

Rules for Operands That Have a Range

Some CP commands specify operands as single values or as value ranges. In addition, these commands usually have multiple formats. A good example of this is the DETACH command. Some common uses of DETACH are:

The supplied command model for DETACH includes special indicators to handle any combination of operands, including those listed above. Before showing sample rules for operand ranges and addresses, you should understand that rule operand masking is slightly modified to handle device addresses. Consider the mask 019*. To ensure only valid addresses are used, a transposition routine modifies this standard masking technique. For device addresses, the * is a position holder and the operands going to it are numeric values. This means an operand mask of 019* is treated as 0190-019F (that is, 019G-019Z is invalid, as it should be).

Under normal masking conventions, the trailing * means zero or one character must be present to match the mask. In normal cases, this enables a singular address of 019 or an address range of 0190-019F or 019G-019Z. However, 019 and 019G-019Z are not valid because all valid device addresses are nn0 through nnF, where nn is any value between 00 and FF. Further, CA ACF2 for z/VM considers an * in the low order portion of the range to be a low-value (0) and considers an * in the high order portion to be a high-value (F). For example, *19-1A* is transposed into a range of 019-1AF. For more information about how ranges are transposed, see the appendix “Transposition Routines for Command Limiting.” To demonstrate how this masking works, consider the following rule entries for the DETACH command.


$KEY(DETACH)
 0190 UID(*) ALLOW
 019* UID(*) ALLOW
 0190-01AF UID(*) ALLOW
 0190 0191 019D 01B0 UID(*) ALLOW
 *- UID(*) ALLOW
 -  UID(*) ALLOW
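
The transposition described above for masks such as 019* and *19-1A*, sketched in Python as an added example; it is not CA ACF2's own transposition routine, which the appendix documents. The function names, the 1-4 character limit and the numeric comparison are assumptions, and generic operands such as `-` and `*-` are outside its scope.

```python
import re

# Assumption: an address or mask is 1-4 characters of hex digits and '*'.
_MASK = re.compile(r"[0-9A-F*]{1,4}")
_ADDR = re.compile(r"[0-9A-F]{1,4}")


def transpose(operand):
    """Turn a masked address or LOW-HIGH range into numeric (low, high) bounds."""
    operand = operand.upper()
    low, sep, high = operand.partition("-")
    if not sep:
        high = low  # a single mask such as 019* supplies both bounds
    if not (_MASK.fullmatch(low) and _MASK.fullmatch(high)):
        raise ValueError(f"not a device address mask: {operand!r}")
    # '*' is a position holder: low-value (0) in the low bound,
    # high-value (F) in the high bound.
    lo = int(low.replace("*", "0"), 16)
    hi = int(high.replace("*", "F"), 16)
    if lo > hi:
        raise ValueError(f"low bound above high bound: {operand!r}")
    return lo, hi


def covers(rule_operand, device):
    """True if a device address falls inside the transposed range of a rule operand."""
    device = device.upper()
    if not _ADDR.fullmatch(device):
        return False  # 019G-019Z are never valid device addresses
    lo, hi = transpose(rule_operand)
    return lo <= int(device, 16) <= hi


if __name__ == "__main__":
    # Operands taken from the text and the DETACH rule entries above.
    for mask in ("019*", "*19-1A*", "0190-01AF"):
        lo, hi = transpose(mask)
        print(f"{mask:>10} -> {lo:04X}-{hi:04X}")
    # Constructed device addresses checked against the 019* rule line.
    for dev in ("0190", "019F", "019", "019G", "01A0"):
        print(f"{dev:>10} covered by 019*: {covers('019*', dev)}")
```

Running a rule set through a check like this before it is compiled shows exactly which device addresses a masked line grants, which is where an over-broad `*` is easiest to catch.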

The next series of examples shows how the ATTACH command uses device ranges. In this first example, only OPRLEAD1 can issue all forms of the ATTACH command.

$KEY(ATTACH)
 - UID(OPRLEAD1) ALLOW

In the next example, user MAINT can ATTACH tape drives 0581 and 0583 to any virtual machine. The TO is not required in the rule because it is a default in the command model. Here it clarifies the example.

$KEY(ATTACH)
 0581 TO - UID(MAINT) ALLOW
 0583 TO - UID(MAINT) ALLOW

In the next example, all system operators can ATTACH devices to the SYSTEM, but these commands are logged.

$KEY(ATTACH)
 - TO SYSTEM AS - UID(OPERATOR) LOG

In the next example, no users can ATTACH a volume as a 3330V device.

$KEY(ATTACH)
 - TO - AS 3330V UID(-) PREVENT