Is there a way to list Top Secret profiles that are either empty (no rules) or have no connected acids?
If there is, I never knew about it. I eventually wrote a utility that reads the CFILE and lists various situations that call for attention. At every installation I program into it conditions that are unique to that company: A user ID that doesn't have an employee # in the installation data, for example, or that is missing a specific permission. But some are common to most installations: ACIDs that haven't been used in 14 months, for instance. Profiles that have no permissions or no ACID members are two of the conditions I'm checking for. I can run the command every so often to see what needs attention.
I know that doesn't help you, unless you're a REXX programmer. It's really by way of saying that if TSS had that ability natively, I wouldn't have had to write it.
There isn't a direct command to get these. You can issue:
TSS LIST(ACIDS) TYPE(PROFILE) DATA(XAUTH,ACIDS)
This will limit the output to profiles only and the permits in the profile and the acids attached.
If there are no permits, you will see:
ACCESSORID = profile NAME = name ACIDS = acids
If no acids are attached, the output will show:
ACIDS = *NONE*
This can also be done in TSSCFILE so the output is formatted.
NOTE: If you are running TSS r16 with fixes RO95454, RO96670, and RO97041 applied: RO95454 is an enhancement that allows TSSCFILE to be run against the TSS backup files in a private address space. If not, the TSS LIST(ACIDS) ... command should be run during off peak hours because this can be I/O intensive to the security file which could negatively impact performance.
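One way to post-process a captured copy of the TSS LIST(ACIDS) TYPE(PROFILE) DATA(XAUTH,ACIDS) output described above, as an added example that is not from the original posts: it flags profiles that show no permit lines or show ACIDS = *NONE*. The sample listing is constructed, and the "XA" prefix on permit lines and the name find_suspect_profiles are assumptions.

```python
import re

# Constructed sample of captured LIST output (not from a real security file).
# The "XA ..." permit lines are an assumed layout; adjust PERMIT_RE to match
# what your release actually prints.
SAMPLE_LISTING = """\
ACCESSORID = PAYPROF   NAME       = PAYROLL PROFILE
XA DATASET = PAY.MASTER                       OWNER(PAYDEPT )
ACIDS      = USER01    USER02

ACCESSORID = OLDPROF   NAME       = RETIRED APP
ACIDS      = USER03

ACCESSORID = TESTPROF  NAME       = TEST PROFILE
XA DATASET = TEST.DATA                        OWNER(TSTDEPT )
ACIDS      = *NONE*

ACCESSORID = DEADPROF  NAME       = UNUSED
ACIDS      = *NONE*
"""

ACCESSORID_RE = re.compile(r"^\s*ACCESSORID\s*=\s*(\S+)")
PERMIT_RE = re.compile(r"^\s*XA\s+\S")        # assumed permit line prefix
ACIDS_RE = re.compile(r"\bACIDS\s*=\s*(\S+)")

def find_suspect_profiles(listing):
    """Return {profile: [reasons]} for profiles with no permits or no ACIDs."""
    profiles = {}   # name -> {"permits": int, "has_acids": bool}
    current = None
    for line in listing.splitlines():
        m = ACCESSORID_RE.match(line)
        if m:
            current = profiles.setdefault(m.group(1), {"permits": 0, "has_acids": False})
        if current is None:
            continue  # message or header lines before the first profile
        if PERMIT_RE.match(line):
            current["permits"] += 1
        m = ACIDS_RE.search(line)
        if m and m.group(1) != "*NONE*":
            current["has_acids"] = True  # a missing ACIDS line stays flagged
    suspects = {}
    for name, info in profiles.items():
        reasons = [text for flag, text in (
            (info["permits"] == 0, "no permits listed"),
            (not info["has_acids"], "no ACIDs attached")) if flag]
        if reasons:
            suspects[name] = reasons
    return suspects
```

The result reflects only the data the listing requested, so a profile flagged with "no permits listed" still needs a visual check before anyone deletes it.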
Hello Bob, Steve,
- It depends on what you consider as "no rules" ... DATA(XAUTH,ACIDS) would not show LCF nor FACILITY ...
- Perhaps some cleverly coded SORT jobs could transform a TSS LIST output to show the requested information.
Hm, good point. The routine I said I use on demand—CFILECHK, it's called—counts the following CFILE record types as permissions:
Are there others I should be looking for too? Of course, all CFILECHK does is display the suspect profiles; only a human deletes an "empty" profile, after visual examination. And at our installation I'm not concerned about 2004; but other than that I want to be complete.