All DirMaint commands are validated as discussed previously, but there are some special considerations and multiple validations for some commands.
The ADD command is validated first. Then CA ACF2 for z/VM validates each MDISK statement in the directory entry you are adding, for the user you are adding, as if it were an AMDISK command.
The CMDISK command is first validated as issued and, if the command is allowed, CA ACF2 for z/VM validates a second time to verify the authority to delete the old extent. This second validation is a DMDISK validation using the VOLSER that the old minidisk is deleted from when the change is complete.
The DMDISK command is validated with one additional parameter: the VOLSER of the real DASD that the minidisk is on is added to the command. The VOLSER is inserted immediately after the virtual address of the minidisk you are deleting.
To allow ACC001 to delete any minidisk from the real DASD with VOLSER ACCPAK, the rule is:
FORUSER * DMDISK *- ACCPAK - UID(ACC001) ALLOW
The PURGE command is validated first. Then CA ACF2 for z/VM validates each MDISK of the user you are purging as a DMDISK command.
The REPLACE command is validated first. Then CA ACF2 for z/VM validates each MDISK that you are changing with both a DMDISK and an AMDISK command. Any new minidisks are validated as an AMDISK command. Then CA ACF2 for z/VM validates any minidisk that will no longer exist in the replaced directory as a DMDISK command.
The RMDISK command is validated first. Then CA ACF2 for z/VM validates a DMDISK command for the old minidisk.
For each of these commands, every one of these validations must be allowed for DirMaint to actually process the command.
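The following is an added illustration, not CA's code and not a reference for ACF2 rule syntax: a toy model of the multi-step validation described above for DMDISK (VOLSER inserted after the virtual address) and CMDISK (the command itself, then a DMDISK for the old extent, both of which must be allowed). The mask semantics, rule selection (first match wins), the users, the minidisks and the VOLSERs are all simplifying assumptions or constructed sample data.

```python
import re

# Constructed rules in the page's style: FORUSER <target> <command fields> UID(<issuer>) ALLOW
RULES = [
    "FORUSER * DMDISK *- ACCPAK - UID(ACC001) ALLOW",   # ACC001 may delete from ACCPAK only
    "FORUSER * CMDISK *- - UID(ACC001) ALLOW",          # ACC001 may issue any CMDISK
    "FORUSER * DMDISK *- - UID(SYSADM) ALLOW",
    "FORUSER * CMDISK *- - UID(SYSADM) ALLOW",
]
# Constructed directory state: the VOLSER each (user, vaddr) minidisk currently sits on.
MDISK_VOLSER = {("ACC001", "0191"): "ACCPAK", ("PAY001", "0191"): "PAYPAK"}

def _mask_match(mask, value):
    # Assumed simplified masking: "*" or "*-" alone matches any one field;
    # inside a field "*" matches one character and "-" matches any suffix.
    if mask in ("*", "*-"):
        return True
    regex = "".join(".*" if c == "-" else "." if c == "*" else re.escape(c) for c in mask)
    return re.fullmatch(regex, value) is not None

def _fields_match(masks, fields):
    for i, mask in enumerate(masks):
        if mask == "-":                      # assumed: a lone "-" matches the rest of the command
            return True
        if i >= len(fields) or not _mask_match(mask, fields[i]):
            return False
    return len(masks) == len(fields)

def allowed(issuer, target, command):
    """One ACF2-style validation: does a rule ALLOW issuer to run command FOR target?"""
    for rule in RULES:
        tmask, cmask, uid, decision = re.fullmatch(
            r"FORUSER (\S+) (.+) UID\((\w+)\) (ALLOW|PREVENT)", rule).groups()
        if uid == issuer and _mask_match(tmask, target) and _fields_match(cmask.split(), command):
            return decision == "ALLOW"
    return False                             # $MODE(ABORT): no matching rule means refusal

def validate_dmdisk(issuer, target, vaddr):
    # The real DASD VOLSER is inserted right after the virtual address before validation.
    volser = MDISK_VOLSER[(target, vaddr)]
    return allowed(issuer, target, ["DMDISK", vaddr, volser])

def validate_cmdisk(issuer, target, vaddr, new_fields):
    # First the CMDISK as issued, then a DMDISK for the old extent; both must pass.
    return (allowed(issuer, target, ["CMDISK", vaddr] + new_fields)
            and validate_dmdisk(issuer, target, vaddr))
```

In this model ACC001 can change a minidisk on ACCPAK but is refused a CMDISK on PAYPAK even though the CMDISK rule itself matches, because the second DMDISK validation fails.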
The sample rule set shown below implements the following controls:
$KEY(DirMaint)
$MODE(ABORT)
FORUSER * AMDISK *- XXXX AUTOG *- ACC - UID(ACCMGR) ALLOW
FORUSER * AMDISK *- XXXX AUTOG *- PAY - UID(PAYMGR) ALLOW
FORUSER * AMDISK *- *- *- *- ACC00* - UID(ACCMGR) ALLOW
FORUSER * AMDISK *- *- *- *- PAY00* - UID(PAYMGR) ALLOW
FORUSER * AMDISK - UID(SYSADM) ALLOW
The field XXXX is a placeholder. When using a group value (AUTOG), do not define a volume serial; XXXX tells the system that no volume serial was assigned. Because of the DirMaint command format, you cannot use any value other than XXXX as the placeholder.
The sample rule set below illustrates how to control who can make changes to various minidisks.
$KEY(DirMaint)
FORUSER * CMDISK *- DUMMY AUTOG *- ACC UID(ACCMGR) ALLOW
FORUSER * CMDISK *- XXXX AUTOG *- PAY UID(PAYMGR) ALLOW
FORUSER * CMDISK *- *- *- *- ACC00* UID(ACCMGR) ALLOW
FORUSER * CMDISK *- *- *- *- PAY00* UID(PAYMGR) ALLOW
FORUSER * CMDISK *- XXXX AUTOG *- - UID(SYSADM) ALLOW
Copyright © 2013 CA Technologies.
All rights reserved.