Suppose a security administrator wants to grant users DIAL access to user IDs USER20, USER21, USER22, and USER30. The security administrator then inserts an X‑RGP record as follows (ACF and XREF are the prompts that the ACF command displays):
acf
ACF
set x(rgp)
XREF
insert trana resource include(user2‑,user30) exclude(user23) type(dia)
trana
    Is the record name that the security administrator selects to assign to this group of user IDs.
user2‑
    Is the masked ID that any user ID beginning with the characters USER2 matches. Because the mask also matches USER24 through USER29, only the EXCLUDE operand keeps USER23 out of the group; any other unwanted USER2x IDs must be excluded in the same way.
dia
    Is the resource rule type code for DIAL accesses.
The resource rule for this group of user IDs might look like the one below:
$KEY(TRANA) TYPE(DIA) UID(PERCLK) ALLOW
Now suppose the security administrator wants to permit some users to access both the TRANA group of user IDs and another group of user IDs that he has identified as TRANB in another X‑RGP record. The security administrator inserts an X‑RGP record of type GROUP as follows:
acf
ACF
set x(rgp)
XREF
insert group1 group include(trana,tranb)
group1
    Is the record name of this X‑RGP record, that is, the name of the set of X‑RGP records to which this X‑RGP record refers.
trana
    Is the record ID of an individual X‑RGP record that belongs to the set of X‑RGP records identified as GROUP1.
tranb
    Is the record ID of an individual X‑RGP record that belongs to the set of X‑RGP records identified as GROUP1.
To follow through with his security plan, the security administrator must be sure to specify TRANA in the $KEY field of the resource rule for the TRANA group of user IDs, TRANB in the $KEY field of the resource rule for the TRANB group of user IDs, and GROUP1 in the $KEY field of the resource rule for the set of groups (TRANA and TRANB). DIA must be the type code specified for all these rules.
In the previous example, TRANA contains certain user IDs, TRANB contains certain user IDs, and GROUP1 includes the user IDs of both TRANA and TRANB. If someone attempts access to a user ID that is in TRANA (for example, USER20), that access is also covered by GROUP1, because every user ID in TRANA is included in GROUP1.
Validation therefore considers both the TRANA rule and the GROUP1 rule, and access is granted as soon as any one of them permits it. If a TRANA rule permits a user access and a GROUP1 rule prevents that user access, the user is still granted access because some applicable rule permits it. Access is likewise granted if the TRANA rule prevents access and the GROUP1 rule grants it. A PREVENT in one rule never overrides an ALLOW in another applicable rule.
As an example, assume payroll personnel need access to all the user IDs in both TRANA and TRANB. It is necessary to write only a GROUP1 rule for them, even though the TRANA and TRANB rules do not permit access for the payroll manager:
$KEY(TRANA) TYPE(DIA) UID(PERCLK) ALLOW
$KEY(TRANB) TYPE(DIA) UID(ACTCLK) ALLOW
$KEY(GROUP1) TYPE(DIA) UID(PAYMGR) ALLOW
The TRANA rule permits access for personnel clerks. The TRANB rule permits access for accounting clerks. Neither rule grants the payroll manager access because neither includes his UID. The GROUP1 rule permits his access. Because GROUP1 includes TRANA and TRANB, access is granted to the payroll manager even though the TRANA and TRANB rules do not allow it.
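The following is an added example, written for this page and not part of CA ACF2 or its documentation. It models the resolution just described in plain Python: the trailing-dash mask, the INCLUDE/EXCLUDE operands of a RESOURCE record, the GROUP record that pulls in other X-RGP records, and the rule that any applicable ALLOW grants access while a PREVENT elsewhere does not take it away. The mask semantics, the exact-match UID comparison, and the contents of TRANB (USER4-) are assumptions made for the example; real ACF2 validation handles UID masking, $KEY masking and other features this model leaves out.

```python
"""Toy model of the X-RGP resolution the text describes (added example; not CA ACF2 code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumptions (not stated on the page): a mask ending in '-' matches any ID that starts
# with the characters before the '-'; a UID matches a rule only when it equals the rule's
# UID string exactly; all names are case-insensitive and compared in upper case.


@dataclass
class XrgpRecord:
    name: str                 # record name, e.g. TRANA or GROUP1
    kind: str                 # "RESOURCE" (lists resources) or "GROUP" (lists X-RGP records)
    include: List[str]
    exclude: List[str] = field(default_factory=list)
    type_code: str = ""       # resource rule type code, e.g. DIA (RESOURCE records only)


@dataclass
class Rule:
    key: str                  # $KEY
    type_code: str            # TYPE()
    uid: str                  # UID()
    allow: bool               # True for ALLOW, False for PREVENT


def mask_match(mask: str, resource: str) -> bool:
    """ACF2-style trailing-dash mask: USER2- matches USER20 ... USER29, USER2X, and so on."""
    mask, resource = mask.upper(), resource.upper()
    if mask.endswith("-"):
        return resource.startswith(mask[:-1])
    return mask == resource


def resource_record_covers(rec: XrgpRecord, resource: str, type_code: str) -> bool:
    """A RESOURCE record covers a resource when an INCLUDE mask matches, no EXCLUDE mask
    matches, and the type codes agree."""
    if rec.kind != "RESOURCE" or rec.type_code.upper() != type_code.upper():
        return False
    if any(mask_match(m, resource) for m in rec.exclude):
        return False
    return any(mask_match(m, resource) for m in rec.include)


def applicable_keys(resource: str, type_code: str, records: Dict[str, XrgpRecord]) -> Set[str]:
    """Every $KEY whose rule applies to the resource: the RESOURCE records that cover it,
    plus every GROUP record that includes one of those names, followed transitively."""
    keys = {r.name for r in records.values() if resource_record_covers(r, resource, type_code)}
    grew = True
    while grew:                       # fixed point: GROUP records may nest other GROUP records
        grew = False
        for r in records.values():
            if r.kind == "GROUP" and r.name not in keys and any(m.upper() in keys for m in r.include):
                keys.add(r.name)
                grew = True
    return keys


def access_allowed(uid: str, resource: str, type_code: str,
                   records: Dict[str, XrgpRecord], rules: List[Rule]) -> bool:
    """Validation as the text describes it: any applicable rule with an ALLOW for the UID
    grants access, even when another applicable rule carries PREVENT for the same UID."""
    keys = applicable_keys(resource, type_code, records)
    return any(rule.allow and rule.key.upper() in keys
               and rule.type_code.upper() == type_code.upper()
               and rule.uid.upper() == uid.upper()
               for rule in rules)


# Constructed sample data mirroring the page's inserts. The page does not say what TRANB
# contains; USER4- is an assumption so that TRANB covers something.
RECORDS = {r.name: r for r in [
    XrgpRecord("TRANA", "RESOURCE", include=["USER2-", "USER30"], exclude=["USER23"], type_code="DIA"),
    XrgpRecord("TRANB", "RESOURCE", include=["USER4-"], type_code="DIA"),
    XrgpRecord("GROUP1", "GROUP", include=["TRANA", "TRANB"]),
]}

RULES = [
    Rule("TRANA", "DIA", "PERCLK", allow=True),
    Rule("TRANB", "DIA", "ACTCLK", allow=True),
    Rule("GROUP1", "DIA", "PAYMGR", allow=True),
    Rule("GROUP1", "DIA", "PERCLK", allow=False),  # added to show a PREVENT does not undo an ALLOW elsewhere
]


def demo() -> Dict[str, object]:
    """Resolve the page's scenario; each entry is explained in the trailing comment."""
    return {
        "keys_user20": applicable_keys("USER20", "DIA", RECORDS),                    # TRANA and GROUP1
        "keys_user23": applicable_keys("USER23", "DIA", RECORDS),                    # none: excluded
        "keys_user25": applicable_keys("USER25", "DIA", RECORDS),                    # TRANA and GROUP1: the mask is wider than 20-22
        "paymgr_user20": access_allowed("PAYMGR", "USER20", "DIA", RECORDS, RULES),  # allowed via GROUP1
        "paymgr_user40": access_allowed("PAYMGR", "USER40", "DIA", RECORDS, RULES),  # allowed via GROUP1
        "perclk_user20": access_allowed("PERCLK", "USER20", "DIA", RECORDS, RULES),  # allowed via TRANA despite GROUP1 PREVENT
        "perclk_user40": access_allowed("PERCLK", "USER40", "DIA", RECORDS, RULES),  # denied: no applicable ALLOW
        "actclk_user20": access_allowed("ACTCLK", "USER20", "DIA", RECORDS, RULES),  # denied: TRANB rule does not apply
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `keys_user25` entry is the practical point to check in your own X-RGP records: a masked INCLUDE such as USER2- covers every ID that begins with USER2, so anything outside the intended set must appear in EXCLUDE. The `perclk_user20` entry shows why a PREVENT in a GROUP rule is not a way to take back access that a member group's rule already grants.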
Copyright © 2009 CA Technologies.
All rights reserved.