Manually remove unused connects

About this task

The following process demonstrates how to remove unused connects manually based on administrator analysis and action. Make sure that you have collected sufficient usage information to declare an entry as unused. Before removing any access, verify that the Access Monitor data sets you designated as data sources cover the time period that you intended. (See Setting up zSecure to analyze and report on Access Monitor data.)
  1. Review unused connects.
  2. Verify that group connections are not being used.
  3. Delete the unused connects.
Step 1: Reviewing unused connects
  1. On the command line, type AM.4 and press Enter to open the Connect usage panel.
  2. To report on unused connects, enter a / in the Zero counts field.
  3. Specify any other report selection criteria required. (See Reporting on RACF Usage for details on specifying selection criteria.)

    If you want to remove almost unused connects or connects that have not been used for a long time (stale connects), select the Advanced Criteria options to specify the applicable selection criteria to report on these types of connects.

  4. After entering the report selection criteria, press Enter to generate the report. Figure 1 shows a Connect Usage report with a list of unused connects.
    Figure 1. Connect Usage report - Unused connects
                      Connect authority use, by group        
      Command ===> _________________________________________________ 
      Access monitor records for zero counts                                                   
         Group    Complex  InstData
      __ #EMPLOY  SYS1             
      __ #READ    SYS1             
      __ ADB210   SYS1             
      __ ADCD     SYS1             
      __ AOP      SYS1             
      __ APS330   SYS1             
      __ ASU      SYS1             
      __ AUT220   SYS1             
      __ AUT230   SYS1             
      __ CMDTEST  SYS1             
      __ CRMA     SYS1             
      __ CRMB     SYS1             
      __ C2RSERVG SYS1             
      __ C2XGRP   SYS1
      
Step 2: Verify that group connections are not being used

The Access Monitor program only records regular access verification requests. Consequently, the use of group connections for other purposes is not recorded. For example, a group connection can also be used to define new data sets and new data set profiles, to connect users to the group, and even to define new groups. Most of these actions are not recorded by the Access Monitor program.

Before deleting unused connections from the unused connect list, you must verify that the group connections in the list are not being used. The authorizations required for group connections being used for unrecorded actions typically involve either a group connect-authorization higher than USE, or a non-default connect-attribute, like group-special or group-operations. You can review the connect authorization for group connects and the connect attributes for users from the Connect Usage report.
  1. On the Connect Usage report, type S in the line command area for a group connect entry.
  2. Press Enter to see the detailed information for the group connection as illustrated in Figure 2.
    Figure 2. Connect Usage report - Connect authority use by group detail view
                     Connect authority use, by group                   
     Command ===> _________________________________________________ 
     Access monitor records for zero counts                        
        Group    Complex  InstData                                                                                               
     __ SYS1     SYS1                                   
        Userid   Access  Name                 RI DfltGrp InstData
     __ BPXOINIT USE     BPXOINIT                SYS1    
     __ CICSDFLT USE     CICS DEFAULT          Y SYS1    
     __ CICSUSER USE                             SYS1    
     __ DB8GRFSH USE                             SYS1    
     __ DB9GENV5 USE                           Y SYS1    
     __ DB9GRFSH USE                           Y SYS1    
     __ DSN1WLM1 USE                             SYS1    
     __ FTPD     USE     FTPD                    SYS1    
     __ IBMUSER  JOIN    NAME                 Y  SYS1    
     __ IMS71CR1 USE     IMS                   Y SYS1    
     __ IMS71DL1 USE     IMS                   Y SYS1   

    In this example, the SYS1 group includes the user IBMUSER with JOIN authorization. Because this authorization level is higher than USE, this group connection is not a good candidate for removal. The display also shows the default group (DFLTGRP) for the userid. The default group cannot be removed from a userid.

  3. To determine whether a userid has a non-default group-attribute, use the S line command to view the detailed user information. Then, use the L command to LIST the userid profile. If the user-to-group connections show any non-default attribute, carefully evaluate how the connect is used before deciding to delete it.
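
The Step 2 checks can be run over a saved copy of the detail view before any D line command is typed. The following is an added example, not IBM or zSecure code: it assumes the view was saved as plain text in the Figure 2 column layout, and the group PAYGRP and all userids in the sample are constructed. An empty result only means this view shows no blocker; connect attributes still have to be checked with the L listing.

```python
# Added example, not IBM code: triage a saved Connect Usage detail view (Figure 2 layout).
# RACF group authorities from lowest to highest.
AUTHORITY_RANK = {"USE": 0, "CREATE": 1, "CONNECT": 2, "JOIN": 3}

# Constructed sample; the group PAYGRP and all userids are hypothetical.
SAMPLE = """\
   Group    Complex  InstData
__ PAYGRP   SYS1
   Userid   Access  Name                 RI DfltGrp InstData
__ PAYADM   JOIN    PAY ADMIN               STAFF
__ PAYBAT   USE     BATCH ID             Y  PAYGRP
__ PAYCLK1  USE                             STAFF
__ PAYCLK2  CONNECT PAY LEAD                STAFF
"""


def triage(report: str) -> dict[str, list[str]]:
    """Map each userid to the reasons its connect should not be deleted yet."""
    lines = [ln.rstrip() for ln in report.splitlines() if ln.strip()]
    g = next(i for i, ln in enumerate(lines) if ln.split()[0] == "Group")
    u = next(i for i, ln in enumerate(lines) if ln.split()[0] == "Userid")
    group = lines[g + 1].split()[1]  # token after the "__" line command field
    # Name may contain blanks, so locate DfltGrp by header column, not token count.
    dflt_col = lines[u].index("DfltGrp") - 1
    findings = {}
    for ln in lines[u + 1:]:
        tokens = ln.split()
        if len(tokens) < 3 or tokens[0] != "__":
            continue  # not a connect row
        userid, access = tokens[1], tokens[2]
        dflt = (ln[dflt_col:].split() or [""])[0]
        reasons = []
        rank = AUTHORITY_RANK.get(access)
        if rank is None:
            reasons.append(f"unrecognized authority {access}")
        elif rank > AUTHORITY_RANK["USE"]:
            reasons.append(f"authority {access} is higher than USE")
        if dflt == group:
            reasons.append("group is the user's default group")
        findings[userid] = reasons
    return findings


if __name__ == "__main__":
    for userid, reasons in triage(SAMPLE).items():
        print(userid, "->", "; ".join(reasons) or "no blocker in this view; list the profile")
```
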
Step 3: Remove the unused connects
After verifying that a connection is unused, use the D line command to delete it from the Connect Usage detail view shown in Figure 2.
  1. In the line command area for the entries you want to delete, type D.
  2. Press Enter to generate the commands.
  3. On the Confirm panel, verify and edit the commands as required and set the mode to run the commands.

    If you want to be able to restore the connects after removal, you might want to use the automatic removal method. For details, see Automatically removing unused profiles.