

Creating Scope Records

Use the INSERT subcommand under the SCP setting to create scope records. The syntax for this INSERT subcommand is:

INsert  scpname
        [USing(scpname)]
        {ADD|REPlace|DELete}
 
   { [  Dsn(entry1,entry2,...,entryn)  ] }
   { [  Inf(entry1,entry2,...,entryn)  ] }
   { [  Lid(entry1,entry2,...,entryn)  ] }
   { [  Uid(entry1,entry2,...,entryn)  ] }

USing(scpname)

Specifies that you want to use an existing scope record as a model for the new scope record being inserted.

scpname

This is the one‑ to eight‑character name defined in the SCPLIST field of a user's logonid record.

ADD|REPlace|DELete

These subfunctions modify the new record from the model record. ADD is the default.

There are four different types of fields. You must include at least one in a scope record through the INSERT subcommand:

Dsn(entry1,entry2,...,entryn)

These are one‑ to eight‑character access rule scope fields specifying the VM user ID ($KEY value) of a CMS file or minidisk. It can also be a high‑level index of an OS data set or DOS file. You can mask this field.

Inf(entry1,entry2,...,entryn)

These 1‑ to 44‑character Infostorage database scope fields place the matching Infostorage database records in the scope of the user.

Lid(entry1,entry2,...,entryn)

These are one‑ to eight‑character logonid record scope fields to put the logonid or logonid mask in the scope of the user. You must also specify a UID field for authorization to occur. Access to logonid records is not authorized unless you specify both the LID and UID parameters through the INSERT subcommand. When creating scope records, you must understand CA ACF2 for VM masking conventions (the differences between using the asterisk and using the dash).

Uid(entry1,entry2,...,entryn)

These entries are the UIDs or UID masks, from 1 to 24 characters long, that are put in the scope of the user. Access to logonid records is not authorized unless you specify both the LID and UID parameters.

You can specify multiple entries in DSN, INF, and LID fields. Separate multiple entries by commas or blanks. Separate UID field entries with commas only.

Masking for the SCPLIST UID field works in the same way as for the UID field of rules. Specifically, the UID field is automatically padded out to the right with masking characters (up to 24 characters), although this is transparent to the user.

Scope records grant no special privileges. They limit the records to which a user's privileges apply; that is, they restrict other special privileges granted to the user (SECURITY, ACCOUNT, AUDIT). Because only security administrators can create, change, or delete Infostorage records, a user without the SECURITY privilege cannot create a new resource rule record, regardless of any matching INF (Infostorage) scope field entries.
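The field rules above (entry lengths, UID separators, and the LID/UID pairing) can be checked before a command is entered. The following Python sketch is an added example, not CA code and not part of the product; the function names are hypothetical, and it assumes that any unambiguous keyword prefix is accepted and that a trailing hyphen continues the command onto the next line.

```python
import re

# Maximum entry length per field type, as stated on this page.
MAX_LEN = {"DSN": 8, "INF": 44, "LID": 8, "UID": 24}
FIELD_RE = re.compile(r"([A-Za-z]+)\(([^)]*)\)")

def expand(word):
    """Resolve a field keyword or abbreviation (assumed: any unambiguous prefix)."""
    hits = [k for k in MAX_LEN if k.startswith(word.upper())]
    return hits[0] if len(hits) == 1 else None

def lint_insert(command):
    """Return a list of findings for one INSERT subcommand (empty list = clean)."""
    # Assumption: a hyphen at the end of a line continues the command.
    text = re.sub(r"-[ \t]*\n", " ", command).strip()
    head = FIELD_RE.sub(" ", text).split()
    if len(head) < 2 or len(head[0]) < 2 or not "INSERT".startswith(head[0].upper()):
        return ["not an INSERT subcommand with a scope record name"]
    findings = []
    if not 1 <= len(head[1]) <= 8:
        findings.append(f"scope name {head[1]!r} is not 1 to 8 characters")
    seen = set()
    for word, body in FIELD_RE.findall(text):
        field = expand(word)
        if field is None:
            continue  # USING(...) and unknown keywords are not checked here
        seen.add(field)
        # UID entries are comma-separated only; other fields also allow blanks.
        entries = body.split(",") if field == "UID" else re.split(r"[,\s]+", body.strip())
        for entry in (e.strip() for e in entries):
            if field == "UID" and re.search(r"\s", entry):
                findings.append(f"UID entry {entry!r}: separate UIDs with commas only")
            elif not 1 <= len(entry) <= MAX_LEN[field]:
                findings.append(f"{field} entry {entry!r} is not 1 to {MAX_LEN[field]} characters")
    if not seen:
        findings.append("no DSN, INF, LID, or UID field: at least one is required")
    if ("LID" in seen) != ("UID" in seen):
        findings.append("LID and UID must both be present to authorize logonid access")
    return findings

if __name__ == "__main__":
    # Constructed sample commands; HRSCOPE and its entries are not from the page.
    for cmd in ("INSERT HRSCOPE LID(HR-) UID(HRMGR-)", "INSERT HRSCOPE LID(HR-)"):
        print(cmd, "->", lint_insert(cmd) or "ok")
```

The check covers syntax and the pairing rule only; it does not evaluate what a mask actually matches.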

An example of using the INSERT subcommand under the SCOPE(SCP) setting shows how you can define scope record PAYSCOPE to govern the scope of a security administrator in a payroll department:

INSERT PAYSCOPE DSN(PAYWORK,PAYTEST) -
                LID(PAY-) -
                UID(FINMGR-)

When you assign the scope list PAYSCOPE to the security administrator's logonid SCPLIST field, the security administrator is limited to: