A sample rule set for a table might look like this:
$KEY(PROD.EMPLPAY)
$TYPE(TBL)
$SYSID(DB2P)
$LIDOWNER(USER99)
UID(****PAY) SERVICE(SELECT,UPDATE,DELETE,INSERT) LOG SHIFT(NORMAL)
UID(-) SERVICE(SELECT) ALLOW
Here is an explanation of each element of this sample rule set:
$KEY(PROD.EMPLPAY)
This control statement identifies the table that this rule protects. CA ACF2 Option for DB2 uses this rule set when a user attempts to access the PROD.EMPLPAY table.
$TYPE(TBL)
This control statement identifies the type of DB2 resource that this rule applies to. In this case, the resource is a table (TBL).
$SYSID(DB2P)
This control statement means CA ACF2 Option for DB2 uses these rules when a user makes a request to use a resource that exists on the DB2 subsystem DB2P, or on a subsystem that has DB2P as the value of the GSYSID field in the DB2 OPTS record.
$LIDOWNER(USER99)
This control statement specifies the logonid that owns this table resource. CA ACF2 Option for DB2 automatically gives the USER99 logonid access to the PROD.EMPLPAY table.
UID(****PAY)
This rule entry applies to any user whose UID matches ****PAY (for example, a user in the accounts payable department). This rule entry is sorted before the rule entry UID(-) because CA ACF2 Option for DB2 sorts from most specific to least specific.
SERVICE(SELECT,UPDATE,DELETE,INSERT)
The keywords of this parameter are the functions that CA ACF2 Option for DB2 must match with the function that the accounts payable user wants to perform. In this case, this rule entry is used if an accounts payable user wants to perform the SELECT, UPDATE, DELETE, or INSERT function. If none of these functions match, CA ACF2 Option for DB2 denies the access and provides protection by default.
LOG
This access permission lets the accounts payable users perform the functions specified by the SERVICE parameter but logs each access.
SHIFT(NORMAL)
This parameter specifies what type of time and day environment must exist for CA ACF2 Option for DB2 to allow access. The site defined the NORMAL shift in the shift infostorage record as 9:00 a.m. to 5:00 p.m. Monday through Friday.
UID(-)
This rule entry applies to everyone. The accounts payable users are still given more privileges because CA ACF2 Option for DB2 finds their rule entry first and uses it to determine their access.
SERVICE(SELECT)
This parameter specifies the function that the user must be performing for this rule entry to match. In this case, if the user does not match the first rule entry that begins with UID(****PAY), CA ACF2 Option for DB2 uses this rule entry to determine access. If the user wants to perform a function other than SELECT, CA ACF2 Option for DB2 denies the access. Otherwise, CA ACF2 Option for DB2 allows the access.
ALLOW
This access permission lets all users select the PROD.EMPLPAY table.
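The evaluation order described above (most specific UID first, then SERVICE and SHIFT must match, otherwise deny by default) can be walked through with a small model. This is an added illustration, not CA ACF2 code; it assumes UID masking where `*` matches exactly one character and `-` matches the remainder, and encodes the NORMAL shift as the page defines it. The sample UIDs and times are constructed.

```python
import re
from datetime import datetime

# The page's rule set as structured data: one dict per rule entry, in source order.
RULE_ENTRIES = [
    {"uid": "****PAY", "services": {"SELECT", "UPDATE", "DELETE", "INSERT"},
     "access": "LOG", "shift": "NORMAL"},
    {"uid": "-", "services": {"SELECT"}, "access": "ALLOW", "shift": None},
]

# Constructed sample times: a Tuesday inside the NORMAL shift and a Saturday outside it.
WEEKDAY = datetime(2011, 6, 14, 10, 30)
WEEKEND = datetime(2011, 6, 18, 10, 30)

def in_shift(shift, when):
    """Assumed shift record: NORMAL = 09:00-17:00 Monday to Friday; no SHIFT means any time."""
    if shift is None:
        return True
    if shift == "NORMAL":
        return when.weekday() < 5 and 9 <= when.hour < 17
    raise ValueError(f"unknown shift {shift}")

def uid_matches(mask, uid):
    """Assumed masking: '*' matches exactly one character, '-' matches the remainder."""
    parts = []
    for c in mask:
        if c == "-":
            parts.append(".*")
            break  # nothing after '-' is significant
        parts.append("." if c == "*" else re.escape(c))
    return re.fullmatch("".join(parts), uid) is not None

def specificity(entry):
    """Sort key: a '-' mask sorts after any '*' mask; fewer '*' positions sort first."""
    mask = entry["uid"]
    return (1 if "-" in mask else 0, mask.count("*"))

def evaluate(uid, service, when, entries=RULE_ENTRIES):
    """Return 'LOG', 'ALLOW' or 'DENY' for one request, in the order the page describes."""
    for entry in sorted(entries, key=specificity):
        if not uid_matches(entry["uid"], uid):
            continue
        # The first entry whose UID matches decides the request: SERVICE and SHIFT must
        # also match, otherwise the access is denied (protection by default).
        if service in entry["services"] and in_shift(entry["shift"], when):
            return entry["access"]
        return "DENY"
    return "DENY"  # no rule entry matched the UID at all
```

Running `evaluate("ACCTPAY", "UPDATE", WEEKDAY)` gives LOG, the same request on WEEKEND gives DENY, and `evaluate("ACCTHR0", "SELECT", WEEKDAY)` falls through to the UID(-) entry and gives ALLOW.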
Copyright © 2011 CA Technologies.
All rights reserved.