Is it possible to use a NEXTKEY statement from an "old" UID ruleset to a "ROLE" based ruleset or vice versa?


Article ID: 52823

Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC, CA PanApt, CA PanAudit

Issue/Introduction



Is it possible to use a NEXTKEY statement from an "old" UID ruleset to a "ROLE" based ruleset or vice versa?

Environment

Role-based security, or Role-based access control, is a security model based on the assignment of privileges to business objects or system functions. Role-based rules contain the $ROLESET control statement and the rule entry ROLE(role) parameter. Role-based rules must contain role parameters in rule line entries; UID parameters are NOT allowed in a Role-based ruleset.

Resolution

A site can NEXTKEY from a Role-based ruleset to a UID-based ruleset or from a UID-based ruleset to a Role-based ruleset.

A site can switch between Role-based rulesets and UID-based rulesets within a NEXTKEY chain. The only restriction is that you cannot mix Role-based rules and UID-based rules within a single ruleset. If you create a $ROLESET ruleset, you can only write rule lines with either ROLE or USER parameters. If you write a ruleset WITHOUT the $ROLESET statement, then only the UID rule entry parameter is valid.

The following two examples demonstrate the use of NEXTKEYs with Role-based rulesets and UID-based rulesets.

Example 1: NEXTKEY Chain from a Role-based ruleset, to a UID-based ruleset, to a Role-based ruleset

$KEY(MASTER)
$ROLESET 
TEST ROLE(*ROLE*) NEXTKEY(MASTER2) 
TEST ROLE(0) 

$KEY(MASTER2)
$PREFIX(MASTER) 
- UID(AX4*USER01 MAD6440) NEXTKEY(MASTER3) 
- UID(*) READ(A) WRITE(A) EXEC(A) 

$KEY(MASTER3)
$ROLESET
$PREFIX(MASTER) 
- ROLE(*ROLE*) READ(A) WRITE(A) EXEC(A)

Example 2: NEXTKEY from a UID-based ruleset to a Role-based ruleset

$KEY(MASTERA) 
- UID(AX4*USER01 MAD6440) NEXTKEY(MASTERB) 
- UID(*) READ(A) WRITE(A) EXEC(A) 

$KEY(MASTERB)
$ROLESET
$PREFIX(MASTERA) 
- ROLE(*ROLE*) READ(A) WRITE(A) EXEC(A) 
TEST ROLE(0)

Details on Role-based rulesets and NEXTKEYs can be found in the CA ACF2 for z/OS documentation, in the section "Use NEXTKEYs with $ROLESET Rules".
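
The mixing restriction described in the Resolution can be checked on rule source before it is compiled. The Python sketch below is an added example, not part of the original article and not CA ACF2 code: it parses only the statements shown on this page, flags UID in a $ROLESET ruleset (or ROLE/USER in a ruleset without $ROLESET), flags NEXTKEY targets that are not defined in the input, and reports the type of each ruleset along a NEXTKEY chain. The function names, the BAD ruleset and the NOWHERE target are constructed for illustration.

```python
import re
# Constructed input: Example 2 from this article plus one deliberately invalid ruleset (BAD).
SAMPLE = """\
$KEY(MASTERA)
- UID(AX4*USER01 MAD6440) NEXTKEY(MASTERB)
- UID(*) READ(A) WRITE(A) EXEC(A)
$KEY(MASTERB)
$ROLESET
$PREFIX(MASTERA)
- ROLE(*ROLE*) READ(A) WRITE(A) EXEC(A)
TEST ROLE(0)
$KEY(BAD)
$ROLESET
- UID(*) READ(A) NEXTKEY(NOWHERE)
"""

def parse(text):
    """Return {key: {"roleset": bool, "lines": [rule lines]}} from rule source."""
    sets, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"\$KEY\((\S+?)\)", line, re.I)
        if m:
            cur = sets.setdefault(m.group(1).upper(), {"roleset": False, "lines": []})
        elif cur and line.upper().startswith("$ROLESET"):
            cur["roleset"] = True
        elif cur and line and not line.startswith("$"):
            cur["lines"].append(line)  # rule entries; other $ statements are skipped
    return sets

def lint(sets):
    """Flag selectors that contradict the ruleset's type, and undefined NEXTKEY targets."""
    issues = []
    for key, rs in sets.items():
        banned = {"UID"} if rs["roleset"] else {"ROLE", "USER"}
        for line in rs["lines"]:
            for kw in sorted(banned & set(re.findall(r"\b(UID|ROLE|USER)\(", line.upper()))):
                issues.append((key, f"{kw} not allowed"))
            for tgt in sorted(set(re.findall(r"\bNEXTKEY\((\S+?)\)", line.upper())) - set(sets)):
                issues.append((key, f"NEXTKEY({tgt}) undefined"))
    return issues

def chain(sets, start):
    """Follow each ruleset's first NEXTKEY; return [(key, "ROLE" or "UID"), ...]."""
    path, key = [], start
    while key in sets and key not in dict(path):  # stop on a missing key or a loop
        path.append((key, "ROLE" if sets[key]["roleset"] else "UID"))
        m = re.search(r"\bNEXTKEY\((\S+?)\)", " ".join(sets[key]["lines"]).upper())
        key = m.group(1) if m else None
    return path
```

Running `lint(parse(SAMPLE))` reports only the constructed BAD ruleset, and `chain(parse(SAMPLE), "MASTERA")` shows the UID-based ruleset handing off to the Role-based one.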