Use Reports with CA Cleanup for RACF

The following reports are included with CA Cleanup for RACF.
UNLOAD Report
The AT8#RPT UNLOAD file is a variable-blocked file containing multiple record types. Each record type describes a user, group, resource profile, or permission. All fields contain character data. Fields are separated by blanks.
Date fields are formatted as YYYY.DDD, where DDD is the day number of the year (Julian date). Date fields contain blanks when the DATEOK field contains 'N'.
Numeric fields, such as "number of days", are right-justified and padded on the left with zeros. The numbers are in character format.
Indicator fields contain a 'Y' or 'N' character.
Record Descriptions
The following table describes the user ID and group ID record:

Name     Position  Length  Description
-------  --------  ------  -----------
RECID    0001      0004    Record ID '0100'
LDATE    0006      0008    Load date
RDATE    0015      0008    Reference date
LDAYS    0024      0004    Number of days since last referenced
DATEOK   0029      0001    'Y' if the dates are valid. 'N' if the dates are invalid and LDAYS could not be calculated.
ID       0031      0008    User ID or group ID
CLASS    0040      0008    Contains value 'USERID' or 'GROUP'
NAME     0049      0020    User name or the first 20 characters of the group installation data
UGRPID   0070      0004    User ID tracking group number
The following table describes the user ID and group ID connection record:

Name     Position  Length  Description
-------  --------  ------  -----------
RECID    0001      0004    Record ID '0101'
LDATE    0006      0008    Load date
RDATE    0015      0008    Reference date
LDAYS    0024      0004    Number of days since last referenced
DATEOK   0029      0001    'Y' if the dates are valid. 'N' if the dates are invalid and LDAYS could not be calculated.
ID       0031      0008    User ID or group ID
CLASS    0040      0008    Contains value 'GROUPS' or 'USERLIST'
CONNID   0049      0008    When class is 'GROUPS', contains the group ID that is connected to the user. When class is 'USERLIST', contains the user ID that is connected to the group.
The following table describes the DATASET profile record:

Name     Position  Length  Description
-------  --------  ------  -----------
RECID    0001      0004    Record ID '0200'
LDATE    0006      0008    Load date
RDATE    0015      0008    Reference date
LDAYS    0024      0004    Number of days since last referenced
DATEOK   0029      0001    'Y' if the dates are valid. 'N' if the dates are invalid and LDAYS could not be calculated.
ID       0031      0008    Contains '*PROF*' indicating a resource profile
CLASS    0040      0008    Contains value 'DATASET'
DATASET  0049      0044    DATASET profile name
DVOLUME  0094      0006    DATASET volume if a discrete profile
D$REF01  0119      0001    'Y' if referenced by tracking group 1
D$REF02  0121      0001    'Y' if referenced by tracking group 2
D$REF03  0123      0001    'Y' if referenced by tracking group 3
D$REF04  0125      0001    'Y' if referenced by tracking group 4
D$REF05  0127      0001    'Y' if referenced by tracking group 5
D$REF06  0129      0001    'Y' if referenced by tracking group 6
D$REF07  0131      0001    'Y' if referenced by tracking group 7
The following table describes the DATASET permission record:

Name     Position  Length  Description
-------  --------  ------  -----------
RECID    0001      0004    Record ID '0202'
LDATE    0006      0008    Load date
RDATE    0015      0008    Reference date
LDAYS    0024      0004    Number of days since last referenced
DATEOK   0029      0001    'Y' if the dates are valid. 'N' if the dates are invalid and LDAYS could not be calculated.
ID       0031      0008    User ID or group ID
CLASS    0040      0008    Contains value 'DATASET'
DATASET  0049      0044    DATASET profile name
DVOLUME  0094      0006    DATASET volume if a discrete profile
DCCLASS  0101      0008    DATASET conditional access class
DCNAME   0110      0008    DATASET conditional access name
D$REF01  0119      0001    'Y' if referenced by tracking group 1
D$REF02  0121      0001    'Y' if referenced by tracking group 2
D$REF03  0123      0001    'Y' if referenced by tracking group 3
D$REF04  0125      0001    'Y' if referenced by tracking group 4
D$REF05  0127      0001    'Y' if referenced by tracking group 5
D$REF06  0129      0001    'Y' if referenced by tracking group 6
D$REF07  0131      0001    'Y' if referenced by tracking group 7
The following table describes the resource profile record:

Name     Position  Length  Description
-------  --------  ------  -----------
RECID    0001      0004    Record ID '0300'
LDATE    0006      0008    Load date
RDATE    0015      0008    Reference date
LDAYS    0024      0004    Number of days since last referenced
DATEOK   0029      0001    'Y' if the dates are valid. 'N' if the dates are invalid and LDAYS could not be calculated.
ID       0031      0008    Contains '*PROF*' indicating a resource profile
CLASS    0040      0008    Resource class name
RESNAME  0049      0246    Resource profile name
R$REF01  0314      0001    'Y' if referenced by tracking group 1
R$REF02  0316      0001    'Y' if referenced by tracking group 2
R$REF03  0318      0001    'Y' if referenced by tracking group 3
R$REF04  0320      0001    'Y' if referenced by tracking group 4
R$REF05  0322      0001    'Y' if referenced by tracking group 5
R$REF06  0324      0001    'Y' if referenced by tracking group 6
R$REF07  0326      0001    'Y' if referenced by tracking group 7
The following table describes the resource grouping member record:

Name     Position  Length  Description
-------  --------  ------  -----------
RECID    0001      0004    Record ID '0301'
LDATE    0006      0008    Load date
RDATE    0015      0008    Reference date
LDAYS    0024      0004    Number of days since last referenced
DATEOK   0029      0001    'Y' if the dates are valid. 'N' if the dates are invalid and LDAYS could not be calculated.
ID       0031      0008    Contains '*PROF*' indicating a resource profile
CLASS    0040      0008    Resource class name
RESNAME  0049      0246    Resource group profile name
MEMBER   0296      0255    Resource group member name
M$REF01  0552      0001    'Y' if referenced by tracking group 1
M$REF02  0554      0001    'Y' if referenced by tracking group 2
M$REF03  0556      0001    'Y' if referenced by tracking group 3
M$REF04  0558      0001    'Y' if referenced by tracking group 4
M$REF05  0560      0001    'Y' if referenced by tracking group 5
M$REF06  0562      0001    'Y' if referenced by tracking group 6
M$REF07  0564      0001    'Y' if referenced by tracking group 7
The following table describes the resource permission record:

Name     Position  Length  Description
-------  --------  ------  -----------
RECID    0001      0004    Record ID '0302'
LDATE    0006      0008    Load date
RDATE    0015      0008    Reference date
LDAYS    0024      0004    Number of days since last referenced
DATEOK   0029      0001    'Y' if the dates are valid. 'N' if the dates are invalid and LDAYS could not be calculated.
ID       0031      0008    User ID or group ID
CLASS    0040      0008    Resource class name
RESNAME  0049      0246    Resource profile name
RECCLAS  0296      0008    Resource conditional access class
RCNAME   0305      0008    Resource conditional access name
R$REF01  0314      0001    'Y' if referenced by tracking group 1
R$REF02  0316      0001    'Y' if referenced by tracking group 2
R$REF03  0318      0001    'Y' if referenced by tracking group 3
R$REF04  0320      0001    'Y' if referenced by tracking group 4
R$REF05  0322      0001    'Y' if referenced by tracking group 5
R$REF06  0324      0001    'Y' if referenced by tracking group 6
R$REF07  0326      0001    'Y' if referenced by tracking group 7
INCLUDE and EXCLUDE
You can use the INCLUDE and EXCLUDE files to report users, groups, and resources selectively.
  • These files replace use of the SYSIN file. The SYSIN file still accepts input in the old format, but a future release may drop support.
  • If the INCLUDE file is specified, the SYSIN file is ignored.
  • The files must be fixed-blocked with a record length of 80.
  • All input must begin in column 1 and end before column 72.
INCLUDE and EXCLUDE accept specific eight-character user IDs and group IDs.
INCLUDE and EXCLUDE accept resource class names and an optional resource name prefix:
  • When specified alone, CLASS selects all resources within that class.
  • When specified with CLASS, NAME selects all resources within the class that match the NAME prefix.
  • A blank within NAME is significant. NAME(ABC) selects all resources that begin with ABC; NAME(ABC ) with a trailing blank selects only resource ABC.
  • The "(" and ")" characters cannot appear within the CLASS or NAME value.
  • The CLASS value can be from 1 to 8 characters.
  • The NAME value can be from 1 to 40 characters.
Any character string value that follows a valid input parameter is treated as a comment.
Example INCLUDE and EXCLUDE Reports
This example loads or synchronizes your CA Cleanup database with your security file:
//INCLUDE DD *
*ALL*
This example deletes USERA from the CA Cleanup database:
//EXCLUDE DD *
USERA
This example refreshes USERB (re-synchronizes with the security file), retaining tracking history, leaving all other items unchanged:
//INCLUDE DD *
USERB
This example removes and reloads USERC, resetting tracking history for USERC, leaving all other items unchanged:
//EXCLUDE DD *
USERC
//INCLUDE DD *
USERC
This example refreshes existing IDs, without adding new IDs, and removes two users:
//EXCLUDE DD *
USERA
USERB
//INCLUDE DD *
*RELOAD*
This example refreshes all IDs from the security file and removes two users:
//EXCLUDE DD *
USERA
USERB
//INCLUDE DD *
*ALL*
This example removes resource class FACILITY permissions from one group:
//EXCLUDE DD *
CLASS(FACILITY)
//INCLUDE DD *
GROUPA
This example removes two resource classes from the CA Cleanup database:
//EXCLUDE DD *
CLASS(class1)
CLASS(class2)
//INCLUDE DD *
*RELOAD*
This example eliminates all dataset permissions that begin with SYS3 from the CA Cleanup database:
//EXCLUDE DD *
CLASS(DATASET) NAME(SYS3.)
//INCLUDE DD *
*ALL*
Report Utility JCL
Sample JCL for the report utility follows.
//AT8DBR   JOB ACCT,REPORT,CLASS=A,MSGCLASS=X
//*---------------------------------------------
//* REPORT UNREFERENCED ENTRIES OVER 30 DAYS
//*---------------------------------------------
//S1       EXEC PGM=AT8#RPT,REGION=4M,PARM='UNREF=030'
//STEPLIB  DD DISP=SHR,DSN=CAI.CDY1LINK
//DBASE    DD DISP=SHR,DSN=CAI.AT8.DB
//SYSPRINT DD SYSOUT=*
//SUMMARY  DD SYSOUT=*                     Optional output file
//UNLOAD   DD SYSOUT=*                     Optional output file
//*
//* OPTIONAL INPUT FOR SELECTIVE REPORTING
//*
//INCLUDE  DD *
ASTRO2                                     Name any Userid and Group
MARSGRP                                    Name any Userid and Group
//*
//* OTHER OPTIONAL FILES FOLLOW
//*
//CMDS     DD SYSOUT=*,DCB=(RECFM=FB,LRECL=80,BLKSIZE=0)
//BACKOUT  DD SYSOUT=*,DCB=(RECFM=FB,LRECL=80,BLKSIZE=0)
//RDBU     DD DISP=SHR,DSN=SECURITY.FILE.UNLOAD
//*
//SORTWK01 DD UNIT=SYSDA,SPACE=(CYL,5)
//SORTWK02 DD UNIT=SYSDA,SPACE=(CYL,5)
//
In this example:
  • When the report is executed, a PARM value specifies the criteria for the report. In this example, PARM='UNREF=30' indicates that security file entries that have been unreferenced for 30 days or more should be reported.
  • The SUMMARY file is optional and allows the summary report to be produced separately from the report output, so that the summary information can be easily accessed and retained. When not specified, the summary report appears at the end of the SYSPRINT report.
  • The UNLOAD file is optional and produces the report in an unloaded format: a blank-delimited, fixed-column format from which you can create customized reports or otherwise use the cleanup information. Fields that are truncated because of the limitations of the printed report appear in their entirety in the UNLOAD file.
  • The INCLUDE file is optional and allows selective reporting. The default is to report all items; you can use the INCLUDE and EXCLUDE files to report items selectively, as shown in the previous example.
  • The CMDS, BACKOUT, and RDBU statements are optional and are needed only when producing command output. If these files are not present, a report is produced without command file output. The RDBU statement should point to a copy of the security database in unload format, as created by the RACF IRRDBU00 utility.
  • The generation of command files is optional, but when selected for an UNREF report, two files are always generated. One contains the cleanup commands and the other the contingency commands that can be used to reverse the cleanup. For example, if the cleanup file contains commands to delete a user ID, the contingency file contains the commands needed to recreate the user ID.
  • Internally, the report utility invokes the system SORT utility. SORTWORK statements are often unnecessary; whether they are needed depends on the volume of data being processed.
  • Command output is formatted as fixed-length command lines that are continued when necessary. If one-line command output in a variable-length format is needed, use the SAMPJCL sample job AT8FB2VB. This utility converts the fixed-length commands into one-line commands without continuations.
Input Parameters
The PARM value specifies the criteria for the report: the number of days used to classify items as referenced or unreferenced. The PARM value must be enclosed in single quotes. The PARM values are:
  • UNREF=nnn
    Specifies the number of days that an item must be unreferenced for selection.
  • UNREF=ALL
    Specifies that all items should be selected. This parameter can be used to generate commands to clean up everything, including those items that are referenced and still in use. Because all items are being requested as unreferenced, the summary report shows 100 percent unreferenced for all items.
  • REF=nnn
    Specifies that items that are referenced within that number of days are selected.
  • REF=ALL
    Specifies that all items should be selected. This parameter can be used to generate commands to completely "clone" a user or group, including those items that have not been referenced.
  • PARM='BOTH'
    Reports the entire tracking file, both referenced and unreferenced items, without producing commands.
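The record layouts in the UNLOAD Report section and the PARM rules above, worked through as an added Python example (not code from CA Cleanup or AT8#RPT): it slices a variable-length UNLOAD record by the documented 1-based column positions, interprets UNREF=nnn, UNREF=ALL, REF=nnn, REF=ALL and BOTH, and computes the per-class "percent unreferenced" figure that the summary report shows. The sample records are constructed for this example, and two rules are this example's assumptions rather than the page's: a record whose DATEOK is 'N' is never selected by a day threshold (its LDAYS could not be calculated), and REF=nnn selects items whose LDAYS is below nnn, so that REF and UNREF with the same threshold partition the file.

```python
"""Parse AT8#RPT UNLOAD records and apply the report PARM selection.

Added example, not CA Cleanup code. Column positions (1-based) come from the
record-description tables; the sample records, the treatment of DATEOK='N'
and the REF=nnn comparison are this example's assumptions.
"""

# Fields present in every record type: (name, position, length).
COMMON_FIELDS = [("RECID", 1, 4), ("LDATE", 6, 8), ("RDATE", 15, 8), ("LDAYS", 24, 4),
                 ("DATEOK", 29, 1), ("ID", 31, 8), ("CLASS", 40, 8)]


def _flags(prefix, first, count=7):
    """Tracking-group indicator fields: one byte each, two columns apart."""
    return [(f"{prefix}{i:02d}", first + 2 * (i - 1), 1) for i in range(1, count + 1)]


# Record-type-specific fields, keyed by RECID, as documented in the tables.
TYPE_FIELDS = {
    "0100": [("NAME", 49, 20), ("UGRPID", 70, 4)],
    "0101": [("CONNID", 49, 8)],
    "0200": [("DATASET", 49, 44), ("DVOLUME", 94, 6)] + _flags("D$REF", 119),
    "0202": [("DATASET", 49, 44), ("DVOLUME", 94, 6), ("DCCLASS", 101, 8),
             ("DCNAME", 110, 8)] + _flags("D$REF", 119),
    "0300": [("RESNAME", 49, 246)] + _flags("R$REF", 314),
    "0301": [("RESNAME", 49, 246), ("MEMBER", 296, 255)] + _flags("M$REF", 552),
    "0302": [("RESNAME", 49, 246), ("RECCLAS", 296, 8), ("RCNAME", 305, 8)] + _flags("R$REF", 314),
}


def parse_record(line):
    """Split one variable-length UNLOAD record into a dict of stripped field values.

    LDAYS becomes an int when DATEOK is 'Y'; otherwise it is None because the
    utility could not calculate it (assumption: such records carry no usable count).
    """
    recid = line[0:4]
    if recid not in TYPE_FIELDS:
        raise ValueError(f"unknown record id {recid!r}")
    rec = {}
    for name, pos, length in COMMON_FIELDS + TYPE_FIELDS[recid]:
        rec[name] = line[pos - 1:pos - 1 + length].rstrip()   # a short line simply yields ''
    rec["LDAYS"] = int(rec["LDAYS"]) if rec["DATEOK"] == "Y" else None
    return rec


def parse_parm(parm):
    """Interpret the EXEC PARM: UNREF=nnn, UNREF=ALL, REF=nnn, REF=ALL or BOTH.

    Returns (mode, days); days is None for ALL and for BOTH.
    """
    value = parm.strip().strip("'").upper()      # the JCL value is written inside single quotes
    if value == "BOTH":
        return ("BOTH", None)
    key, _, arg = value.partition("=")
    if key not in ("UNREF", "REF") or not arg:
        raise ValueError(f"unsupported PARM {parm!r}")
    return (key, None if arg == "ALL" else int(arg))


def selected(rec, mode, days):
    """Apply the PARM selection to one parsed record.

    UNREF=nnn keeps items unreferenced for nnn days or more; REF=nnn keeps items
    referenced within the last nnn days (LDAYS below nnn, an assumption). A record
    with invalid dates cannot satisfy a day threshold.
    """
    if mode == "BOTH" or days is None:           # BOTH, UNREF=ALL, REF=ALL select everything
        return True
    if rec["LDAYS"] is None:
        return False
    return rec["LDAYS"] >= days if mode == "UNREF" else rec["LDAYS"] < days


def run_report(lines, parm):
    """Return the selected records and a per-class summary of (selected, total, percent)."""
    mode, days = parse_parm(parm)
    chosen, summary = [], {}
    for line in lines:
        rec = parse_record(line)
        hit = selected(rec, mode, days)
        sel, tot = summary.get(rec["CLASS"], (0, 0))
        summary[rec["CLASS"]] = (sel + hit, tot + 1)
        if hit:
            chosen.append(rec)
    summary = {cls: (s, t, round(100 * s / t)) for cls, (s, t) in summary.items()}
    return chosen, summary


def _lay_out(width, *fields):
    """Build a fixed-column line from (position, length, value) triples; used only for the constructed samples."""
    buf = [" "] * width
    for pos, length, value in fields:
        buf[pos - 1:pos - 1 + length] = list(value.ljust(length)[:length])
    return "".join(buf)


# Constructed sample file: a user, a connection, a dataset permission, a resource profile,
# and a group whose dates are invalid (DATEOK = 'N', date and LDAYS fields blank).
SAMPLE_UNLOAD = [
    _lay_out(73, (1, 4, "0100"), (6, 8, "2003.090"), (15, 8, "2002.354"), (24, 4, "0101"), (29, 1, "Y"),
             (31, 8, "P390G"), (40, 8, "USERID"), (49, 20, "SUSAN POPE"), (70, 4, "0001")),
    _lay_out(56, (1, 4, "0101"), (6, 8, "2003.090"), (15, 8, "2002.300"), (24, 4, "0155"), (29, 1, "Y"),
             (31, 8, "U01507"), (40, 8, "GROUPS"), (49, 8, "SYS2")),
    _lay_out(131, (1, 4, "0202"), (6, 8, "2003.090"), (15, 8, "2002.300"), (24, 4, "0155"), (29, 1, "Y"),
             (31, 8, "U01507"), (40, 8, "DATASET"), (49, 44, "SYS3.**"), (121, 1, "Y")),
    _lay_out(326, (1, 4, "0300"), (6, 8, "2003.090"), (15, 8, "2003.080"), (24, 4, "0010"), (29, 1, "Y"),
             (31, 8, "*PROF*"), (40, 8, "TSOAUTH"), (49, 246, "OPER"), (314, 1, "Y")),
    _lay_out(73, (1, 4, "0100"), (29, 1, "N"), (31, 8, "OLDGRP"), (40, 8, "GROUP"), (49, 20, "LEGACY INSTALL DATA")),
]

if __name__ == "__main__":
    chosen, summary = run_report(SAMPLE_UNLOAD, "'UNREF=100'")
    for rec in chosen:
        print(rec["ID"], rec["CLASS"], rec["LDAYS"])
    print(summary)
```

Run with UNREF=100 the three entries unreferenced for 101 and 155 days are selected, the TSOAUTH profile referenced 10 days ago is not, and the invalid-date group is never selected by a threshold; with UNREF=ALL every class shows 100 percent, which is the behaviour the UNREF=ALL description above warns about.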
Authority and Scope
When running the AT8DBR job for reports, the ACID does not need any administrative authorities or scope.
Sample Report and Command Files
Each example shows both the cleanup and contingency command file.
Sample report in RACF security format:

2003/03/31 (03.090) 09:47   Entries Unreferenced Over 100 Days

           Date     Date        Days    Item      Item
Userid     Loaded   Referenced  Unused  Class     Name
--------   ------   ----------  ------  --------  -----------------------------
*PROF*     02.300   02.314         141  DATASET   SYS2.TX.*
P390G      02.300   02.354         101  USERID    SUSAN POPE
TGRP       02.300   02.350         105  GROUP
U01507     02.300   .              155  GROUPS    IS
U01507     02.300   .              155  GROUPS    SYS2
U01507     02.300   .              155  TSOAUTH   OPER
U01507     02.300   .              155  DATASET   SYS3.**

Sample command file output in RACF format. The cleanup commands come first, followed by the contingency commands that restore what the cleanup removed:

Cleanup commands:
DELDSD 'SYS2.TX.*' GENERIC
PERMIT SY CLASS(ACCTNUM) ID(P390G) ACC(READ) DELETE
PERMIT JCL CLASS(TSOAUTH) ID(P390G) ACC(READ) DELETE
PERMIT $ISPF CLASS(TSOPROC) ID(P390G) ACC(READ) DELETE
REMOVE P390G GROUP(TGRP) OWNER(IBMUSER)
DELUSER P390G
DELGROUP TGRP
REMOVE U01507 GROUP(IS) OWNER(IS)
REMOVE U01507 GROUP(SYS2) OWNER(SYS2)
PERMIT OPER CLASS(TSOAUTH) ID(U01507) ACC(READ) DELETE
PERMIT 'SYS3.**' CLASS(DATASET) ID(U01507) ACC(READ) DELETE

Contingency commands:
ADDGROUP TGRP OWNER(IBMUSER) SUPGROUP(SYS1)
ADDUSER P390G DFLTGRP(TGRP) OWNER(IBMUSER) NAME('SUSAN POPE')
ALTUSER P390G TSO(PROC($ISPF) SIZE(4096) MAXSIZE(6000) ACCTNUM(SY))
PASSWORD USER(P390G) INTERVAL(030)
CONNECT P390G GROUP(TGRP) OWNER(IBMUSER) UACC(NONE) AUTH(USE)
PERMIT SY CLASS(ACCTNUM) ID(P390G) ACC(READ)
PERMIT JCL CLASS(TSOAUTH) ID(P390G) ACC(READ)
PERMIT $ISPF CLASS(TSOPROC) ID(P390G) ACC(READ)
ADDSD 'SYS2.TX.*' OWNER(ITTD) UACC(NONE)
PERMIT 'SYS2.TX.*' ID(P618B) WHEN(JESINPUT(INTRDR)) ACC(READ)
PERMIT 'SYS2.TX.*' ID(*) WHEN(PROGRAM(IEBGENER)) ACC(UPDATE)
CONNECT U01507 GROUP(IS) OWNER(IS) UACC(NONE) AUTH(USE)
CONNECT U01507 GROUP(SYS2) OWNER(SYS2) UACC(NONE) AUTH(USE)
PERMIT OPER CLASS(TSOAUTH) ID(U01507) ACC(READ)
PERMIT 'SYS3.**' CLASS(DATASET) ID(U01507) ACC(READ)
Sample Reports
The SAMPJCL library contains sample JCL to run reports. Modify these samples to meet your site's standards.
AT8DBR Job - Report on the Database
To create a custom report:
  • Add an //UNLOAD DD statement to your JCL.
  • Feed the generated file into a report product, such as CA Easytrieve Report Generator, to customize. The DCB information is not needed for the file creation.
AT8DBRC Job - Build Command File
Use this sample job to report on the CA Cleanup database and build command files to remove unused security file entries. The first step refreshes the database so that obsolete entries are removed before command generation.
To use this job:
  • Change all occurrences of "@@@@" to an appropriate dataset name prefix.
  • Change all occurrences of "??????" to an appropriate volume for the output datasets.
  • Change all occurrences of "####" to the name of your RACF database (shown by the command RVARY LIST).
  • Update the PARM= statement to specify:
    • The number-of-days threshold
    • Either referenced or unreferenced items
AT8DBUEX Job - Extract Subset from Data Set
Use this sample job to extract a subset of the RACF database unload dataset. A RACF group name is specified as a parameter. Starting from a full RACF unload dataset, this group, all of its subgroups, the default-connected users, and the resources owned by any of these groups or users are extracted to create a new unload file.
This subset can be used to create a CA Cleanup database and, together with the report utility, to create CA Cleanup commands.
To use this job:
  • SET CURDBU=####
    • ####
      Specifies your current RACF unload dataset name.
  • SET NEWDBU=XXXX
    • XXXX
      Specifies your new RACF unload dataset name.
  • SET ...=@@@@.CDY1EXEC
    • @@@@
      Specifies the dataset containing the AT8DBUEX REXX exec.
  • Change the string *group* in the last step to the highest group name from which information is extracted.
AT8DBR01 Job - Split AT8 RPT Output
Use this sample job to split AT8#RPT output into "groups" of output. The GROUPIN file specifies user IDs and assigns each a "group name" for reporting. AT8#RPT output is reorganized and presented by each assigned group name. User IDs with no assigned reporting group appear under a group name of $$none$$. Each group is printed to a separate, dynamically allocated SYSOUT file.
To use this job:
  • SET UNREF=XX
    • XX
      Specifies the reporting threshold in number of days.
  • SET ...=@@@@
    • @@@@
      Specifies your CA Cleanup dataset prefix.
  • SET RDBU=####
    • ####
      Specifies your RACF unload dataset name.
  • Run AT8#RPT and pass the report output on to the following steps.
  • Use SORT to create an LRECL=80 output file containing the RACF group and user names with their owner as the grouping name.
    This step can be modified to produce other values as the grouping name.
  • Use the SORT output as the userid/group file.
    Additional userid/group information can be concatenated to GROUPIN.
If you create your own userid/group file, run this job with just the first and last steps.
AT8DBR02 Job - Rearrange AT8 RPT Output
Use this sample job to rearrange AT8#RPT output into "groups" of output. The GROUPIN file specifies user IDs and assigns each a "group name" for reporting. AT8#RPT output is reorganized and presented by each assigned group name. User IDs with no assigned reporting group appear under a group name of $$none$$. The output is then written as one file to SYSPRINT, with each group separated by a page break. Many report distribution systems can route these groups to various recipients.
To use this job:
  • SET UNREF=XX
    • XX
      Specifies the reporting threshold in number of days.
  • SET ...=@@@@
    • @@@@
      Specifies your CA Cleanup dataset prefix.
  • SET RDBU=####
    • ####
      Specifies your RACF unload dataset name.
  • Run AT8#RPT.
  • Use SORT to create an LRECL=80 output file containing the RACF group and user names with their owner as the grouping name.
    This step can be modified to produce other values as the grouping name.
  • Use the SORT output as the userid/group file.
    Additional userid/group information can be concatenated to GROUPIN.
If you create your own userid/group file, this job can be run with just the first and last steps.
AT8DBR03 Job - Report on Resources
Use this sample job to report on resources instead of user IDs and groups.
To use this job:
  • SET UNREF=XX
    • XX
      Specifies the reporting threshold in number of days.
  • SET ...=@@@@
    • @@@@
      Specifies your CA Cleanup dataset prefix.
  • SET RDBU=####
    • ####
      Specifies your RACF unload dataset name.
Selection Criteria
Selection criteria can be a list of user IDs, class names, and resource names. You can use any or all of the keywords and can specify one or more of each. The keyword format is:
CLASS(class name) NAME(resource name prefix)
Class names are matched exactly. Resource names are matched as a prefix value: only the number of characters specified in the input are compared. To match an exact name, add a trailing blank to the value in the input keyword.
Example: matching resources
This example matches resource ABC only:
NAME(ABC )
This example matches any resource that starts with ABC:
NAME(ABC)
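The INCLUDE and EXCLUDE card rules and the selection criteria above, worked through as an added Python example (not code from CA Cleanup): it reads 80-byte cards, ignores column 72 onward, treats text after the parameter as a comment, keeps a blank inside NAME significant so that NAME(ABC ) matches only ABC while NAME(ABC) matches every name starting with ABC, rejects parentheses inside a value and over-long values, and then applies INCLUDE and EXCLUDE together. The (id, class, name) item tuples, the `card` helper, and the rule that an ID card matches every item carrying that ID are this example's assumptions, not something the page states.

```python
"""Parse INCLUDE/EXCLUDE cards and apply the CLASS/NAME selection rules.

Added example, not CA Cleanup code. The card rules (input in columns 1-71,
a blank inside NAME is significant, a trailing blank forces an exact match,
text after the parameter is a comment, no parentheses inside a value, CLASS
up to 8 and NAME up to 40 characters) come from the documentation above. The
(id, class, name) item tuples, the card helper and the rule that an ID card
matches every item carrying that ID are this example's assumptions.
"""
import re
from dataclasses import dataclass

CARD_WIDTH = 71  # input must begin in column 1 and end before column 72
KEYWORD = re.compile(r"^(CLASS|NAME)\(([^()]+)\)", re.IGNORECASE)


@dataclass(frozen=True)
class Selector:
    ident: str = None   # user ID, group ID, or *ALL*
    cls: str = None     # resource class, matched exactly
    name: str = None    # resource name prefix; a trailing blank means "exact name"

    def matches(self, item):
        """item is an (id, class, name) triple as it would appear on a report line."""
        ident, cls, name = item
        if self.ident is not None:
            return self.ident == "*ALL*" or self.ident == ident
        if cls != self.cls:
            return False
        if self.name is None:               # CLASS alone selects the whole class
            return True
        if self.name.endswith(" "):         # NAME(ABC ) selects only ABC
            return name == self.name.rstrip()
        return name.startswith(self.name)   # NAME(ABC) selects everything beginning with ABC


def card(text):
    """Pad a line to the fixed 80-byte card image of the INCLUDE/EXCLUDE files (constructed input)."""
    return text.ljust(80)[:80]


def parse_card(image):
    """Turn one card into a Selector; blank cards yield None, malformed cards raise ValueError."""
    text = image[:CARD_WIDTH]                # column 72 onward is never part of the input
    if not text.strip():
        return None
    if text[0] == " ":
        raise ValueError("input must begin in column 1")
    m = KEYWORD.match(text)
    if m is None:                            # an eight-character user or group ID, or *ALL*
        ident = text.split(None, 1)[0]       # everything after the ID is a comment
        if len(ident) > 8:
            raise ValueError(f"ID too long: {ident!r}")
        return Selector(ident=ident)
    if m.group(1).upper() != "CLASS":
        raise ValueError("NAME may only be specified together with CLASS")
    cls = m.group(2)
    if len(cls) > 8:
        raise ValueError(f"CLASS value longer than 8: {cls!r}")
    name = None
    m2 = KEYWORD.match(text[m.end():].lstrip())
    if m2 is not None and m2.group(1).upper() == "NAME":
        name = m2.group(2)                   # blanks inside the value are kept on purpose
        if len(name) > 40:
            raise ValueError(f"NAME value longer than 40: {name!r}")
    return Selector(cls=cls, name=name)      # any further text is a comment


def select(items, include_cards=(), exclude_cards=()):
    """Keep items matched by an INCLUDE card (all items when there are none) and by no EXCLUDE card."""
    inc = [s for s in map(parse_card, include_cards) if s is not None]
    exc = [s for s in map(parse_card, exclude_cards) if s is not None]
    return [it for it in items
            if (not inc or any(s.matches(it) for s in inc))
            and not any(s.matches(it) for s in exc)]


# Constructed items in the shape of the sample report's Userid / Class / Name columns.
ITEMS = [
    ("*PROF*", "DATASET", "SYS2.TX.*"),
    ("P390G", "USERID", "SUSAN POPE"),
    ("U01507", "GROUPS", "SYS2"),
    ("U01507", "TSOAUTH", "OPER"),
    ("U01507", "DATASET", "SYS3.**"),
    ("GROUPA", "GROUP", "PAYROLL GROUP"),
    ("GROUPA", "FACILITY", "ABC"),
    ("GROUPA", "FACILITY", "ABCDEF"),
]

if __name__ == "__main__":
    # The "remove FACILITY permissions from one group" example from the text.
    for item in select(ITEMS, include_cards=[card("GROUPA")], exclude_cards=[card("CLASS(FACILITY)")]):
        print(item)
```

Cards are parsed before any matching so that a malformed card (NAME without CLASS, a parenthesis inside a value, input starting in column 2) fails the whole run rather than silently selecting nothing; that mirrors the fail-closed behaviour you want from any selection file that drives command generation.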