

Using RULE Mode

To activate RULE mode for access rules, specify the following in the OPTS VMO record:

MODE(RULE,no-rule,no-$mode)

To activate RULE mode for command limiting rules, specify the following in the CMDLIM VMO record:

MODE(RULE,no-rule,no-$mode)

To activate RULE mode for diagnose limiting rules, specify the following in the DIAGLIM VMO record:

MODE(RULE,no-rule,no-$mode)

For more information on these VMO records, see the Administrator Guide.

In RULE mode, CA ACF2 for z/VM validates each access under the mode named in the $MODE control statement of the rule set that governs it. The NO-$MODE parameter specifies a default mode for rule sets that do not contain a $MODE control statement. Similarly, the NO-RULE parameter specifies a default mode to use when CA ACF2 for z/VM cannot find a rule set at all (no record). Each default can be any of the other four CA ACF2 for z/VM modes: QUIET, LOG, WARN, or ABORT. For example, to run data access validation in RULE mode with ABORT as both defaults, specify the following in the VMO OPTS record:

MODE(RULE,ABORT,ABORT)

Suppose TLCPJM wants write access to the PROD TEST file on TLCAMS's 0191 minidisk. As shown below, the TLCAMS rule controls access to this file when CA ACF2 for z/VM validates it.

$KEY(TLCAMS)
$MODE(LOG)
 V0191.VOLUME R(A) W(A)
 V0191.PROD.MASTER UID(TLCPJM) R(A) W(A) E(A)
 V0191.PROD.TEST UID(TLCPJM) R(A) W(P) E(A)

Even though the rule entry indicates that TLCPJM cannot write to the file (W(P)), the $MODE(LOG) control statement tells CA ACF2 for z/VM to allow the access but log it. If you specify $MODE(QUIET), CA ACF2 for z/VM allows the access with no logging. If you specify $MODE(WARN), CA ACF2 for z/VM allows the access, logs it, and issues a warning message. If you specify $MODE(ABORT), CA ACF2 for z/VM prevents the access and logs the violation.
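The mode resolution described above (MODE(RULE,no-rule,no-$mode) in the OPTS record, $MODE in the rule set, and what each resulting mode does with an entry that says prevent) is easier to reason about as code. The following is an added example, not CA ACF2 code: a simplified simulation that parses the TLCAMS rule set shown on this page, resolves the effective mode, and returns what happens to TLCPJM's write to PROD TEST. Entry matching is exact-resource, first-match, with a plain UID string compare; real ACF2 matching (masks, entry ordering, $PREFIX, NEXTKEY) is deliberately left out, and the function and parameter names are the example's own.

```python
# Added example, not CA ACF2 code: a simplified simulation of how RULE mode
# picks the effective mode for a request and what each mode does when the
# rule entry denies the access. Entry matching here is exact-resource,
# first-match, with a plain UID string compare; real ACF2 matching (masks,
# entry ordering, $PREFIX, NEXTKEY) is deliberately left out.
from dataclasses import dataclass, field
from typing import Optional

# Rule set text as it appears on the page.
TLCAMS_RULES = """\
$KEY(TLCAMS)
$MODE(LOG)
 V0191.VOLUME R(A) W(A)
 V0191.PROD.MASTER UID(TLCPJM) R(A) W(A) E(A)
 V0191.PROD.TEST UID(TLCPJM) R(A) W(P) E(A)
"""


@dataclass
class RuleSet:
    key: str
    mode: Optional[str]                  # $MODE value, None if the statement is absent
    entries: list = field(default_factory=list)  # (resource, uid, {"R": "A", "W": "P", ...})


def parse_mode_operand(text):
    """'MODE(RULE,ABORT,ABORT)' -> ('RULE', 'ABORT', 'ABORT'), i.e. (mode, no-rule, no-$mode)."""
    inner = text.strip().rstrip(".")[5:-1]           # strip 'MODE(' and ')'
    parts = tuple(p.strip().upper() for p in inner.split(","))
    if len(parts) != 3 or parts[0] != "RULE":
        raise ValueError(f"expected MODE(RULE,no-rule,no-$mode), got {text!r}")
    return parts


def parse_rule_set(text):
    key = mode = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("$KEY("):
            key = line[5:-1]
        elif line.startswith("$MODE("):
            mode = line[6:-1].upper()
        else:
            parts = line.split()
            resource, uid, perms = parts[0], "*", {}
            for p in parts[1:]:
                if p.startswith("UID("):
                    uid = p[4:-1]
                elif len(p) == 4 and p[1] == "(" and p[3] == ")":
                    perms[p[0]] = p[2]               # W(P) -> perms["W"] = "P"
            entries.append((resource, uid, perms))
    return RuleSet(key, mode, entries)


def effective_mode(vmo_mode, rule_set):
    """Resolve the mode ACF2 validates under when the OPTS record says MODE(RULE,...)."""
    _, no_rule, no_dollar_mode = vmo_mode
    if rule_set is None:
        return no_rule                               # no rule set found (no record)
    if rule_set.mode is None:
        return no_dollar_mode                        # rule set lacks a $MODE statement
    return rule_set.mode


def entry_verdict(rule_set, resource, uid, access):
    """'A' allow, 'P' prevent or 'L' allow-and-log from the first matching entry.
    An access type the entry does not mention, or no matching entry, is prevent."""
    if rule_set is None:
        return "P"
    for res, ruid, perms in rule_set.entries:
        if res == resource and ruid in ("*", uid):
            return perms.get(access, "P")
    return "P"


def decide(vmo_mode, rule_set, resource, uid, access):
    """Return (granted, logged, warned) for one access request."""
    verdict = entry_verdict(rule_set, resource, uid, access)
    if verdict == "A":
        return (True, False, False)
    if verdict == "L":
        return (True, True, False)
    # The entry says prevent; the effective mode decides what that means.
    mode = effective_mode(vmo_mode, rule_set)
    if mode == "ABORT":
        return (False, True, False)                  # denied, violation logged
    if mode == "WARN":
        return (True, True, True)                    # allowed, logged, user warned
    if mode == "LOG":
        return (True, True, False)                   # allowed, logged
    return (True, False, False)                      # QUIET: allowed, not logged


def page_example(dollar_mode="LOG"):
    """TLCPJM writing PROD TEST on TLCAMS's 0191 minidisk, with the rule set's
    $MODE overridden to dollar_mode (None = statement removed)."""
    vmo = parse_mode_operand("MODE(RULE,ABORT,ABORT)")
    rs = parse_rule_set(TLCAMS_RULES)
    rs.mode = dollar_mode
    return decide(vmo, rs, "V0191.PROD.TEST", "TLCPJM", "W")
```

Calling page_example("LOG") returns (True, True, False): the write goes through but is logged. Changing the argument to "ABORT" returns (False, True, False), and passing None (no $MODE statement) gives the same result because the OPTS record's NO-$MODE default is ABORT. Passing None as the rule set to decide() exercises the NO-RULE default instead.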

Below is a sample command limiting rule set showing how validation of the CP SPOOL command can begin in LOG mode while the rest of the system is transitioned:

$KEY(SPOOL)
$MODE(LOG)
 CON PURGE UID(TLCAMS) LOG
 CON - UID(TLCPJM) ALLOW
 PRINT COPY - ALLOW UID(*)
 PRINT RSCS ALLOW UID(*)
 - UID(*) ALLOW DATA(ALLOW ALL OTHER OPERAND COMBINATIONS)

After you test the rule set under LOG mode, change its $MODE statement to test it under WARN, then ABORT mode. Only after every command limiting rule set is under ABORT mode should you change the applicable system-wide mode (the MODE operand of the CMDLIM VMO record) to ABORT. A diagnose limiting rule set can begin in LOG mode in the same way:

$KEY(DIAG0004)
$MODE(LOG)
 UID(TLCAMS) ALLOW
 UID(TLCPJM) ALLOW

After you test the rules under LOG mode, you can change the $MODE statements to test the rule sets under WARN, then ABORT mode. After you complete these tests, you can change the system‑wide diagnose limiting mode to ABORT.
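The staged transition described above ends with a system-wide switch to ABORT that should only happen once every rule set in that class has already been tested under ABORT. The following is an added example, not CA ACF2 code: a readiness check that reads the $KEY and $MODE statements of each rule set, resolves the effective mode under the class's MODE(RULE,no-rule,no-$mode) record, and lists what still blocks the switch. It also flags a NO-RULE default other than ABORT, since resources with no rule set have then never been validated under ABORT. The SPOOL rule set is the page's; the LINK and QUERY rule sets and the function names are constructed for the demonstration.

```python
# Added example, not CA ACF2 code: a readiness check for the staged move
# from per-rule-set $MODE testing to a system-wide ABORT mode. Inputs are
# the MODE(...) operand of the CMDLIM (or OPTS/DIAGLIM) record and the
# rule set texts for that class; LINK and QUERY below are constructed.
import re

MODE_RE = re.compile(r"^\s*MODE\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)\s*\.?\s*$", re.I)

SPOOL_RULES = """\
$KEY(SPOOL)
$MODE(LOG)
 CON PURGE UID(TLCAMS) LOG
 CON - UID(TLCPJM) ALLOW
 PRINT COPY - ALLOW UID(*)
 PRINT RSCS ALLOW UID(*)
 - UID(*) ALLOW DATA(ALLOW ALL OTHER OPERAND COMBINATIONS)
"""

LINK_RULES = """\
$KEY(LINK)
$MODE(ABORT)
 - UID(*) ALLOW
"""

QUERY_RULES = """\
$KEY(QUERY)
 - UID(*) ALLOW
"""


def parse_mode_record(text):
    """'MODE(RULE,ABORT,ABORT)' -> ('RULE', 'ABORT', 'ABORT')."""
    m = MODE_RE.match(text)
    if not m:
        raise ValueError(f"not a MODE(mode,no-rule,no-$mode) operand: {text!r}")
    return tuple(x.upper() for x in m.groups())


def key_and_mode(rule_text):
    """Return ($KEY value, $MODE value or None) from a rule set's control statements."""
    key = mode = None
    for line in rule_text.splitlines():
        line = line.strip().upper()
        if line.startswith("$KEY("):
            key = line[5:-1]
        elif line.startswith("$MODE("):
            mode = line[6:-1]
    if key is None:
        raise ValueError("rule set has no $KEY statement")
    return key, mode


def effective_mode(vmo, dollar_mode):
    system, _no_rule, no_dollar = vmo
    if system != "RULE":
        return system                    # QUIET/LOG/WARN/ABORT apply system-wide
    return dollar_mode if dollar_mode else no_dollar


def abort_readiness(vmo_text, rule_texts):
    """Return ({key: effective mode}, [reasons the class is not ready for ABORT])."""
    vmo = parse_mode_record(vmo_text)
    report, blockers = {}, []
    for text in rule_texts:
        key, dm = key_and_mode(text)
        eff = effective_mode(vmo, dm)
        report[key] = eff
        if eff != "ABORT":
            why = f"no $MODE, falls back to NO-$MODE={vmo[2]}" if dm is None else f"$MODE({dm})"
            blockers.append(f"{key}: {why}")
    if vmo[0] == "RULE" and vmo[1] != "ABORT":
        blockers.append(f"NO-RULE={vmo[1]}: resources with no rule set have not been validated under ABORT")
    return report, blockers
```

With MODE(RULE,ABORT,ABORT) and the three rule sets above, the report shows SPOOL still in LOG while LINK and QUERY resolve to ABORT (QUERY through the NO-$MODE default), so the only blocker is SPOOL. Re-running with NO-RULE or NO-$MODE set to LOG adds the corresponding blockers, which is the case to catch before flipping the CMDLIM record.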