IBM Security Z Security


 RACF Mass ID Removals

Floyd Womble posted Tue August 12, 2025 03:16 PM

Is there some sort of CARLa that I can use to perform massive RACF ID removals, like several hundreds?

Tom Zeehandelaar

Hi Floyd,

For your information, the bulk deletion of RACF user IDs is supported in the regular zSecure Admin UI. When you run a query to list the user IDs that you intend to delete, you can use the block delete line command (DD) to indicate which block of user IDs you want to delete. When your initial RA.U query also yields user IDs that you do not want to delete, you can use a combination of DD and D line commands to specify which user IDs you want to delete and which ones you want to preserve.

I hope this helps. 

Best regards, Tom Zeehandelaar 

Rob van Hoboken IBM Champion

Furthermore, after you have used the DD ... DD command that Tom mentioned, or you have entered several D line commands before pressing Enter, you can inspect the CARLa code generated by the panels as follows.

If you are still looking at a profile display, press F3 first to end up in the selection/query panels.  If you have just seen the RACF commands, press F3 to get to the RESULTS panel.

Otherwise, type RESULTS in the command line and press Enter.  This gives you a selection list with several DD names where you can Browse or Edit the files.

Enter E in front of the COMMANDS DD name.  This gives you the CARLa statements used for the display/report/command generation.  If you're looking to generate a batch job, enter SUBMIT in the command line while in Edit of the commands, or enter a J (job) in front of the DD name.

Jeroen Tiggelman

Hi Floyd, 

Essentially, removing IDs is requested by

REMOVE USER=id

In the UI the block command that Tom mentioned is probably the easiest option.

If you want to do something like this in the batch, then you can write a CARLa that generates a lot of these commands, like

newlist type=racf nopage
select class=user segment=base <the rest of your selection here>
sortlist 'REMOVE USER=' | key

Regards,
Jeroen

Rob van Hoboken IBM Champion

If you wish to delete a dozen or so user IDs, you could just enter the same number of REMOVE commands in your CARLa program, like so:

REMOVE USER=u1
REMOVE USER=u2

and when you run this program, RACF commands are generated.  This is what happens when you enter several D line commands or a DD ... DD block in RA.U.

If you need to select user IDs with a selection rule as Jeroen suggested, you need one CARLa step to evaluate the selection and generate (hundreds of) REMOVE commands, and a second step to run these commands to generate the RACF commands.  This could be done with a CARLa program under ISPF that writes to CKR2PASS, like so (in case you wanted to delete all users that had not logged on in the last 2 years):

newlist type=racf nopage dd=ckr2pass
select class=user segment=base ljdate<>never ljdate<today-730
sortlist 'REMOVE USER=' | key

Writing to CKR2PASS under ISPF option CO.C automatically displays the generated CARLa commands, where you can type GO in the command line to execute those in turn.

You can do the same in JCL with a job like this.  Note, replace the SYS1 prefix with the value(s) your installation used to store CKRPARM and SCKRPROC:

// JCLLIB ORDER=(SYS1.CKRPARM,SYS1.SCKRPROC)
//STEP1    EXEC C2RC
//CKR2PASS DD DISP=(,PASS),DSN=&&CKR2PASS
//SYSIN    DD *
newlist type=racf nopage dd=ckr2pass
select class=user segment=base ljdate<>never ljdate<today-730
sortlist 'REMOVE USER=' | key
//STEP2    EXEC C2RC
//SYSIN    DD DISP=OLD,DSN=&&CKR2PASS

If you add a CKFREEZE DD to your STEP2, zSecure will use this to find any catalog alias definitions and data sets for the user IDs, and generate IDCAMS DELETE commands to delete these.

Finally, if you have a (sizable) list of user IDs in a sequential data set, you could use these to generate REMOVE commands like this.  In STEP1 we must add an ALLOC command for the RACF database, because the ALLOC for the INPUT DD stops automatic allocation of the RACF input source.

// JCLLIB ORDER=(SYS1.CKRPARM,SYS1.SCKRPROC)
//STEP1    EXEC C2RC
//CKR2PASS DD DISP=(,PASS),DSN=&&CKR2PASS
//INPUT    DD *
user1
user2
//SYSIN    DD *
alloc type=racf active
deftype type=$input
alloc type=$input dd=input
newlist type=$input nopage dd=ckr2pass
  define id as word(record,1)
  select exists(id:dfltgrp)
  sortlist 'REMOVE USER=' | id
newlist type=$input dd=ckreport,
  toptitle='User ID does not exist in RACF'
  select missing(id:dfltgrp)
  sortlist id
//STEP2    EXEC C2RC
//SYSIN    DD DISP=OLD,DSN=&&CKR2PASS
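As an added illustration that is not CARLa and not code from this thread, the selection rules of the last two posts mirrored in Python over constructed sample data: the "not logged on in 2 years" rule (with the ljdate<>never exclusion), and the INPUT DD approach that emits REMOVE for IDs that exist and reports the ones that do not. The user table, the cutoff of 730 days and the as-of date are assumptions for the example.

```python
from datetime import date, timedelta

# Constructed sample, not real RACF data: user ID -> last logon date.
# None stands for a user that never logged on (CARLa ljdate=never).
SAMPLE_USERS = {
    "ALICE": date(2025, 7, 1),    # active
    "BOB":   date(2023, 1, 15),   # dormant
    "CAROL": None,                # never logged on: excluded by ljdate<>never
    "DAVE":  date(2023, 8, 13),   # exactly on the cutoff: not dormant
    "EVE":   date(2020, 5, 5),    # dormant
}
AS_OF = date(2025, 8, 12)         # assumed "today" for the dormancy check
DORMANT_DAYS = 730                # the 2-year rule from the post

def dormant_user_ids(users, today=AS_OF, dormant_days=DORMANT_DAYS):
    """Mirror 'select ... ljdate<>never ljdate<today-730'."""
    cutoff = today - timedelta(days=dormant_days)
    return sorted(uid for uid, last in users.items()
                  if last is not None and last < cutoff)

def remove_commands(user_ids):
    """Mirror 'sortlist "REMOVE USER=" | key'."""
    return [f"REMOVE USER={uid}" for uid in user_ids]

def parse_input_dd(text):
    """First word of each non-blank INPUT line, upper-cased, duplicates dropped."""
    seen, ids = set(), []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        uid = words[0].upper()
        if uid not in seen:
            seen.add(uid)
            ids.append(uid)
    return ids

def split_by_existence(requested_ids, users):
    """REMOVE only IDs present in RACF; report the rest (the two newlists)."""
    existing = [uid for uid in requested_ids if uid in users]
    missing = [uid for uid in requested_ids if uid not in users]
    return existing, missing

if __name__ == "__main__":
    print("\n".join(remove_commands(dormant_user_ids(SAMPLE_USERS))))
    wanted = parse_input_dd("bob\nCarol\nzzz9\n  bob\n")   # constructed INPUT DD
    ok, bad = split_by_existence(wanted, SAMPLE_USERS)
    print("\n".join(remove_commands(ok)))
    print("User ID does not exist in RACF:", ", ".join(bad))
```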