

DirMaint Version 1 Release 5 and Above Command Syntax

DirMaint Version 1 Release 5 and above command structure follows:

DirMaint prefix-keywords command-string

prefix-keywords

Any of the several DirMaint options, such as FORUSER, ASUSER, and so on.

command-string

The actual DirMaint command string.

Most of the prefix-keywords affect how the command operates. However, the FORUSER keyword specifies who the command is issued for, which in many cases determines which directory entry the command actually affects. Because of this, the CA ACF2 for z/VM VM DirMaint Version 1 Release 5 interface constructs a command validation string as follows:

DirMaint FORUSER userid cmd-string

DirMaint

The command name and, therefore, the name of the rule ($KEY value) that is validated.

FORUSER

A constant value of FORUSER.

userid

The value that follows the FORUSER keyword. This value is normally * if the command issuer did not supply the FORUSER prefix-keyword, but the DirMaint default settings or the ASUSER prefix-keyword can override it.

cmd-string

The actual function to perform. This does not include the prefix-keywords.

Even if DirMaint Version 1 Release 5 is running with CMDLEVEL= 140A, CA ACF2 for z/VM validates the Version 1 Release 5 syntax because DirMaint converts the 140A compatibility syntax to Version 1 Release 5 syntax before calling the command validation exits.

For example, to allow MAINT to issue the command:

DirMaint FORUSER TESTUSER PURGE

The following rule entry applies:

$KEY(DirMaint)
 FORUSER TESTUSER PURGE UID(MAINT) ALLOW

This allows MAINT to PURGE the directory entry for ID TESTUSER. The following rule also applies:

$KEY(DirMaint)
 FORUSER * PURGE UID(MAINT) ALLOW

If you use the value of * in the rule for the FORUSER operand, any FORUSER value applies. In other words, the above rule allows MAINT to PURGE the directory entry for any user.

To make a rule apply only to the command issuer, that is, when the command is issued without the FORUSER operand or with a FORUSER value that matches the command issuer, write the rule as:

$KEY(DirMaint)
 FORUSER OWNER MDPW *-  UID(*) ALLOW

The above rule allows any user to issue the MDPW command for its own minidisks, but not for another user's minidisks. OWNER is a special token that matches either * or the ID being validated.
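The following Python sketch is an added illustration, not CA ACF2 or DirMaint code. It models how the validation string is built and how the three rule entries above match it. It assumes that UID(...) holds a bare user ID, that a trailing *- accepts any remaining operands, and that neither DirMaint defaults nor ASUSER override the FORUSER value; the user IDs ALICE and BOB and the MDPW operand 191 are constructed.

```python
import re

# The three rule entries shown on this page, in order.
RULES = [
    "FORUSER TESTUSER PURGE UID(MAINT) ALLOW",
    "FORUSER * PURGE UID(MAINT) ALLOW",
    "FORUSER OWNER MDPW *-  UID(*) ALLOW",
]

def validation_string(command):
    """Return ['FORUSER', userid, *cmd-string] for an issued DirMaint command."""
    tokens = command.upper().split()[1:]      # drop the command name (the $KEY)
    userid = "*"                              # value used when FORUSER was not supplied
    if tokens[:1] == ["FORUSER"]:
        userid, tokens = tokens[1], tokens[2:]
    return ["FORUSER", userid] + tokens

def parse_entry(entry):
    """Split a rule entry into (FORUSER pattern, command pattern, UID)."""
    m = re.fullmatch(r"FORUSER\s+(\S+)\s+(.*?)\s+UID\(([^)\s]+)\)\s+ALLOW",
                     entry.strip().upper())
    if m is None:
        raise ValueError("unsupported rule entry: " + entry)
    return m.group(1), m.group(2).split(), m.group(3)

def cmd_matches(pattern, operands):
    """Token comparison; a trailing '*-' accepts any remaining operands (assumption)."""
    if pattern and pattern[-1] == "*-":
        head = pattern[:-1]
        return operands[:len(head)] == head
    return pattern == operands

def entry_allows(entry, issuer, command):
    """True if this rule entry allows `issuer` to run `command`."""
    who, cmd_pat, uid = parse_entry(entry)
    _, userid, *operands = validation_string(command)
    issuer = issuer.upper()
    if who == "OWNER":                        # matches * or the ID being validated
        target_ok = userid in ("*", issuer)
    else:                                     # '*' in the rule matches any FORUSER value
        target_ok = who in ("*", userid)
    return target_ok and cmd_matches(cmd_pat, operands) and uid in ("*", issuer)

if __name__ == "__main__":
    for issuer, cmd in [("MAINT", "DirMaint FORUSER BOB PURGE"),
                        ("ALICE", "DirMaint MDPW 191"),
                        ("ALICE", "DirMaint FORUSER BOB MDPW 191")]:
        hits = [r for r in RULES if entry_allows(r, issuer, cmd)]
        print(issuer, "|", cmd, "->", hits or "no matching ALLOW entry")
```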