Hi Patrick,
I am going to assume that you are aware of the sample batch jobs C2RJ* in the SCKRSAMP data set and are mostly asking about the CARLa commands to produce the right command output. I am also going to assume that you mean to do this simply on the basis of the information in the RACF database (as opposed to going through event logs).
You might be aware of the "last logon details" reports in AU.S - RACF user, which give a breakdown of users by how long ago they were last used. This is backed by the CKRDLGAD (display) and CKRLLGAD (print output) members in the SCKRCARL data set. A comment in those members is:
* On the use of LAST_CONNECT_DATE:
* for the RDS this is the maximum of the CGLJDATEs:
* - this value is less susceptible to other updates (such
* as ALTUSER) besides RACINITs than LJDATE
* - on the other hand, if the user's most recent logon group
* is deleted, the estimate may be set back in time
* - RACF uses LJDATE to determine the inactivity interval, so
* some other LG* samples must not use this field
* for the non-RDS this is simply the LJDATE
Let's forget about the non-restructured RACF data set format from the previous century; but the point is being made here that you can either use the LJDATE (last use date) field in the USER profile, or look at the last logon to any of the connected groups as recorded, and this might work slightly differently.
Using LJDATE, the basic CARLa to generate the ALU commands might look like this:
newlist type=racf nopage
select class=user segment=base ljdate<dumpdate-120
sortlist 'ALU' key(8) 'REVOKE'
And if you want to direct the output to a particular DD-name, then you might add "DD=name" on the NEWLIST statement.
Note that I use DUMPDATE, which for an UNLOAD is the date that the file was created. You can alternatively use TODAY. For a live source that should do the same.
(The NOPAGE keyword suppresses page headers and column headers, which you might want in a report but not for generating commands.)
I would assume, though, that you would also want to select on users not being revoked yet, to prevent issuing spurious ALUs, that is, add a NOT(REVOKE) clause on the SELECT statement as well. So you would get something along the lines of:
newlist type=racf dd=ckrcmd nopage
select class=user segment=base ljdate<dumpdate-120 not(revoke)
sortlist 'ALU' key(8) 'REVOKE'
Best regards,
------------------------------
Jeroen Tiggelman
Software Development and Level 3 Support Manager IBM Security zSecure Suite
IBM
Delft
------------------------------
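The selection logic from the reply above, modelled in Python over constructed records to show how the LJDATE estimate and the maximum-of-CGLJDATEs estimate can pick different IDs. This is an added example, not part of the original post and not zSecure or CARLa code; the record layout, the sample users, the `use_connects` switch and the separate handling of IDs with no date are assumptions.

```python
from datetime import date, timedelta

# Constructed sample records, not real RACF data. The dict layout is an
# assumption; the field names follow the terms used in the post.
DUMPDATE = date(2021, 4, 21)
USERS = [
    {"id": "ALICE", "ljdate": date(2021, 4, 1), "cgljdates": [date(2021, 4, 1)], "revoked": False},
    {"id": "BOB", "ljdate": date(2020, 11, 2), "cgljdates": [date(2020, 11, 2)], "revoked": False},
    # Already revoked: must not get a spurious ALU.
    {"id": "CAROL", "ljdate": date(2020, 6, 1), "cgljdates": [date(2020, 6, 1)], "revoked": True},
    # LJDATE moved by an update other than a logon, the case the quoted comment describes.
    {"id": "DAVE", "ljdate": date(2021, 3, 30), "cgljdates": [date(2020, 10, 5), date(2020, 1, 9)], "revoked": False},
    # Never logged on: no date at all.
    {"id": "ERIN", "ljdate": None, "cgljdates": [], "revoked": False},
]


def last_connect_date(user):
    """Maximum of the per-connect CGLJDATEs, or None when there are none."""
    return max(user["cgljdates"], default=None)


def revoke_commands(users, dumpdate, days=120, use_connects=False):
    """Return (ALU commands, never-used IDs) for IDs idle longer than `days`."""
    cutoff = dumpdate - timedelta(days=days)
    commands, never_used = [], []
    for user in sorted(users, key=lambda u: u["id"]):
        if user["revoked"]:
            continue  # same intent as not(revoke) on the SELECT
        last = last_connect_date(user) if use_connects else user["ljdate"]
        if last is None:
            # Assumption: IDs with no date go to review instead of being revoked.
            never_used.append(user["id"])
        elif last < cutoff:
            # ID padded to 8 columns, assumed to mirror key(8) in the SORTLIST.
            commands.append(f"ALU {user['id']:<8} REVOKE")
    return commands, never_used


if __name__ == "__main__":
    for flag in (False, True):
        cmds, review = revoke_commands(USERS, DUMPDATE, use_connects=flag)
        print("connect dates" if flag else "LJDATE", cmds, "review:", review)
```

Running both modes against the same unload and comparing the two command lists before submitting anything shows which IDs depend on the choice of date field.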
Original Message:
Sent: Wed April 21, 2021 03:58 PM
From: Patrick Cravens
Subject: Automatically Revoking of RACF users
Does anyone have coding for running a batch job that can produce a list of IDs that have been inactive for 120 days and then submit the ALU command to revoke the ID?
Thanks
------------------------------
Patrick Cravens
------------------------------