

How CA ACF2 for VM Processes Requests for Resource Access

When you use X‑RGP records, CA ACF2 for VM searches the resident typelist first. If you have a $KEY(********) rule that allows access to all transactions, CA ACF2 for VM uses this rule to allow access before it finds the more specific rule, and X‑RGP processing is never performed. Likewise, if there is no resident typelist for this resource, X‑RGP processing is never performed.

If CA ACF2 for VM finds a matching entry in the resident typelist, it locates the resource rule and performs access validation. CA ACF2 for VM uses the validation result even if the access is denied. If CA ACF2 for VM cannot find a matching entry in the typelist, it searches all the X‑RGP records. When CA ACF2 for VM finds a matching entry in the INCLUDE or EXCLUDE lists of an X‑RGP record, it performs access validation. If the access is allowed, X‑RGP processing ends. If access is denied, CA ACF2 for VM continues to search more X‑RGP records until it finds another matching entry in an INCLUDE or EXCLUDE list, looking for a record that allows access. If CA ACF2 for VM cannot find an X‑RGP record that allows access, access is denied.
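The lookup order described above can be traced with a small model, added here as an illustration; it is not CA ACF2 for VM code. It shows a catch-all $KEY(********) rule deciding the request before any X‑RGP record is read, and a typelist denial being final. Assumptions: a resident typelist exists for the resource type, all function names, rule layouts, and sample data are constructed, and masking is reduced to `*` matching any one character.

```python
# Simplified model of the lookup order. Names and data are constructed;
# masking is reduced to "*" = any one character (blank included).

def mask_match(mask, name):
    """True when name fits the mask; both are padded to 8 characters."""
    m, n = mask.ljust(8), name.ljust(8)
    return len(n) == 8 and all(a in ("*", b) for a, b in zip(m, n))

def validate(rule, user):
    """Access validation against one rule: is the user in its allow set?"""
    return user in rule["allow"]

def check_access(user, resource, resident_rules, xrgp_records, group_rules):
    """Return (allowed, path); path lists the rules that were validated."""
    # Step 1: resident typelist first. A match is final, even when it denies.
    for rule in resident_rules:
        if mask_match(rule["key"], resource):
            return validate(rule, user), ["typelist:" + rule["key"]]
    # Step 2: no typelist match, so search the X-RGP records.
    path = []
    for rec in xrgp_records:
        entries = rec["include"] + rec["exclude"]
        if any(mask_match(e, resource) for e in entries):
            path.append("xrgp:" + rec["group"])
            if validate(group_rules[rec["group"]], user):
                return True, path   # first allow ends X-RGP processing
            # denied: keep searching for another record that allows access
    return False, path              # no X-RGP record allowed access

# Constructed sample data (hypothetical groups, resources, and users).
XRGP = [
    {"group": "PAYGRP", "include": ["PAY1", "HR1"], "exclude": []},
    {"group": "FINGRP", "include": ["PAY*"], "exclude": []},
]
GROUP_RULES = {"PAYGRP": {"allow": {"alice"}}, "FINGRP": {"allow": {"bob"}}}
SPECIFIC = [{"key": "HR1", "allow": {"carol"}}]
CATCH_ALL = SPECIFIC + [{"key": "********", "allow": {"alice", "bob", "dave"}}]

if __name__ == "__main__":
    for user, res, rules in [("bob", "PAY1", SPECIFIC), ("dave", "PAY1", SPECIFIC),
                             ("dave", "PAY1", CATCH_ALL), ("alice", "HR1", SPECIFIC)]:
        print(user, res, check_access(user, res, rules, XRGP, GROUP_RULES))
```

In the third case the path contains only the typelist entry, so a review of X‑RGP records alone would not explain why that access was allowed.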

When you use the resource grouping facility to implement resource access controls, you must carefully consider the way you want the accesses authorized and logged.