Masking the $KEY

By masking the resource name ($KEY) of a CA ACF2 Option for DB2 rule set, you can make the rule set apply to multiple DB2 resources rather than just one resource. You can standardize the names of your resources so that certain names fit a particular mask. This enables access to those resources to be controlled by a single rule set. You can mask all resource names except system privileges and utilities. The only system privilege you can mask is the logonid value when you specify BINDAGENT.

The mask for a $KEY can contain only asterisks. You must also pad the $KEY with asterisks to match the maximum length of the resource names you want to match. The following examples show acceptable masks for $KEY control statements:

$KEY(BP***) TYPE(BPL)
$KEY(****PLAN) TYPE(PLN)
$KEY(ADM***.EMPTABLE************) TYPE(TBL)

The dash (-) is not a valid masking character in the $KEY value. When a dash occurs in the $KEY value, CA ACF2 Option for DB2 treats it as a literal character for matching purposes. For example, a $KEY value of TEST.ABC- matches only a resource name of TEST.ABC-.

With masking, you can also write a CA ACF2 Option for DB2 rule set for a group of resources and still write a unique rule set for a single resource in that group. For example, you can write the following $KEYs for databases that begin with FIN:

$KEY(FINPAY01)
$KEY(FINPAY**)
$KEY(FIN*****)

When validating access to the resource, CA ACF2 Option for DB2 uses the $KEY(FINPAY01) to validate access to a database named FINPAY01 because it is a more specific match, but uses the $KEY(FIN*****) to validate access to a database named FINMKT04.
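
The following Python sketch is an added example, not CA code. It models the masking and most-specific-match behavior described above so that you can check which $KEY would cover a given resource name and which names no key covers. It assumes that each asterisk stands for one character or none within a qualifier, and that the matching key with the most literal characters is the most specific one; the function names and the sample resource list are constructed for illustration.

```python
import re

def key_to_regex(key):
    """Compile a $KEY value into a regex under this example's assumptions."""
    parts = []
    for ch in key:
        # Assumption: '*' stands for one character or none and never
        # crosses the '.' between qualifiers. Every other character,
        # including the dash, is matched literally.
        parts.append("[^.]?" if ch == "*" else re.escape(ch))
    return re.compile("".join(parts))

def key_matches(key, resource):
    """True if the whole resource name fits the (possibly masked) key."""
    return key_to_regex(key).fullmatch(resource) is not None

def literal_count(key):
    """Specificity score (assumption): number of non-asterisk characters."""
    return sum(1 for ch in key if ch != "*")

def select_key(keys, resource):
    """Return the matching key with the most literal characters, or None."""
    candidates = [k for k in keys if key_matches(k, resource)]
    return max(candidates, key=literal_count, default=None)

def uncovered(keys, resources):
    """Resource names that no key in the list matches."""
    return [r for r in resources if select_key(keys, r) is None]

# The three $KEY values from the FIN example above.
FIN_KEYS = ["FINPAY01", "FINPAY**", "FIN*****"]
# Constructed sample resource names. FINLEDGER1 is longer than any mask,
# which shows why a mask must be padded to the maximum name length.
RESOURCES = ["FINPAY01", "FINPAY02", "FINMKT04", "FINLEDGER1", "HRPAY01"]

if __name__ == "__main__":
    for name in RESOURCES:
        print(f"{name:<12} -> {select_key(FIN_KEYS, name)}")
    print("not covered:", uncovered(FIN_KEYS, RESOURCES))
```

Names reported as not covered are the ones to review when you standardize resource names against a set of masks.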