

Splitting Rule Sets

The NEXTKEY feature can also split an access rule set. This may be necessary to selectively delegate rule maintenance (%CHANGE or %RCHANGE) authority. Or, it may be necessary if a rule set is very large and exceeds the 4K physical storage size limit.

For example, you can have several entries for a rule set, all under the same VM user ID, TLCAMS. The NEXTKEY feature can redirect or split the rule set for VM TLCAMS into smaller sets as follows:

$KEY(TLCAMS)
 V0191.- NEXTKEY(A)
 V0192.- NEXTKEY(B)
 V0193.- NEXTKEY(C)

In this example, the first three rule entries specify the NEXTKEY rule sets to validate access to the V0191, V0192, and V0193 minidisks and the CMS files that reside on them. You can then write three smaller rule sets as follows:

$KEY(A)
$PREFIX(TLCAMS.V0191)
%RCHANGE PAYDIR
 - UID(PC1) R(A) W(A)
 - UID(PC2) R(A) W(A)
 - UID(PC3) R(A) W(A)
 - UID(MGR) R(A)
$KEY(B)
$PREFIX(TLCAMS.V0192)
%RCHANGE OPSDIR
 - UID(OPR) R(A)
$KEY(C)
$PREFIX(TLCAMS.V0193)
%RCHANGE PRGDIR
 - UID(PRG) R(A)

These rule sets allow the delegation of %RCHANGE rule authority, and each is smaller than the single rule set that would otherwise be required for VM user ID TLCAMS. Specify the $PREFIX control statement so that TLCAMS is supplied as the prefix of each minidisk and CMS file ID. For more information about NEXTKEY, see the “About Access Rules” chapter.

In the first rule set, which governs V0191 files, the Director of Payroll (PAYDIR) can change rule entries governing only the TLCAMS V0191 files, through the %RCHANGE control statement. Similar authority is delegated to the Director of Operations (OPSDIR) in the V0192 rule set, and to the Director of Programming (PRGDIR) in the V0193 rule set.

Payroll Clerks (PC1, PC2, and so on) need READ and WRITE access to V0191 files to update them. These accesses are specified in the first rule set governing V0191 files. The Payroll Manager (MGR) is only given READ access to V0191 files.

Computer operators (OPR) must have READ access to only the V0192 files. This access is allowed in the second rule set ($KEY(B)) governing TLCAMS.V0192.-. Similarly, programmers (PRG) can link for READ access only to the V0193 files in the third rule set above.

CA ACF2 for VM validation is directed to the rule set specified in the NEXTKEY option only when access based on the current rule set is prevented. You can have a chain of up to 25 NEXTKEY options. If you specify more than 25, CA ACF2 for VM denies access and writes a KEYEXECS trace record that appears on the ACFRPTDS report. The same rule set cannot be referenced twice during a single validation. That is, the chain of NEXTKEY options cannot form a loop. If the same rule set is referenced twice, the access is denied and a NKEYLOOP trace record is written to the ACFRPTDS report. See the Reports and Utilities Guide for complete information about ACFRPTDS and NEXTKEY reporting.
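The following Python model is an added example, not CA ACF2 code and not part of this documentation. It parses the TLCAMS redirect set and the three split rule sets shown above, then validates requests the way the text describes: NEXTKEY is followed only when the current rule set prevents access, a chain longer than 25 hops is denied with a KEYEXECS trace entry, and a rule set referenced twice is denied with NKEYLOOP. The resource names and the requests in the usage note are constructed; treating a UID value as a prefix mask and taking the first matching entry are simplifications (real CA ACF2 sorts entries by specificity, the subject of the next topic), and the K0, K1, ... rule sets built by chain_rules exist only to exercise the hop limit.

```python
"""NEXTKEY chaining in CA ACF2 for VM access rules, modelled in Python.

Added example, not product code: parses the rule-set text shown on this
page and validates requests by following NEXTKEY only when the current set
prevents access, with at most 25 hops (KEYEXECS) and no set visited twice
(NKEYLOOP).  Simplifications: a trailing '-' matches any remainder, a UID
value is a prefix mask, and the first matching entry wins.
"""
import re

MAX_NEXTKEY = 25  # chain length limit stated on this page

SPLIT_RULES = """\
$KEY(TLCAMS)
 V0191.- NEXTKEY(A)
 V0192.- NEXTKEY(B)
 V0193.- NEXTKEY(C)
$KEY(A)
$PREFIX(TLCAMS.V0191)
%RCHANGE PAYDIR
 - UID(PC1) R(A) W(A)
 - UID(PC2) R(A) W(A)
 - UID(PC3) R(A) W(A)
 - UID(MGR) R(A)
$KEY(B)
$PREFIX(TLCAMS.V0192)
%RCHANGE OPSDIR
 - UID(OPR) R(A)
$KEY(C)
$PREFIX(TLCAMS.V0193)
%RCHANGE PRGDIR
 - UID(PRG) R(A)
"""  # the split rule sets from this page, as text

PARAM = re.compile(r"(\w+)\(([^)]*)\)")  # KEYWORD(value) parameter

def parse_rules(text):
    """Parse rule-set text into {key: {"prefix", "rchange", "entries"}}."""
    sets, cur = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("$KEY("):
            cur = sets[line[5:-1]] = {"prefix": None, "rchange": [], "entries": []}
        elif line.startswith("$PREFIX("):
            cur["prefix"] = line[8:-1]
        elif line.startswith(("%CHANGE", "%RCHANGE")):
            cur["rchange"] += line.split()[1:]   # delegated rule maintainers
        else:  # rule entry: resource pattern, then KEYWORD(value) parameters
            pattern, *params = line.split()
            entry = {"pattern": pattern}
            for p in params:
                m = PARAM.fullmatch(p)
                if m is None:
                    raise ValueError(f"bad parameter {p!r} in {line!r}")
                entry[m.group(1)] = m.group(2)
            cur["entries"].append(entry)
    return sets

def _match(pattern, name):
    """A trailing '-' matches any remaining characters; otherwise exact match."""
    return name.startswith(pattern[:-1]) if pattern.endswith("-") else pattern == name

def validate(sets, uid, resource, access):
    """Decide access ('R'/'W') for uid to resource -> (decision, trace of $KEYs)."""
    trace, visited, hops = [], set(), 0
    key = resource.split(".")[0]          # high-level qualifier selects $KEY
    while True:
        if key in visited:                # the NEXTKEY chain formed a loop
            trace.append("NKEYLOOP")
            return "DENY", trace
        visited.add(key)
        trace.append(key)
        rs = sets.get(key)
        if rs is None:
            return "DENY", trace
        prefix = (rs["prefix"] or key) + "."      # $PREFIX, else $KEY
        rest = resource[len(prefix):] if resource.startswith(prefix) else None
        entry = next((e for e in rs["entries"]
                      if rest is not None and _match(e["pattern"], rest)
                      and uid.startswith(e.get("UID", ""))), None)
        if entry is not None and entry.get(access) == "A":
            return "ALLOW", trace
        # Access is prevented in this rule set: continue only via NEXTKEY.
        if entry is None or "NEXTKEY" not in entry:
            return "DENY", trace
        hops += 1
        if hops > MAX_NEXTKEY:            # more than 25 NEXTKEY options
            trace.append("KEYEXECS")
            return "DENY", trace
        key = entry["NEXTKEY"]

def chain_rules(n):
    """Constructed data: K0 -> K1 -> ... -> K(n-1); only the last set grants READ."""
    lines = []
    for i in range(n):
        lines += [f"$KEY(K{i})", "$PREFIX(K0)",
                  f" - NEXTKEY(K{i + 1})" if i < n - 1 else " - R(A)"]
    return "\n".join(lines)

if __name__ == "__main__":
    sets = parse_rules(SPLIT_RULES)
    for uid, res, acc in [("PC1", "TLCAMS.V0191.PAYFILE", "W"),
                          ("MGR", "TLCAMS.V0191.PAYFILE", "W"),
                          ("OPR", "TLCAMS.V0192.LOG", "R")]:
        print(uid, acc, res, *validate(sets, uid, res, acc))
    print("27-set chain:", *validate(parse_rules(chain_rules(27)), "ANY", "K0.FILE", "R"))
```

The trace returned with each decision lists the $KEY values visited in order, so a denial can be read the same way the ACFRPTDS trace records are read: a trace ending in NKEYLOOP came from a rule set referenced twice, one ending in KEYEXECS from a chain longer than 25. The parser raises on a malformed entry, which also catches a mistyped control word such as `$RCHANGE` in place of `%RCHANGE`, because the line is then parsed as a rule entry with an invalid parameter.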