Rule Masking Example

Rule Writing Guidelines › Operand Masking Techniques › Rule Masking Example

Rule Masking Example

To effectively write rules, you must understand how operands relate to models and how to mask the operands. Below are two versions of the IPL command.

IPL 190 28 CL ATTN PARM AUTOCR

IPL 190 ATTN 28 CL PARM AUTOCR

Both of these commands perform the same function, even though the operands are in a different order in each command. To make rule writing easier in these instances, CA ACF2 for z/ VM sorts operands against a supplied IPL command model so they are always validated in a predictable order. To demonstrate this concept, the next three sections examine the components of command limiting:

The syntax of a command (the human representation)
The model (the machine representation)
A sample rule, that CA ACF2 for z/ VM uses to govern actions.

IPL Command Syntax

Shown below is the syntax of a typical CP command, in this case, the IPL command:


     { vaddr [cylno ] [CLear ]               }
     {       [number] [NOCLear]{STOP} [ATTN] }
IPL  {                         {PMA }        } [(PARM p1 [p2 [pn)]]
     {                         {PMAV}        }
     {                                       }
     { systemname                            }

IPL Command Model

The following is a representation of the command model for the IPL command:


COMMAND IPL
  FORMAT CLASS=G
    OPERAND VCUU,4,TRAN=VCUU
    OPERAND GROUP=OPTIONS
    OPERAND GROUP=PLIST
 FORMAT END
 
 FORMAT CLASS=G
    OPERAND SYSNAME,8,TRAN=ANY
    OPERAND GROUP=PLIST
 FORMAT END

OPTIONS GROUP TYPE=OPTIONAL
        OPERAND LIST=((CYLNO,TRAN=HEX),        -
                      (BLOCKNO,TRAN=DECIMAL))
        OPERAND LIST=((CLEAR,2),               -
                      (NOCLEAR,3,TYPE=DEFAULT))
        OPERAND GROUP=MOREOPT
      GROUP END
 
MOREOPT GROUP TYPE=OPTIONAL
        OPERAND LIST=((GROUP=STOPATN),         -
                      (GROUP=PMAOPT))
      GROUP END
 
STOPATN GROUP TYPE=OPTIONAL
       OPERAND STOP,4
        OPERAND ATTN,4
      GROUP END
 
PMAOPT GROUP TYPE=OPTIONAL
       OPERAND LIST=(                          -
                    (PMA,3),                   -
                    (PMAV,4))
      GROUP END
 
PLIST  GROUP TYPE=OPTIONAL
           OPERAND GROUP=PARM
       GROUP END
 
PARM  GROUP TYPE=KEYWORD
           OPERAND PARM,4
           OPERAND GROUP=PARMOPTS
      GROUP END
 
PARMOPTS GROUP TYPE=OPTIONAL
           OPERAND AUTOCR,6
           OPERAND BATCH,5
           OPERAND NOSYSPROF,7
           OPERAND GROUP=CMSSEG
           OPERAND GROUP=INSTSEG
           OPERAND GROUP=SAVESYS
           OPERAND ANYTHING,236,TRAN=REST
      GROUP END
 
CMSSEG  GROUP TYPE=KEYWORD
          OPERAND SEG,3
          OPERAND LIST=(                       -
                        (NULL,4),              -
                        (SEGMNAME,8,TRAN=ANY)  -
                       )
        GROUP END
INSTSEG GROUP TYPE=KEYWORD
          OPERAND INSTSEG,7
          OPERAND LIST=(                       -
                        (YES,3,TYPE=DEFAULT),  -
                        (NO,2),                -
                        (NAME,8,TRAN=ANY)      -
                       )
        GROUP END
 
SAVESYS GROUP TYPE=KEYWORD
          OPERAND SAVESYS,7
          OPERAND SYSNAME,8,TRAN=ANY
        GROUP END
 
 COMMAND END

Sample IPL Command Rule

The sample rule below was written based on the command model and IPL command syntax shown in the previous two sections:


$KEY(IPL)
 CMS PARM AUTOCR UID(*) ALLOW
 CMS10 - UID(QA) ALLOW
 SYSNAME - UID(MAINT) ALLOW
 *- - NOCLEAR - UID(*) PREVENT
 *- - CLEAR PARM SAVESYS SYSNAME UID(MAINT) ALLOW
 *- - CLEAR PARM SAVESYS CMS UID(HELPDESK) ALLOW
 *- - CLEAR PARM - UID(*) ALLOW
 *- - PARM BATCH UID(CMSBATCH) ALLOW

In the first rule entry, anyone can issue the IPL CMS command if they specify the PARM AUTOCR parameter.
In the second rule, only the QA user ID is allowed to IPL CMS10.
In the third rule, user ID MAINT can IPL any system name. SYSNAME is a pseudo operand name because it is the same as the operand name specified in the model. When you use a pseudo operand name, it matches all values allowed by the transposition routine name.
In the fourth rule, everything in all groups is masked except for NOCLEAR. Specifying NOCLEAR prevents command execution. NOCLEAR specifies the only way a user can IPL a virtual device is if they IPL with the CLEAR option.
In the fifth rule, a user can perform all IPL functions if they specify CLEAR. Only user ID MAINT can issue SAVESYS to any SYSNAME.
The sixth rule is very similar to the second one, except that only the user ID HELPDESK can save systems named CMS.
The seventh rule entry allows CMSBATCH to IPL a device with any option and allows it to use the BATCH parameter.