So, how do you delete those user IDs that are inactive for a long period?

After revoking the pertinent user IDs, it is suggested to leave a contingency period between the time of revocation and the time of actual deletion. The length of this contingency period varies from organization to organization. In the next sample, you use CARLa to post-process the work done in the previous exercise.

You might wish to experiment with this next piece of CARLa code, which is a so-called two-pass CARLa query. A two-pass CARLa program is split into two passes through the information source. The first pass executes a CARLa program that generates CARLa statements and writes them to the designated zSecure CARLa work data set named “CKR2PASS”.

In the second pass, these generated CARLa statements are executed. They can result in a report that is written to the REPORT work data set. In this example, however, RACF commands are generated and written to the designated CKRCMD work data set. Note that two-pass CARLa programming requires an advanced level of CARLa knowledge. However, this CARLa program is a relatively simple two-pass program:

This CARLa program generates CARLa commands (REMOVE USER=<userid>) to remove the pertinent user IDs from the RACF database. This command generation is done conditionally for user IDs that have been inactive for at least 120 days and are owned by group DELETE.

Remember that in the previous exercise, you changed the owner to DELETE for user IDs that have been inactive for 90 days or more. Note: because you did not run the generated commands from the previous exercise, the “owner=DELETE” filter is entered as a comment only!

The first output from running this CARLa program, in CKR2PASS, should look like this screen capture:

The CARLa REMOVE USER=<userid> specification generates the appropriate RACF commands to fully remove the pertinent user ID from RACF.

To also remove the appropriate catalog pointers and user data sets (those that have the pertinent user ID as their high-level qualifier, HLQ), a recent CKFREEZE must be allocated. In the first program lines, ALLOC statements for both the active RACF database and the recent CKFREEZE data set are generated.

The output of running the generated CARLa in the CKR2PASS work data set (with line-command “R” on the results panel) might look similar to:

Nearly 16 thousand RACF commands are generated to remove all user IDs on this ED01 system that have not been used for more than 120 days. The CKRCMD work data set ends with the appropriate SETROPTS REFRESH commands for the classes affected by this cleanup.


© Copyright IBM Corp. 2012, 2020

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.