Access rules describe the conditions for accessing data sets and determine access for a user or group of users.
Access rules describe the conditions (environment) for accessing particular data sets and determine whether access is permitted or prevented for a user or group of users. CA ACF2 validates access to data by comparing the information in the user's logonid to the environment and users specified in the access rule. The environment can include conditions such as the UID, source of the access, date/time of the access, and other criteria.
An access rule set consists of the following items:
- Control statements
- Access rule entries that pertain to data sets of a particular high-level index
- Comment statements
The rule entry must begin with the data set to which the rule applies. Other parameters are optional.
Example Access Rule Set
The following is an example of a typical access rule set.
This rule set provides only basic access permissions that are used in most rule sets. An actual rule entry can contain several data sets (using a mask). Entries can also specify other access conditions such as the date, time, and source of the access request. For more information, see Access Rule Entries.
$KEY(PAYROLL)
 MASTER.DATA UID(TFINPAYNLT) READ(A) WRITE(A) EXEC(A)

$KEY(PAYROLL)
Specifies the high-level index of the data sets to which the rule applies.
Note: This control statement must be the first line of the rule set.
In this example, the access rule set pertains to all data sets with a high-level index of PAYROLL. When a user requests access to a data set, CA ACF2 checks for a rule with a $KEY that matches the data set high-level index.
MASTER.DATA
Specifies the data set name to which the rule applies. This is a rule entry line and is optional. In this example, this entry specifies that this rule pertains only to data set PAYROLL.MASTER.DATA.
UID(TFINPAYNLT)
Specifies the user identification (UID) string of the users to whom access to the data set is granted. The default is all UIDs, UID(*).
READ(A) WRITE(A) EXEC(A)
Specifies that the users have READ, WRITE, and EXECUTE authority to the data set. Because ALLOC(A) is not specified, allocate authority is assumed to be prevented—that is, ALLOC(P)—which means that attempts to allocate data sets are denied and logged as violations.
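The following Python sketch is an added example, not CA ACF2 code or output. It models how the sample rule set above resolves a request: the $KEY match, the data set and UID match, and the prevent-by-default result for an unspecified access type. The function names, the sample UID strings in the test, the prefix-style UID comparison, and the denial when no rule set or entry matches are assumptions of this model; masks, date/time, and source conditions are not modeled.

```python
import re

# Rule set from the page: $KEY control statement first, then the rule entry.
RULE_SET = """\
$KEY(PAYROLL)
 MASTER.DATA UID(TFINPAYNLT) READ(A) WRITE(A) EXEC(A)
"""

ACCESS_TYPES = ("READ", "WRITE", "ALLOC", "EXEC")


def parse_rule_set(text):
    """Return (high_level_index, entries) for a rule set in the page's basic form."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    key = re.fullmatch(r"\$KEY\((\w+)\)", lines[0])
    if not key:
        raise ValueError("$KEY control statement must be the first line")
    entries = []
    for line in lines[1:]:
        dsn, *params = line.split()  # the entry begins with the data set name
        fields = dict(re.fullmatch(r"(\w+)\((.*)\)", p).groups() for p in params)
        entries.append({
            "dsn": dsn,
            "uid": fields.get("UID", "*"),  # default is all UIDs, UID(*)
            # An access type that is not specified is prevented, i.e. TYPE(P).
            "perms": {t: fields.get(t, "P") for t in ACCESS_TYPES},
        })
    return key.group(1), entries


def check_access(rule_set, dsname, uid, access):
    """Return 'ALLOW' or 'VIOLATION' for one access request (simplified model)."""
    hlq, entries = parse_rule_set(rule_set)
    index, _, rest = dsname.partition(".")
    if index != hlq:
        return "VIOLATION"  # assumption: no rule set for this high-level index
    for e in entries:
        uid_ok = e["uid"] == "*" or uid.startswith(e["uid"])  # assumption: prefix match
        if e["dsn"] == rest and uid_ok:
            return "ALLOW" if e["perms"][access] == "A" else "VIOLATION"
    return "VIOLATION"  # assumption: no matching entry means the request is denied
```
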