The command is not a cancel command but a REVOKE.
The reason for the command is a schedule that was defined for the user with the name 'CANCEL'.
Original Message:
Sent: Mon November 24, 2025 04:45 PM
From: Danielle Craig
Subject: Re: "zSecure Scheduled actions"
One other note, we have reports that are delivered daily showing us what commands are issued. I cannot find where any ID issues any cancel commands on the IDs I listed in my first post.
------------------------------
Danielle Craig
Original Message:
Sent: Mon November 24, 2025 04:40 PM
From: Danielle Craig
Subject: Re: "zSecure Scheduled actions"
Apologies, I have been on PTO and not reviewing emails. We used to have an automation job that would run for terminations. That has not been done in some time. We have Sailpoint doing that work now. Sailpoint does issue the same commands, but would only do so if it received a ticket. There is no indication where the Sailpoint service ID issued the cancel command required. The strange thing is one of these is also a service ID. We don't typically hard revoke service IDs due to their sensitive nature and ability to create outages. Also, this ID was logging on daily and able to work up until Friday 11/14. The hard revoke was not there. The only other time the cancel commands get issued is when we are reviewing stale IDs. That doesn't get done until the last day or two of the month. Simply put, the ID did not have a hard revoke on it and then suddenly it did with a date back in 2021. This prevented them from being able to reset the password and use the ID. I will do some digging to see if any CKGRACF jobs are running but I do not believe there are and why would it issue a hard revoke (cancel) from 2021?
------------------------------
Danielle Craig
Original Message:
Sent: Wed November 19, 2025 04:22 AM
From: Jeroen Tiggelman
Subject: Re: "zSecure Scheduled actions"
Sorry for opening a new thread, but I have tried to answer the other thread for some days now, and cannot get the "Post" button to work on my reply...
====
Hi Danielle,
Terminology-wise I would prefer to speak of "queued commands" and "revoke/resume schedules" and "scheduled events".
Queued commands can be timed and temporary, there you would actually schedule a particular command for a particular date etc.
Here we are talking about revoke/resume schedules, with events on the schedule(s), and potentially a command or action resulting from the combination of all the schedules.
It appears you have a schedule called CANCEL.
This might be the only schedule you have on this user, so it might determine the overall revoke/resume setting.
I think the Audit Trail here is from zSecure Command Verifier (while the schedules are from the CKGRACF component of zSecure Admin).
This reflects actual commands that were issued.
This field is derived from the USR field and contains the date after which a CKGRACF REFRESH command is required; undefined if the profile does not contain scheduled revoke/resume actions or queued commands.
So I guess my first question is if the daily job is in fact running.
> to essentially "hard revoke" user IDs so only we can reinstate them
The way this works is that there can be multiple schedules, and only some people are authorized to set events on a particular schedule.
So insofar CKGRACF controls who is resumed and revoked, this means it won't resume users that are 'hard revoked'.
Note this does not mean that someone else cannot be authorized to do a direct RESUME in RACF.
But you'd expect another REVOKE to occur if the user is still hard-revoked at the next refresh.
I hope this begins to help.
Regards,
Jeroen
------------------------------
Jeroen Tiggelman
IBM - Software Development Manager IBM zSecure
Delft
------------------------------