Using Cleanup for RACF
Includes best practices and general usage information.
This section describes how administrators use
- Set up reports for tracking and comparison purposes
- Perform a phased cleanup of your security file
- Use the load utility
- Selectively report users and resources
We recommend the following best practices when using
- RunCleanupall the time. Access from before the installation is unknown.
- Initially load theCleanupdatabase using the #AT8DBU utility using the *ALL* parameter.
- Schedule regular updates of theCleanupdatabase weekly to keep it in synch with RACF databases. This practice can be daily or weekly depending on the security system changes.
- Perform the scheduled updates with the AT8#DBU utility *ALL* function.
- Wait several months before removing unused security recordsCleanuptracks unused RACF database records over time and should run through critical processing periods such as month, quarter, and year end.Depending on when you started collecting data, you may be able to start selective cleanup as early as 180 days, but best practice recommends having data for all critical processing periods that could be up to 455 days.
- Run theCleanupreports without removing the unused security records. This practice lets you familiarize yourself with the reports and their capabilities.
- Use a phased approach to implementation. An attempt to clean up all security database at one time produces an unmanageable number of obsolete security file entries.
Security file entries are marked referenced only when they are used by the security system. Investigate early cases where “obviously needed” security file entries are not being marked referenced as expected. Consider using a tool to simulate such accesses. While investigation may reveal that
Cleanupis not as active as expected, it will likely uncover that some privilege or other access is causing the entries to become undermined and bypassed. Investigation of early
Cleanupfindings has often uncovered existing security exposures.