One of our administrators deleted a few CA Top Secret profile ACIDs by mistake. Unfortunately, the profiles were deleted without doing any TSS LIST commands on the profiles. TSSAUDIT CHANGES shows the TSS DELETE commands, but there is nothing there to show how to rebuild the deleted profiles. Now, is there any way to rebuild those deleted profiles?
If a backup of the CA Top Secret security file has not been taken since the profiles were deleted, a recycle of CA Top Secret pointing to the backup files can be done and then list the profiles with ARCHIVE INTO to get the TSS commands to rebuild the profile ACIDs.
If a backup of the CA Top Secret security file has already been done, if TSSCFILE is run with TSS LIST(ACIDS) DATA(ALL) on a regular basis, the latest output from this command will show the contents of the profiles. If the output is old and the recovery file data goes back to the date of the output (or if you have backups of the recovery files from that date), the CA Top Secret recovery job (TSSRCVR1) or a TSSAUDIT CHANGES report can be to get the commands against the profiles since the TSSCFILE job was run.
If a backup has already been done and TSS LIST(ACIDS) DATA(ALL) output is not available with the profile ACIDs, an old copy of the security file (and VSAM extension) that has the profiles will need to be restored and recycle CA Top Secret pointing to these files. Then list the profiles (with ARCHIVE INTO) to get the commands needed to rebuild the profiles. Then recycle CA Top Secret pointing back to the current security file (and VSAM extension). This should probably be done on a test system to minimize the impact.
TSS LIST(profile) ARCHIVE INTO(pds.data.set.name(xxx))
ARCHIVE INTO can be used on TSS LIST and DELETE commands to archive an ACID's permissions and resources into the form of TSS commands. The produced TSS commands can be stored in a PDS data set and used to restore the user in the future.
TSS LIST(profile) ARCHIVE INTO(pds.data.set.name(xxx)) will create member 'xxx' in pds.data.set.name with the commands to recreate the profile.
Chapter 3 of the TSS r15 Command Functions Guide, section 'ARCHIVE Keyword Archive User's Security Record' has more information.
It is NOT possible to do TSS LIST(ACIDS) ARCHIVE INTO(pds.data.set.name(xxx)).
The following CA Top Secret r15 maintenance deals with ARCHIVE INTO and should be applied before doing the above:
RO59130: VARIOUS UPDATES RELATED TO LIST/ARCHIVE COMMAND OUTPUT
RO55736: INCORRECT CMDS CREATED W/ LIST INTO FOR MODEL/ARCHIVE
RO30280: ARCHIVE - IMBEDDED QUOTES NOT HANDLED ON FDT DATA
RO28526: DELETE ARCHIVE ON CPF COMMAND
RO23298: ARCHIVE INTO INCORRECTLY ALLOWED WITH ONLY READ ACCESS
RO21191 S0C4 AT TSSAUTH1+1610E WHEN LIST+ARCHIVE W/NULL INTO
Release: TOPSEC00200-15-Top Secret-Security