

Access Rule Control Statements

Access rules for each minidisk are grouped together and built into a rule object record. The input to the rule compiler consists of the access rule entries and the control statements listed below. To continue input across multiple lines, end a line with a blank space and a dash (-).

The $KEY control statement is the only required control statement. You can specify any or all of the additional control statements, but only one of each type is allowed per rule set. All $ control statements must precede % control statements. Control statements begin in column one.

You can specify multiple $ control statements on the same line with a single $ in column one. For example, you can use either of the following formats:

Format 1:

 $KEY(SYS9)
 $PREFIX(SYS*)
 $USERDATA(comments)

Format 2:

 $KEY(SYS9) PREFIX(SYS*) USERDATA(comments)

$KEY When TLCAMS is compiling a rule set to allow access to the file MYFILE COBOL on MDISK 0191, the $KEY control statement contains $KEY(TLCAMS). When you write rules for your own files, the $KEY control statement usually contains your logonid because it is often specified as the PREFIX for your own files or minidisks.

For DASD devices that can be dedicated to a particular virtual machine using the CP ATTACH command or the DEDICATE VM directory control statement, the $KEY is always SYSTEM for DASD.

$MODE The no‑rule parameter indicates the action CA ACF2 for VM takes if no access rule is found. The no‑$mode parameter indicates the action CA ACF2 for VM takes if no $MODE control statement is found in the applicable access rule set. Valid values for no‑rule and no‑$mode are QUIET, LOG, WARN, and ABORT.

For example, in the following rule set, only user TLCPJM can link to TLCAMS's 0191 minidisk with read and write access. The $MODE statement with a LOG mode lets all other users gain access (with logging):

 $KEY(TLCAMS)
 $MODE(LOG)
  V0191.VOLUME UID(TLCPJM) R(A) W(A)

%CHANGE The format of the %CHANGE control statement is %CHANGE (uidmask,...,uidmask). Each UID mask is a full UID or UID pattern. You can deactivate the %CHANGE function through the CHANGE|NOCHANGE operand of the RULEOPTS VMO record. %CHANGE lets designated users change the rule set to delegate %CHANGE authority to other users. They can change or delete any part of the rule set. There is no limit to the number of change commands that you can enter.

%RCHANGE A security administrator can compile a rule set with only $KEY and %RCHANGE control statements, establishing a base rule set to distribute rule writing permissions. %RCHANGE lets designated users change only rule entries in the rule set. They cannot delegate rule writing authority. There is no limit to the number of change commands that you can enter.
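
The ordering and uniqueness rules for control statements, together with the $MODE(LOG) behavior from the example, can be checked before a rule set goes to the compiler. The linter below is an added example, not CA ACF2 code and not the rule compiler's own logic; the function names are hypothetical, and the way a continued line resumes on the next line is an assumption.

```python
import re

VALID_MODES = {"QUIET", "LOG", "WARN", "ABORT"}   # values listed on the page
STMT = re.compile(r"([A-Z]+)\s*\(([^)]*)\)")       # NAME(value) or NAME (value)

# Rule set from the page's $MODE example.
PAGE_EXAMPLE = "$KEY(TLCAMS)\n$MODE(LOG)\n V0191.VOLUME UID(TLCPJM) R(A) W(A)\n"

def join_continuations(text):
    """Merge a line ending in blank + dash with the line after it.
    Assumption: the continued text resumes at the start of the next line."""
    out, buf = [], ""
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith(" -"):
            buf += line[:-1]            # drop the dash, keep the blank
        else:
            out.append(buf + line)
            buf = ""
    return out + ([buf] if buf else [])

def lint_rule_set(text):
    """Return findings for the control statements of one rule set."""
    findings, seen, percent_seen = [], set(), False
    for line in join_continuations(text):
        if not line or line[0] not in "$%":
            continue                    # rule entries are not checked here
        sigil = line[0]                 # control statements start in column one
        if sigil == "%":
            percent_seen = True
        elif percent_seen:
            findings.append("$ control statement after a % control statement")
        for name, value in STMT.findall(line[1:]):
            key = sigil + name
            if key in seen:
                findings.append(f"duplicate {key}")
            seen.add(key)
            if key == "$MODE" and value.strip() not in VALID_MODES:
                findings.append(f"invalid $MODE value {value!r}")
            elif key == "$MODE" and value.strip() == "LOG":
                findings.append("$MODE(LOG): users without a matching rule get logged access")
    if "$KEY" not in seen:
        findings.append("missing required $KEY")
    return findings

if __name__ == "__main__":
    for finding in lint_rule_set(PAGE_EXAMPLE):
        print(finding)
```

Run against the page's example rule set, it reports the $MODE(LOG) finding only; both Format 1 and Format 2 pass without findings.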