Individual command limiting rule entries follow the control statements in a rule set and specify the environment and access permissions when a CP command is executed. Each rule entry describes a unique access environment. When the actual user request matches the access environment defined in a rule entry, that rule determines whether the command is executed, executed but logged, or not executed.
The syntax rules for individual rule entries and the rules for coding them are:
operandmask UID(uidmask) SHIFT(shift) SOURCE(source) - UNTIL(date)|FOR(days) DATA(userdata) NEXTKEY(nextkey)
Use the following parameters to specify the access environment:
operandmask
Defines a unique combination of CP command operands. For example, when you enter a command, you can specify one or more command operands, such as IPL CMS. In this case, CMS is an operand and becomes part of your access environment. The UID keyword must follow the last operand in this mask. CA ACF2 for z/VM treats any other rule entry keywords found before UID(uidmask) as operandmask operands. You can mask operands. For information about masking operands, see the Operand Masking Techniques section.
UID(uidmask)
Specifies the UID strings of users this rule entry applies to. This parameter is required and must follow the operandmask because it acts as the ending delimiter of the operandmask. For more information about this control statement, see the Administrator Guide.
SHIFT(shift)
Specifies the name of the shift record on the Infostorage database that applies to this rule entry. It defines days, dates, and times when access is allowed. If you do not specify this parameter, any access the rule indicates is appropriately allowed, logged, or prevented for all days, dates, and times. This parameter is optional.
SOURCE(source)
Specifies an input source or source group name where this rule should apply. For example, you can specify a terminal ID. The access is allowed only if the user is logged onto the specific terminal. If you do not specify a source, any input source is valid. Ask your Security Administrator for a list of valid group names. This parameter is optional.
UNTIL(date)
Specifies the last date this command limiting rule applies. For more information about this control statement, see the Administrator Guide.
FOR(days)
Specifies the number of days this command limiting rule applies. For more information about this control statement, see the Administrator Guide.
DATA(userdata)
Specifies any character string up to 64 characters. This string is retained with the rule entry. For more information about this control statement, see the Administrator Guide.
NEXTKEY(nextkey)
Specifies the rule ID of the next (or alternate) rule set that will be checked for this access. If CA ACF2 for z/VM denies access to this command based on the rule set environment and access permissions in the original rule, CA ACF2 for z/VM proceeds to the rule specified in the NEXTKEY operand for further checking.
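The following is an added example, not CA ACF2 code or tooling: a small review aid that splits a rule entry at UID(uidmask) and flags the coding mistakes the parameter descriptions above imply, chiefly a keyword coded before UID that is silently read as an operand. The function name, the finding texts, and the sample entries are assumptions constructed for illustration; masking and the UNTIL date format are not interpreted.

```python
import re

KEYWORDS = ("UID", "SHIFT", "SOURCE", "UNTIL", "FOR", "DATA", "NEXTKEY")
KW_RE = re.compile(r"\b(%s)\(([^)]*)\)" % "|".join(KEYWORDS))

def lint_rule_entry(entry):
    """Split one rule entry into (operandmask, params, findings)."""
    uid = re.search(r"\bUID\(([^)]*)\)", entry)
    if uid is None:
        return entry.strip(), {}, ["error: UID(uidmask) is required"]
    # Everything before UID(...) is the operandmask, keywords included.
    operandmask = entry[:uid.start()].strip()
    findings = ["error: %s(...) is coded before UID and is read as an operand"
                % m.group(1) for m in KW_RE.finditer(operandmask)]
    # Only keywords from UID onward take effect as rule entry parameters.
    params = {m.group(1): m.group(2)
              for m in KW_RE.finditer(entry, uid.start())}
    if "UNTIL" in params and "FOR" in params:
        findings.append("error: UNTIL and FOR are alternatives, code one")
    if len(params.get("DATA", "")) > 64:
        findings.append("error: DATA is longer than 64 characters")
    # Optional parameters: their absence widens the rule, so report it.
    if "SHIFT" not in params:
        findings.append("note: no SHIFT, rule applies at all days and times")
    if "SOURCE" not in params:
        findings.append("note: no SOURCE, rule applies from any input source")
    return operandmask, params, findings

# Constructed sample entries (not taken from a real rule set).
SAMPLES = [
    "IPL CMS UID(OPER) SHIFT(DAYS) SOURCE(TERM01) FOR(30) NEXTKEY(IPL2)",
    "IPL CMS SHIFT(DAYS) UID(OPER) UNTIL(ENDDATE) FOR(30)",
    "IPL CMS SHIFT(DAYS)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        mask, params, findings = lint_rule_entry(s)
        print(repr(mask), params)
        for f in findings:
            print("   ", f)
```

In the second sample the misplaced SHIFT(DAYS) becomes part of the operandmask, so the entry carries no shift restriction at all, which is why the same entry also receives the "no SHIFT" note.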
Copyright © 2013 CA Technologies.
All rights reserved.