

Protection by Class

In the example below, the first line of the rule indicates that the CHANGE command is command limited. The second line prevents any user from changing a spool file in classes C or 2. All other spool changes are allowed (last line of rule set).

$KEY(CHANGE)
 -  CLASS C2 -  UID(*) PREVENT
 -  UID(*) ALLOW

In the next rule, user OPR can purge classes A, E, F, G, M, O, or R. User PAYOPR is allowed to purge classes P and W that belong to user IDs beginning with P only. Other users can only purge files in their own spool queue.

$KEY(PURGE)
 P***** - CL PW -  UID(PAYOPR) ALLOW
 - CL AEFGMOR -  UID(OPR) ALLOW
 ALL -  UID(*) ALLOW
 PRT -  UID(*) ALLOW
 PUN -  UID(*) ALLOW
 RDR -  UID(*) ALLOW

The next rule set prevents users with the PAY, PER, GEN, MKT, and OPR user IDs from spooling the classes listed in their particular rule. The last five lines of the rule set allow all other spooling for those classes not specifically prevented in the previous rules. The mask *- requires that you enter at least one character for the device type before you specify other operands, including class. The - masks any other operands, either before or after class.

$KEY(SPOOL)
 *- - CLASS BCEFGHIJKLMNQSTUVXYZ0123456789 - UID(PAY) PREVENT
 *- - CLASS ABDGHIKLMNOQRSTVWXYZ0123456789 - UID(PER) PREVENT
 *- - CLASS ABCDEFHIJKLMNOPRSTUVXYZ013456789 - UID(GEN) PREVENT
 *- - CLASS BCDEGHIJKNOPQRTUVWXYZ0123456789 - UID(MKT) PREVENT
 *- - CLASS ABCDEFGHIJKLMNQRSTVWXY012356789 - UID(OPR) PREVENT
 -  UID(PAY) ALLOW
 -  UID(PER) ALLOW
 -  UID(GEN) ALLOW
 -  UID(MKT) ALLOW
 -  UID(OPR) ALLOW
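The CHANGE and SPOOL rule sets above are easier to audit if you can ask, for a given user and class, which entry wins and what it yields (for instance, which classes each user is actually left able to spool once its PREVENT list is subtracted). The following is an added example, not code from the CA ACF2 documentation or product: a simplified Python model of the rule-entry matching described on this page. It evaluates only the CLASS list and the UID mask of each entry (the device-type and spool-file-owner positional masks are ignored), chooses the most specific matching entry (an assumption: an entry naming classes beats one that does not, then more literal UID characters win), and defaults to PREVENT when nothing matches, as the SPTAPE example on this page describes. The mask semantics are also an assumption made for this model: an asterisk matches one character, and a trailing run of asterisks or a hyphen matches the remainder, so UID(*) and UID(-) both cover every user. The rule text embedded in RULE_SETS is copied from the two rule sets above; the user ID GUEST is constructed.

```python
# Added example (not from the CA ACF2 documentation): a simplified model of
# how the class-based rule sets above resolve a request. Only the CLASS list
# and UID mask of each entry are evaluated; the most specific matching entry
# wins (assumption) and the default is PREVENT when nothing matches.
import re

ALL_CLASSES = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

# Rule entries copied from the $KEY(CHANGE) and $KEY(SPOOL) examples above.
RULE_SETS = {
    "CHANGE": """
 -  CLASS C2 -  UID(*) PREVENT
 -  UID(*) ALLOW
""",
    "SPOOL": """
 *- - CLASS BCEFGHIJKLMNQSTUVXYZ0123456789 - UID(PAY) PREVENT
 *- - CLASS ABDGHIKLMNOQRSTVWXYZ0123456789 - UID(PER) PREVENT
 *- - CLASS ABCDEFHIJKLMNOPRSTUVXYZ013456789 - UID(GEN) PREVENT
 *- - CLASS BCDEGHIJKNOPQRTUVWXYZ0123456789 - UID(MKT) PREVENT
 *- - CLASS ABCDEFGHIJKLMNQRSTVWXY012356789 - UID(OPR) PREVENT
 -  UID(PAY) ALLOW
 -  UID(PER) ALLOW
 -  UID(GEN) ALLOW
 -  UID(MKT) ALLOW
 -  UID(OPR) ALLOW
""",
}


def mask_to_regex(mask):
    """Translate a UID mask into an anchored regular expression (assumed semantics:
    '*' matches one character; a '-' or a trailing run of '*' matches the remainder)."""
    body, dash, _rest = mask.partition("-")
    literal_part = body.rstrip("*")
    pattern = "".join("." if ch == "*" else re.escape(ch) for ch in literal_part)
    if dash or len(literal_part) < len(body):
        pattern += ".*"  # '-' or trailing '*' run: match whatever remains
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def parse_rule_set(text):
    """Parse rule entries into dicts holding the fields this model evaluates."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        entry = {"classes": None, "uid": "-", "perm": tokens[-1].upper()}
        for i, tok in enumerate(tokens):
            if tok.upper() in ("CLASS", "CL") and i + 1 < len(tokens):
                entry["classes"] = set(tokens[i + 1].upper())
            m = re.fullmatch(r"UID\((.*)\)", tok, re.IGNORECASE)
            if m:
                entry["uid"] = m.group(1).upper()
        entry["uid_re"] = mask_to_regex(entry["uid"])
        entries.append(entry)
    return entries


def specificity(entry):
    """An entry naming classes beats one that does not; then more literal UID chars win."""
    literals = sum(1 for ch in entry["uid"] if ch not in "*-")
    return (entry["classes"] is not None, literals)


def evaluate(entries, uid, spool_class):
    """Return ALLOW, LOG or PREVENT for one user and one class against a rule set."""
    best = None
    for e in entries:
        if e["classes"] is not None and spool_class.upper() not in e["classes"]:
            continue
        if not e["uid_re"].match(uid):
            continue
        if best is None or specificity(e) > specificity(best):
            best = e
    return best["perm"] if best else "PREVENT"


def allowed_classes(entries, uid):
    """Classes the user may use (ALLOW or LOG), listed in A-Z then 0-9 order."""
    return "".join(c for c in ALL_CLASSES if evaluate(entries, uid, c) != "PREVENT")


if __name__ == "__main__":
    spool = parse_rule_set(RULE_SETS["SPOOL"])
    for user in ("PAY", "PER", "GEN", "MKT", "OPR", "GUEST"):  # GUEST is constructed
        print(f"{user:6} may SPOOL classes: {allowed_classes(spool, user) or '(none)'}")
```

Running the script lists the residual classes each user can spool under the $KEY(SPOOL) rule set; a user ID that no entry names (GUEST) gets nothing, which is the default-deny behaviour the SPTAPE example relies on. The model is deliberately narrow: it says nothing about the device-type and owner masks, so use it to reason about class coverage, not as a substitute for the product's own rule interpretation.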

The next rule lets an OPR user ID dump any class A, B, or C file, but the occurrence is logged. CA ACF2 for z/VM denies all attempts at dumping any other classes.

$KEY(SPTAPE)
 - CLASS ABC UID(OPR) LOG

Below, OPR user IDs can start up classes A, E, F, G, M, O, and R only. PAYOPR can only start up classes P and W.

$KEY(START)
 *- CL AEFGMOR - UID(OPR) ALLOW
 *- CL PW - UID(PAYOPR) ALLOW

The following rule lets PAYOPR send files in classes A, P, R, and W to and from Payroll and Personnel. The OPR user can send class E, F, G, M, and O files to anyone, and class A and R files only to Payroll and Personnel. PAY and PER users can transfer files in classes A, P, R, and W to or from others in Payroll and Personnel. PER users can also transfer files in classes E, F, G, M, and O to or from anyone. GEN and MKT users can transfer files to and from anyone.

$KEY(TRANSFER)
 SYSTEM *- CL APRW *- P***** -  UID(PAYOPR) ALLOW
 SYSTEM *- CL AR *- P***** -  UID(OPR) A
 *- CL APRW *- PER***  UID(PER) ALLOW
 *- CL APRW *- PAY*** -  UID(PAY) ALLOW
 SYSTEM *- CL EFGMO -  UID(OPR) ALLOW
 *- CL EFGMO -  UID(OPR) ALLOW
 *- CL EFGMO -  UID(PER) ALLOW
 -  UID(GEN) ALLOW
 -  UID(MKT) ALLOW