The ACF2 part is very simple.  You define the "trusted context" and the "role" as described in the IBM doc, and all you need to do in ACF2 is make sure the "role" id that you specify is defined to ACF2.  That is the id that you would use for the access to tables, views, etc.  This new "role" is not the same as the ACF2 ROLESET and X(ROL) so don't confuse them. 

The rules themselves are very unique and are set up to say who "owns" or controls different parts of "trusted context".  Here is a sample of each:

$KEY(DDF_CONNECTION)    
$TYPE(CON)              
$SYSID(PROD)            
$LIDOWNER(DDFOWNER)     
                        
$KEY(DDFROLE)           
$TYPE(ROL)              
$SYSID(PROD)            
$LIDOWNER(DDFOWNER)   

  NOTE that there are no associated rule lines like you would see in normal rule writing.  The important part of these rules are to designate the "owner" by putting them in the $LIDOWNER field.  Please refer to the IBM documentation for the complete list of ROLE and TRUSTED CONTEXT that can be added to the $KEY for more rules.

-