Manually remove unused connects
About this task
- Review unused connects.
- Verify that group connections are not being used.
- Delete the unused connects.
- Step 1: Reviewing unused connects
- On the command line, type AM.4 and press Enter to open the Connect usage panel.
- To report on unused connects, enter a / in the Zero counts field.
- Specify any other report selection criteria required. (See Reporting on RACF Usage for details on specifying selection
criteria.)
If you want to remove almost unused connects or connects that have not been used for a long time (stale connects), select the Advanced Criteria options to specify the applicable selection criteria to report on these types of connects.
- After entering the report selection criteria, press Enter to generate the report. Figure 1 shows a Connect Usage report with a list of unused connects.
- Step 2: Verify that group connections are not being used
The Access Monitor program only records regular access verification requests. Consequently, the use of group connections for other purposes is not recorded. For example, a group connection can also be used to define new data sets and new data set profiles to connect users to the group and even to define new groups. Most of these actions are not recorded by the Access Monitor program.
Before deleting unused connections from the unused connect list, you must verify that the group connections in the list are not being used. The authorizations required for group connections being used for unrecorded actions typically involve either a group connect-authorization higher than USE, or a non-default connect-attribute, like group-special or group-operations. You can review the connect authorization for group connects and the connect attributes for users from the Connect Usage report.- On the Connect Usage report, type S in the line command area for a group connect entry.
- Press Enter to see the detailed
information for the group connection as illustrated in Figure 2.
In this example, the SYS1 group includes the user IBMUSER with JOIN authorization. Because this authorization level is higher than USE, this group connection is not a good candidate for removal. The display also shows the default group (DFLTGRP) for the userid. The default group cannot be removed from a userid.
- To determine whether a userid has a non-default group-attribute, use the S line command to view the detailed user information. Then, use the L command to LIST the userid profile. If the user to group connections show any non-default attribute, carefully evaluate how the connect is used before deciding to delete it.
- Step 3: Remove the unused connects
- After verifying that a connection is unused, use the D line command to delete it from the Connect Usage
detail view shown in Figure 2.
- In the line command area for the entries you want to delete, type D.
- Press Enter to generate the commands.
- On the Confirm panel, verify and edit the commands as required
and set the mode to run the commands.
If you want to be able restore the connects after removal, you might want to use the automatic removal method. For details, see Automatically removing unused profiles.