

Protection by Spool File Owner

You can protect spool files by spool file owner. This type of protection is useful when you need to protect group or departmental files. In the rule set below, the first rule entry lets any PAY user change a spool file that is owned by SYSTEM, but the event is logged. Also, no other users can change PAYOPR files. The last line of the rule set lets OPR users change any other files.

$KEY(CHANGE)
 SYSTEM *- -  UID(PAY) LOG
 PAYOPR *- -  UID(*) PREVENT
 -  UID(OPR) ALLOW
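
The CHANGE rule set above, run through a small Python model of rule evaluation; this is an added example, not CA ACF2 code and not part of the original documentation. It assumes `*` matches one character, `-` matches any run of characters, a final lone `-` covers all remaining operands, UID(x) matches any UID string beginning with x, entries are tried in the order listed, and a request that matches no entry is prevented. The user IDs and operands in the sample requests are constructed.

```python
import re

# The $KEY(CHANGE) rule set from the page, copied verbatim.
CHANGE_RULES = """\
 SYSTEM *- -  UID(PAY) LOG
 PAYOPR *- -  UID(*) PREVENT
 -  UID(OPR) ALLOW
"""

def mask_re(mask, prefix=False):
    # Assumed mask semantics: '*' = exactly one character, '-' = any run of characters.
    body = "".join("." if c == "*" else ".*" if c == "-" else re.escape(c) for c in mask)
    return re.compile(body + (".*" if prefix else ""))

def parse_entry(line):
    # Entry layout as shown on the page: "<operand masks...> UID(<mask>) <ACTION>"
    *masks, uid, action = line.split()
    if not (uid.startswith("UID(") and uid.endswith(")")):
        raise ValueError(f"malformed rule entry: {line!r}")
    return masks, uid[4:-1], action

def operands_match(masks, operands):
    # Assumption: a final lone '-' absorbs every remaining operand (zero or more).
    if masks and masks[-1] == "-":
        masks = masks[:-1]
        if len(operands) < len(masks):
            return False
        operands = operands[:len(masks)]
    elif len(masks) != len(operands):
        return False
    return all(mask_re(m).fullmatch(o) for m, o in zip(masks, operands))

def decide(rule_text, uid, operands):
    """Return (action, deciding entry) for one request; no match means PREVENT."""
    for line in filter(str.strip, rule_text.splitlines()):
        masks, uid_mask, action = parse_entry(line)
        # Assumption: UID(x) matches any UID string that begins with x.
        if operands_match(masks, operands) and mask_re(uid_mask, prefix=True).fullmatch(uid):
            return action, line.strip()
    return "PREVENT", None

# Constructed requests: (requesting UID string, CHANGE operands with the file owner first)
REQUESTS = [
    ("PAYJONES", ["SYSTEM", "RDR", "0012", "CLASS", "A"]),
    ("OPRSMITH", ["PAYOPR", "PRT", "ALL"]),
    ("OPRSMITH", ["MKT01", "RDR", "0007"]),
    ("MKTLEE", ["MKT01", "RDR", "0007"]),
]

if __name__ == "__main__":
    for uid, ops in REQUESTS:
        print(uid, " ".join(ops), "->", decide(CHANGE_RULES, uid, ops))
```

Returning the deciding entry alongside the action makes it easy to see when a broad entry such as `UID(*) PREVENT` decides a request before a later, narrower-looking ALLOW is reached.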

In the next rule set, PAYOPR can purge PAY files. OPR users can purge any SYSTEM files. PEROPR can purge any files, but CA ACF2 for z/VM logs the event. Other users can only purge files in their own spool queue.

$KEY(PURGE)
 PAY- *- -  UID(PAYOPR) ALLOW
 SYSTEM *- - UID(OPR) ALLOW
 *- - UID(PEROPR) LOG
 ALL -  UID(*) ALLOW
 PRT -  UID(*) ALLOW
 PUN -  UID(*) ALLOW
 RDR -  UID(*) ALLOW

The rule set below lets OPR users spool TO and FOR any files. PAYOPR can spool TO and FOR PAY users, but the event is logged. The last four lines of the rule set let users in a department spool TO and FOR users in the same department (any user in the Accounting department can spool TO or FOR any other user in the Accounting department, and Marketing department users can spool TO or FOR any other users in the Marketing department).

$KEY(SPOOL)
 *- *- PAY- - UID(PAYOPR) LOG
 *- *- GEN- -  UID(GEN) ALLOW
 *- *- MKT- -  UID(MKT) ALLOW
 *- *- EXC- -  UID(EXC) ALLOW
 *- *- ACC- -  UID(ACC) ALLOW
 -  UID(OPR) ALLOW

This rule set lets OPR user IDs start up any files. PAY users can only start up PAY files, but CA ACF2 for z/VM logs the event. CA ACF2 for z/VM denies all other users start-up privileges.

$KEY(START)
 PAY -  UID(PAY) LOG
 SYSTEM -  UID(*) PREVENT
 *- -  UID(OPR) ALLOW

The following rule set lets PAYOPR transfer any SYSTEM files to anyone. EXC users can transfer EXC*** files to anyone. All PER*** users can transfer any PERxxx files only to any other PER*** user. Users with the OPR*** user ID can transfer any files to anyone.

$KEY(TRANSFER)
 SYSTEM *- *- *- *- *-  UID(PAYOPR) ALLOW
 EXC- *- *- *- *-  *-  UID(EXC) ALLOW
 PER- *- *- *- PER-  *-  UID(PER) ALLOW
 -  UID(OPR) ALLOW