Report LAST USED / INACTIVE Users In Top Secret
search cancel

Report LAST USED / INACTIVE Users In Top Secret

book

Article ID: 16564

calendar_today

Updated On:

Products

Top Secret - VSE Top Secret

Issue/Introduction

Is there a way to get a report with just LOGIN, NAME and LAST USED date and time on the same line ?  

Environment

Release:
Component: TSSMVS, TSSVSE

Resolution

You could use this command in TSSCFILE : 

TSS LIST(ACIDS) TYPE(USER) DATA(BASIC) 

The record id for the LASTUSED information is 0900. 

If you want it in report format you will need to use EARL (Easy Access Report Language) that can customize reports from the TSSCFILE output (as well as TSSUTIL and TSSCPR). Top Secret distributes some sample EARL reports, but none of them list just the ACID and LAST USED dates, so you will need to customize the samples.

EARL is part of the CA Common Services set of products.

The Top Secret sample EARL reports are documented here:

Earl Utilities

Note that there are situations where an acid could signon with an id and password and NOT get the LAST USED information updated. Some examples of when LAST USED stats are not updated are ATS (automatic terminal signon) acids and ISC signons in the AOR. (This is done for performance reasons as updating the LAST USED stats for these signons would generate more I/O to the security file which may adversely affect the system's performance). Top Secret has an OPTIONS control option and you can set OPTIONS(30) to update lastused stats for ATS acids, but be aware that setting this option may adversely affect the system's performance. 

The LAST USED date is never used in determining a period of inactivity as there are too many different situations that do NOT update last used statistics for it to be correctly used as tool to determine inactivity. For example, using certificates does not update the last used date.  

What is used is the INACTIVITY control option. When this expires, a user becomes suspended. The INACTIVE parameter works in conjunction with the PWEXP parameter. This is the interval that is set to expire passwords and force a user at signon to create a new one. Once the PWEXP interval is hit, then it starts counting the interval set on the INACTIVE parameter. Once the inactive interval is reached, then the user will be suspended upon an attempt to signon. 

Please note that the acid does not become suspended until they try to signon after the inactive interval has been reached. 

For example:

PWEXP(15)

INACTIVE(15) 

If after 15 days a user does not signon to change his password, he then has 15 more days of inactivity to still signon successfully and change his password. If he does not signon within the 15 inactive days, when he does attempt to signon he will automatically be suspended and need to be unsuspended by an administrator. So in this scenario, the user would have 30 days to signon and still be able to change his password before his signing on will suspend him. Once the acid reaches the end of the INACTIVE parameter timeframe then it becomes INACTIVE. 

The supplied sample TSSEARL1 report lists all acids that are INACTIVE. This is a valid way to determine if a user is accessing the system and should be used to find acids to be deleted, rather than looking at the LAST USED date, as there are situations where an acid could signon with an id and password and NOT get the lastused information updated. 

To get a list of the users that logged in the last six months you could run a TSSUTIL report to show logons 
eg 
// EXEC TSSUTIL 
REPORT EVENT(INIT) DATE(fromdate,todate) 

but TSSUTIL runs against the AUDIT file, so you would need to have an audit file is large enough to hold 6 months worth of data. The file is a wraparound file, so if it is small, it may have been overwritten.