How to incorporate roles in ACF2 rules
Article ID: 130735
Updated On:
Products
ACF2
ACF2 - DB2 Option
ACF2 for zVM
ACF2 - z/OS
ACF2 - MISC
Issue/Introduction
The ACF2 rules are built with UID strings. How can ROLE records be added for one resource name?
Environment
Release:
Component: ACF2MS
Component: ACF2MS
Resolution
UID rules and ROLE rules can only exist in separate rule sets. So a NEXTKEY is needed. For example.
$KEY(EZB)
$TYPE(SER)
CSSMTP.- UID(ABCSTC CSS) SERVICE(READ,UPDATE) ALLOW
CSSMTP.- UID(*) SERVICE(READ) ALLOW
FTP.- UID(***STC) SERVICE(READ) ALLOW
FTP.- UID(*) SERVICE(READ) LOG
To add a rule for EZB.NETSTAT with a ROLE record, add this line:
NETSTAT UID(*) PREVENT NEXTKEY(EZBNEXT)
and a nextkey'd rule EZBNEXT
$KEY(EZBNEXT)
$TYPE(SER)
$PREFIX(EZB)
$ROLESET
NETSTAT ROLE(STC) ALLOW
NETSTAT ROLE(*) PREVENT
$KEY(EZB)
$TYPE(SER)
CSSMTP.- UID(ABCSTC CSS) SERVICE(READ,UPDATE) ALLOW
CSSMTP.- UID(*) SERVICE(READ) ALLOW
FTP.- UID(***STC) SERVICE(READ) ALLOW
FTP.- UID(*) SERVICE(READ) LOG
To add a rule for EZB.NETSTAT with a ROLE record, add this line:
NETSTAT UID(*) PREVENT NEXTKEY(EZBNEXT)
and a nextkey'd rule EZBNEXT
$KEY(EZBNEXT)
$TYPE(SER)
$PREFIX(EZB)
$ROLESET
NETSTAT ROLE(STC) ALLOW
NETSTAT ROLE(*) PREVENT
Feedback
Yes
No
Powered by
