This summary presents the steps required by RACF® and related IBM® licensed programs to delete users from RACF. Your installation might require
additional steps, depending on your security policy and the products
you have installed.

- To prevent the user from entering the system, revoke the user ID:
ALTUSER userid REVOKE
- If the user is already logged on to the system, or has a job running
on the system, ask the system operator to examine any logons (or jobs)
for the user and cancel those that should not be allowed to continue.
- Use the RACLINK LIST command to see if the user has any user ID
associations defined. If so, use the RACLINK UNDEFINE command to delete
them. You cannot delete a user ID that has any associations defined.
See The RACF remote sharing facility (RRSF) for more information.
- Use the RACMAP LIST command to see if the user has any distributed identity filters
defined. If so, use the RACMAP DELMAP command to delete them. You
cannot delete a user ID that has any distributed identity filters
defined. See Distributed identity filters for more information.
- Find all of the data sets associated with this user (that is,
data sets for which the user's user ID is the high-level qualifier
of the data set name) and perform the following steps:
  - Delete or rename (with a new high-level qualifier) the user's
  user data sets. If you rename or delete a data set that is protected
  by a discrete profile, the discrete profile is also renamed or deleted.
  Tip: You can do this using the DATA SET LIST utility of ISPF.
  - Identify all of the remaining (generic) data set profiles, create
  new ones modeled on them if needed, and then delete the remaining
  profiles.
  Important: Make sure that you do not delete an
  old profile unless it is no longer needed.
  Tips:
    - You can use the following SEARCH command to identify the user's
    data set profiles:
    SEARCH MASK(userid.) CLIST('LISTDSD DA(' ') ALL')
    As specified, the CLIST operand generates a CLIST that you can run to
    list all of the information in the data set profiles. This can help
    you assess whether to use the profiles as models.
    - You can use the FROM operand on the ADDSD command to create new
    profiles modeled on the old profiles.
  If the user has profiles in other classes (such as the JESSPOOL, JESJOBS, and
  NODES classes) that might have the user's user ID in their profile
  names, use the FILTER operand on the SEARCH command. For example:
  SEARCH CLASS(classname) FILTER(**.userid.**) CLIST('RDELETE classname')
- To research the following steps, use the IRRRID00 utility to list
the occurrences of the user ID in the RACF database.
For information, see Using the RACF remove ID (IRRRID00) utility.
- If the user is the owner of group data set profiles (the user's
user ID was specified on the OWNER operand on the ADDSD or ALTDSD
command for the group data set profile), decide which user or group
is to be the new owner of the group data set profiles.
Tip: If the user is the owner of any group data set profiles, specify the
new owner on the OWNER operand of the REMOVE command.
- If the user is a TSO user and has a SYS1.UADS entry, work
with the TSO administrator to delete the entry.
- If the user is a CICS® user and has an entry in the CICS signon table,
work with the CICS administrator to delete the entry.
- Remove the user from any access lists in which the user's user
ID is specified.
Tip: To do this, use the DELETE operand on the PERMIT command.
For example, suppose user ELVIS has update
permission to a set of data sets defined in the PROJA.** profile.
To remove ELVIS from the profile's access list, enter:
PERMIT 'PROJA.**' ID(ELVIS) DELETE
- If the user owns any RACF profiles,
change the OWNER field of the profile.
Tip: To do this, use the appropriate command for changing profiles,
such as ALTUSER or RALTER.
- After all occurrences of the user ID are deleted from the RACF database, use the DELUSER
command to delete the user profile.
For example, to delete the profile for user ELVIS, enter:
DELUSER ELVIS
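
The revoke and discovery steps at the start of this procedure can be run as one batch TSO job so that the output is kept as a record of everything that still references the user ID. This job is an added example, not part of the original summary: the job card values are constructed placeholders, ELVIS is the sample user from the text, and running under IKJEFT01, the LISTUSER check, and the ID and LISTMAP operands are assumptions not shown in the text.

```jcl
//RACFOFFB JOB (ACCT),'RACF OFFBOARD',CLASS=A,MSGCLASS=X
//* Constructed job card: job name, accounting data and classes are
//* placeholders; use your installation's values.
//*
//* Revokes user ELVIS, then lists what still references the user ID.
//* IKJEFT01 is the batch TSO terminal monitor program; SYSTSPRT
//* receives the output of every command read from SYSTSIN.
//* The submitter needs RACF authority to issue these commands.
//*
//* Command order in SYSTSIN:
//*   1. ALTUSER  - revoke the ID so it cannot enter the system
//*   2. LISTUSER - confirm the REVOKED attribute and list groups
//*   3. RACLINK  - user ID associations (must be undefined first)
//*   4. RACMAP   - distributed identity filters (must be deleted)
//*   5. SEARCH   - data set profiles under the ELVIS qualifier
//*   6. SEARCH   - general resource profiles naming the user ID
//*
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ALTUSER ELVIS REVOKE
  LISTUSER ELVIS
  RACLINK ID(ELVIS) LIST
  RACMAP ID(ELVIS) LISTMAP
  SEARCH MASK(ELVIS.)
  SEARCH CLASS(JESSPOOL) FILTER(**.ELVIS.**)
  SEARCH CLASS(JESJOBS) FILTER(**.ELVIS.**)
/*
```

The job changes nothing except the revoke; the cleanup commands and the final DELUSER remain separate steps taken after the SYSTSPRT output has been reviewed.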