If class or form by themselves do not provide the desired protection, you can combine them. These rules can be more complicated because there can be a wide variety of combinations of classes and forms.
The first entry of the rule set below prevents any user from changing a spool file in class A or B in any SYSTEM where the value of form is STD (standard). The second entry prevents all users from changing a spool file on any device in class C with a form of XY. The last line of the rule set allows all other spool changes.

    $KEY(CHANGE)
    *- CLASS AB CLASS * FORM STD - UID(*) PREVENT
    *- CLASS C CLASS * FORM XY - UID(*) PREVENT
    - UID(*) ALLOW
In the rule below, user OPR cannot purge any files in classes A or B, or with a form of EXEC. User PAYOPR can purge any spool files with a class of P and form of A. Other users can only purge files in their own spool queue, with any class.
    $KEY(PURGE)
    *- *- CLASS P FORM A - UID(PAYOPR) ALLOW
    *- *- CLASS ABC FORM EXEC - UID(OPR) PREVENT
    ALL - UID(*) ALLOW
    PRT - UID(*) ALLOW
    PUN - UID(*) ALLOW
    RDR - UID(*) ALLOW
The next rule set prevents users with the PAY user ID from spooling any files in class P with the EXEC form. PER users cannot spool any files with the STD (standard) form and a class of X. The last two lines of the rule set allow all other spooling for those users in the classes and forms not specifically prevented by the previous entries.

    $KEY(SPOOL)
    *- *- CLASS P FORM EXEC - UID(PAY) PREVENT
    *- *- CLASS X FORM STD - UID(PER) PREVENT
    *- - UID(PAY) ALLOW
    *- - UID(PER) ALLOW
This rule set lets users with the OPR user ID start up any spool files in classes A, B, C, or D with the STANDARD form only. PAYOPR cannot start any spool files in class P, any form. All other users can start their own files, no matter what their class or form.
    $KEY(START)
    *- CLASS ABCD FORM STANDARD - UID(OPR) ALLOW
    *- CLASS P FORM * - UID(PAYOPR) PREVENT
    ALL - UID(*) ALLOW
    PRT - UID(*) ALLOW
    PUN - UID(*) ALLOW
    RDR - UID(*) ALLOW
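As an added illustration (not code from the CA documentation), the following Python model parses the PURGE and SPOOL rule sets above and evaluates sample requests against them, which is a cheap way to test a rule set before it is compiled. It assumes entries are tested in the order written with the first match deciding, default deny when nothing matches, `*`/`-` masking with short UID masks padded with `*`, and reads only the first leading mask as the device type; these are reader assumptions, not ACF2's own matching algorithm.

```python
# Reader's model of the page's spool rule sets, not ACF2's own algorithm. Assumed:
# entries are tested in written order and the first match decides; no match means
# PREVENT; '*' matches one character, a trailing '-' matches the rest; a short UID
# mask is padded with '*' (so UID(*) covers everyone, as the page uses it); the first
# leading mask is the device type, with 'ALL' and '*-' matching any device.

def mask_match(mask, value, pad=False):
    if mask.endswith("-"):
        mask, value = mask[:-1], value[:len(mask) - 1]
    elif pad:
        mask = mask.ljust(len(value), "*")
    return len(mask) == len(value) and all(m in ("*", v) for m, v in zip(mask, value))

def parse_entries(rule_text):
    """Lines after $KEY become (masks, classes, form, uid_mask, permission)."""
    entries = []
    for line in rule_text.strip().splitlines()[1:]:
        toks = line.split()
        sep = toks.index("-")  # "-" separates the object part from UID(...) permission
        head, uid, action = toks[:sep], toks[sep + 1][4:-1], toks[sep + 2]
        n = next((i for i, t in enumerate(head) if t in ("CLASS", "FORM")), len(head))
        kw = dict(zip(head[n::2], head[n + 1::2]))  # e.g. {"CLASS": "P", "FORM": "A"}
        entries.append((head[:n] or ["*-"], kw.get("CLASS"), kw.get("FORM"), uid, action))
    return entries

def decide(rule_text, device, cls, form, uid):
    """Return ALLOW or PREVENT for one request against one rule set."""
    for masks, classes, fmask, umask, action in parse_entries(rule_text):
        device_ok = masks[0] == "ALL" or mask_match(masks[0], device)
        class_ok = classes in (None, "*") or cls in classes
        form_ok = fmask in (None, "*") or mask_match(fmask, form)
        if device_ok and class_ok and form_ok and mask_match(umask, uid, pad=True):
            return action
    return "PREVENT"

# The page's PURGE and SPOOL rule sets, keywords written out in full.
PURGE = """$KEY(PURGE)
*- *- CLASS P FORM A - UID(PAYOPR) ALLOW
*- *- CLASS ABC FORM EXEC - UID(OPR) PREVENT
ALL - UID(*) ALLOW
PRT - UID(*) ALLOW
PUN - UID(*) ALLOW
RDR - UID(*) ALLOW"""
SPOOL = """$KEY(SPOOL)
*- *- CLASS P FORM EXEC - UID(PAY) PREVENT
*- *- CLASS X FORM STD - UID(PER) PREVENT
*- - UID(PAY) ALLOW
*- - UID(PER) ALLOW"""
```

Calling `decide(PURGE, "PRT", "A", "EXEC", "OPR")` returns PREVENT while `decide(PURGE, "PRT", "P", "A", "PAYOPR")` returns ALLOW, reproducing the behaviour the text describes; a user such as JOE (constructed) with no SPOOL entry gets PREVENT under the default-deny assumption.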
Copyright © 2013 CA Technologies.
All rights reserved.