

Which Rule Entry is Selected for $ROLESET Rules?

The following is the order in which CA ACF2 Option for DB2 automatically sorts $ROLESET rule entries in a rule set:

  1. Extended resource key parameters from most specific to least specific, with “not specified” first.
  2. USER operands in alphabetical order, with “USER(-)” last.
  3. ROLE operands in alphabetical order, with “ROLE(-)” last.
  4. SHIFT parameters in alphabetical order, with “not specified” last.
  5. SERVICE parameters with the fewest keywords first (the ALL keyword is sorted last because it represents all keywords). Multiple keywords specified by a single SERVICE parameter are sorted in a pattern determined by CA (that is, in bit sequence).
  6. UNTIL/FOR dates from earliest to latest, with “not specified” last.
  7. ACTIVE dates from earliest to latest, with “not specified” last.
  8. COLUMN parameters with the fewest keywords first, in alphabetical order, with “not specified” last.

During access validation on a $ROLESET rule, the first role in the user’s list of roles is used for validation. If access is denied, the next role in the list is selected and validation is re-driven. This process continues until access is allowed or the user’s list of roles is exhausted.

When USER(…) rule lines are used, the first rule entry that matches the environment is the rule entry CA ACF2 for DB2 uses to determine the access privileges.

If access is denied by a rule line that specifies USER, that denial is final. In this case, CA ACF2 for DB2 does not re-drive validation with the next role in the user’s role list.
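The following Python model is an added illustration of the two mechanisms described above (the eight-level sort of $ROLESET rule entries and the role-by-role validation walk); it is not CA ACF2 for DB2 code and does not use its rule syntax or internals. Rule entries are plain dicts, an absent field stands for “not specified”, and the `PAYROLL` rule set, user names, roles and service names are constructed sample data. Two points the page leaves to the product are modelled with stated assumptions: resource-key specificity is approximated by counting mask characters and key length, and the SERVICE “bit sequence” is replaced by a fixed keyword list (`SERVICE_ORDER`).

```python
"""Model of $ROLESET rule-entry ordering and role-by-role access validation.

Added illustration, not product code. Entries are dicts; a missing field means
"not specified". KEY specificity and the SERVICE bit sequence are assumed,
simplified models (see comments).
"""

# ASSUMPTION: stand-in for the product's SERVICE bit sequence.
SERVICE_ORDER = ["SELECT", "INSERT", "UPDATE", "DELETE", "ALL"]


def _key_specificity(entry):
    # Rule 1: "not specified" first, then most specific to least specific.
    # ASSUMPTION: fewer mask characters and a longer key mean "more specific".
    key = entry.get("KEY")
    if key is None:
        return (0, 0, 0)
    return (1, key.count("-") + key.count("*"), -len(key))


def _alpha_dash_last(value):
    # Rules 2 and 3: alphabetical, with "-" (match anything) last.
    return (1, "") if value == "-" else (0, value)


def _unspecified_last(value):
    # Rules 4, 6 and 7: natural order, "not specified" last (dates as ISO text).
    return (1, "") if value is None else (0, value)


def _service(entry):
    # Rule 5: fewest keywords first; ALL (or unspecified, assumed equivalent)
    # last; ties broken by the assumed keyword sequence.
    kws = entry.get("SERVICE")
    if kws is None or "ALL" in kws:
        return (2, 0, ())
    return (1, len(kws), tuple(sorted(SERVICE_ORDER.index(k) for k in kws)))


def _column(entry):
    # Rule 8: fewest keywords first, then alphabetical, "not specified" last.
    cols = entry.get("COLUMN")
    return (1, 0, ()) if cols is None else (0, len(cols), tuple(sorted(cols)))


def sort_key(entry):
    """Composite key reproducing the documented sort levels 1 through 8."""
    return (
        _key_specificity(entry),
        _alpha_dash_last(entry.get("USER", "-")),
        _alpha_dash_last(entry.get("ROLE", "-")),
        _unspecified_last(entry.get("SHIFT")),
        _service(entry),
        _unspecified_last(entry.get("UNTIL")),
        _unspecified_last(entry.get("ACTIVE")),
        _column(entry),
    )


def sort_rule_set(entries):
    return sorted(entries, key=sort_key)


def matches(entry, env, role):
    # ASSUMPTION: "-" or absent matches anything; a trailing "-" in KEY is a
    # prefix mask; SERVICE ALL covers every service.
    key = entry.get("KEY")
    if key is not None:
        if key.endswith("-"):
            if not env["key"].startswith(key[:-1]):
                return False
        elif key != env["key"]:
            return False
    if entry.get("USER", "-") not in ("-", env["user"]):
        return False
    if entry.get("ROLE", "-") not in ("-", role):
        return False
    svc = entry.get("SERVICE")
    if svc is not None and "ALL" not in svc and env["service"] not in svc:
        return False
    return True


def validate(rule_set, env, roles):
    """Return (allowed, role_used).

    Roles are tried in the user's list order. For each role the first matching
    entry in sorted order decides. A denial from an entry that names a USER is
    final; a denial from a role-based entry re-drives with the next role.
    """
    ordered = sort_rule_set(rule_set)
    for role in roles:
        for entry in ordered:
            if matches(entry, env, role):
                if entry["ACCESS"] == "ALLOW":
                    return True, role
                if "USER" in entry:
                    return False, role      # USER denial: no re-drive
                break                       # role denial: try next role
    return False, None                      # role list exhausted


# Constructed sample rule set (deliberately written out of sort order).
RULE_SET = [
    {"KEY": "PAYROLL", "ROLE": "-", "ACCESS": "PREVENT"},
    {"KEY": "PAYROLL", "ROLE": "HRADMIN", "SERVICE": ["SELECT", "DELETE"], "ACCESS": "ALLOW"},
    {"KEY": "PAYROLL", "USER": "JSMITH", "SERVICE": ["DELETE"], "ACCESS": "PREVENT"},
]

if __name__ == "__main__":
    env = {"user": "JSMITH", "key": "PAYROLL", "service": "DELETE"}
    print(validate(RULE_SET, env, ["CLERK", "HRADMIN"]))  # USER denial is final
```

In the sample, the `USER(JSMITH)` entry sorts first, so a `DELETE` request by JSMITH is denied on the first role and the walk stops, even though the HRADMIN role would otherwise have allowed it; a `SELECT` request falls through the role-based `PREVENT` for CLERK and is re-driven to HRADMIN, which allows it.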