Resource grouping lets you write a single rule set for multiple resources. To use resource grouping, use the CA ACF2 cross‑reference resource group (X‑RGP) records. X‑RGP records group resources for which you want similar access control in a resource group. These records cross‑reference the resource names and type codes. They can also cross‑reference other resource group records.
These X‑RGP fields are acceptable:
To control a resource cross‑referenced in an X‑RGP record, specify the resource group name or record ID of the X‑RGP record in the $KEY control statement. To use resource grouping in CA ACF2 Option for DB2, however, you must specify the DB2 subsystem SYSID as part of the resource name or entry in the INCLUDE or EXCLUDE field. For example, the INCLUDE entries for table resources might look like this for the PROD DB2 subsystem:
INCLUDE(PRODEMPLOYEE.TABLE,PRODPAY.TABLE,PRODUSER.TABLE)
Here is an example of creating one resource group to control multiple databases. The name of the cross-reference resource group for the following databases is FINANCE:
These are the ACF subcommands that you enter:
READY
acf
ACF
set xref(rgp)
XREF
insert finance type(dbs) sysid(prod) include(prodacctpay,prodacctrec,-
prodfin01,prodfin02,prodaudit01,prodaudit02)
Note that the SYSID you use in the above XREF INSERT statement is the CA ACF2 SYSID, not the DB2 subsystem ID. The SYSID in the INSERT statement determines whether this record is included in the XRGP structure at NEWXREF time. If the SYSID in effect for CA ACF2 at the time of the NEWXREF matches this SYSID value, the XRGP record is included in the XRGP structure, that is, it will be active. Also note that you did not have to specify the RESOURCE field because this is the default. See the CA ACF2 Administrator Guide for full details about how to use X‑RGP records.
When CA ACF2 Option for DB2 validates access to a resource, it first attempts to find a CA ACF2 Option for DB2 rule with a matching $KEY. If CA ACF2 Option for DB2 does not find a $KEY, it next searches an in‑storage cross‑reference list of resources contained in resource groups. This search tells CA ACF2 Option for DB2 the resource groups to which the resource belongs. CA ACF2 Option for DB2 tests the rule written for the first resource group matched (this list is sorted in collating sequence). If the rule denies access, the next rule set is tested. If no rule set is found that grants access, access is denied.
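The following Python model of that validation order is an added illustration, not CA ACF2 code. It assumes each rule set can be reduced to a set of permitted user IDs and that the collating sequence is EBCDIC (modelled with cp037). The AUDIT and TESTFIN groups, the user IDs and the direct PRODFIN01 rule are hypothetical.

```python
# Added illustration: simplified model of the validation order described above.
# Each rule set is reduced to the set of user IDs it permits (a simplification).

def build_xref(records, active_sysid):
    """Model NEWXREF: only X-RGP records whose SYSID matches the CA ACF2
    SYSID in effect are loaded into the in-storage cross-reference list."""
    xref = {}
    for rec in records:
        if rec["sysid"] != active_sysid:
            continue  # record is not active on this system
        for resource in rec["include"]:
            xref.setdefault(resource, []).append(rec["group"])
    for groups in xref.values():
        # Assumption: the collating sequence is EBCDIC; cp037 stands in for it.
        groups.sort(key=lambda name: name.encode("cp037"))
    return xref

def validate(user, resource, rules, xref):
    """Return (granted, $KEY of the rule set that decided, or None)."""
    if resource in rules:
        # A rule with a matching $KEY exists: groups are not consulted.
        return (user in rules[resource], resource)
    for group in xref.get(resource, []):
        if user in rules.get(group, set()):
            return (True, group)  # first group rule that grants access
        # a denial falls through to the next group's rule set
    return (False, None)  # no rule set grants access

# Constructed sample data. FINANCE is the group from the example above;
# AUDIT, TESTFIN, the user IDs and the PRODFIN01 rule are hypothetical.
RECORDS = [
    {"group": "FINANCE", "sysid": "PROD",
     "include": ["PRODACCTPAY", "PRODACCTREC", "PRODFIN01", "PRODFIN02"]},
    {"group": "AUDIT", "sysid": "PROD", "include": ["PRODACCTPAY"]},
    {"group": "TESTFIN", "sysid": "TEST", "include": ["PRODACCTPAY"]},
]
RULES = {
    "FINANCE": {"FINADM1"},
    "AUDIT": {"AUDITOR1"},
    "TESTFIN": {"DEVUSR1"},
    "PRODFIN01": {"DBA1"},  # direct $KEY rule for one database
}
XREF = build_xref(RECORDS, active_sysid="PROD")

if __name__ == "__main__":
    for user, res in [("FINADM1", "PRODACCTPAY"), ("AUDITOR1", "PRODACCTPAY"),
                      ("DEVUSR1", "PRODACCTPAY"), ("FINADM1", "PRODFIN01")]:
        print(user, res, validate(user, res, RULES, XREF))
```

In this model a resource that belongs to several active groups is reachable by anyone whom any of those group rules permits, because a denial only moves the search to the next group. When reviewing access, check every X‑RGP record that includes the resource, not only the first one.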
Copyright © 2011 CA Technologies.
All rights reserved.