Need to delete unnecessary profiles



All about SAF, RACF, encryption, Firewall, Risk assessment and integrity concepts


Postby gdchipi » Fri Oct 25, 2013 10:49 pm

I was asked to delete unnecessary RACF rule profiles (with no alias, no datasets and no user connected). I understand that means to identify general profiles without alias, datasets and users, but it is difficult to understand how to find them. Could you help me?
gdchipi
 
Posts: 14
Joined: Sat Sep 08, 2012 12:56 am
Has thanked: 0 time
Been thanked: 0 time

Re: Need to delete unnecessary profiles

Postby prino » Sat Oct 26, 2013 2:27 am

If you don't know how to administrate RACF you have no business administrating RACF...
Robert AH Prins
robert.ah.prins @ the.17+Gb.Google thingy
prino
 
Posts: 641
Joined: Wed Mar 11, 2009 12:22 am
Location: Vilnius, Lithuania
Has thanked: 3 times
Been thanked: 29 times

Re: Need to delete unnecessary profiles

Postby steve-myers » Sat Oct 26, 2013 6:10 am

prino wrote: If you don't know how to administrate RACF you have no business administrating RACF...
Take it easy on the guy, Robert. I suspect every mature RACF data base has many effectively expired profiles in it. Deleting them is relatively easy, though time consuming. Identifying them, though, is another story.

First, you have to define exactly what you mean by an "expired" profile. I can think of a number of definitions; none of which are very easy to track down. This is the first thing gdchipi has to do. Gdchipi is probably going to run into some political problems here. The terminology in the first post here seems to indicate he has a problem with the scope.

Having defined what is meant by an "expired" profile gdchipi needs to find them. I have a couple ideas here, but I'm not even going to research them. It will mean a lot of work.

Having identified the profiles, gdchipi needs to delete them. Not so easy, but not so difficult, either.

Good luck.
steve-myers
Global moderator
 
Posts: 2105
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 243 times

Re: Need to delete unnecessary profiles

Postby prino » Sun Oct 27, 2013 2:37 am

steve-myers wrote:
prino wrote: If you don't know how to administrate RACF you have no business administrating RACF...
Take it easy on the guy, Robert.

A RACF administrator posting on "A Help & Support Forum for Mainframe Beginners and Students", gimme a break...

How long would we let someone like this rummage around on "that" system?
Robert AH Prins
robert.ah.prins @ the.17+Gb.Google thingy
prino
 
Posts: 641
Joined: Wed Mar 11, 2009 12:22 am
Location: Vilnius, Lithuania
Has thanked: 3 times
Been thanked: 29 times

Re: Need to delete unnecessary profiles

Postby steve-myers » Sun Oct 27, 2013 6:11 am

Agreed. It's probably safe to look, but an adult should probably oversee profile deletions.

Juveniles have to start somewhere Robert, and adults are hard to find in the security business. Most employers won't hire an adult anyway. Too expensive. Even an adult is going to goof.
steve-myers
Global moderator
 
Posts: 2105
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 243 times

Re: Need to delete unnecessary profiles

Postby gdchipi » Tue Oct 29, 2013 12:21 am

I need to identify rule profiles (I understand this means groups) having no user-datasets connected and having no alias. It is hard for me to identify groups without an alias. Do you know the way?
gdchipi
 
Posts: 14
Joined: Sat Sep 08, 2012 12:56 am
Has thanked: 0 time
Been thanked: 0 time

Re: Need to delete unnecessary profiles

Postby Robert Sample » Tue Oct 29, 2013 12:35 am

If you have a tool like SAS or Easytrieve available, you might want to extract a sequential file from the RACF data base using IRRDBU00 and use the various record types to identify what you can get rid of. I don't recall which manual in the Security bookshelf talks about IRRDBU00 and its output record types, but it should be easy enough to find. If you don't have such a tool available, you are going to have a very tough time doing what you want to accomplish since you'll be looking for negatives (things that are not connected) instead of positives.
Robert Sample
Global moderator
 
Posts: 3720
Joined: Sat Dec 19, 2009 8:32 pm
Location: Dubuque, Iowa, USA
Has thanked: 1 time
Been thanked: 279 times

Re: Need to delete unnecessary profiles

Postby gdchipi » Tue Oct 29, 2013 12:49 am

Yes: I can use REXX to get the info from the database, but I couldn't identify a record identifying the ALIAS there.
gdchipi
 
Posts: 14
Joined: Sat Sep 08, 2012 12:56 am
Has thanked: 0 time
Been thanked: 0 time

Re: Need to delete unnecessary profiles

Postby steve-myers » Tue Oct 29, 2013 6:28 am

The usual meaning of the word "alias" in this context is an alias entry for a userid or group name in the master catalog. "Alias" is not a RACF concept. The only way I know to test if an alias exists is to execute a LISTCAT ENT('xxx') IDCAMS command and check the return code. If the return code is 0, there is an alias entry, unless it is for something else.
steve-myers
Global moderator
 
Posts: 2105
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 243 times
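
An added example, not code from any poster in this thread: the "looking for negatives" search over an IRRDBU00 unload that Robert Sample describes, with the catalog aliases steve-myers mentions supplied as a separate set because they are not in the RACF data base. The column positions for record types 0100, 0102, 0205 and 0400 are assumptions to verify against the IRRDBU00 record layouts for your release, and the group names and records are constructed sample data.

```python
# Column positions (1-based, inclusive) are assumptions based on the
# IRRDBU00 record layouts; verify them for your release before relying on this.
FIELDS = {
    "0100": {"group": (6, 13)},                      # group basic data
    "0102": {"group": (6, 13), "member": (15, 22)},  # group members
    "0205": {"user": (6, 13), "group": (15, 22)},    # user connect data
    "0400": {"profile": (6, 49)},                    # dataset basic data
}

def field(line, span):
    """Extract a fixed-width field given 1-based inclusive columns."""
    start, end = span
    return line[start - 1:end].strip()

def unused_groups(lines, aliases=frozenset()):
    """Groups with no connected user, no dataset profile under their name
    as high-level qualifier, and no entry in the supplied alias set."""
    groups, connected, hlqs = set(), set(), set()
    for line in lines:
        rtype = line[:4]
        spec = FIELDS.get(rtype)
        if spec is None:
            continue  # record type not needed for this report
        if rtype == "0100":
            groups.add(field(line, spec["group"]))
        elif rtype in ("0102", "0205"):
            connected.add(field(line, spec["group"]))
        else:  # 0400: first qualifier of the dataset profile name
            hlqs.add(field(line, spec["profile"]).split(".")[0])
    return sorted(groups - connected - hlqs - set(aliases))

def rec(rtype, *fields):
    """Build a constructed fixed-width unload record for the sample."""
    return rtype + " " + " ".join(v.ljust(w) for v, w in fields)

# Constructed sample unload, not real data.
SAMPLE = [
    rec("0100", ("SYS1", 8), ("", 8)),
    rec("0100", ("PAYROLL", 8), ("SYS1", 8)),
    rec("0100", ("OLDPROJ", 8), ("SYS1", 8)),
    rec("0100", ("TESTGRP", 8), ("SYS1", 8)),
    rec("0100", ("ARCHIVE", 8), ("SYS1", 8)),
    rec("0102", ("SYS1", 8), ("IBMUSER", 8), ("USE", 8)),
    rec("0205", ("USER01", 8), ("PAYROLL", 8)),
    rec("0400", ("TESTGRP.**", 44), ("", 6)),
    rec("0200", ("USER01", 8)),
]

if __name__ == "__main__":
    print(unused_groups(SAMPLE, aliases={"ARCHIVE"}))
```

The result is a candidate list for review, not a deletion list; the alias set has to come from a separate catalog check such as the LISTCAT described above.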

Re: Need to delete unnecessary profiles

Postby gdchipi » Thu Oct 31, 2013 3:12 am

Thank you very much. I could identify the alias. Thanks again.
gdchipi
 
Posts: 14
Joined: Sat Sep 08, 2012 12:56 am
Has thanked: 0 time
Been thanked: 0 time
