To write effective command limiting rules, you must understand how rule entries are sorted and interpreted. You must also understand the matching environment concept. These concepts and the command validation process are explained in the following sections.
Rule entries are automatically sorted from most specific to most general. CA ACF2 for z/ VM sorts command limiting rule sets as follows:
Alphabetically, masked then unmasked
UID of the users the rule applies to
In alphabetical order, with ”none specified” last
In alphabetical order, with ”none specified” last
Last Gregorian date the rule is valid on.
Rule entries are sorted this way to make rule interpretation more efficient and rule writing simpler. To interpret a sorted rule, CA ACF2 for z/ VM simply compares the first rule entry to the actual user request, then the second, third, and so on.
The $NOSORT control statement stores and interprets rule entries in the exact order they are entered in the rule set. We do not recommend using $NOSORT. If you must use it, be sure to test the unsorted rule carefully to ensure it works as expected.
A rule match occurs when the operand values defined in a rule entry correspond to the actual environment of the user’s command request. The first rule entry that matches determines if the command is allowed to execute, allowed but logged, or prevented and logged.
To summarize, CA ACF2 for z/ VM validates access to a CP command and operand combination by:
When CA ACF2 for z/ VM finds a matching rule entry, it checks the entry to determine if the command format in the rule entry matches the command entered by the user. If the formats match, the user’s command is compared to the rule entry.
|
Copyright © 2013 CA Technologies.
All rights reserved.
|
|