Previous Topic: How Resource Rule Records Are Selected for ValidationNext Topic: Which Rule Entry is Selected for $ROLESET Rules?

Writing RulesCA ACF2 Resource Rule ValidationWhich Rule Entry Is Selected for UID Rules?

Which Rule Entry Is Selected for UID Rules?

When you create or compile a rule set, CA ACF2 Option for DB2 sorts the rule entries according to specific criteria. The order in which CA ACF2 Option for DB2 sorts rule entries is important because CA ACF2 Option for DB2 selects the first rule entry in the rule set that matches the request. If you do not want CA ACF2 Option for DB2 to automatically sort your rule entries, you can use the $NOSORT control statement. This control statement prevents CA ACF2 Option for DB2 from sorting rule entries when the rule set is stored. We suggest you use $NOSORT with caution. In general, let CA ACF2 Option for DB2 sort your rule entries automatically. Here is the order in which CA ACF2 Option for DB2 automatically sorts rule entries in a rule set:

  1. Extended resource key parameters from most specific to least specific with “not specified” first.
  2. UID patterns from most specific to least specific, then in alphabetic order. For entries with the same UID, CA ACF2 Option for DB2 sorts the rule entries by rule parameters with more parameters sorted before fewer parameters.
  3. SHIFT parameters in alphabetic order (with “not specified” last).
  4. SERVICE parameters with least number of keywords first (the ALL keyword is sorted last because it represents all keywords). Multiple keywords specified by a single SERVICE parameter are sorted in a pattern determined by CA Technologies (that is, in bit sequence).
  5. UNTIL/FOR dates from earliest to latest (with “not specified” last).
  6. ACTIVE dates from earliest to latest (with “not specified” last).
  7. COLUMN parameters with least number of keywords first in alphabetic order (with “not specified” last).

For example, suppose you enter the following rule entries into the compiler in this order. (The numbers are shown for illustrative purposes only.)

01  $KEY(PROD.PAYROLL_TABLE)
02  $TYPE(TBL)
03  $SYSID(DB2P)
04  %CHANGE TFINPAYISO
05  %RCHANGE TFIN
06  UID(TFINPAYISO) SERVICE(ALL) ALLOW
07  ID(TFINADMISO) SERVICE(SELECT) ALLOW
08  UID(TFINADMISO) SERVICE(ALL) ALLOW
09  UID(TFIN) SERVICE(ALL) SHIFT(NORMAL) ALLOW
10  UID(TFIN) SERVICE(ALL) SHIFT(OVERTIME) LOG
11  UID(TFINADMISO) SERVICE(ALL) SHIFT(OVERTIME) COLUMN(TERM_DATE) LOG
12  UID(TFIN) SERVICE(ALL) SHIFT(OVERTIME) ALLOW UNTIL(10/12/99)
13  UID(*) SERVICE(SELECT) ALLOW
14  UID(*) SERVICE(UPDATE) COLUMN(PAY_RATE) LOG
15  UID(TFINPAYISO) SERVICE(DELETE,ALTER) ALLOW
16  UID(TFINPAYISO) SERVICE(UPDATE,SELECT,INDEX) ALLOW
17  UID(TFINPRS) SERVICE(SELECT) ALLOW ACTIVE(02/04/99)
18  UID(TFINPRS) SERVICE(SELECT) LOG UNTIL(02/03/99)

The CA ACF2 Option for DB2 rule compiler would sort the rule entries into the following order:

01  $KEY(PROD.PAYROLL_TABLE) TYPE(TBL) SYSID(DB2P)
04  %CHANGE TFINPAYISO
05  %RCHANGE TFIN
11   UID(TFINADMISO) SHIFT(OVERTIME) SERVICE(ALL) COLUMN(TERM_DATE) LOG
07   UID(TFINADMISO) SERVICE(SELECT) ALLOW
08   UID(TFINADMISO) SERVICE(ALL) ALLOW
15   UID(TFINPAYISO) SERVICE(ALTER,DELETE) ALLOW
16   UID(TFINPAYISO) SERVICE(INDEX,INSERT,SELECT) ALLOW
06   UID(TFINPAYISO) SERVICE(ALL) ALLOW
18   UID(TFINPRS) SERVICE(SELECT) LOG UNTIL(02/03/99)
17   UID(TFINPRS) SERVICE(SELECT) ALLOW ACTIVE(02/04/99)
09   UID(TFIN) SHIFT(NORMAL) SERVICE(ALL) ALLOW
12   UID(TFIN) SHIFT(OVERTIME) UNTIL(10/12/99) SERVICE(ALL) ALLOW
10   UID(TFIN) SHIFT(OVERTIME) SERVICE(ALL) LOG
14   UID(*) SERVICE(UPDATE) COLUMN(PAY_RATE) LOG
13   UID(*) SERVICE(SELECT) ALLOW

If more than one rule entry matches the environment (because of duplicate SERVICE or COLUMN parameters), CA ACF2 Option for DB2 uses the first rule entry that matches.

If you specify the $NOSORT control statement, CA ACF2 Option for DB2 does not sort the rule entries. They remain in the order that you entered them into the compiler or in the data set.