Rule Writing Guidelines › Operand Masking Techniques › Rules for Defaults from Other Operands (VALUEFOR)

Rules for Defaults from Other Operands (VALUEFOR)

Commands can obtain a default value for an operand when the command is executed, as in the ATTACH command, shown below.

ATTACH B8A TO USERA
ATTACH B8A TO USERA AS B8A
ATTACH B8A TO USERA AS BA8

• In the first line, real device B8A is attached to USERA as virtual device B8A. The virtual device address is obtained from the real device address since none was specified. You can think of the real device address as being a value for the virtual device address.
• The next example (second line) is the same as the first, except that the virtual device address is explicitly specified.
• The third example specifies a virtual device address that is different than the real device address.

When a command such as ATTACH is processed against an operand with a VALUEFOR clause, the command limiting interpreter fills in the default value. This is the way CP would behave, as in the first command example above. However, when you are writing rules, the VALUEFOR has no special meaning. You must specifically write rules to protect its object. If this was not true, the following rule would let TLCAMS issue the third sample command.

$KEY(ATTACH)
 B8A - UID(TLCAMS) PREVENT
 - UID(*) ALLOW

In the above rule, we want to prevent TLCAMS from issuing the ATTACH command against the real device B8A, regardless of his privileges (CP or CA ACF2 for z/ VM).

To protect specific values of an object of a VALUEFOR, you must write specific rules. To specifically control what virtual device address a user can specify for a particular device, examine the following rule.

$KEY(ATTACH)
 58* TO *- AS 18* UID(TLCPAM) ALLOW
 - UID(*) ALLOW

In the above example, user TLCPAM can issue the ATTACH command against devices 580-58F. He can attach them to anyone as long as they are attached as virtual addresses 180-18F.