The following document discusses setting up Cleanup to undo changes made by Cleanup.
How do you undo changes made by Cleanup for ACF2?
Cleanup report utility ETCL#RPT not only generates the CA-ACF2 commands to remove unused LOGONID records and RULES, but it will also generate CA-ACF2 commands to back out the changes.
When setting up your Cleanup JCL to remove unused records, please specify the BACKOUT DD statement and the CMDS DD statement in the JCL.
The CMDS DD contains the CA-ACF2 commands to cleanup unused LOGONIDS and RULES. The BACKOUT DD contains the CA-ACF2 commands to undo the cleanup of unused records. For each command that is created in the CMDS DD, there is an equivalent command to back-out that command in the BACKOUT DD.
Note: The CMDS DD and BACKOUT DD must be present in the JCL and the UNREF= parameter must be specified for commands to be generated. The CA-ACF2 commands generated to remove the security records and recover the security records should be kept for future reference.
//DBRPT JOB ACCT,REPORT,CLASS=A,MSGCLASS=X //*--------------------------------------------- //* REPORT UNREFERENCED ENTRIES OVER 30 DAYS //*--------------------------------------------- //S1 EXEC PGM=ETCL#RPT,REGION=4M,PARM='UNREF=030' //STEPLIB DD DISP=SHR,DSN=CAI.CAILIB //DBASE DD DISP=SHR,DSN=CAI.ETCL.DB //SYSPRINT DD SYSOUT=* //SUMMARY DD SYSOUT=* Optional output file //UNLOAD DD SYSOUT=* Optional output file //* OTHER OPTIONAL FILES FOLLOW //* // CMDS DD SYSOUT=*,DCB=(RECFM=FB,LRECL=80,BLKSIZE=0) // BACKOUT DD SYSOUT=*,DCB=(RECFM=FB,LRECL=80,BLKSIZE=0) //CFILE DD DISP=SHR,DSN=CAI.CFILE //* //SORTWK01 DD UNIT=SYSDA,SPACE=(CYL,5) //
If a LOGONID is to be deleted, the command in the BACKOUT DD will be an ACF INSERT command.
The CMDS DD will show
ACF SET LID DELETE ACFUSER NORULE END
The BACKOUT DD will show
ACF SET LID INSERT ACFUSER - ACCOUNT - ACCTPRIV - ALLCMDS - CONSOLE - DFT-SOUT(X)- DFT-SUBC(C)- INTERCOM - JCL - JOB - KERB-VIO(0)- LGN-ACCT - LGN-MSG - LGN-PERF - LGN-PROC - LGN-RCVR - LGN-SIZE - LGN-TIME - LGN-UNIT - MAIL - MOUNT - NAME(COMPUTER ASSOCIATES )- NOTICES - OPERATOR - PHONE(708-505-6750)- PREFIX(ACFUSER)- PROMPT - PSWD-INV(0)- PSWD-VIO(0)- REFRESH - SEC-VIO(0)- SECURITY - TSO - TSOPROC(PROCZ15)- TSORGN(4000)- TSOSIZE(4000)- WTP - END
If an access rule or a resource rule is to be deleted, then the command in the BACKOUT DD will be an ACF COMPILE command.
The CMDS DD will show
ACF SET RULE DELETE ABC END
The equivalent command in the BACKOUT DD will be
ACF SET RULE COMPILE * STORE NOLIST NOFORCE $KEY(ABC) XYZ UID(DECRO02 DEFAULT A) ZYX UID(DECRO02 DEFAULT BB) READ(A) EXEC(A) END
If a rule line entry is to be deleted only - instead of deleting the full rule, the CMDS DD may look like this:
ETCLNRUL KEY(BPX) TYPE(FAC) - DEL ( - SUPERUSER UID(*) NEXTKEY(BPXSUPER) PREVENT- ) NOLIST NOVERIFY
The BACKOUT DD may look like this:
ETCLNRUL KEY(BPX) TYPE(FAC) -
ADD(- SUPERUSER UID(*) NEXTKEY(BPXSUPER) PREVENT- ) NOLIST NOVERIFY
There are special considerations when LOGONIDS have been removed and need to be recovered.
Please see the Cleanup for CA-ACF2 Implementation Guide for more details.