An access rule set consists of control statements (the $ and % statements listed below), optional comment lines, and one or more rule entries, each of which names the data being protected and the access permissions that apply to it. The complete syntax for an access rule set is:
$Key(ruleid)
[ $Mode(Quiet|Log|Warn|Abort) ]
[ $NOSort ]
[ $Owner(ownerid) ]
[ $Prefix(prefix) ]
[ $Resowner(resource‑owner) ]
[ $Userdata(userdata) ]
[ %Change uidmask1,uidmask2,...,uidmaskn ]
[ %Rchange uidmask1,uidmask2,...,uidmaskn]
*comment
Vnnnnmask.VOLUME|Vnnnn.fileidmask|Rnnnnmask|DSNmask
[ Volume(volmask) ]
[ UId(uidmask) ]
[ SOurce(source) ]
[ SHift(shiftname) ]
[ ACtive(date) ]
[ UNtil(date)|For(days) ]
[ PGm(pgmmask) ]
[ Read(Allow|Log|Prevent) ]
[ Write(Allow|Log|Prevent) ]
[ Exec(Allow|Log|Prevent) ]
[ Allocate(Allow|Log|Prevent) ]
[ FPool(filepool) ]
[ DIR(filedir) ]
[ Library(libmask) ]
[ DDname(ddnmask) ]
[ DAta(text) ]
Nextkey(nextkey)
CA ACF2 for VM converts rule text longer than 80 characters in a CMS file into continuation lines, which makes the file easier to edit and print. The compiler still accepts input files from previous releases that have record lengths of up to 256 characters.
$KEY(ruleid)
Specifies the logonid of the user this rule set is written for, usually the ID of a VM user who has one or more MDISKs specified under his user entry in the VM Directory. In most cases, this is also the user's CA ACF2 for VM logonid. The rule ID can be up to eight characters long for access rules. You cannot mask this field.
$MODE(Quiet|Log|Warn|Abort)
Aids the transition to phasing in data protection on a rule set basis. Two conditions must be met before $MODE takes effect: the MODE(RULE,no-rule,no-$mode) option must be specified in the OPTS VMO record, and an ABORT condition must occur when CA ACF2 for VM validates access to data the rule set protects (optional).
$OWNER(ownerid)
Specifies the owner of a rule set. It is for information only: no CA ACF2 for VM processing is based on this parameter, and it grants the owner no special privileges relative to the rule set. You can enter the logonid, UID, name of the owner, or other values (up to 24 characters) for local tracking purposes. CA ACF2 for VM displays this value when the rule set is decompiled (optional).
$PREFIX(prefix)
Specifies the string the compiler prepends to the dsn of each rule entry in place of the $KEY value; for CMS files this is normally the minidisk ID. You can enter up to 24 characters and specify multiple levels (for example, TLCAMS.V0191). If you specify $PREFIX() with a null value, the prefix is set equal to the $KEY entry, the $PREFIX control card is not generated when the rule set is decompiled, and CA ACF2 for VM issues a warning message indicating that the null $PREFIX is ignored (optional).
$RESOWNER(resource-owner)
Specifies the resource owner (RESOWNER) of the data set, as a logonid of up to eight characters. CA ACF2 for VM does not use $RESOWNER. For more information, see the Administrator Guide.
$NOSORT
Specifies that the CA ACF2 for VM compiler does not sort the rule set. If you do not specify this statement, CA ACF2 for VM sorts the rule entries from most specific to most general, so that the most specific matching entry governs an access. With $NOSORT the entries keep the order in which you wrote them, so a general entry placed ahead of a more specific one can shadow it. We recommend that you do not use this option. (You must also specify the VMO RULEOPTS $NOSORT parameter.)
$USERDATA(userdata)
Contains text of up to 64 characters. USERDATA information is stored with the rule set (optional).
%CHANGE uidmask1,uidmask2,...,uidmaskn
Specifies who (besides the data owner or a security administrator) can replace a particular set of rules. Because a matching user can replace the whole rule set, including its control statements and the %CHANGE list itself, %CHANGE is in effect full delegation of the rule set. A security administrator can compile a rule set containing only $KEY and %CHANGE control statements, establishing a base rule set that distributes rule-writing permissions (optional).
%RCHANGE uidmask1,uidmask2,...,uidmaskn
Specifies who has restricted CHANGE authority over the rule set. The designated users can change individual rule entries, but not control statements. They cannot delegate change authority or delete the rule set. If the same user matches entries in both %CHANGE and %RCHANGE, %CHANGE takes effect (optional).
*comment
Specified by an asterisk (*) in column one. Unlike the $USERDATA field, comment statements are not stored with the compiled rule set, so they are lost on a compile and decompile sequence. They can appear anywhere in the input (optional).
dsn
The format of the dsn field depends on the type of data being protected:
Minidisks
Specify the virtual device address, preceded by a V (indicating virtual device), followed by VOLUME (such as V0190.VOLUME).
CMS files
Indicate the virtual device, preceded by a V, followed by the filename and filetype (such as V0191.WORK.DATA).
SFS files
Indicate the filename and filetype.
OS/390 data sets
Specify a data set name using OS/390 data set naming conventions (such as SYS1.PARMLIB). The high-level index, however, comes from the $KEY (rule ID) and is not part of the dsn parameter.
VSE data sets
Specify a data set name using VSE naming conventions (such as PAYROLL.MASTER.DATA). CA ACF2 for VM prepends the $KEY (rule ID) field to the data set name to form the full 44-byte DOS file name.
Attachable DASD devices
R, followed by the real address of the device (such as R190) for the disk device.
Tape volumes
Indicate the volume serial identification (volser) or VOLUME, depending on the TAPEVOLS VMO record.
The compiler prefixes the dsn value with the $KEY (rule ID) or with the string specified in the $PREFIX control statement. You can enclose a dsn in single quotes to specify the entire dsn, including the high-level qualifier; you would normally do this only in a rule set reached through NEXTKEY processing.
VOLUME(volmask)
Specifies the volume serial number of the DASD volume that must be mounted on the device to match this rule entry. If omitted, any volume matches. This parameter is valid only for attachable DASD device access rules. You can mask this parameter.
UID(uidmask)
Specifies, as a UID mask, which users the rule entry applies to. If omitted, the entry applies to all users (optional).
SOURCE(source)
Specifies an input source or source group name to which this rule entry applies; for example, the ID of a terminal, in which case the access is allowed only when the user is logged on at that terminal. If no source is specified, any input source is valid. Ask your security administrator for a list of valid source group names (optional).
SHIFT(shiftname)
Specifies the name of the shift record on the Infostorage database that applies to this rule entry. The shift record defines the days, dates, and times when access is allowed. If you do not specify this parameter, the access the rule entry indicates is allowed, logged, or prevented for all days, dates, and times (optional).
ACTIVE(date)
Specifies a Gregorian date in the form mm/dd/yy, yy/mm/dd, or dd/mm/yy (depending on a site option) that is the first date on which this rule entry is considered valid. (See the DATE field of the OPTS VMO record for the site option.) Years specified as 70-99 are taken as 1970-1999; years specified as 00-69 are taken as 2000-2069. This parameter is valid only when the VMO RULEOPTS RULELONG parameter is set.
UNTIL(date)
Specifies a Gregorian date (in the form mm/dd/yy, dd/mm/yy, or yy/mm/dd) that is the last date on which this rule entry is valid (optional).
FOR(days)
Specifies the number of days this rule entry is considered valid, counting from the day the access rule set was compiled. The minimum you can specify is zero (today only); the maximum is 365 (optional).
READ(Allow|Log|Prevent)
Specifies the read access permission (A, L, or P) applied when the dsn, volume, UID, and source parameters of the entry all match the access request (optional):
A  Access is allowed.
L  Access is allowed but logged.
P  Access is prevented (the default).
WRITE(Allow|Log|Prevent)
The same as READ, except that it applies to write access (opening the file for output) (optional).
EXEC(Allow|Log|Prevent)
The same as READ, except that it applies to execute-only access. The effective value is the more permissive of the EXEC value and the READ value, so EXEC can never be more restrictive than READ. Execute authority is always allowed for modules and macros that reside on the S-disk; where an entry specifies EXEC(P) or EXEC(L) for an exec on the S-disk, the execution is logged rather than prevented (optional).
This keyword is not valid for SFS rule entries.
ALLOCATE(Allow|Log|Prevent)
The same as READ, except that it applies to data set allocation. For CMS access validation requests, this parameter applies only to VSAM files.
This keyword is not valid for SFS rule entries.
FPOOL(filepool)
Specifies the SFS file pool portion of the SFS file identifier you want to protect. The presence of FPOOL marks this as an SFS file rule entry, which applies only to SFS access validations. If you omit FPOOL from an SFS file rule entry, it defaults to FPOOL(-) and matches all SFS file pool names.
DIR(filedir)
Specifies the SFS directory portion of the SFS file identifier you want to protect. The presence of DIR marks this as an SFS file rule entry, which applies only to SFS access validations. If you omit DIR from an SFS file rule entry, it defaults to a null value and matches only SFS file identifiers without any directory levels (the SFS root directory). To match any directory, specify DIR(-).
PGM(pgmmask)
Specifies the name of a program (DDR or FORMAT) you want to protect (optional).
This keyword is not valid for SFS rule entries.
DATA(text)
Specifies a string of up to 64 characters that is retained with the rule set and formatted when the rule set is decompiled. Your site may have standards for the format of this string. Standard CA ACF2 for VM does not use these values, but they can be meaningful in a local implementation of CA ACF2 for VM through special program exit checking (optional).
NEXTKEY(nextkey)
Specifies the rule ID of the next (or alternate) rule set to check for this access. If CA ACF2 for VM denies the access based on the rule set environment and the access permissions of the original rule set, it proceeds to the rule set named in NEXTKEY for further checking (optional).
LIBRARY(libmask)
This is an OS/390 keyword. If you specify it in a rule entry, CA ACF2 for VM rule validation skips it. The ACF command access rule TEST subcommand supports this keyword.
DDNAME(ddnmask)
This is an OS/390 parameter. If you specify it in a rule entry, CA ACF2 for VM rule validation skips it. The ACF command access rule TEST subcommand supports this parameter.
The control statements and rule entry parameters are described above.
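The following is an added example and is not code from CA ACF2 for VM or from its documentation: a small Python compiler and evaluator for the rule set syntax described above. It handles the control statements ($KEY, $PREFIX, $NOSORT, %CHANGE, comments) and the rule entry parameters (dsn prefixing and quoted full dsns, UID and SOURCE masks, ACTIVE/UNTIL/FOR validity, READ/WRITE/EXEC permissions with Prevent as the default and EXEC never more restrictive than READ, and NEXTKEY chaining when the result is Prevent). The masking characters ('-' for any string, as in FPOOL(-) above, and '*' for exactly one character), the literal-character-count sort standing in for the compiler's most-specific-first ordering, the mm/dd/yy date option, and the PAYROLL and AUDIT sample rule sets are all assumptions constructed for this example.

```python
# Added example, not CA ACF2 for VM code: a toy compiler/evaluator for the rule set syntax above (assumptions noted inline).
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

def mask_to_regex(mask: str) -> str:
    # Assumed ACF2-style masking: '-' matches any string (cf. FPOOL(-) above), '*' exactly one character
    return "^" + "".join(".*" if c == "-" else "." if c == "*" else re.escape(c) for c in mask) + "$"

def matches(mask: Optional[str], value: str) -> bool:
    return mask is None or re.match(mask_to_regex(mask), value, re.I) is not None  # omitted = matches any

def to_date(text: str) -> date:
    # Site date option assumed to be mm/dd/yy; yy 70-99 is 19xx, 00-69 is 20xx (as the page says)
    m, d, y = (int(p) for p in text.split("/"))
    return date(1900 + y if y >= 70 else 2000 + y, m, d)

@dataclass
class Entry:
    dsn: str               # full dsn mask after $KEY/$PREFIX has been applied
    opts: Dict[str, str]   # remaining keyword(value) parameters, upper-cased keys
    compiled: date         # compile date, the base for FOR(days)

    def specificity(self) -> tuple:
        # Crude stand-in for the compiler's sort: more literal characters = more specific
        lit = lambda s: sum(c not in "-*" for c in s)
        return lit(self.dsn), lit(self.opts.get("UID", "-")), lit(self.opts.get("SOURCE", "-"))

    def valid_on(self, today: date) -> bool:
        o = self.opts
        return ((today >= to_date(o["ACTIVE"]) if "ACTIVE" in o else True)
                and (today <= to_date(o["UNTIL"]) if "UNTIL" in o else True)
                and (today <= self.compiled + timedelta(days=int(o["FOR"])) if "FOR" in o else True))

    def perm(self, access: str) -> str:
        p = self.opts.get(access, "P")[0].upper()  # Prevent is the default for every access type
        if access == "EXEC":                       # EXEC is never more restrictive than READ
            p = max(p, self.opts.get("READ", "P")[0].upper(), key="PLA".index)
        return p

def compile_rules(text: str, compiled: date) -> Tuple[str, List[Entry]]:
    control, entries = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("*"):       # comment lines are dropped by the compiler
            continue
        if line[0] in "$%":                        # $KEY(x), $NOSORT, %CHANGE uidmask, ...
            m = re.match(r"^([$%]\w+)\s*\(?([^)]*)\)?$", line)
            control[m.group(1).upper()] = m.group(2).strip()
            continue
        dsn, _, rest = line.partition(" ")
        opts = {k.upper(): v.strip() for k, v in re.findall(r"(\w+)\(([^)]*)\)", rest)}  # keyword(value) pairs
        if dsn.startswith("'"):                    # quoted: complete dsn, the NEXTKEY-target form
            full = dsn.strip("'")
        else:                                      # else $PREFIX (or $KEY when absent or null) is prepended
            full = f"{control.get('$PREFIX') or control['$KEY']}.{dsn}"
        entries.append(Entry(full.upper(), opts, compiled))
    if "$NOSORT" not in control:
        entries.sort(key=Entry.specificity, reverse=True)
    return control["$KEY"].upper(), entries

def check_access(sets: Dict[str, List[Entry]], key: str, dsn: str, uid: str, source: str,
                 access: str, today: date, seen: tuple = ()) -> str:
    """Return 'A', 'L' or 'P' for one request, following NEXTKEY when the result is Prevent."""
    if (key := key.upper()) not in sets or key in seen:  # no rule set -> Prevent; also stops NEXTKEY loops
        return "P"
    for e in sets[key]:                            # first matching entry decides
        if (matches(e.dsn, dsn.upper()) and matches(e.opts.get("UID"), uid)
                and matches(e.opts.get("SOURCE"), source) and e.valid_on(today)):
            result = e.perm(access.upper())
            if result == "P" and "NEXTKEY" in e.opts:
                return check_access(sets, e.opts["NEXTKEY"], dsn, uid, source, access, today, seen + (key,))
            return result
    return "P"                                     # nothing matched: access is prevented

PAYROLL_RULES = """\
$KEY(PAYROLL)
%CHANGE PAYADM-
* constructed sample (not from the page): only the payroll group, from the payroll LAN, may update the master file
MASTER.DATA UID(PAY-) SOURCE(PAYLAN) READ(A) WRITE(L)
MASTER.DATA READ(P) WRITE(P) NEXTKEY(AUDIT)
V0191.VOLUME UID(SYSPROG*) READ(A) UNTIL(12/31/26)
"""
AUDIT_RULES = """\
$KEY(AUDIT)
'PAYROLL.MASTER.DATA' UID(AUDIT-) READ(L)
"""

def demo() -> Dict[str, str]:
    sets = dict(compile_rules(t, date(2026, 1, 1)) for t in (PAYROLL_RULES, AUDIT_RULES))
    req = lambda dsn, uid, src, acc, day=date(2026, 1, 15): check_access(sets, "PAYROLL", dsn, uid, src, acc, day)
    return {
        "pay_read_from_lan": req("PAYROLL.MASTER.DATA", "PAY001", "PAYLAN", "READ"),     # A
        "pay_read_elsewhere": req("PAYROLL.MASTER.DATA", "PAY001", "HOME", "READ"),      # P
        "auditor_via_nextkey": req("PAYROLL.MASTER.DATA", "AUDIT01", "HOME", "READ"),    # L
        "exec_follows_read": req("PAYROLL.MASTER.DATA", "PAY001", "PAYLAN", "EXEC"),     # A
        "minidisk_in_window": req("PAYROLL.V0191.VOLUME", "SYSPROG1", "TERM1", "READ"),  # A
        "minidisk_expired": req("PAYROLL.V0191.VOLUME", "SYSPROG1", "TERM1", "READ", date(2027, 1, 1)),  # P
    }
```

Running demo() shows the two points a practitioner most often gets wrong with this syntax: the second MASTER.DATA entry prevents everyone who did not match the first one but hands the request to the AUDIT rule set through NEXTKEY, whose quoted dsn is matched against the full name; and EXEC on the first entry is granted even though no EXEC parameter is coded, because READ(A) is the more permissive value. Everything that matches no entry, including a request against a rule ID that has no rule set, ends in Prevent.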
Copyright © 2009 CA Technologies.
All rights reserved.