

How Do I Use CA ACF2 for z/VM Access Rules?

Before you can write an access rule, you must be the owner of the data, a security administrator, or someone with change authority in the control statement of the rule set.

To write effective access rules, you must ask the following questions:

In the rule set example below, the minidisk rules allow access to the 0191 minidisk, but not to any of the files on the minidisk. Access to specific files is granted by individual rule entries. The lines that begin with an asterisk (*) are comments. They are included to help you understand the rule set.

* ALLOW ALL APPL-PROGRAMMERS TO READ MY COBOL FILE
* FOR THE NEXT 7 DAYS
* ALLOW MY MANAGER TO READ AND WRITE TO MY COBOL FILE
* MY INDEX/LOGONID = APP002, MGR = APP001
$KEY(APP002)
* LINKS TO MY MINIDISK MUST BE AUTHORIZED
 V0191.VOLUME UID(APP001) READ(A) WRITE(A)
 V0191.VOLUME UID(APP) READ(A)
* ACCESS TO THE SPECIFIC FILE FOLLOWS
 V0191.TEST1.COBOL UID(APP001) READ(A) WRITE(A)
 V0191.TEST1.COBOL UID(APP) READ(A) FOR(7)

In the above access rule, the manager (APP001) is allowed WRITE access to the TEST1.COBOL file on the minidisk on virtual device 0191. However, the application programmers (APP) can only read this file, and only for seven days, because their rule entry specifies READ(A) with FOR(7) and does not specify WRITE.

Many sites need to limit access even further. They should consider such issues as:

After you decide how you want to allow others access to your data, you must write the rule sets. Rule sets are like computer programs. Both are written in human-readable form (known as source code) and then converted (compiled) into machine-readable form (known as object code). You can compile the source code directly from the terminal and store it on the rule database. Or, you can create the source code in a CMS file, then compile it into object code and store it on the rule database.

You can use the ACF command and its subcommands to compile, test, store, maintain, and delete access rules on the rule database. Issue the ACF command from the CMS READY prompt. Additionally, CA ACF2 for z/VM provides full-screen panels that you can use to process access rules. You must have special privileges to issue these commands. You can find complete details on how to use the ACF subcommands to process access rules in the Administrator Guide.

How Does CA ACF2 for z/VM Sort Rules?

CA ACF2 for z/VM sorts access rules alphabetically by data set name and then from most specific to most general. CA ACF2 for z/VM grants privileges as determined by the first rule entry that matches the environment. The rule selection algorithm for CA ACF2 for z/VM access rules is mapped out below.
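The following is an added example, not code from CA ACF2 or this guide: a small Python model of the APP002 rule set above and of the selection order just described (entries ordered by data set name, then most specific first, with the first matching entry deciding). It assumes that a UID string in a rule entry matches as a prefix of the requester's UID (so UID(APP) matches APP001 and APP003), that a longer UID mask is the more specific entry, that only the A (allow) value of READ and WRITE is modelled, that an entry whose FOR(n) period has passed is skipped, and that data set names match exactly (data set name masking is not modelled).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Constructed copy of the APP002 rule set shown above (comment lines omitted).
RULE_SET = """\
$KEY(APP002)
 V0191.VOLUME UID(APP001) READ(A) WRITE(A)
 V0191.VOLUME UID(APP) READ(A)
 V0191.TEST1.COBOL UID(APP001) READ(A) WRITE(A)
 V0191.TEST1.COBOL UID(APP) READ(A) FOR(7)
"""

@dataclass(frozen=True)
class RuleEntry:
    dsname: str                     # name relative to $KEY, e.g. V0191.TEST1.COBOL
    uid: str                        # UID mask, treated here as a prefix (assumption)
    read: bool = False              # READ(A) present
    write: bool = False             # WRITE(A) present
    for_days: Optional[int] = None  # FOR(n): valid n days after compile (assumption)

def parse_rule_set(source: str) -> Tuple[str, List[RuleEntry]]:
    key, entries = "", []
    for line in (raw.strip() for raw in source.splitlines()):
        if not line or line.startswith("*"):        # blank line or comment
            continue
        if line.startswith("$KEY("):
            key = line[5:line.index(")")]
            continue
        tokens = line.split()
        fields = {"dsname": tokens[0]}
        for tok in tokens[1:]:
            name, _, value = tok.rstrip(")").partition("(")
            if name == "UID":
                fields["uid"] = value
            elif name in ("READ", "WRITE"):
                fields[name.lower()] = value == "A"  # only A (allow) is modelled
            elif name == "FOR":
                fields["for_days"] = int(value)
        entries.append(RuleEntry(**fields))
    return key, entries

def check_access(entries, dsname, uid, access, days_since_compile=0) -> bool:
    # Order: data set name, then most specific UID mask first; first match decides.
    for e in sorted(entries, key=lambda e: (e.dsname, -len(e.uid))):
        if e.dsname != dsname or not uid.startswith(e.uid):
            continue
        if e.for_days is not None and days_since_compile > e.for_days:
            continue                                # expired entry is skipped
        return e.write if access == "WRITE" else e.read
    return False  # no entry matched: access denied
KEY, ENTRIES = parse_rule_set(RULE_SET)
```

Because the UID(APP001) entry sorts ahead of UID(APP), the manager keeps WRITE even though APP001 also matches the programmers' mask; a programmer such as the constructed UID APP003 is denied WRITE and loses READ once the seven days have passed.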