Protecting Special Resources › The GRPLOGON Privilege: Logging onto Group Machines › System Access through Resource Rules

System Access through Resource Rules

When you try to log onto a group virtual machine, CA ACF2 for VM automatically validates a resource rule to see if you can use the machine, regardless of the CA ACF2 for VM data access mode setting and any special privileges you might have. CA ACF2 for VM:

• Validates the user ID of the group logon machine (the machine with the GRPLOGON privilege) as a rule set $KEY value. You can specify the resource rule type code in the TYPES field of the RESTYPE VMO record to mask this value.
• Validates the user ID that is entered during the logon process after the following prompt as a UID value of an entry in the rule set:

  ACFpgm263R Enter your ACF2 Logonid
  

  Standard UID masking applies for this value.

  Validates that the rule set type code is GRP by default. This type code is defined in the GRPLOGON field of the RESTYPE VMO record.

For example, the following rule set lets any group user with the logonid mask TLC- log onto the MAINT group machine.

SET RES(GRP)
 
RESOURCE
 
COMPILE
ACFCMP510I ACF compiler entered
 
$KEY(MAINT) TYPE(GRP)
 UID(*****TLC‑) ALLOW
 UID(*****TLCAMS) PREVENT
 
ACFCMP551I Total record length=168 bytes ‑ 4 percent utilized
 
RESOURCE

The PREVENT rule entry makes it explicitly clear how the MAINT group machine is used in this example. Users with the logonid TLC- mask can supply their own logonids and passwords to log onto the machine. TLCAMS cannot log on as the group machine. Because each user must supply his own logonid and password, no password sharing takes place. Whenever an invalid access attempt occurs through this kind of resource rule validation, CA ACF2 for VM records it in the Resource Event Log (ACFRPTRV).