IBM Security Z Security

  • 1.  RA.4.4 Delete user via batch

    Posted Mon February 19, 2024 02:12 PM

    We are migrating to RACF and zSecure and looking for a batch delete user solution. I'm aware of RACF utility IRRRID00 but I'm wondering if I can utilize zSecure instead. Is it possible to access some of the built-in product features such as RA.4.4 via batch job? I've searched around in CKR.SCKRCARL library but haven't found anything.



    ------------------------------
    David Low
    ------------------------------


  • 2.  RE: RA.4.4 Delete user via batch

    Posted Tue February 20, 2024 03:15 AM
    Edited by Jeroen Tiggelman Tue February 20, 2024 03:15 AM

    Hi David,

    Yes, you can. But indeed there is no sample in SCKRCARL.

    What you can do is run RA.4.4 with whatever options you like, then afterwards look on the RESULTS panel at the COMMANDS that were generated by the panel, that is, the CARLa statement that you could also run in batch.

    Depending on the options you select, these might be as simple as

    SUPPRESS  MANAGERACFVARS          
    REMOVE USER=TEST                  

    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM Security zSecure Suite
    Delft
    ------------------------------



  • 3.  RE: RA.4.4 Delete user via batch

    IBM Champion
    Posted Tue February 20, 2024 07:13 AM
    Edited by Rob van Hoboken Tue February 20, 2024 07:15 AM

    As Jeroen points out, the CARLa command to remove a user from RACF is REMOVE USER=xxxxxxx

    If you wish to remove multiple users, just add more REMOVE USER=yyyyyyyy commands in the same SYSIN data set.

    You can generate the JCL to run this in batch as follows.

    Go to menu option CO.C, enter one or more CARLa commands in the editor, enter SUB in the command line.

    There are sample jobs in data set CKRJOBS, and JCL skeletons in SCKRPROC. One of those procs executes a CARLa program and executes the generated RACF commands in the next (IKJEFT01) job step (as with all irreversible actions you gotta keep asking yourself if you feel lucky today).

    As for running reports in batch, many of the zSecure panels have "Output/run options" and one of these is "Print format". If you select this check mark and press Enter, another option is enabled: "Background run". This generates JCL to execute the report in batch.

    ------------------------------
    Rob van Hoboken
    ------------------------------
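
The replies above describe putting one REMOVE USER= statement per user into the same SYSIN data set. The following is an added example, not code from the thread or from zSecure: it builds that SYSIN from a list of candidate IDs and rejects anything that is not a well-formed RACF user ID, so a bad entry in the list cannot add extra statements to an irreversible job. The function name, the PROTECTED deny-list and the sample input are assumptions made for illustration.

```python
import re

# RACF user IDs: 1-8 characters from A-Z, 0-9 and the national characters # $ @.
USERID_RE = re.compile(r"[A-Z0-9#$@]{1,8}")

# Hypothetical site deny-list (assumption): IDs that must never get a REMOVE.
PROTECTED = frozenset({"IBMUSER"})


def build_remove_sysin(raw_ids, protected=PROTECTED, prefix=()):
    """Return (sysin_lines, rejected) for a list of candidate user IDs.

    prefix holds CARLa statements copied from the RA.4.4 RESULTS panel for
    the options you selected (such as the SUPPRESS line quoted in the thread).
    rejected is a list of (original_value, reason) pairs for manual review.
    """
    lines, rejected, seen = list(prefix), [], set()
    for raw in raw_ids:
        uid = raw.strip().upper()
        if not uid:                      # skip blank lines in the input list
            continue
        # fullmatch refuses embedded blanks or newlines, so one input entry
        # can never expand into more than one CARLa statement.
        if not USERID_RE.fullmatch(uid):
            rejected.append((raw, "not a valid RACF user ID"))
        elif uid in protected:
            rejected.append((raw, "protected ID"))
        elif uid in seen:
            rejected.append((raw, "duplicate"))
        else:
            seen.add(uid)
            lines.append(f"REMOVE USER={uid}")
    return lines, rejected


if __name__ == "__main__":
    # Constructed sample input, not real user IDs.
    sample = ["test", "TEST", "ibmuser", "A B", "X\nREMOVE USER=Y", "u#1"]
    sysin, bad = build_remove_sysin(sample, prefix=["SUPPRESS  MANAGERACFVARS"])
    print("\n".join(sysin))
    for value, reason in bad:
        print(f"rejected {value!r}: {reason}")
```

Review the rejected list before submitting; if it is not empty, correct the input rather than running the partial SYSIN.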



  • 4.  RE: RA.4.4 Delete user via batch

    Posted Tue February 20, 2024 08:20 AM

    This is great, thanks. Honestly I don't know where I'd be without zSecure for this RACF migration.



    ------------------------------
    David Low
    ------------------------------



  • 5.  RE: RA.4.4 Delete user via batch

    Posted Tue February 20, 2024 04:08 AM

    Hi David, 

    there might be a hybrid solution that you might want to check out for bulk deleting user IDs with zSecure. 

    When you use option RA.U, you can specify the search arguments/filters that select the target user IDs that you want to 'bulk delete' using a batch job. When you enter appropriate selection filters, the display shows all user IDs that fit your filters in ISPF format. 

    Next, you can put a block delete line command "DD" in the first and last line of your list of selected user IDs to indicate that you want to delete all user IDs within the DD-block. If applicable, you can also use multiple DD-blocks and single D commands to delete single user IDs from your selection list like so:

    On the next 'User Delete' panel, you can specify whether you also want to delete the resources (data sets, dataset profiles, RACF variables, catalog entries, etc.) that are associated with the user IDs that you want to delete. 

    After pressing Enter, you return to your user ID selection overview report. In the top right corner of your display, you see the message "Queued in CKRCMD". When you press F3, you access your CKRCMD work data set that contains the generated commands to delete the user IDs (and optionally their resources when you opted to also delete these resources).  I would suggest that you eyeball the generated commands prior to issuing the "SUB" or "SUBMIT" command in the command line to generate a batch job to delete the user IDs.

    Before deleting the user IDs, you might also want to create a RACF backup copy or zSecure Unload data set that can be used to recreate a user ID when there is a need to rebuild a user ID that you deleted.

    Just my 2 cents.



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------