Similar files (such as production files) may require similar CA ACF2 for VM validation. The following rule sets provide an example of using NEXTKEY to merge multiple rule sets:
$KEY(ACCT01)
V0191.A.DATA NEXTKEY(ACCTXX)

$KEY(ACCT02)
V0191.A.DATA NEXTKEY(ACCTXX)

$KEY(ACCT03)
V0191.A.DATA NEXTKEY(ACCTXX)

$KEY(ACCT25)
V0191.A.DATA NEXTKEY(ACCTXX)
In the following rule set, accounting personnel (UIDs that match the mask ACCTUID) have READ and WRITE access to all of the above accounting files, each of which falls under a different rule ID and can belong to a different user. Rather than writing a rule entry that allows access to each file, use the NEXTKEY operand to direct CA ACF2 for VM to one main rule set (ACCTXX) that governs all of these indexes. That rule set would be written as follows:

$KEY(ACCTXX)
$PREFIX(ACCT**)
%RCHANGE ACCTMGR
V0191.A.DATA UID(ACCTUID) R(A) W(A)
The %RCHANGE control statement in this example establishes that the account manager (ACCTMGR) is responsible for writing and maintaining this rule set (after a security administrator establishes it). The account manager can change individual rule entries in the rule set, but not the control statements.
The NEXTKEY rule set must contain the $PREFIX control statement to ensure that the VM user ID associated with the specified files matches the file ID masks specified.
There are two ways to control access to one particular file. When you use NEXTKEY to merge rule sets, you can enclose the data set name in single quotes to specify the CA ACF2 for VM file ID (such as ACCT29.V0191.A.DATA) as a rule entry in the alternate ACCTXX rule set:
$KEY(ACCTXX)
$PREFIX(ACCT**)
%RCHANGE ACCTMGR
'ACCT29.V0191.A.DATA' UID(ACCTUID01) R(P) W(P) E(A)
V0191.A.DATA UID(ACCTUID) R(A) W(A)

Here, user ACCTUID01 has only EXECUTE access to ACCT29.V0191.A.DATA. All other users matching ACCTUID have READ and WRITE access to all accounting files, and ACCTUID01 has that access to every accounting file except ACCT29.V0191.A.DATA.
Another way to control access permission to a particular file is to place a rule entry in the original ACCT29 rule set to specify READ, WRITE, and EXECUTE access for ACCTUID01, still retaining the NEXTKEY rule entry to govern all other access attempts:
$KEY(ACCT29)
V0191.A.DATA UID(ACCTUID01) R(P) W(P) E(A)
V0191.A.DATA NEXTKEY(ACCTXX)
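The requirement that a NEXTKEY target carry a $PREFIX statement covering the rule sets that point to it can be checked over a text export of the rules. The following is an added example, not CA code: it assumes one statement per line and that each * in a $PREFIX mask stands for exactly one character, and the PAYR01, ACCT30 and ACCTYY rule sets are constructed to trigger findings.

```python
import re

# Constructed sample: rule sets from this page, one statement per line, plus
# three made-up sets (PAYR01, ACCT30, ACCTYY) that should be flagged.
SAMPLE = """\
$KEY(ACCT29)
V0191.A.DATA UID(ACCTUID01) R(P) W(P) E(A)
V0191.A.DATA NEXTKEY(ACCTXX)
$KEY(ACCTXX)
$PREFIX(ACCT**)
%RCHANGE ACCTMGR
V0191.A.DATA UID(ACCTUID) R(A) W(A)
$KEY(PAYR01)
V0191.A.DATA NEXTKEY(ACCTXX)
$KEY(ACCT30)
V0191.A.DATA NEXTKEY(ACCTYY)
$KEY(ACCTYY)
V0191.A.DATA UID(ACCTUID) R(A)
"""

def parse(text):
    """Return {key: {"prefix": mask or None, "nextkeys": [targets]}}."""
    sets, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"\$KEY\((\w+)\)", line):
            cur = sets.setdefault(m.group(1), {"prefix": None, "nextkeys": []})
        elif cur is not None and (m := re.match(r"\$PREFIX\(([\w*]+)\)", line)):
            cur["prefix"] = m.group(1)
        elif cur is not None:
            cur["nextkeys"] += re.findall(r"NEXTKEY\((\w+)\)", line)
    return sets

def mask_matches(mask, key):
    # Assumption of this sketch: each '*' stands for exactly one character.
    return re.fullmatch(re.escape(mask).replace(r"\*", "."), key) is not None

def lint(sets):
    findings = []
    for key, rs in sorted(sets.items()):
        for target in rs["nextkeys"]:
            dest = sets.get(target)
            if dest is None:
                findings.append((key, target, "target rule set not found"))
            elif dest["prefix"] is None:
                findings.append((key, target, "target lacks $PREFIX"))
            elif not mask_matches(dest["prefix"], key):
                findings.append((key, target, "key outside target $PREFIX mask"))
    return findings
```

Calling lint(parse(SAMPLE)) reports ACCT30 (its target ACCTYY has no $PREFIX) and PAYR01 (its key falls outside ACCT**), while ACCT29 passes.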
Copyright © 2009 CA Technologies.
All rights reserved.