The following document discusses setting up Cleanup for ACF2 to undo changes made by Cleanup.
The Cleanup report utility AT5#RPT not only generates the ACF2 commands to remove unused LOGONID records and RULES, it also generates the ACF2 commands to back out those changes.
When setting up your Cleanup JCL to remove unused records, specify the BACKOUT DD statement and the CMDS DD statement in the JCL.
The CMDS DD contains the ACF2 commands to clean up unused LOGONIDS and RULES. The BACKOUT DD contains the ACF2 commands to undo the cleanup of unused records. For each command that is created in the CMDS DD, there is an equivalent command in the BACKOUT DD to back out that command.
Note: The CMDS DD and BACKOUT DD must be present in the JCL and the UNREF= parameter must be specified for commands to be generated. The ACF2 commands generated to remove the security records and recover the security records should be kept for future reference.
Sample JCL:
//DBRPT    JOB ACCT,REPORT,CLASS=A,MSGCLASS=X
//*---------------------------------------------
//* REPORT UNREFERENCED ENTRIES OVER 30 DAYS
//*---------------------------------------------
//S1       EXEC PGM=AT5#RPT,REGION=4M,PARM='UNREF=030'
//STEPLIB  DD DISP=SHR,DSN=CAI.CAILIB
//DBASE    DD DISP=SHR,DSN=CAI.ETCL.DB
//SYSPRINT DD SYSOUT=*
//SUMMARY  DD SYSOUT=*     Optional output file
//UNLOAD   DD SYSOUT=*     Optional output file
//* OTHER OPTIONAL FILES FOLLOW
//*
//CMDS     DD SYSOUT=*,DCB=(RECFM=FB,LRECL=80,BLKSIZE=0)
//BACKOUT  DD SYSOUT=*,DCB=(RECFM=FB,LRECL=80,BLKSIZE=0)
//CFILE    DD DISP=SHR,DSN=CAI.CFILE
//*
//SORTWK01 DD UNIT=SYSDA,SPACE=(CYL,5)
//
If a LOGONID is to be deleted, the command in the BACKOUT DD will be an ACF INSERT command.
For example,
The CMDS DD will show
ACF
SET LID
DELETE ACFUSER NORULE
END
The BACKOUT DD will show
ACF
SET LID
INSERT ACFUSER -
ACCOUNT -
ACCTPRIV -
ALLCMDS -
CONSOLE -
DFT-SOUT(X)-
DFT-SUBC(C)-
INTERCOM -
JCL -
JOB -
KERB-VIO(0)-
LGN-ACCT -
LGN-MSG -
LGN-PERF -
LGN-PROC -
LGN-RCVR -
LGN-SIZE -
LGN-TIME -
LGN-UNIT -
MAIL -
MOUNT -
NAME(COMPUTER ASSOCIATES )-
NOTICES -
OPERATOR -
PHONE(708-505-6750)-
PREFIX(ACFUSER)-
PROMPT -
PSWD-INV(0)-
PSWD-VIO(0)-
REFRESH -
SEC-VIO(0)-
SECURITY -
TSO -
TSOPROC(PROCZ15)-
TSORGN(4000)-
TSOSIZE(4000)-
WTP -
END
If an access rule or a resource rule is to be deleted, then the command in the BACKOUT DD will be an ACF COMPILE command.
For example,
The CMDS DD will show
ACF
SET RULE
DELETE ABC
END
The equivalent command in the BACKOUT DD will be
ACF
SET RULE
COMPILE * STORE NOLIST NOFORCE
$KEY(ABC)
XYZ UID(DECRO02 DEFAULT A)
ZYX UID(DECRO02 DEFAULT BB) READ(A) EXEC(A)
END
If only a rule line entry is to be deleted, instead of the full rule, the CMDS DD may look like this:
ETCLNRUL KEY(BPX) TYPE(FAC) -
DEL ( -
SUPERUSER UID(*) NEXTKEY(BPXSUPER) PREVENT-
) NOLIST NOVERIFY
The BACKOUT DD may look like this:
ETCLNRUL KEY(BPX) TYPE(FAC) -
ADD(-
SUPERUSER UID(*) NEXTKEY(BPXSUPER) PREVENT-
) NOLIST NOVERIFY
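A check to run before the cleanup commands are executed, confirming that every removal in the CMDS output has a matching undo in the BACKOUT output. This is an added example, not part of the Cleanup product or the original article. It parses only the command shapes shown above, and the function names and abbreviated sample streams are constructed for illustration.

```python
import re

# Command shapes are taken from the examples on this page. Whitespace is
# normalized first, so the physical line layout of the datasets is irrelevant.
ETCLNRUL = re.compile(
    r"ETCLNRUL KEY\((\S+?)\) TYPE\((\S+?)\) - (DEL|ADD) ?\( ?- (.*?) ?- ?\)")

def targets(text, undo):
    """Records touched by a CMDS (undo=False) or BACKOUT (undo=True) stream."""
    flat = " ".join(text.split())
    found = set()
    for key, rtype, verb, line in ETCLNRUL.findall(flat):
        if (verb == "ADD") == undo:
            found.add(("RULELINE", f"{rtype}/{key}", line))
    mode, tokens = None, flat.split()
    for tok, nxt in zip(tokens, tokens[1:] + [""]):
        if tok == "SET" and nxt in ("LID", "RULE"):
            mode = nxt                      # ACF subcommand mode
        elif tok == "END":
            mode = None
        elif not undo and mode and tok == "DELETE":
            found.add((mode, nxt, ""))
        elif undo and mode == "LID" and tok == "INSERT":
            found.add(("LID", nxt, ""))     # INSERT restores a LOGONID
        elif undo and mode == "RULE" and (m := re.fullmatch(r"\$KEY\((\S+)\)", tok)):
            found.add(("RULE", m.group(1), ""))  # COMPILE restores the rule set
    return found

def missing_backout(cmds_text, backout_text):
    """Removals in CMDS with no matching undo in BACKOUT; empty means paired."""
    return sorted(targets(cmds_text, False) - targets(backout_text, True))

# Constructed samples, abbreviated from the article's examples.
SAMPLE_CMDS = (
    "ACF SET LID DELETE ACFUSER NORULE END "
    "ACF SET RULE DELETE ABC END "
    "ETCLNRUL KEY(BPX) TYPE(FAC) - DEL ( - "
    "SUPERUSER UID(*) NEXTKEY(BPXSUPER) PREVENT- ) NOLIST NOVERIFY")
SAMPLE_BACKOUT = (
    "ACF SET LID INSERT ACFUSER - NAME(COMPUTER ASSOCIATES )- TSO - END "
    "ACF SET RULE COMPILE * STORE NOLIST NOFORCE $KEY(ABC) "
    "XYZ UID(DECRO02 DEFAULT A) END "
    "ETCLNRUL KEY(BPX) TYPE(FAC) - ADD(- "
    "SUPERUSER UID(*) NEXTKEY(BPXSUPER) PREVENT- ) NOLIST NOVERIFY")

if __name__ == "__main__":
    print(missing_backout(SAMPLE_CMDS, SAMPLE_BACKOUT) or "every removal has a backout")
```

A non-empty result lists the records that would be removed without a saved recovery command, which is the condition to resolve before the CMDS output is run.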
There are special considerations when LOGONIDS have been removed and need to be recovered.