Using CA Cleanup for RACF

Includes best practices and general usage information.
cleanup121
This section describes how administrators use CA Cleanup for RACF:
  • Set up reports for tracking and comparison purposes
  • Perform a phased cleanup of your security file
  • Use the load utility
  • Selectively report users and resources
Best Practices
We recommend the following best practices when using
CA Cleanup
for RACF.
  • Run CA Cleanup all the time. Access from before the installation is unknown.
  • Initially load the
    CA Cleanup
    database using the #AT8DBU utility using the *ALL* parameter.
  • Schedule regular updates of the CA Cleanup database weekly to keep it in synch with RACF databases. This practice can be daily or weekly depending on the security system changes.
  • Perform the scheduled updates with the AT8#DBU utility *ALL* function.
  • Wait several months before removing unused security records CA Cleanup tracks unused RACF database records over time and should run through critical processing periods such as month, quarter, and year end.
    Depending on when you started collecting data, you may be able to start selective cleanup as early as 180 days, but best practice recommends having data for all critical processing periods that could be up to 455 days.
  • Run the CA Cleanup reports without removing the unused security records. This practice lets you familiarize yourself with the reports and their capabilities.
  • Use a phased approach to implementation. An attempt to clean up all security database at one time produces an unmanageable number of obsolete security file entries.
Security file entries are marked referenced only when they are used by the security system. Investigate early cases where “obviously needed” security file entries are not being marked referenced as expected. Consider using a tool to simulate such accesses. While investigation may reveal that CA Cleanup is not as active as expected, it will likely uncover that some privilege or other access is causing the entries to become undermined and bypassed. Investigation of early CA Cleanup findings has often uncovered existing security exposures.