

How Resource Rule Records Are Selected for Validation

If you mask resource rule $KEY values, remember that CA ACF2 Option for DB2 considers a rule less specific than another rule if a mask character appears earlier in its resource name. For example, $KEY(TRANS*123) is less specific than $KEY(TRANS.***) because its masking character occurs earlier in the rule key.

When validating a particular resource name, CA ACF2 searches for the resource rule whose $KEY value is the most specific match for the resource name. It matches the $KEY values of the resource rules to the resource name (or to its first qualifier, as described below) from left to right, character by character, starting with the first character.

If the resource name being validated is 252 characters or less, CA ACF2 first searches for the generalized resource rule whose $KEY value most specifically matches the full resource name of the resource being validated. When CA ACF2 finds a rule that matches (directly or with masking) the full resource name, it uses that rule for the validation. When no generalized resource rule key matches the full resource name and the resource name is a qualified resource name, CA ACF2 searches for the resource rule whose $KEY most specifically matches the first qualifier of the resource name. When it finds a rule that matches (directly or with masking) the first qualifier, it uses that rule for the validation.

Resource name:  TEST.TESTNAME2

Sample resource rules:
$KEY(**************) TYPE(TBL) SYSID(TEST)       full key match
 UID(...) SERVICE(SELECT) ALLOW 

$KEY(TEST) TYPE(TBL) SYSID(TEST)                 qualifier match
 TESTNAME2 UID(...) SERVICE(SELECT) ALLOW

If the resource name is longer than 252 characters, it must be a qualified resource name. CA ACF2 searches for the resource rule whose $KEY most specifically matches the first qualifier of the resource name. When it finds a rule that matches (directly or with masking) the first qualifier, it uses that rule for the validation.

Resource name:  TEST.NAME.THAT.IS.SUPPORTED.EVEN.THOUGH.IT.IS.VERY.LONG

Sample resource rule:
$KEY(TEST) TYPE(TBL) SYSID(TEST)
 NAME.- UID(...) SERVICE(SELECT) ALLOW
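
The selection order described above, as an added Python example that is not CA ACF2 code or part of the original documentation. It assumes `*` in a $KEY matches exactly one character at its position and ranks keys position by position from the left; it covers only $KEY selection, not the rule entries inside the selected rule, and all function names are hypothetical.

```python
# Added illustration (not CA ACF2 code): a model of the $KEY selection order.
# Assumption: '*' in a $KEY matches exactly one character at that position.
MAX_FULL_NAME = 252  # longer names are matched on their first qualifier only


def key_matches(key, text):
    """Compare a $KEY with text left to right, character by character."""
    return len(key) == len(text) and all(k in ("*", t) for k, t in zip(key, text))


def specificity(key):
    """Literal positions outrank masked ones; earlier positions dominate,
    so a mask that appears earlier makes the key less specific."""
    return tuple(0 if k == "*" else 1 for k in key)


def most_specific(keys, text):
    """Return the most specific key that matches text, or None."""
    matches = [k for k in keys if key_matches(k, text)]
    return max(matches, key=specificity) if matches else None


def select_rule(resource_name, keys):
    """Return (key, 'full' or 'qualifier') for the rule used, or None."""
    # Step 1: names of 252 characters or less are tried as a full key match.
    if len(resource_name) <= MAX_FULL_NAME:
        key = most_specific(keys, resource_name)
        if key is not None:
            return key, "full"
    # Step 2: fall back to the first qualifier of a qualified name.
    if "." not in resource_name:
        return None  # unqualified name: there is no qualifier to match
    qualifier = resource_name.split(".", 1)[0]
    key = most_specific(keys, qualifier)
    return (key, "qualifier") if key is not None else None


if __name__ == "__main__":
    sample_keys = ["**************", "TEST"]  # the two sample $KEY values above
    print(select_rule("TEST.TESTNAME2", sample_keys))
    print(select_rule("TEST.TESTNAME2", ["TEST"]))
    print(select_rule("TRANS.123", ["TRANS*123", "TRANS.***"]))
    long_name = "TEST." + "A" * 260  # constructed name longer than 252
    print(select_rule(long_name, ["TEST"]))
```

When reviewing a rule set, this ordering shows why a fully masked key takes precedence over a qualifier-only key for any name it matches: the qualifier rule is consulted only when no key matches the full name.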