Rule Writing Guidelines › Syntax of a Rule Set › Control Statements

Control Statements

The control statements identify the command and diagnose limiting rule set and determine some rule set characteristics. The control statements and the syntax rules for coding them are:

  $KEY(command|diagnose) [MDLTYPE(mdltype)]
  $MDLTYPE(mdltype)
 [ $MODEL(model)               ]
 [ $MODE(QUIET|LOG|WARN|ABORT) ]
 [ $NOSORT                     ]
 [ $OWNER(ownerid)             ]
 [ $USERDATA(localdata)        ]
 [ %CHANGE uid|uidmask         ]

• Each control statement must begin in column one.
• The $KEY control statement is the only required control statement.
• You can use any number of $ or % control statements. If you use the same type of $ control statement more than once, CA ACF2 for z/ VM uses only the last control statement of that type. Enter all $ control statements before any rule entries in the rule set.
• Comment statements begin with an asterisk (*) in column one and can be anywhere in the input. They let you place text inside an uncompiled rule set. This text is lost when the rule set is compiled.
• You can continue all input to the compiler on multiple statements by using a dash (-) as the last nonblank character on the line. If you continue a %CHANGE statement, the next line is treated as a continuation of the %CHANGE control statement, even if that line has the format of another control statement.

You can specify the following control statements in a command and diagnose limiting rule set:

$KEY(command|diagnose)

Supplies the full name of the CP command or diagnose code. You cannot mask this name.

$MDLTYPE(mdltype)

Specifies a three-character name that identifies the appropriate command model. If you do not specify the $MDLTYPE as an operand of the $KEY control statement, you can specify it as a separate control statement.

Each command model defines a valid syntax of a CP command for the operating system and release specified in the $MDLTYPE. The $MDLTYPE lets you write rules for the same CP command for different multiple operating systems and releases. Doing so lets you create and test command limiting rules under operating systems other than the current release running at your site.

You can also use the $MDLTYPE to separate rule sets that apply to different CPUs in an CA ACF2 for z/ VM shared database environment. You can then create separate rules for the same diagnose for different CPUs.

We supply command model files for all supported releases of the VM operating system. Their file type is always MODEL. For more information about the command model files, see the Installation Guide.

For example:

• ZVM510—z/VM Version 5, Release 1.0 systems
• ZVM520—z/VM Version 5, Release 2.0 systems
• ZVM530—z/VM Version 5, Release 3.0 systems
• ZVM540—z/VM Version 5, Release 4.0 systems
• ZVM610—z/VM Version 6, Release 1.0 systems
• ZVM620—z/VM Version 6, Release 2.0 systems
• ZVM630—z/VM Version 6, Release 3.0 systems
• The models for DirMaint are located in a separate file, depending on the release of DirMaint you are running. For example, DIRMR410 contains the model for VM/Directory Maintenance Function Level 410.

If you do not define the MDLTYPE control statement, CA ACF2 for z/ VM command limiting uses the default MDLTYPE defined in the CMDLIM VMO record. Diagnose limiting uses the default MDLTYPE defined in the DIAGLIM VMO record.

$MODEL(model)

Specifies the name of a syntax model description record used when compiling this rule set. The $MODEL control statement is optional. You should not specify it when a syntax model exists that has the same name as this rule’s $KEY. The $MODEL control statement is designed for use by NEXTKEY rule sets, where you define the $KEY of the NEXTKEY rule set and the $KEY control statement does not match a syntax model. For more information about NEXTKEY, see the Using NEXTKEY section.

$MODE(QUIET|LOG|WARN|ABORT)

Specifies the mode for this CP command validation. Whenever an access is denied through this rule set, the mode determines the CA ACF2 for z/ VM response. Valid modes are:

QUIET

Allow the access

LOG

Allow but log the access

WARN

Allow the access but issue a warning message

ABORT

Abort and log the access attempt.

If a rule entry does not permit the request, it is aborted. An exception is how the SYNERR field overrides the mode value. For more information about this field, see the chapter "Controlling Syntax Error Processing for Command Limiting." For more information about the $MODE control statement, see the Administrator Guide.

$NOSORT

Prevents standard CA ACF2 for z/ VM sorting of command limiting rules when you store a rule set. For more information about the $NOSORT control statement, see the Administrator Guide.

$OWNER(ownerid)

Provides an information-only field of up to 24 characters. For more information about the $OWNER control statement, see the Administrator Guide.

$USERDATA(localdata)

Specifies any text string of up to 64 characters that is stored with the rule set. For more information about the $USERDATA control statement, see the Administrator Guide.

%CHANGE (uid|uidmask)

Specifies a UID string or UID mask. This mask lets a SECURITY privileged user delegate the authority to change and recompile the rule set to other users through a UID string or UID string mask. For more information about the %CHANGE control statement, see the Administrator Guide.