How to incorporate roles in ACF2 rules

Article ID: 130735

Updated On:

Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC

Issue/Introduction



The ACF2 rules are built with UID strings.  How can ROLE records be added for one resource name? 

Environment

Release:
Component: ACF2MS

Resolution

UID rules and ROLE rules can only exist in separate rule sets, so a NEXTKEY is needed to chain from the UID rule set to a ROLE rule set. For example, given this existing UID rule set:
 
$KEY(EZB) 
$TYPE(SER) 
CSSMTP.- UID(ABCSTC CSS) SERVICE(READ,UPDATE) ALLOW 
CSSMTP.- UID(*) SERVICE(READ) ALLOW 
FTP.- UID(***STC) SERVICE(READ) ALLOW 
FTP.- UID(*) SERVICE(READ) LOG 

To add a rule for EZB.NETSTAT with a ROLE record, add this line:
 
NETSTAT UID(*) PREVENT NEXTKEY(EZBNEXT)
 
and create the rule set EZBNEXT that the NEXTKEY points to:

$KEY(EZBNEXT) 
$TYPE(SER) 
$PREFIX(EZB)
$ROLESET
NETSTAT ROLE(STC) ALLOW
NETSTAT ROLE(*) PREVENT
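
A consistency check for the layout described above, added here as an example (it is not Broadcom or ACF2 code). It parses rule source text and flags ROLE entries in a rule set without $ROLESET, UID entries in a $ROLESET rule set, and NEXTKEY targets missing from the input. The function names and the simplified line-based parsing are assumptions; the sample input is this article's two rule sets.

```python
import re

# Constructed input: the two rule sets from this article, as rule source text.
RULES = """\
$KEY(EZB)
$TYPE(SER)
CSSMTP.- UID(ABCSTC CSS) SERVICE(READ,UPDATE) ALLOW
CSSMTP.- UID(*) SERVICE(READ) ALLOW
FTP.- UID(***STC) SERVICE(READ) ALLOW
FTP.- UID(*) SERVICE(READ) LOG
NETSTAT UID(*) PREVENT NEXTKEY(EZBNEXT)
$KEY(EZBNEXT)
$TYPE(SER)
$PREFIX(EZB)
$ROLESET
NETSTAT ROLE(STC) ALLOW
NETSTAT ROLE(*) PREVENT
"""

def parse_rule_sets(text):
    """Split rule source into {key: {"roleset": bool, "entries": [lines]}}."""
    sets, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = re.match(r"\$KEY\(([^)]+)\)", line)
        if m:  # a $KEY control statement starts a new rule set
            current = sets.setdefault(m.group(1), {"roleset": False, "entries": []})
        elif current is None:
            raise ValueError(f"entry before any $KEY: {line}")
        elif line == "$ROLESET":
            current["roleset"] = True
        elif not line.startswith("$"):  # other $ control statements are skipped
            current["entries"].append(line)
    return sets

def lint(text):
    """Return a list of findings; an empty list means the layout is consistent."""
    sets, findings = parse_rule_sets(text), []
    for key, rs in sets.items():
        for entry in rs["entries"]:
            if re.search(r"\bROLE\(", entry) and not rs["roleset"]:
                findings.append(f"{key}: ROLE entry without $ROLESET: {entry}")
            if re.search(r"\bUID\(", entry) and rs["roleset"]:
                findings.append(f"{key}: UID entry in a $ROLESET rule set: {entry}")
            m = re.search(r"NEXTKEY\(([^)]+)\)", entry)
            if m and m.group(1) not in sets:
                findings.append(f"{key}: NEXTKEY target {m.group(1)} not in input")
    return findings
```

Running `lint(RULES)` on the article's rule sets returns no findings.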