You can also simplify rule writing and improve system performance by masking. In access rules, masks can represent multiple data set names or UIDs. You can replace almost all character strings used in CA ACF2 for z/VM with a character string pattern. For example, you can create a pattern to mask the data set, volume, and UID in an access rule set.
You can substitute two special symbols for characters: the asterisk (*) and the dash (-). CA ACF2 for z/VM processes these symbols differently depending on the type of character string, that is, fixed-length strings (such as the UID) or variable-length strings. The basic function of each symbol is described below:
Asterisk (*)
Matches any character in this position. You can place any number of asterisks in a string pattern. For example, AB*D matches any string containing AB in positions 1-2 and D in position 4. ABCD, AB1D, ABXD, and ABBD match AB*D. An asterisk embedded anywhere in a string does not match a null character. For example, AB*D does not match AB D.
If you place an asterisk at the end of a string, the trailing asterisk matches a null character and every other character. For example, ABC* matches ABC, ABCD, ABC1, and ABC2.
Dash (-)
Translates into asterisks to create the maximum length of the character string. Maximum length varies according to the string type. A dash is only valid when placed at the end of a character string or when used by itself. You cannot embed it between other characters.
If you omit a dash from a string specification with a variable length, the remainder of the name is assumed to be blanks and only matches blanks. Also, when specifying data set names, you can specify a dash as the only character of a data set name index level to indicate that any number of index levels (including zero) can be present in the target data set.
Our sample rule set did not contain any masks, but we could add a new rule entry to mask a data set name as follows:
$KEY(TLCAMS)
MODE(ABORT)
%CHANGE ACCTGMGRTLCMGR
V0191.VOLUME UID(ACCTGAUD) R(A) E(A) W(A)
V0191.ACCOUNTS.DATA UID(ACCTGAUD) R(A) E(A) W(A)
V0191.-. UID(ACCTGMGRTLCMGR) R(A) W(A) E(A)
V-.- UID(ACCTG) R(A) E(A) W(P)
This new rule entry allows any user whose UID begins with ACCTG to read and execute any file.
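The matching rules described above, as an added example (not CA's code and not part of the original page): a Python model of the asterisk and dash semantics for variable-length strings, applied to the rule-line portion of names such as V0191.ACCOUNTS.DATA. The 8-character maximum per index level and all function names are assumptions; fixed-length strings such as the UID are not modelled.

```python
MAX_LEN = 8  # assumption: each index level holds at most 8 characters


def expand(mask, max_len=MAX_LEN):
    """Turn a trailing dash into asterisks up to max_len, else pad with blanks."""
    if "-" in mask[:-1]:
        raise ValueError("dash is valid only at the end of a string or by itself")
    if mask.endswith("-"):
        mask = mask[:-1] + "*" * (max_len - len(mask) + 1)
    if len(mask) > max_len:
        raise ValueError("mask is longer than the string type allows")
    return mask.ljust(max_len)  # no dash: the remainder matches only blanks


def match_string(mask, value, max_len=MAX_LEN):
    """Compare one string with a mask, position by position."""
    pattern = expand(mask, max_len)
    if len(value) > max_len:
        return False
    value = value.ljust(max_len)
    # Asterisks after the last literal character are trailing: they also match a null.
    trailing_from = len(pattern.rstrip(" ").rstrip("*"))
    for i, (p, v) in enumerate(zip(pattern, value)):
        if p == "*":
            if v == " " and i < trailing_from:
                return False  # an embedded asterisk never matches a null
        elif p != v:
            return False
    return True


def match_name(mask, name):
    """Match a dotted name; a level that is only '-' covers zero or more levels."""
    def walk(m, n):
        if not m:
            return not n
        if m[0] == "-":
            return any(walk(m[1:], n[k:]) for k in range(len(n) + 1))
        return bool(n) and match_string(m[0], n[0]) and walk(m[1:], n[1:])
    return walk(mask.split("."), name.split("."))


if __name__ == "__main__":
    # Inputs taken from the examples in the text above, plus one constructed name.
    for mask, value in [("AB*D", "ABXD"), ("AB*D", "AB D"), ("ABC*", "ABC"), ("ABC-", "ABCDEF")]:
        print(mask, repr(value), match_string(mask, value))
    print(match_name("V-.-", "V0191.ACCOUNTS.DATA"))
```

Running a candidate mask through a model like this before adding it to a rule set shows how much a broad pattern such as V-.- actually covers.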
Copyright © 2009 CA Technologies.
All rights reserved.