Is it possible to use a NEXTKEY statement from an "old" UID ruleset to a "ROLE" based ruleset or vice versa?
Role-based security, or role-based access control, is a security model based on assignment of privileges to business objects or system functions. Role-based rules contain the $ROLESET control statement and the rule entry ROle(role) parameter. Role-based rules must contain role parameters in rule line entries; UID parameters are NOT allowed in a Role-based ruleset.
A site can NEXTKEY from a Role-based ruleset to a UID-based ruleset or from a UID-based ruleset to a Role-based ruleset.
A site can switch between Role-based rulesets and UID-based rulesets within a NEXTKEY chain. The only restriction is that you cannot mix Role-based rules and UID-based rules within a single ruleset. If you create a $ROLESET rule, you can only write rule lines with either ROLE or USER parameters. If you write a ruleset WITHOUT the $ROLESET parameter, then only the UID rule entry parameter is valid.
The following two examples demonstrate the use of NEXTKEYs with Role-based rulesets and UID-based rulesets.
Example 1: NEXTKEY Chain from a Role-based ruleset, to a UID-based ruleset, to a Role-based ruleset
$KEY(MASTER)
$ROLESET
 TEST ROLE(*ROLE*) NEXTKEY(MASTER2)
 TEST ROLE(0)

$KEY(MASTER2)
$PREFIX(MASTER)
 - UID(AX4*USER01 MAD6440) NEXTKEY(MASTER3)
 - UID(*) READ(A) WRITE(A) EXEC(A)

$KEY(MASTER3)
$ROLESET
$PREFIX(MASTER)
 - ROLE(*ROLE*) READ(A) WRITE(A) EXEC(A)
Example 2: NEXTKEY from a UID-based ruleset to a Role-based ruleset
$KEY(MASTERA)
 - UID(AX4*USER01 MAD6440) NEXTKEY(MASTERB)
 - UID(*) READ(A) WRITE(A) EXEC(A)

$KEY(MASTERB)
$ROLESET
$PREFIX(MASTERA)
 - ROLE(*ROLE*) READ(A) WRITE(A) EXEC(A)
 TEST ROLE(0)
Details on Role-based rulesets and NEXTKEYs can be found in the CA ACF2 for z/OS documentation, in the section "Use NEXTKEYs with $ROLESET Rules".
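For reviewing rule text before it is compiled, the following added example (not part of the original article or of CA ACF2) checks the one restriction described above and lists the ruleset type at each step of a NEXTKEY chain. It assumes one statement per line, full keyword spellings, and that every ruleset starts with $KEY; the function names and the sample layout are assumptions made for this example.

```python
import re
# Constructed input: Example 1 from the page, one statement per line.
SAMPLE = """\
$KEY(MASTER)
$ROLESET
 TEST ROLE(*ROLE*) NEXTKEY(MASTER2)
 TEST ROLE(0)
$KEY(MASTER2)
$PREFIX(MASTER)
 - UID(AX4*USER01 MAD6440) NEXTKEY(MASTER3)
 - UID(*) READ(A) WRITE(A) EXEC(A)
$KEY(MASTER3)
$ROLESET
$PREFIX(MASTER)
 - ROLE(*ROLE*) READ(A) WRITE(A) EXEC(A)
"""
PARAM = re.compile(r"\b([A-Z]+)\(([^)]*)\)")  # KEYWORD(value); full keywords assumed

def parse(text):
    """Return {key: {"roleset": bool, "lines": [params dict per rule line]}}."""
    sets, cur = {}, None
    for line in (l.strip().upper() for l in text.splitlines()):
        m = re.match(r"\$KEY\(([^)]+)\)", line)
        if m:
            cur = sets.setdefault(m.group(1), {"roleset": False, "lines": []})
        elif cur is not None and line.startswith("$ROLESET"):
            cur["roleset"] = True
        elif cur is not None and line and not line.startswith("$"):
            cur["lines"].append(dict(PARAM.findall(line)))
    return sets

def lint(sets):
    """Flag identity keywords the ruleset type forbids, and unresolved NEXTKEYs."""
    out = []
    for key, rs in sets.items():
        kind, banned = ("ROLE", {"UID"}) if rs["roleset"] else ("UID", {"ROLE", "USER"})
        for n, p in enumerate(rs["lines"], 1):
            out += [f"{key} line {n}: {b} in {kind}-based ruleset" for b in sorted(banned & p.keys())]
            if p.get("NEXTKEY", key) not in sets:
                out.append(f"{key} line {n}: NEXTKEY({p['NEXTKEY']}) not in input")
    return out

def chain(sets, start):
    """Follow NEXTKEY links from start; return (key, type) in visit order, loop-safe."""
    seen, todo, path = set(), [start.upper()], []
    while todo:
        key = todo.pop(0)
        if key not in seen and key in sets:
            seen.add(key)
            path.append((key, "ROLE" if sets[key]["roleset"] else "UID"))
            todo += [p["NEXTKEY"] for p in sets[key]["lines"] if "NEXTKEY" in p]
    return path
```

Running `lint(parse(SAMPLE))` on Example 1 returns no findings, and `chain(parse(SAMPLE), "MASTER")` shows the chain alternating Role-based, UID-based, Role-based.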