Cleanup Top Secret Security File Without Cleanup For Top Secret

Article ID: 203850


Products

Top Secret Top Secret - LDAP WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

Top Secret has been running for many years. Is there a way, without Cleanup, to find obsolete or unused resources, ACIDs, etc. in Top Secret? For example, profiles that are not used by anyone, as well as other resources that were defined and permitted over the years and are now obsolete.

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

If Cleanup for Top Secret is not used for this task, the best way to determine which user ACIDs are no longer being used is to look at both the LASTUSED date and the password expiration date. If an ACID has either a very old password expiration date or 1/1/80 (the default when an ACID is created), consider the ACID for deletion. However, do NOT automate the process: each ACID should be reviewed on an individual basis. A large number of ACIDs makes this a more difficult task, but it is the best way to ensure that an ACID that gets deleted does not turn out to be one that is in fact being used.

Information from TSSCFILE reports can be used to make a list of ACIDs that fit the criteria on both ends (LASTUSED and password expiration date), as a starting point for deciding whether each ACID should be deleted.

NOTE: There are situations where a signon with an ACID and password does NOT update the LASTUSED information. It is entirely up to the caller (whoever is driving the signon) whether these stats are updated. The LASTUSED stats will (or won't) be updated based on what the STAT= option is set to on the RACROUTE,REQ=VERIFY,ENVIR=CREATE request, which is what drives a signon.

Some examples of when LASTUSED stats are not updated are ATS (automatic terminal signon) ACIDs and ISC signons in the AOR. (This is done for performance reasons. Updating the LASTUSED stats for these signons would generate more I/O to the security file, which may adversely affect the system's performance.) Top Secret has an OPTIONS control option, and you can set OPTIONS(30) to update LASTUSED stats for ATS ACIDs, but be aware that setting this option may adversely affect the system's performance.

LASTUSED stats are not CPF'd either. Again, this is done for performance reasons. If systems A and B CPF to each other, and the user only signs on to system A, the LASTUSED stats won't be updated on system B. If the TSS LIST command is done on system B, a LASTUSED date won't be seen.
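The review list described above can be built off-host once the two dates have been pulled from the TSSCFILE output. The following is an added example, not Broadcom code: the CSV layout (`acid`, `last_used`, `pw_expires`, dates as MM/DD/YY), the `stale_days` threshold and the sample rows are assumptions constructed for illustration and do not represent the native TSSCFILE record format.

```python
import csv
import io
from datetime import date, datetime, timedelta

DEFAULT_EXPIRY = date(1980, 1, 1)  # 1/1/80, the value a newly created ACID carries

def parse_mmddyy(text):
    """Return a date for MM/DD/YY text, or None when the field is blank."""
    text = text.strip()
    return datetime.strptime(text, "%m/%d/%y").date() if text else None

def review_candidates(csv_text, today, stale_days=365):
    """Return (acid, notes) pairs that are stale on BOTH dates.

    The result is a worklist for one-by-one review, not input to a delete job.
    stale_days is a hypothetical threshold; the article only says "very old".
    """
    cutoff = today - timedelta(days=stale_days)
    worklist = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        last_used = parse_mmddyy(row["last_used"])
        pw_expires = parse_mmddyy(row["pw_expires"])
        notes = []
        if pw_expires == DEFAULT_EXPIRY:
            notes.append("password expiration is the 1/1/80 default")
        elif pw_expires is not None and pw_expires < cutoff:
            notes.append(f"password expired {pw_expires.isoformat()}")
        else:
            continue  # password side does not match, leave the ACID alone
        if last_used is None:
            # A blank LASTUSED is not proof of inactivity (STAT=, ATS, CPF).
            notes.append("no LASTUSED: rule out ATS, ISC/AOR and other-system signons")
        elif last_used < cutoff:
            notes.append(f"LASTUSED {last_used.isoformat()}")
        else:
            continue  # signed on recently
        worklist.append((row["acid"], notes))
    return worklist

# Constructed sample rows, not real ACIDs.
SAMPLE = """acid,last_used,pw_expires
USER01,03/14/24,06/01/24
USER02,02/02/15,05/05/15
USER03,,01/01/80
ATSTERM1,,11/30/12
USER04,04/20/24,01/01/80
"""

if __name__ == "__main__":
    for acid, notes in review_candidates(SAMPLE, today=date(2024, 7, 1)):
        print(f"{acid:<10} {'; '.join(notes)}")
```

USER04 is left off the list despite its 1/1/80 expiration because its LASTUSED date is recent, while ACIDs with a blank LASTUSED are listed with a reminder to check the signon paths that do not update the stats.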

As for determining which profiles or groups haven't been used without using Cleanup, Top Secret does not track these, so there is no way to determine which profiles or groups haven't been used in a long time.

The same is true for permits, facilities, etc. Without Cleanup, Top Secret does not track these either, so there is no way to determine which permits, facilities, etc. haven't been used in a long time.