About Access Rules

CA ACF2 for VM protects all data by default. This means that no one can access (read, write, or execute) a file other than the owner of the file or a security administrator unless an access rule exists that specifically allows the access. CA ACF2 for VM automatically protects all data. CA ACF2 for VM provides for controlled access to data through access rules.

An access rule entry is a statement that defines the data you want to protect, who can access that data, and what type of access they can have (can they just look at the data, or can they change it). As you become more familiar with
CA ACF2 for VM, you can limit when users can access the data, and where they can access the data from. There are many other limitations you can put on users, and you will learn about those later in this guide.

An access rule set is a collection of rule entries that apply to one element. An element can be all of the minidisks a user ID owns, or the high level index of VSE or OS/390 data sets. The rule set name, or $KEY value, is a user ID or the high level index of a data set name. The easiest way to think of a rule set is that it is a file that contains rules that allow or prevent others from reading or changing your data.

Writing access rules for all data on CA ACF2 for VM may seem like a complicated task at first, but keep in mind these three important features:

CA ACF2 for VM is integrated into your computer operating system in modes. These modes are designed to provide time for you to develop and test rules and local CA ACF2 for VM features. The five modes of
CA ACF2 for VM are QUIET, LOG, WARN, RULE, and ABORT. For more information on these modes, see the Implementation Planning Guide.
You can centralize or decentralize the different aspects of rule administration. In a centralized environment, security administrators have the authority to maintain access rules. If you specify NOCENTRAL in the RULEOPTS VMO record, rule writing is decentralized. This lets each user change the rule set that matches his PREFIX (often the same as the user's logonid).
You can also delegate rule administration to different individuals and control what rules they can administer through the SCPLIST facility or through rule sets that specify who can change various aspects of the rule. See the “About the Loginid Record” chapter for more information about SCPLIST.
Masking lets you write rule entries that apply to groups of users and groups of data. Masking greatly decreases the number of necessary rules.

When you finish this chapter, you will know

What access rules are and why you need them to protect your data
What masking is and how to use it
How to change the full‑screen feature options and its PF keys
How to set the correct mode for rule processing
What ACF subcommands are valid for processing rules.

This section contains the following topics:

Why You Need Access Rules

Using Masking in Access Rules

Access Rule Masking

Using NEXTKEY