Resource rule sets are groups of related resource rules that control access to system resources. Resource rule sets are very similar to access rule sets. A resource rule set can contain all of the following:
Control statements are parameters that begin a rule set. They specify conditions that apply to the whole rule set or to the rule entries. You can use two types of control statements in a rule set, those that begin with a $ (dollar sign) and those that begin with a % (percent sign). The only required control statements in resource rules are the $KEY and the $TYPE. The $KEY control statement is the name of the resource you want to protect. The $TYPE is the three‑character type code of the resource. CA ACF2 for z/VM provides six type codes that you can modify:
Controls account use
Controls the target of the AUTOLOG command
Controls access to group IDs
Controls the target of the DIAL command
Controls access to the Inter‑User Communications Vehicle (IUCV)
Controls access to the Virtual Machine Communications Facility (VMCF)
These are the default resource types. You can also define your own resource type codes. The control statements of the rule set determine such attributes as:
Resource rule entries are statements that specify the conditions for resource access. In a rule entry, you can specify any of the following keywords to control the access:
DATA: An optional keyword for any comments you want to record about the rule entry. Comments can be up to 64 characters long. DATA does not affect CA ACF2 for z/VM validation.
SHIFT: An optional keyword that names a shift record residing on the Infostorage database. The shift record defines the dates and times of day during which this user can access the system. If you do not specify SHIFT, the rule entry applies to all shifts.
SOURCE: An optional keyword that defines an input source. To use the resource, the user's request must come from the source ID specified in the rule entry. If you do not specify SOURCE, the rule entry applies to all sources.
UID: The user identification string of the user that the rule entry applies to. You can mask the UID.
UNTIL and FOR: Optional keywords. UNTIL specifies the date on which the rule entry expires and becomes invalid. FOR specifies the number of days that the rule entry is valid; it is translated into an UNTIL date automatically when you compile and store the rule entry. For example, if you compile and store a rule entry on October 1, 1999 with FOR(10) specified, the rule entry automatically expires on October 10, 1999. If you specify neither UNTIL nor FOR, the rule entry applies to all dates.
The next four keywords (ALLOW, LOG, PREVENT, and SERVICE) are related. They specify whether access to the resource is allowed if the rule environment matches a user‑access environment.
These keywords determine how CA ACF2 for z/VM validates the user’s request. Keyword meanings are:
ALLOW: The access is allowed.
LOG: The access is allowed, but logged.
PREVENT: The access request is prevented and logged. This is the default.
SERVICE extends the level of control that a rule entry specifies. The SERVICE level is application‑specific and controls access to the data.
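As an added example (not from the original page), the following resource rule set shows how the $KEY and $TYPE control statements and the rule-entry keywords described above combine in one rule set. Assumed values: a site-defined type code APP, a resource named PAYAPP, a UID layout whose positions 6 to 8 hold a department code, a shift record named DAYTIME and a source ID TERM01.

```text
$KEY(PAYAPP) $TYPE(APP)
 UID(*****PAY) SHIFT(DAYTIME) SOURCE(TERM01) ALLOW DATA(PAYROLL DEPT FROM TERM01 DURING THE DAY SHIFT ONLY)
 UID(*****AUD) LOG DATA(AUDITORS ALLOWED BUT EVERY ACCESS IS LOGGED)
 UID(*****TMP) FOR(10) ALLOW DATA(TEMPORARY STAFF, EXPIRES TEN DAYS AFTER COMPILE)
 UID(-) PREVENT DATA(ALL OTHER USERS ARE DENIED AND THE ATTEMPT IS LOGGED)
```

Compiled and stored on October 1, 1999, the FOR(10) entry is stored with an UNTIL date of October 10, 1999, as described above. The UID(-) entry makes the PREVENT default explicit, so a payroll user connecting from a terminal other than TERM01, or outside the DAYTIME shift, is prevented and logged.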
Copyright © 2009 CA Technologies.
All rights reserved.