In previous releases of CA ACF2 for z/VM, the maximum size of an access rule or resource rule that could be compiled was 4 Kb. CA ACF2 for z/VM release 4.2 relieves that constraint and allows a maximum of 32K when using VSAM databases. This is a significant benefit for security administrators because it makes rule maintenance straightforward and easy to perform. The previous release limit of 4 Kb forced the use of the NEXTKEY parameter to break up rule sets that exceeded the limit. With the expansion to 32K rule size, administrators can create larger rule sets, simplifying maintenance.
This feature does not limit rule size to 4 Kb or 32K. You, the user, determine the rule size. You can set it at any value between 4 Kb and 32K. If 8K is optimal, then use 8K. If you need 32K rule sets, then use the 32K limit. However, the greater the value, the more storage each user needs for processing, because all validation processing requires a buffer size equal to the maximum rule size allowed. The maximum rule size is determined at CA ACF2 for z/VM startup. The Rules database (access rules) and the Infostorage database (resource rules) must be the same size, and must be VSAM databases.
If you use the RULELONG option of the RULEOPTS VMO record, you are required to increase the current size of the databases. Turning this option on lets CA ACF2 for z/VM process the current rule sets and any new rule sets. CA ACF2 for z/VM creates a new version record if this option is set and a compile of a record is performed. The advantage of setting this option is the restructuring of the current rule records and being able to take advantage of some of the new features of rules. For example, the ACTIVE data field is only valid if RULELONG is turned on. Also, any fields added in future releases will only be added to this new version rule record.
With RULELONG on, any compiled records are automatically converted from the old version to the new version. No conversions are required or necessary to use this new option. The only warning with this option is that, once the rule sets are converted to the new version (RULELONG), any rule sets compiled cannot be used if there is ever a need to go back to the old version (NORULELONG). Also, when the databases are shared, all systems must be running a release that supports RULELONG.
CA ACF2 for z/VM validates the rules database size during startup or a RULEOPTS record refresh if the RULELONG option is set. CA ACF2 for z/VM disables RULELONG if the databases were not expanded and displays message ACFpgm47EW.
Once this option is turned on, the databases are no longer compatible with previous CA ACF2 for z/VM releases or any release.
See the Administrator Guide for information about the RULELONG option.
Copyright © 2013 CA Technologies.
All rights reserved.