RULEOPTS Record-CA ACF2 for VM Rule Option Specifications

Defining Structured Infostorage Records › RULEOPTS Record-CA ACF2 for VM Rule Option Specifications

RULEOPTS Record-CA ACF2 for VM Rule Option Specifications

Record ID	Fields
RULEOPTS	CENTRAL\|NOCENTRAL CHANGE\|NOCHANGE COMPDYN\|NOCOMPDYN DECOMP(SECURITY,AUDIT\|privilege list) RULELONG\|NORULELONG VOLRULE\|NOVOLRULE $NOSORT\|NO$NOSORT

This record defines the options that determine how CA ACF2 for VM uses and maintains command limiting rules, resource rules, and access rules.

Fields

CENTRAL|NOCENTRAL

Specifies whether the data owner has authority to store access rules. If you specify CENTRAL, only security administrators and users with the %CHANGE or %RCHANGE feature have this privilege. You can combine the NOSTORE attribute of the logonid record with NOCENTRAL to let only selected users update their own rules. The default is NOCENTRAL (all users can update the access rule sets for their own disks and files).

CHANGE|NOCHANGE

Specifies whether %CHANGE and %RCHANGE are recognized. If you specify NOCHANGE, CA ACF2 for VM ignores any %CHANGE or %RCHANGE statements in a rule set when it determines if a user can replace any access rule. The default is CHANGE, activating %CHANGE and %RCHANGE authorization.

COMPDYN |NOCOMPDYN

Specifies whether to compile a rule set with the 32K (RULELONG) compiler. With this option, CA ACF2 for VM defaults to use the 4K rule format compiler and will dynamically switch to use the 32K compiler if the 4K compiler fails due to an out-of-buffer condition or because a rule option was used that requires the 32k compiler. For example, the rule set is too large to fit in a 4K buffer. The default is NOCOMPDYN.

Note: If COMPDYN is specified, RULELONG also needs to be specified. At startup or when the RULEOPTS records is reloaded, COMPDYN will be disabled if RULELONG is not active.

DECOMP(SECURITY,AUDIT|privilege list)

Specifies the logonid attributes necessary to decompile an access rule or resource rule that you do not have the authority to change. The default is SECURITY, AUDIT (users with either attribute are authorized). This authority applies to all scoped or unscoped users with the privileges listed in this field. You can only specify CA ACF2 for VM‑defined privileges in this field. Scopes do not affect the privileged attributes listed in the DECOMP field.

RULELONG|NORULELONG

Specifies whether you want to use rules greater than 4K long. NORULELONG, the default, indicates that rules are compiled and stored in the current format with a limit of 4K. RULELONG indicates a formatted access and resource rule record capable of expanding greater than 4K, to a maximum of 32K. The Rules and Infostorage databases must be redefined to accommodate this greater length. RULELONG also requires the use of VSAM databases. If you do not increase the size of these databases, this option is disabled. Message ACFpgm47EW displays during CA ACF2 for VM startup or during a refresh of the RULEOPTS record if this option is disabled. Once you set this option, the Rules and Infostorage databases are no longer compatible with previous releases of CA ACF2 for VM.

Note the following:

While RULELONG allows for more rule lines and new options, the rules compiled by the RULELONG compiler are also larger, often twice as large. To prevent rules that do not need to use the RULELONG compiler from being expanded for no reason, enable the Dynamic Compile (COMPDYN) option.
If the Dynamic Compile option (COMPDYN) is also enabled, RULELONG will be allowed even if CMS databases are used, even though the maximum rule size will still be 4K. The only reason to enable RULELONG and COMPDYN when using CMS databases would be to use a rule option that requires RULELONG. Currently, ACTIVE is the only option that requires RULELONG. However, if an option that requires RULELONG is added to a rule that is near or over 2K in length, it will most likely not fit within the 4K CMS database limit. If this happens, NEXTKEY can be used to split the rule.

VOLRULE|NOVOLRULE

Specifies that CA ACF2 for VM validates access to tape volumes listed in the TAPEVOLS list through tape volume access rules. This operand defines the correct syntax for these rules. The values for this operand are defined below.

VOLRULE

Creates rules in the VOLUME.@volser format. You must specify the $KEY value as VOLUME. You must specify the filename as the tape volume identifier (volser) with the prefix @. You only need to create one rule set with this format. For example, if you specify 767305 and 123*** as the secured volume list in the TAPEVOLS record, the following rule set gives any user with the SVM UID mask write access to these volumes:

	$KEY(VOLUME)
	 @767305 UID(*****svm) WRITE (A)
	 @123aaa UID(*****svm) WRITE (A)

NOVOLRULE

Creates rules in the @volser.VOLUME format. It is the default. You must specify the $KEY value as the tape volume identifier (volser) with the prefix @. You must specify the filename as VOLUME. You must create a separate rule set for each tape volume with this format. For example, if you specify 767305 and 123*** as the secured volume list in @SECVOLS, the rule sets below give any user with the SVM UID mask write access to these volumes:

	$KEY(@767305)
	 VOLUME UID(****svm) WRITE (A)

	$KEY(@123aaa)
	 VOLUME UID(****svm) WRITE (A)

$NOSORT|NO$NOSORT

Specifies whether the $NOSORT rule set control statement is active. If you specify $NOSORT, CA ACF2 for VM recognizes the $NOSORT control statement during rule compilation and suppresses normal CA ACF2 for VM rule sorting (from most specific to most general). If you specify NO$NOSORT (the default), CA ACF2 for VM ignores any $NOSORT control statements and automatically sorts rule sets during rule compilation.

SHOW Subcommand

The SHOW STATE subcommand displays the values currently in effect for the RULEOPTS record.