Is it possible to use a NEXTKEY statement from an "old" UID ruleset to a "ROLE" based ruleset or vice versa?
A site can NEXTKEY from a Role-based ruleset to a UID-based ruleset or from a UID-based ruleset to a Role-based ruleset.
A site can switch between Role-based rulesets and UID-based rulesets within a NEXTKEY chain. The only restriction is that you cannot mix Role-based rules and UID-based rules within a single ruleset. If you create a $ROLESET ruleset, you can only write rule lines with either ROLE or USER parameters. If you write a ruleset WITHOUT the $ROLESET parameter, then only the UID rule entry parameter is valid.
The following two examples demonstrate the use of NEXTKEYs with Role-based rulesets and UID-based rulesets.
Example 1: NEXTKEY Chain from a Role-based ruleset, to a UID-based ruleset, to a Role-based ruleset
$KEY(MASTER)
$ROLESET
TEST ROLE(*ROLE*) NEXTKEY(MASTER2)
TEST ROLE(0)
$KEY(MASTER2)
$PREFIX(MASTER)
- UID(A************40) NEXTKEY(MASTER3)
- UID(*) READ(A) WRITE(A) EXEC(A)
$KEY(MASTER3)
$ROLESET
$PREFIX(MASTER)
- ROLE(*ROLE*) READ(A) WRITE(A) EXEC(A)
Example 2: NEXTKEY from a UID-based ruleset to a Role-based ruleset
$KEY(MASTERA)
- UID(A************40) NEXTKEY(MASTERB)
- UID(*) READ(A) WRITE(A) EXEC(A)
$KEY(MASTERB)
$ROLESET
$PREFIX(MASTERA)
- ROLE(*ROLE*) READ(A) WRITE(A) EXEC(A)
TEST ROLE(0)
Details on Role-based rulesets and NEXTKEYs can be found in the CA ACF2 for z/OS documentation, in the section "Use NEXTKEYs with $ROLESET Rules".
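For reviewing rule text before it is compiled, the restriction above can be checked mechanically. The following Python script is an added example, not CA's code and not part of ACF2: it flags rule lines whose ROLE/USER/UID parameter does not match the ruleset type and lists each NEXTKEY hop with the type on both ends. It assumes the rule source is plain text laid out as in the examples above, one control statement or rule entry per line; the function names and the BADKEY ruleset are constructed for illustration.

```python
import re

# Constructed sample: Example 1's chain (trimmed) plus BADKEY, a deliberately mixed ruleset.
SAMPLE = """\
$KEY(MASTER)
$ROLESET
TEST ROLE(*ROLE*) NEXTKEY(MASTER2)
$KEY(MASTER2)
- UID(A************40) NEXTKEY(MASTER3)
$KEY(MASTER3)
$ROLESET
- ROLE(*ROLE*) READ(A) WRITE(A) EXEC(A)
$KEY(BADKEY)
$ROLESET
- UID(*) READ(A)
"""

def parse_rulesets(text):
    """Return {key: {"roleset": bool, "rules": [rule line, ...]}}."""
    rulesets, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        key = re.match(r"\$KEY\((.+?)\)", line, re.I)
        if key:
            current = rulesets.setdefault(key.group(1), {"roleset": False, "rules": []})
        elif current is not None and line.upper() == "$ROLESET":
            current["roleset"] = True
        elif current is not None and line and not line.startswith("$"):
            current["rules"].append(line)  # other $ control statements are skipped
    return rulesets

def find_mixed(rulesets):
    """Flag rule lines whose ROLE/USER/UID parameter does not fit the ruleset type."""
    findings = []
    for key, rs in rulesets.items():
        banned = r"\bUID\(" if rs["roleset"] else r"\b(?:ROLE|USER)\("
        findings += [(key, line) for line in rs["rules"] if re.search(banned, line, re.I)]
    return findings

def nextkey_edges(rulesets):
    """List (from_key, from_type, to_key, to_type) for every NEXTKEY hop."""
    def kind(k):
        return "missing" if k not in rulesets else "ROLE" if rulesets[k]["roleset"] else "UID"
    return [(key, kind(key), target, kind(target))
            for key, rs in rulesets.items()
            for line in rs["rules"]
            for target in re.findall(r"NEXTKEY\((.+?)\)", line, re.I)]

if __name__ == "__main__":
    print(find_mixed(parse_rulesets(SAMPLE)), nextkey_edges(parse_rulesets(SAMPLE)), sep="\n")
```

A target type of "missing" means the NEXTKEY points at a key that is not in the text being checked, which is worth confirming against the rules database.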