By now you have probably discovered that one way to allow a specific user, or group of users, exclusive access to your minidisks is with a pair of rules. One rule prevents users from completing the command; the other rule allows a specific user to complete the command.
Building on the previous example, you have now decided that FRAISERC should be able to link to your minidisk in read–only mode as well. In addition, FRAISERC does not have to specify a password. The rules needed are:
ACCEPT REBECCAH LINK 191 RR (NOPASS
REJECT * LINK 191 RR
ACCEPT FRAISERC LINK 191 RR (NOPASS
When two or more rules in a file govern a particular access request, CA VM:Secure establishes an order of preference based on how precisely the requester is specified. In order of preference, a rule is chosen that indicates:
When two or more rules are equally specific about the requester, the rule that appears first in a rules file applies.
In the example above, it does not matter that the ACCEPT FRAISERC LINK 191 RR (NOPASS rule follows the REJECT * rule. The ACCEPT FRAISERC rule is more specific about the requester, so the ACCEPT rule would govern an attempted link by FRAISERC.
When your rules file contains two equally specific rules, the order of the rules matters. For example, these two rules are in your user rules file:
ACCEPT FRAISERC LINK 191 *
REJECT FRAISERC LINK * MW
When FRAISERC attempts an MW link to your 191 minidisk, both rules match the request, and because they are equally specific about the requester, the first of the two rules applies. In this case, the MW link would be accepted, which is probably not your intent. Because the earlier of two equally specific rules governs, reversing their order makes the REJECT rule apply to MW links while the ACCEPT rule still covers the other link modes.
Finally, you also decide to allow all members of security group PUBS to link to your 191 minidisk if they supply their logon password. The rules needed are as follows:
ACCEPT REBECCAH LINK 191 RR (NOPASS
REJECT * LINK 191 RR
ACCEPT FRAISERC LINK 191 RR (NOPASS
ACCEPT PUBS LINK 191 RR (GROUP LOGPASS
Note the GROUP option on the last rule. This option specifies that PUBS is a security group name.
You can also achieve the same LINK access control by a combination of rules at different levels. For example, the previous ACCEPT rules can work with a system default rule of REJECT.
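To make the precedence behaviour described above concrete, here is an added example that is not CA VM:Secure code and not part of the original page: a small Python evaluator that parses rules written in the format shown, picks the governing rule for a LINK request by the two stated principles (the rule most specific about the requester wins; among equally specific rules the one that appears first in the file wins), and falls back to a system default of REJECT when no rule matches, as the last paragraph suggests. It assumes, for illustration only, that a security-group rule (GROUP option) ranks between a rule naming a user ID and a rule naming *; the user ID JDOE and its PUBS membership are constructed test data.

```python
# Added example: toy evaluator for the rule-precedence behaviour described
# on this page. Not CA VM:Secure code. Assumed specificity ranking for the
# requester: user ID (most specific) > security group > * (least specific).
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    action: str          # ACCEPT or REJECT
    requester: str       # user ID, security group name, or *
    command: str         # LINK in the examples on this page
    target: str          # minidisk address or *
    mode: str            # link mode such as RR or MW, or *
    options: list = field(default_factory=list)  # tokens after "(", e.g. NOPASS, GROUP, LOGPASS
    position: int = 0    # line order in the rules file; breaks ties

    @property
    def is_group(self) -> bool:
        return "GROUP" in self.options


def parse_rules(text: str) -> list:
    """Parse rules in the format shown above, one rule per line."""
    rules = []
    for pos, raw in enumerate(text.strip().splitlines()):
        body, _, opts = raw.strip().partition("(")
        action, requester, command, target, mode = body.upper().split()
        rules.append(Rule(action, requester, command, target, mode,
                          opts.upper().split(), pos))
    return rules


def requester_rank(rule: Rule, user: str, groups: set) -> Optional[int]:
    """How precisely the rule names this requester (lower = more specific),
    or None if the rule does not name them. Ranking is the assumption stated
    in the lead-in: user ID 0, security group 1, * 2."""
    if rule.requester == "*":
        return 2
    if rule.is_group:
        return 1 if rule.requester in groups else None
    return 0 if rule.requester == user else None


def matching_rank(rule, user, groups, command, target, mode) -> Optional[int]:
    """Rank of the rule for this request, or None if it does not apply."""
    if rule.command != command:
        return None
    if rule.target not in ("*", target) or rule.mode not in ("*", mode):
        return None
    return requester_rank(rule, user, groups)


def governing_rule(rules, user, groups, command, target, mode) -> Optional[Rule]:
    """Most specific matching rule; among equally specific rules, the earliest."""
    best = None
    for rule in rules:
        rank = matching_rank(rule, user, groups, command, target, mode)
        if rank is None:
            continue
        if best is None or (rank, rule.position) < (best[0], best[1].position):
            best = (rank, rule)
    return None if best is None else best[1]


def decide(rules_text, user, groups, command, target, mode, default="REJECT"):
    """Return (action, options) for a request. No matching rule means the
    system default applies, modelled here as REJECT."""
    rule = governing_rule(parse_rules(rules_text), user.upper(),
                          {g.upper() for g in groups},
                          command.upper(), target.upper(), mode.upper())
    if rule is None:
        return default, []
    return rule.action, list(rule.options)


# The final rules file from this page.
FINAL_RULES = """
ACCEPT REBECCAH LINK 191 RR (NOPASS
REJECT * LINK 191 RR
ACCEPT FRAISERC LINK 191 RR (NOPASS
ACCEPT PUBS LINK 191 RR (GROUP LOGPASS
"""

# The two equally specific rules whose order matters, as written on the page,
# and the same pair reversed.
ORDER_TRAP = """
ACCEPT FRAISERC LINK 191 *
REJECT FRAISERC LINK * MW
"""
ORDER_TRAP_FIXED = """
REJECT FRAISERC LINK * MW
ACCEPT FRAISERC LINK 191 *
"""

if __name__ == "__main__":
    # JDOE and its PUBS membership are constructed for this example.
    print(decide(FINAL_RULES, "FRAISERC", set(), "LINK", "191", "RR"))
    print(decide(FINAL_RULES, "JDOE", set(), "LINK", "191", "RR"))
    print(decide(FINAL_RULES, "JDOE", {"PUBS"}, "LINK", "191", "RR"))
    print(decide(ORDER_TRAP, "FRAISERC", set(), "LINK", "191", "MW"))
    print(decide(ORDER_TRAP_FIXED, "FRAISERC", set(), "LINK", "191", "MW"))
```

Running it shows the three behaviours the page describes: FRAISERC is accepted without a password even though REJECT * precedes the FRAISERC rule, a PUBS member is accepted with LOGPASS because the group rule is more specific than *, and the MW link that ORDER_TRAP accepts is rejected once the two equally specific rules are reversed.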
Copyright © 2014 CA.
All rights reserved.