Removing ACF2 logonids with ACC-DATE(00/00/00)

Article ID: 259600


Products

ACF2

Issue/Introduction

Does ACC-DATE(00/00/00) on an ACF2 logonid mean that the ID has never logged in from TSO, IMS, etc., and can it be removed from the ACF2 database?

 

Environment

Release : 16.0

Resolution

The ACC-DATE is updated if system entry processing has been done for the logonid; however, there are some instances where a logonid's ACC-DATE is not updated, for example logonids that are not used for actual system entry. The OMVS default id, for example, is only used as a pointer to another profile record; nothing ever "runs" under its UID string, so no system entry request is ever done for it. Other examples are the CICSPLT logonid and the Endevor "alternate id".

The logonids identified with ACC-DATE(00/00/00) should be reviewed to verify that none of them are special logonids that are in use but have not had their ACC-DATE updated. ACFRPTRX can be used to help determine the possible use of a logonid by reporting on all rule sets that apply to that specific logonid (LID). Once the list of logonids has been verified, it is best to first SUSPEND the logonids and monitor for a period of time to ensure there is no impact before actually deleting them. When deleting a logonid, the DELETE subcommand 'ARCHIVE' and 'INTO' parameters can be used to build the commands that can be used to recreate the logonid.

                                                    
The DELETE 'INTO(DSNAME(MEMBER))' parameter specifies the dataset name and member used to store the output of the archive. It is required when ARCHIVE is specified on a DELETE command.
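The review-then-suspend sequence above can be staged offline from a saved logonid listing. The following is an added example, not Broadcom's code: the listing layout is a constructed and simplified sample, the logonid names and the `NON_ENTRY_IDS` exclusion list are hypothetical, and `CHANGE <lid> SUSPEND` is the assumed ACF command form. It only generates SUSPEND commands for human review and never generates DELETE.

```python
import re

# Constructed, simplified logonid listing; real LIST output has many more fields.
SAMPLE_LISTING = """\
OMVSDFLT     OMVSDFLT OMVS DEFAULT PROFILE
   ACCESS       ACC-CNT(0) ACC-DATE(00/00/00)
PAYUSR01     PAYUSR01 PAYROLL CLERK
   ACCESS       ACC-CNT(412) ACC-DATE(03/02/24)
CICSPLT1     CICSPLT1 CICS PLT PROCESSING
   ACCESS       ACC-CNT(0) ACC-DATE(00/00/00)
TEMPUSR7     TEMPUSR7 CONTRACTOR ACCOUNT
   ACCESS       ACC-CNT(0) ACC-DATE(00/00/00)
"""

# Hypothetical site list of logonids that never perform system entry
# (OMVS default id, CICS PLT id, Endevor alternate id).
NON_ENTRY_IDS = {"OMVSDFLT", "CICSPLT1", "NDVRALT"}

HEADER = re.compile(r"^([A-Z0-9@#$]{1,8})\s")
ACC_DATE = re.compile(r"ACC-DATE\((\d\d/\d\d/\d\d)\)")

def parse_listing(text):
    """Return {logonid: ACC-DATE string} from the listing text."""
    records, current = {}, None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:                      # unindented line starts a new logonid
            current = head.group(1)
            records[current] = None
        elif current and (m := ACC_DATE.search(line)):
            records[current] = m.group(1)
    return records

def triage(records, non_entry_ids=NON_ENTRY_IDS):
    """Split zero-date logonids into suspend candidates and held-back ids."""
    zero = sorted(lid for lid, d in records.items() if d == "00/00/00")
    held = [lid for lid in zero if lid in non_entry_ids]
    candidates = [lid for lid in zero if lid not in non_entry_ids]
    return candidates, held

def suspend_commands(candidates):
    """Emit SUSPEND (not DELETE) commands for human review before execution."""
    return [f"CHANGE {lid} SUSPEND" for lid in candidates]

if __name__ == "__main__":
    cands, held = triage(parse_listing(SAMPLE_LISTING))
    print("Held for manual review:", held)
    print("\n".join(suspend_commands(cands)))
```

Logonids in the held list still need the ACFRPTRX check described above before they are treated as in use or unused.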

Note that the Cleanup for ACF2 product can be used to identify any logonid that is actually not used without relying on the ACC-DATE.

The Cleanup for ACF2 product provides automated, continuous, and unattended security file cleanup by monitoring security system activity to identify security definitions that are used and unused. It identifies access unused beyond a specified threshold and generates commands to remove that access. Specifically, it identifies and removes unused user IDs and permissions that each user has but does not use. Cleanup effectively resolves the accumulation of obsolete and excessive access rights that otherwise occurs within a security file over time.