

What are Access Rule Sets?

An access rule set is a group of related access rules. Rule entries specify the data, access types, and permissions. CA ACF2 for z/VM maintains a rule set for each data set name (DSN) high‑level index, although some rule sets can apply to entire volumes of DASD or tape data sets. CA ACF2 for z/VM stores rule sets in the Rule database by their key or high‑level index. The key for a data set access rule set can be up to eight characters long. The key for a volume access rule is the volume serial number (VOLSER), which can be six characters long. Rule sets are compiled and stored much like programs.

The following is a sample rule set:

$KEY(TLCAMS)  MODE(ABORT)
%CHANGE ACCTGMGRTLCMGR
 V0191.VOLUME UID(ACCTGAUD) R(A) E(A) W(A)
 V0191.ACCOUNTS.DATA UID(ACCTGAUD) R(A) E(A) W(A)

This rule set allows all accounting auditors to read and write to the ACCOUNTS.DATA file on the TLCAMS 191 disk. UIDs that start with ACCTGAUD can also link to the TLCAMS 191 minidisk because the V0191.VOLUME rule allows this. UIDs are explained later in this chapter.

This sample rule set contains control statements, access rule entries, access types, and access permissions. Each of these is described in the sections that follow.

Control Statements

Control statements are parameters that begin a rule set. They specify conditions that apply to the whole rule set or to its rule entries. You can use two types of control statements in a CA ACF2 for z/VM rule set: those that begin with a $ (dollar sign) and those that begin with a % (percent sign). The only required control statement is $KEY, which identifies the high‑level qualifier of the data set this rule set protects. In the sample rule set, $KEY indicates that this rule set applies to files whose names begin with TLCAMS.

The control statements of the rule set specify such attributes as:

Access Rule Entries

Access rule entries are statements that specify the conditions for data access, such as the names of the files you want to allow other users to access. In a rule entry, you can specify the following parameters:

EXECUTE

Defines a specific type of access. When a user has execute only access, he cannot read or write to the data. That is, he cannot update or even look at the data, but he can use it (for example, to run a program).

FOR

Specifies the number of days that a user can access this data.

NEXTKEY

Specifies the name of an alternate rule set that CA ACF2 for z/VM checks to determine if the access is authorized.

PSEUDO DSN

Defines the information that describes the minidisks, CMS files, or OS and DOS data sets.

READ

Defines a specific type of access. When a user has read access to data, he can only read the data. He cannot write to (or update) the data.

SHIFT

Specifies the time‑of‑day when a user can access the system, specific data, or resources.

SOURCE

Specifies the logical input source name or source group name where this logonid must enter the system, for example, a terminal.

UID

Defines a 1- to 24-character string that is formed when CA ACF2 for z/VM combines logonid record fields that you specify. UIDs specify the user or groups of users the rule entry applies to. By using a masked UID to group users, you reduce the number of rule entries you need to write.

UNTIL

Specifies a time limit to allow only temporary access to this data.

WRITE

Defines a specific type of access. When a user has write access to data, he can write to (or update) the data.

ZONE

Specifies the time zone where this user accesses the system (the user’s local time zone).

In the sample rule set shown in the What are Access Rule Sets? section, all accounting auditors (UIDs that start with ACCTGAUD) can read and write to the ACCOUNTS.DATA file on the TLCAMS 0191 disk and link to the TLCAMS 0191 minidisk as specified by the V0191.VOLUME rule.

Access Types

Access types are parameters in a rule entry that specify the type of access a user can have. A rule can specify that users can have read‑only (READ), read/write (WRITE), or execute‑only (EXEC) access to data. You can use a one‑character abbreviation for the access type such as R for read‑only, W for read/write, and E for execute‑only.

Access Permissions

Access permissions are parameters in a rule entry that specify the action CA ACF2 for z/VM takes when all of the required conditions are met. Access rules instruct CA ACF2 for z/VM to enforce one of the following access permissions:

Allow (A)

Allow the user to access the data.

Log (L)

Allow the user to access the data, but record the access so that CA ACF2 for z/VM creates an audit trail. Specify LOG for sensitive data.

Prevent (P)

Do not allow the user to access this data. Log the attempt and create an audit trail.

Each access type is paired with a permission to fully describe the access you want to grant. For example, R(A) W(L) lets these users read this data and also write to (update) it, but every write is logged. In our example, UIDs that begin with ACCTGAUD can read and write to the ACCOUNTS.DATA file. By default, all other UIDs are denied access.
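To make the rule-set syntax, UID masking, access types and permissions described above concrete, here is a small evaluator written for this page (it is an added example, not CA's code). It assumes a simplified model: UID masks match as prefixes, the first matching entry wins, and any unlisted access type or unmatched request is prevented; the PAYROLL.DATA entry is a constructed addition to the page's TLCAMS sample so that LOG and PREVENT are exercised.

```python
import re

# Constructed rule set: the page's TLCAMS sample plus one extra entry
# (PAYROLL.DATA) added here to exercise the LOG and PREVENT permissions.
RULE_SET = """\
$KEY(TLCAMS)  MODE(ABORT)
%CHANGE ACCTGMGR
 V0191.VOLUME UID(ACCTGAUD) R(A) E(A) W(A)
 V0191.ACCOUNTS.DATA UID(ACCTGAUD) R(A) E(A) W(A)
 V0191.PAYROLL.DATA UID(ACCTGMGR) R(A) W(L) E(P)
"""

# A rule entry: <pseudo DSN> UID(<mask>) followed by type(permission) pairs.
ENTRY_RE = re.compile(r"^\s*(?P<dsn>\S+)\s+UID\((?P<uid>[^)]*)\)(?P<perms>.*)$")
PERM_RE = re.compile(r"\b([RWE])\(([ALP])\)")


def parse_rule_set(text):
    """Return (key, entries); each entry is (pseudo_dsn, uid_mask, {type: permission})."""
    key, entries = None, []
    for line in text.splitlines():
        if line.startswith("$KEY("):
            key = line[5:line.index(")")]          # high-level qualifier the set protects
        elif line.startswith(("$", "%")) or not line.strip():
            continue                               # other control statements not modelled
        else:
            m = ENTRY_RE.match(line)
            if not m:
                raise ValueError("bad rule entry: " + line)
            perms = {t: p for t, p in PERM_RE.findall(m.group("perms"))}
            entries.append((m.group("dsn"), m.group("uid"), perms))
    return key, entries


def check_access(rule_set, uid, dsn, access):
    """Evaluate one request. dsn is KEY.PSEUDO_DSN; access is 'R', 'W' or 'E'.
    Returns 'A' (allow), 'L' (allow and log) or 'P' (prevent and log)."""
    key, entries = parse_rule_set(rule_set)
    hlq, _, pseudo = dsn.partition(".")
    if hlq != key:
        return "P"                                 # this rule set does not cover the DSN
    for pseudo_dsn, uid_mask, perms in entries:
        # Assumption: a masked UID matches every UID that starts with it.
        if pseudo == pseudo_dsn and uid.startswith(uid_mask):
            return perms.get(access, "P")          # access type not granted: prevent
    return "P"                                     # no matching entry: default deny
```

Running check_access for an ACCTGAUD auditor against TLCAMS.V0191.ACCOUNTS.DATA returns 'A' for R, W and E, while any UID outside the masks is prevented, matching the default-deny behaviour the text describes.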