Features that Simplify Access Rule Writing
The writing of access rules for all data sets residing on a system might seem to be a substantial undertaking at the time of installation. Keep in mind these three important features of CA ACF2: Modes
- Centralization versus decentralization option
- &LID qualifiers
These features are described in the following.
Modes let CA ACF2 be integrated into your computer operating system in stages. These stages are designed to provide time for the development and testing of rules and various local CA ACF2 features. For more information about the modes of CA ACF2 (QUIET, LOG, WARN, ABORT, and RULE), see CA ACF2 Option Specifications (OPTS).
Centralization Versus Decentralization Option
Your site can centralize or decentralize the different aspects of CA ACF2 administration. In a centralized environment, the security administrator generally has sole responsibility for the writing of access rules. Decentralization grants each user the authority to store an access rule set for data sets that the user owns. This centralization and decentralization feature is controlled through the GSO RULEOPTS record.
You can also use the %CHANGE and %RCHANGE control statements to specify which logonids can change a rule set. Another possible way to decentralize rule administration is to give a logonid the SECURITY privilege, but create a scope record that limits its access to a specific group of data set high-level indexes. For more information on creating scope records, see Scope Records.
Masking lets an access rule environment apply to a group of data sets and a group of users. Masking is most effective when you create your site's UID correctly.
&LID can be used as one or more of the qualifiers. &LID represents the logonid of the user who is requesting the access. &LID cannot be used with any other characters in a single qualifier, it must be used alone as the entire qualifier. To learn more about using &LID see Using &LID in Data Set Rules.
Note:Use of &LID is not compatible with CA ACF2 r14 and below. If a rule with &LID is used in r14 or below, &LID will not match anything.