IBM Security Z Security

Security for Z

  • 1.  zSecure Alert - Revoke_Inactive Users

    Posted 26 days ago
    Edited by Luis Tapia 26 days ago

    hello,

    Is it possible to generate an alert when a user's status changes to Inactive (Revoke_Inactive=YES)?

    Regards

    Luis 



    ------------------------------
    Luis Tapia
    ------------------------------



  • 2.  RE: zSecure Alert - Revoke_Inactive Users

    Posted 24 days ago
    Edited by Rob van Hoboken 24 days ago

    A user profile does not change when the user has not logged on in a number of days.  There is no RACF event or SMF record to mark the change.  The user only becomes REVOKED when it attempts to log on and the last logon date is more than the Inactive number of days ago; that is when RACF denies the logon, changes the user's profile to REVOKED and writes an SMF record.

    Before this logon attempt, the output of LISTUSER does not identify the user as "INACTIVE"; you would have to combine the user's Last Use Date, today's date and the value in the INACTIVE field from SETROPTS LIST to determine this.  That is why tools like zSecure have added a pseudo status for this state.

    Since there is no SMF record or WTO, you cannot use the standard alert mechanism.  However, you can also use RACF profiles as the source of alerts.  If an alert has the newlist type RACF (or actually, any value other than SMF or WTO) as the data source, it will be evaluated right at the start of the alert cycle, when the environment interval starts.  For most installations, that means once every hour.

    So, you could create an installation defined alert, say alert ID 4001, and specify Data source RACF.  Then create a skeleton with a RACF specific selection:

    )CM Alert condition
    )SEL &C2PEPASS = N
    )IM C2PSGNEW
      select class=user revoke_inactive=Yes
    )ENDSEL

    Don't you hate it that you write select class=user revoked but you must add =Yes for revoke_inactive?

    Also, build the message text at the top of the skeleton:

    )SETF C2PXNAME = &STR(Revoke_inactive)
    )SETF C2PXMSG = &STR('User ID' user(0) 'is inactive')
    )SETF C2PXDES = &STR('User has not logged on for' :system.inactive 'days and will be revoked when they try to logon.')

    and remove lines 3 - 5 from the EMAIL message template, leaving only the alert ID and the system name.  You can keep the date and time information by referencing :run.datetime instead of date and time.

    If you try an alert like this, you will see the alert(s!) generated the first time when the configuration is refreshed and every hour after that.

    Also, you will see ALL inactive users flagged, even when they have been inactive for years.

    That may be more than you asked for...

    We can fix problem 2 by making this into a two-pass alert.  Find the "Pass one query" block and change this into

    )CM Pass one query
    )SEL &C2PEPASS = Y
    n type=system outlim=1 nopage
      select inactive<>0
      sortlist,
      "define inactive_user_selector true where",
      "class=user ljdate=today-" | inactive(0)
    )ENDSEL

    and then change the alert condition to

    )CM Alert condition
    )SEL &C2PEPASS = N
    )IM C2PSGNEW
      select ifdefined(inactive_user_selector)
    )ENDSEL

    This finds only the users that had the exact number of inactive days.

    I cannot remember the trick to make the alert only fire once in the day.  But there is something you can do with newlist type=run.  You should add this AFTER you have the basic alert working (every hour).

    In the pass one query block, add

    n type=run outlim=1 nopage
      define time as convert(datetime,internaldatetime,smftime)
      select time<0100
      sortlist,
      "define first_run true where complex==complex"

    and change the select statement in the alert condition block to

      select ifdefined(inactive_user_selector) ifdefined(first_run)
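
    The pseudo status Rob describes (Last Use Date combined with today's date and the SETROPTS INACTIVE value), and the difference between the hourly single-pass alert (every inactive user) and the two-pass selector ljdate=today-inactive (only users reaching the threshold today), worked through offline as an added Python example. This is not zSecure code and not Rob's; the LISTUSER and SETROPTS LIST samples are constructed approximations of the real output, and the strict "more than INACTIVE days" comparison follows Rob's wording rather than a documented RACF rule.

```python
import re
from datetime import date, timedelta

# Constructed sample approximating LISTUSER output (not captured from a real system).
# LAST-ACCESS is yy.ddd/hh:mm:ss, or UNKNOWN if the user has never logged on.
SAMPLE_LISTUSER = """\
USER=ALICE   NAME=ALICE EXAMPLE    OWNER=SYS1   CREATED=23.010
 LAST-ACCESS=24.061/08:15:02
USER=BOB     NAME=BOB EXAMPLE      OWNER=SYS1   CREATED=22.200
 LAST-ACCESS=23.001/17:40:11
USER=CAROL   NAME=CAROL EXAMPLE    OWNER=SYS1   CREATED=24.020
 LAST-ACCESS=24.090/09:00:00
USER=NEWBIE  NAME=NEVER LOGGED ON  OWNER=SYS1   CREATED=24.085
 LAST-ACCESS=UNKNOWN
"""
# Constructed sample of the SETROPTS LIST line that carries the INACTIVE value.
SAMPLE_SETROPTS = "INACTIVE USERIDS ARE BEING AUTOMATICALLY REVOKED AFTER 30 DAYS."
TODAY = date(2024, 3, 31)  # constructed "today" so the example is reproducible

def parse_inactive(setropts_text):
    m = re.search(r"REVOKED AFTER\s+(\d+)\s+DAYS", setropts_text)
    return int(m.group(1)) if m else None

def parse_last_access(listuser_text):
    """Map each user ID to its last-access date (None when LAST-ACCESS=UNKNOWN)."""
    users, current = {}, None
    for line in listuser_text.splitlines():
        m = re.match(r"USER=(\S+)", line)
        if m:
            current = m.group(1)
            users[current] = None
        elif current and (m := re.search(r"LAST-ACCESS=(\d{2})\.(\d{3})", line)):
            # Assumption: two-digit years are 20xx; ddd is the 1-based day of year.
            year, ddd = 2000 + int(m.group(1)), int(m.group(2))
            users[current] = date(year, 1, 1) + timedelta(days=ddd - 1)
    return users

def pseudo_status(listuser_text, setropts_text, today):
    """'inactive' = everyone the hourly single-pass RACF alert would flag; 'threshold-today' = the two-pass ljdate=today-inactive match."""
    limit = parse_inactive(setropts_text)
    status = {}
    for user, last in parse_last_access(listuser_text).items():
        idle = None if last is None else (today - last).days
        if idle is None:
            status[user] = "unknown"  # never logged on: no last-use date to compare
        elif idle == limit:
            status[user] = "threshold-today"
        elif idle > limit:
            status[user] = "inactive"
        else:
            status[user] = "active"
    return status
```

    Run against the samples, ALICE is the only user the two-pass alert reports, while the single-pass version would also report BOB every hour; NEWBIE shows why a user with no last-use date needs separate handling.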


  • 3.  RE: zSecure Alert - Revoke_Inactive Users

    Posted 24 days ago

    Thanks Rob, I will try each of your suggestions and I will let you know



    ------------------------------
    Luis Tapia
    ------------------------------



  • 4.  RE: zSecure Alert - Revoke_Inactive Users

    Posted 9 days ago

    Yes, it's possible - but it depends on the system you're using. If you're working with a database or user management tool, you can usually set up a trigger, automation, or script to send an alert (like an email or notification) when Revoke_Inactive = YES.



    ------------------------------
    Muhammad Junaid
    ------------------------------