What Wildcarding Is
Wildcarding is the use of a single character to represent one or more characters omitted from a string. An entity name with a wildcard character identifies all the entities whose names match the pattern established by the wildcarded name.
Why You Use Wildcards
In most cases, you can use a wildcard when naming the resources to which the privileges in a GRANT statement apply. This allows you to do the following:
Document convention: If a parameter value in a security statement can include a wildcard, the parameter description that follows the statement syntax diagram explicitly notes your ability to use a wildcard.
How to Wildcard: The wildcard character is the asterisk (*). You can use the wildcard only as the last character in a resource name. For example, * and A* and ABCD* are valid, but *A and A*BC are not.
Wildcarding Qualified Resource Names
In some cases, wildcarding is permitted only on the last one or two identifiers in a qualified resource name. For example, when you grant or revoke area access privileges, you identify the area as segment-name.area-name; the qualifier segment-name is required, but wildcarding is not permitted on area-name. In such a case, these are examples of valid and invalid resource names:
Valid area names
APPLDICT.HR*
APPLDICT.*
Invalid area names
APPLDICT*
APPL*
Specific restrictions on wildcarding are described appropriately in the syntax parameter descriptions found in the statement syntax chapters later in this manual.
Note: Special considerations apply to the effect of using a wildcard in reference to categories generally and in the CREATE RESOURCE statement in particular. For more information, see the Usage section of CREATE RESOURCE in the chapter Syntax for Securing System Resources.
Granting and Revoking with a Wildcard
When you grant a privilege on resources using a wildcard, you must use the same wildcard to revoke the privileges.
For example, if you grant CREATE privilege on category HR* to user ABC, you must issue a REVOKE CREATE or REVOKE DEFINE statement on category HR* to revoke the privilege from user ABC. Revoking privilege on category *, category H*, category HR, or category HRA has no effect on privileges granted on category HR*.
Considerations in Revoking Privileges
Through the use of groups and wildcards in a GRANT statement, a user can be given the same privilege on a resource more than once. A REVOKE statement revokes the privileges specified in the statement only on the specified resource name and only from the specified user or group. Thus, it is possible for a user to retain a privilege even after it has been revoked.
For example, suppose:
You can revoke the CREATE privilege on SALES_FORECAST from the user identifier PKB. However, PKB can still create an access module by that name in the SALES_SCH schema because PKB is a member of SALES_ADMIN.
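The revoke rules above can be checked with a small model that lists every grant still giving a user a privilege after a REVOKE. This is an added example, not code from the manual or the product: the Grants class and its functions are hypothetical, and the sample data (user ABC and category HR* from the earlier example, plus an assumed group HR_GROUP) is constructed.

```python
# Added illustration: a simplified model of the grant/revoke rules described above.
# Grants are stored under the literal resource name used in the GRANT statement.

def valid_pattern(name):
    """The asterisk may appear only as the last character of the name."""
    return bool(name) and "*" not in name[:-1]

def matches(pattern, resource):
    """A trailing * matches any remainder; otherwise names must be equal."""
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource

class Grants:
    def __init__(self, groups):
        self.groups = groups   # group name -> set of member user ids
        self.rows = set()      # (grantee, privilege, resource name as granted)

    def grant(self, grantee, privilege, name):
        if not valid_pattern(name):
            raise ValueError(f"invalid wildcard placement: {name!r}")
        self.rows.add((grantee, privilege, name))

    def revoke(self, grantee, privilege, name):
        """Removes only the row with this exact grantee and this exact name."""
        row = (grantee, privilege, name)
        removed = row in self.rows
        self.rows.discard(row)
        return removed

    def residual(self, user, privilege, resource):
        """Every grant that still gives `user` the privilege on `resource`."""
        holders = {user} | {g for g, m in self.groups.items() if user in m}
        return sorted(r for r in self.rows
                      if r[0] in holders and r[1] == privilege
                      and matches(r[2], resource))

def demo():
    # Constructed data: HR_GROUP is a hypothetical group containing user ABC.
    g = Grants({"HR_GROUP": {"ABC"}})
    g.grant("ABC", "CREATE", "HR*")
    g.grant("HR_GROUP", "CREATE", "HRA")
    no_effect = [g.revoke("ABC", "CREATE", n) for n in ("*", "H*", "HR", "HRA")]
    before = g.residual("ABC", "CREATE", "HRA")
    exact = g.revoke("ABC", "CREATE", "HR*")
    after = g.residual("ABC", "CREATE", "HRA")
    return no_effect, before, exact, after
```

Calling residual() after each REVOKE shows which grants, direct or through a group, still have to be revoked before the user actually loses the privilege.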
Copyright © 2014 CA.
All rights reserved.