Using the RACF remove ID (IRRRID00) utility

The RACF® remove ID (IRRRID00) utility can help you keep your RACF database current. You can use this utility to remove all references to group IDs and user IDs that no longer exist in the RACF database, or that are about to be removed from it. You can also specify a replacement ID to be substituted wherever a removed ID is still required (for example, as the OWNER of a profile).

The remove ID utility processes the output of the RACF database unload (IRRDBU00) utility, so you need read access to that output data set. To produce it, run the database unload utility against a copy of the RACF database, not against the production database itself. See Using the RACF database unload utility (IRRDBU00) for more information.

The remove ID utility:
  • Uses the DFSORT utility (or an equivalent program) to create lists of IDs from the output of the database unload (IRRDBU00) utility or from user input in a SYSIN file.
  • Compares these IDs to the user IDs and group names contained in such RACF data fields as:
    • Standard access list
    • Conditional access list
    • Profile names in the FACILITY class and certain general resource member classes
    • OWNER fields
    • NOTIFY fields
    • APPLDATA fields of certain general resource profiles.
    Note: See Finding residual IDs for more information about the fields searched by the remove ID utility.
  • Generates as output a TSO/E CLIST consisting of commands that change or remove each reference to a residual ID (an ID that no longer exists) or to an ID you specify in the SYSIN data set. For example, the output could include:
    • PERMIT commands to delete references on an access list
    • DELDSD or RDELETE commands to delete all data set and general resource profiles when the profile name contains the reference as a qualifier
    • ALTDSD and RALTER commands to change references to other values when an ID value is required.
Figure 1. Using the remove ID utility
As shown in Figure 1, here's how to use the remove ID utility:
  1. Use the database unload utility to produce a flat file. This file is the main input to the remove ID utility. You should use a copy of the production RACF database as input to the database unload utility.
  2. Optionally, you can specify a SYSIN file.

    If this file is empty or does not contain any valid input, or if it is allocated as DUMMY, the remove ID utility searches for residual references to user IDs or group names that do not exist as a user profile or a group profile. See Running IRRRID00 with an empty SYSIN for an example.

  3. The remove ID utility does one of the following:
    1. Finds the residual IDs, sorts them, and then uses this list of IDs to produce output that contains the appropriate RACF commands.

      See Finding residual IDs for more information about this step.

    2. Uses a list of user IDs and group names that are specified in the SYSIN file to produce output that contains the appropriate RACF commands.

      See Creating commands to remove IDs for more information about this step.

  4. The remove ID utility creates an OUTDD file, which contains commands to change or remove the occurrences of these IDs.

    You should review the commands the remove ID utility generates and, if necessary, edit them.

    If you run the remove ID utility with no SYSIN file, or do not specify a replacement ID, the output shows any references to an ID that requires a replacement as ?id. This might be the case, for example, in places where a residual user ID was the owner of other profiles. You should change all occurrences of ?id, if any, to an existing user ID or group name.

  5. As long as you have sufficient authority, you can now run these commands on the production RACF database. See z/OS Security Server RACF Command Language Reference for the specific authority requirements for RACF commands.
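The following is an added example, not IBM code and not a substitute for running IRRRID00. It emulates the decision logic the steps above describe on a handful of constructed IRRDBU00 records: collect the IDs that exist (0100 group and 0200 user records), scan reference fields (OWNER fields and access-list entries), and emit RACF commands either for residual IDs (empty SYSIN) or for the IDs listed in SYSIN, leaving the ?id placeholder wherever a replacement is needed but none was supplied. The column positions in LAYOUT, the SYSIN line format "OLDID [NEWID]", and the set of record types handled are assumptions of this example; verify the positions against the published IRRDBU00 record layouts before pointing this at real unload output.

```python
"""Added example (not IBM code): emulate IRRRID00's decision logic on constructed
IRRDBU00 records. LAYOUT gives 1-based (start, end) columns as recalled from the
IRRDBU00 record layouts; they are assumptions here and must be checked against
the RACF Macros and Interfaces manual before use on real unload output."""

LAYOUT = {
    "0100": {"name": (6, 13), "owner": (26, 33)},    # group basic data
    "0200": {"name": (6, 13), "owner": (26, 33)},    # user basic data
    "0400": {"name": (6, 49), "vol": (51, 56), "generic": (58, 60), "owner": (74, 81)},      # data set basic data
    "0404": {"name": (6, 49), "vol": (51, 56), "access": (58, 65), "auth_id": (73, 80)},     # data set access entry
    "0505": {"name": (6, 252), "cls": (254, 261), "access": (263, 270), "auth_id": (278, 285)},  # general resource access entry
}


def build_record(rtype, **fields):
    """Build a fixed-column record; used only to construct the sample unload below."""
    buf = [" "] * 300
    buf[0:4] = list(rtype)
    for fname, value in fields.items():
        start, end = LAYOUT[rtype][fname]
        width = end - start + 1
        buf[start - 1:end] = list(value.ljust(width)[:width])
    return "".join(buf)


def field(line, fname):
    start, end = LAYOUT[line[:4]][fname]
    return line[start - 1:end].strip()


def ds_keyword(name, vol, generic_names):
    """Data set commands need GENERIC for generic profiles and VOLUME for discrete ones."""
    if name in generic_names:
        return "GENERIC"
    return f"VOLUME({vol})" if vol else ""


def remove_id_commands(unload, sysin=()):
    """Return the command lines an OUTDD CLIST would contain for this unload.

    Empty SYSIN: every ID seen in a reference field with no 0100/0200 profile is
    residual. Otherwise only SYSIN IDs ("OLDID [NEWID]") are processed, and a
    missing NEWID leaves the ?id placeholder the administrator must edit."""
    groups = {field(r, "name") for r in unload if r.startswith("0100")}
    users = {field(r, "name") for r in unload if r.startswith("0200")}
    generic = {field(r, "name") for r in unload
               if r.startswith("0400") and field(r, "generic") == "YES"}
    targets = {}
    for entry in sysin:
        parts = entry.split()
        if parts:
            targets[parts[0].upper()] = parts[1].upper() if len(parts) > 1 else None

    def hit(id_):  # is this ID one we must remove references to?
        if targets:
            return id_ in targets
        return id_ != "" and id_ not in (users | groups)

    def new_owner(old):
        return targets.get(old) or "?id"

    cmds = []
    for r in unload:
        rtype, name = r[:4], field(r, "name")
        if rtype == "0100" and hit(field(r, "owner")):
            cmds.append(f"ALTGROUP {name} OWNER({new_owner(field(r, 'owner'))})")
        elif rtype == "0200" and hit(field(r, "owner")):
            cmds.append(f"ALTUSER {name} OWNER({new_owner(field(r, 'owner'))})")
        elif rtype == "0400" and hit(field(r, "owner")):
            parts = ["ALTDSD", f"'{name}'", ds_keyword(name, field(r, "vol"), generic),
                     f"OWNER({new_owner(field(r, 'owner'))})"]
            cmds.append(" ".join(p for p in parts if p))
        elif rtype == "0404" and hit(field(r, "auth_id")):
            parts = ["PERMIT", f"'{name}'", ds_keyword(name, field(r, "vol"), generic),
                     f"ID({field(r, 'auth_id')})", "DELETE"]
            cmds.append(" ".join(p for p in parts if p))
        elif rtype == "0505" and hit(field(r, "auth_id")):
            cmds.append(f"PERMIT {name} CLASS({field(r, 'cls')}) ID({field(r, 'auth_id')}) DELETE")
    # SYSIN mode: delete the profiles themselves last, after ownership has moved,
    # because DELUSER fails while the user still owns profiles.
    for id_ in targets:
        if id_ in users:
            cmds.append(f"DELUSER {id_}")
        elif id_ in groups:
            cmds.append(f"DELGROUP {id_}")
    return cmds


def needs_review(cmds):
    """Commands the administrator must edit before running them (contain ?id)."""
    return [c for c in cmds if "?id" in c]


SAMPLE_UNLOAD = [  # constructed records; GHOST1..GHOST3 have no profiles (residual)
    build_record("0100", name="SYS1", owner="IBMUSER"),
    build_record("0100", name="PAYROLL", owner="OLDADM"),
    build_record("0200", name="IBMUSER", owner="SYS1"),
    build_record("0200", name="OLDADM", owner="SYS1"),
    build_record("0200", name="JSMITH", owner="OLDADM"),
    build_record("0400", name="PAYROLL.MASTER", vol="PAY001", generic="NO", owner="GHOST3"),
    build_record("0400", name="PAYROLL.**", generic="YES", owner="PAYROLL"),
    build_record("0404", name="PAYROLL.MASTER", vol="PAY001", access="UPDATE", auth_id="GHOST1"),
    build_record("0404", name="PAYROLL.**", access="READ", auth_id="JSMITH"),
    build_record("0404", name="PAYROLL.**", access="READ", auth_id="GHOST2"),
    build_record("0505", name="BPX.SUPERUSER", cls="FACILITY", access="READ", auth_id="GHOST1"),
]

if __name__ == "__main__":
    print("--- empty SYSIN (residual IDs) ---")
    print("\n".join(remove_id_commands(SAMPLE_UNLOAD)))
    print("--- SYSIN: OLDADM IBMUSER ---")
    print("\n".join(remove_id_commands(SAMPLE_UNLOAD, ["OLDADM IBMUSER"])))
    print("--- needs editing before execution ---")
    print("\n".join(needs_review(remove_id_commands(SAMPLE_UNLOAD, ["OLDADM"]))))
```

With an empty SYSIN the sample yields PERMIT ... DELETE lines for GHOST1 and GHOST2 plus an ALTDSD with OWNER(?id) for the data set owned by GHOST3, which is exactly the case step 4 warns about. With "OLDADM IBMUSER" in SYSIN, ownership of PAYROLL and JSMITH moves to IBMUSER before the closing DELUSER OLDADM; with "OLDADM" alone, the same commands come out with ?id and needs_review flags them.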
Note:
  1. The remove ID utility deals only with profiles in the RACF database. It does not produce any commands to delete or rename the resources those profiles protect. You must delete or rename those resources yourself, or make sure other profiles protect them, before you delete the profiles.

    You can use DFSMSdss to rename data sets for IDs that you will be removing from the RACF database.

  2. If you delete profiles before you delete or rename the data sets themselves and PROTECTALL is in effect, you might need some extra authority to remove these data sets.
  3. If you remove a user ID that had been cross-linked with a DCE principal, contact the cell's DCE administrator to determine whether the DCE principal should be deleted from the cell.
  4. If a residual ID is found in a NOTELINK or NDSLINK profile, an RDELETE command will be produced to delete the profile. However, if the profile name contains lower case characters, the RDELETE command cannot be executed successfully. To delete the profile, you must issue an ADDUSER command for the user ID specifying the corresponding LNOTES SNAME or NDS UNAME. Then, a DELUSER can be issued to delete the user profile and the NOTELINK or NDSLINK profile.
  5. If a user ID that you specified in the SYSIN file is found in the name of a user profile containing an LNOTES, NDS, or DCE segment, IRRRID00 will produce a DELUSER command to delete the user profile, but it will not produce RDELETE commands to delete the corresponding NOTELINK, NDSLINK, or DCEUUIDS profiles. Deletion of the user ID through DELUSER processing will cause the deletion of the corresponding general resource profiles.
  6. If a residual user ID or a user ID that you specified in the SYSIN file is found in an IDIDMAP profile, IRRRID00 does not produce an RDELETE command to delete the IDIDMAP profile. Instead, it produces a RACMAP DELMAP command, specifying the user ID and label name of the distributed identity filter contained in the IDIDMAP profile, to delete the filter.

    A residual user ID might be found in an IDIDMAP profile if a user ID that is mapped by a distributed identity filter is subsequently deleted by issuing a DELUSER command from a downlevel system that does not support distributed identity filters.

    Performance consideration: When you issue the RACMAP DELMAP command specifying both the label and a user ID that has no user profile (such as a residual user ID), RACF searches all profiles in the IDIDMAP class to locate and delete all matching distributed identity filters. This search might take an extended period of time.