

What is a Diagnose Limiting Rule Set?

A diagnose instruction is a routine that lets any virtual machine communicate directly with CP. A diagnose limiting rule set contains the rules for a particular VM diagnose instruction. For example, one rule set can control the use of diagnose 14 while another rule set can control diagnose 84. Each diagnose limiting rule set consists of control statements and rule entries.

Control Statements

Each rule entry specifies an environment where a diagnose instruction can occur. The parameters of a rule entry can indicate the following:

UID

Specifies who can issue the diagnose instruction named in the $KEY control statement.

UNTIL|FOR

Specifies any time limitation on when a user can issue the diagnose instruction (you can specify the number of days or an ending date).

Each rule entry also specifies an access permission that determines how CA ACF2 for z/VM validates an attempt to issue the diagnose instruction. These permissions include:

ALLOW

Allow execution of the instruction under the specified environment.

LOG

Allow execution but write a record to log the attempt.

PREVENT

Deny execution and log the attempt.

Sample Diagnose Limiting Rule Set

The following example shows a diagnose limiting rule set for the x'14' diagnose instruction:

$KEY(DIAG0014)
 UID(TLCOPR) ALLOW
 UID(TLCTEC) ALLOW

These rule entries let users TLCOPR and TLCTEC issue the diagnose instruction with diagnose code x'14'. You can determine the diagnose codes that CA ACF2 for z/VM validates. When a diagnose code is validated, diagnose limiting rules determine who can use the diagnose instruction.

Masking in Diagnose Limiting Rules

In diagnose limiting rules, you can mask the UID values just as you do in access rules and command limiting rules. Masking in diagnose limiting rules reduces the number of rules you need to write to protect diagnose instructions. The following sample rule set applies to users in the Payroll department and the Personnel department at the True Lock Company.

$KEY(DIAG0014)
 UID(TLCPAY-) ALLOW
 UID(TLCPER-) LOG

In the above example, all users in the Payroll Department can issue the x'14' diagnose instruction. All users in Personnel can also issue the x'14' diagnose. However, every time a user in Personnel issues the diagnose, the attempt is logged and CA ACF2 for z/VM creates an SMF record.
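
For reviewing rule sets offline, the following added example (not CA ACF2 code, and not from the product documentation) parses the masked rule set above, with the mask character written as a hyphen, and reports the outcome for a given UID. It assumes that a trailing hyphen matches any remaining characters, that the first matching entry decides, and that a UID with no matching entry is denied and logged; the UIDs are constructed, and UNTIL|FOR is not modeled.

```python
import re

PERMISSIONS = ("ALLOW", "LOG", "PREVENT")

def parse_rule_set(text):
    """Return (key, [(uid_mask, permission), ...]) from rule set text."""
    key, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.fullmatch(r"\$KEY\((\w+)\)", line)
        if m:
            key = m.group(1)
            continue
        m = re.fullmatch(r"UID\(([^)]+)\)\s+(\w+)", line)
        if not m or m.group(2) not in PERMISSIONS:
            raise ValueError(f"unrecognized rule entry: {line!r}")
        entries.append((m.group(1), m.group(2)))
    if key is None:
        raise ValueError("rule set has no $KEY control statement")
    return key, entries

def uid_matches(mask, uid):
    # Assumption: a trailing "-" masks all remaining characters of the UID.
    if mask.endswith("-"):
        return uid.startswith(mask[:-1])
    return uid == mask

def decide(entries, uid):
    """Return (allowed, logged) for a UID, per the permissions described above."""
    for mask, perm in entries:
        if uid_matches(mask, uid):
            # ALLOW: run silently. LOG: run and record. PREVENT: deny and record.
            return perm != "PREVENT", perm != "ALLOW"
    return False, True  # assumption: no matching entry means deny and log

RULES = """
$KEY(DIAG0014)
 UID(TLCPAY-) ALLOW
 UID(TLCPER-) LOG
"""

if __name__ == "__main__":
    key, entries = parse_rule_set(RULES)
    for uid in ("TLCPAYJONES", "TLCPERSMITH", "TLCOPR"):  # constructed UIDs
        allowed, logged = decide(entries, uid)
        print(f"{key} {uid}: allowed={allowed} logged={logged}")
```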