it will likely uncover that some privilege or other access is causing the entries to become undermined and bypassed. Investigation of early Cleanup findings has often uncovered existing security exposures.