You can also use masking in resource rules. You can mask the $KEY and UID parameters in resource rules, but you cannot mask the $TYPE control statement. If you mask the $KEY, you must create a resource typelist. A resource typelist is an in‑storage index of $KEYs that CA ACF2 for z/VM searches to find a resource rule. Because resource typelists are loaded into memory, CA ACF2 for z/VM does not have to search the entire Infostorage database for the $KEY. It searches the typelist, and goes directly to the rule that applies. CA ACF2 for z/VM uses resource typelists to enhance performance when you mask resource names for a resource type.
An example of an AUTOLOG command resource rule is illustrated below.
$KEY(RSCS1)
$TYPE(ALG)
UID(TLCAMS) SOURCE(GRAF-4A1) SHIFT(FIRST) ALLOW
UID(TLCPJM) SOURCE(GRAF-4A1) LOG
UID(TLC*) SHIFT(FIRST) UNTIL(11/30/99) ALLOW
In the above example, the last line contains a masked UID. UID masking allows one rule entry to apply to several users. Masking reduces the number of rule entries that you need to write. The last line applies to all users (except for TLCAMS) that attempt to autolog the RSCS1 machine during the first shift time period if the access date is on or before November 30, 1999. The first rule entry (line 3) limits TLCAMS to autologging the RSCS1 machine during the first shift and only from GRAF-4A1. Because this rule entry is more specific than the last rule entry, any attempt by TLCAMS to autolog RSCS1 is validated by this rule entry.
When CA ACF2 for z/VM cannot find a matching rule entry, access to the resource is prevented (by default) and logged. For example, if user TLCGLB tries to autolog RSCS1 on December 1, 1999, CA ACF2 for z/VM does not find a matching rule entry and denies the access.
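The validation described above, modeled in Python as an added example (it is not CA ACF2 code and not part of the original page). It assumes SHIFT(FIRST) means 08:00 to 16:00, treats a trailing * as a prefix mask, and lets the entry with the most specific matching UID govern, as the text describes for TLCAMS; the terminal GRAF-4B2 is a constructed value.

```python
from datetime import date, datetime, time

# Assumed shift window; real shift definitions are site-specific.
SHIFTS = {"FIRST": (time(8, 0), time(16, 0))}

# Rule entries for $KEY(RSCS1) $TYPE(ALG), transcribed from the example rule.
ENTRIES = [
    {"uid": "TLCAMS", "source": "GRAF-4A1", "shift": "FIRST", "action": "ALLOW"},
    {"uid": "TLCPJM", "source": "GRAF-4A1", "action": "LOG"},
    {"uid": "TLC*", "shift": "FIRST", "until": date(1999, 11, 30), "action": "ALLOW"},
]

def uid_matches(pattern, uid):
    """Assumption: a trailing * masks the rest of the UID (prefix match)."""
    if pattern.endswith("*"):
        return uid.startswith(pattern.rstrip("*"))
    return uid == pattern

def specificity(entry):
    """More literal characters before the mask means a more specific entry."""
    return len(entry["uid"].rstrip("*"))

def conditions_met(entry, source, when):
    """Check the SOURCE, SHIFT and UNTIL restrictions of one rule entry."""
    if "source" in entry and entry["source"] != source:
        return False
    if "shift" in entry:
        start, end = SHIFTS[entry["shift"]]
        if not start <= when.time() < end:
            return False
    if "until" in entry and when.date() > entry["until"]:
        return False
    return True

def validate(uid, source, when, entries=ENTRIES):
    """Return (decision, logged) for one AUTOLOG attempt on RSCS1."""
    for entry in sorted(entries, key=specificity, reverse=True):
        if uid_matches(entry["uid"], uid):
            if conditions_met(entry, source, when):
                # LOG permits the access and records it; ALLOW just permits it.
                return ("ALLOW", entry["action"] == "LOG")
            break  # the most specific UID match governs; no fall-through
    return ("PREVENT", True)  # default: access is prevented and logged

if __name__ == "__main__":
    # Constructed attempts: the page's TLCGLB case and a TLCAMS wrong-terminal case.
    print(validate("TLCGLB", "GRAF-4B2", datetime(1999, 12, 1, 9, 0)))
    print(validate("TLCAMS", "GRAF-4B2", datetime(1999, 11, 1, 9, 0)))
```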
Copyright © 2009 CA Technologies.
All rights reserved.