Rebuild Deleted ACID?

book

Article ID: 19833

calendar_today

Updated On:

Products

CA Cleanup CA Datacom - DB CA Datacom CA Datacom - AD CA Datacom - Server CA CIS CA Common Services for z/OS CA 90s Services CA Database Management Solutions for DB2 for z/OS CA Common Product Services Component CA Common Services CA Datacom/AD CA ecoMeter Server Component FOC CA Easytrieve Report Generator for Common Services CA Infocai Maintenance CA IPC Unicenter CA-JCLCheck Common Component CA Mainframe VM Product Manager CA Chorus Software Manager CA On Demand Portal CA Service Desk Manager - Unified Self Service CA PAM Client for Linux for zSeries CA Mainframe Connector for Linux on System z CA Graphical Management Interface CA Web Administrator for Top Secret CA CA- Xpertware CA Top Secret CA Top Secret - LDAP CA Top Secret - VSE

Issue/Introduction

Description:

One of our administrators deleted a few CA Top Secret profile ACIDs by mistake. Unfortunately, the profiles were deleted without doing any TSS LIST commands on the profiles. TSSAUDIT CHANGES shows the TSS DELETE commands, but there is nothing there to show how to rebuild the deleted profiles. Now, is there any way to rebuild those deleted profiles?

Solution:

If a backup of the CA Top Secret security file has not been taken since the profiles were deleted, a recycle of CA Top Secret pointing to the backup files can be done and then list the profiles with ARCHIVE INTO to get the TSS commands to rebuild the profile ACIDs.

If a backup of the CA Top Secret security file has already been done, if TSSCFILE is run with TSS LIST(ACIDS) DATA(ALL) on a regular basis, the latest output from this command will show the contents of the profiles. If the output is old and the recovery file data goes back to the date of the output (or if you have backups of the recovery files from that date), the CA Top Secret recovery job (TSSRCVR1) or a TSSAUDIT CHANGES report can be to get the commands against the profiles since the TSSCFILE job was run.

If a backup has already been done and TSS LIST(ACIDS) DATA(ALL) output is not available with the profile ACIDs, an old copy of the security file (and VSAM extension) that has the profiles will need to be restored and recycle CA Top Secret pointing to these files. Then list the profiles (with ARCHIVE INTO) to get the commands needed to rebuild the profiles. Then recycle CA Top Secret pointing back to the current security file (and VSAM extension). This should probably be done on a test system to minimize the impact.

TSS LIST(profile) ARCHIVE INTO(pds.data.set.name(xxx))

ARCHIVE INTO can be used on TSS LIST and DELETE commands to archive an ACID's permissions and resources into the form of TSS commands. The produced TSS commands can be stored in a PDS data set and used to restore the user in the future.

TSS LIST(profile) ARCHIVE INTO(pds.data.set.name(xxx)) will create member 'xxx' in pds.data.set.name with the commands to recreate the profile.

Chapter 3 of the TSS r15 Command Functions Guide, section 'ARCHIVE Keyword Archive User's Security Record' has more information.

It is NOT possible to do TSS LIST(ACIDS) ARCHIVE INTO(pds.data.set.name(xxx)).

The following CA Top Secret r15 maintenance deals with ARCHIVE INTO and should be applied before doing the above:
RO59130: VARIOUS UPDATES RELATED TO LIST/ARCHIVE COMMAND OUTPUT
RO55736: INCORRECT CMDS CREATED W/ LIST INTO FOR MODEL/ARCHIVE
RO30280: ARCHIVE - IMBEDDED QUOTES NOT HANDLED ON FDT DATA
RO28526: DELETE ARCHIVE ON CPF COMMAND
RO23298: ARCHIVE INTO INCORRECTLY ALLOWED WITH ONLY READ ACCESS
RO21191 S0C4 AT TSSAUTH1+1610E WHEN LIST+ARCHIVE W/NULL INTO

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component: