Mask Data Set Names and UIDs

1
acf2src
 
 
1
 
 
Mask Data Set Names
You can use masks to represent multiple data set names.This section describes how to use these types of masks in access rules. 
When an access rule is compiled with an eight-character qualifier that ends with an "*", the compiler translates the "*" to a "-" since in this case, the masking characters are functionally equivalent.
If the dash falls at the end of an incomplete data set qualifier, the dash represents any number of characters that validly complete the qualifier. If the asterisks fall at the end of a partial data set qualifier, then the asterisks represent any number of characters from zero to the number of asterisks. 
A ruleline with WORK.LOADLIB* when compiled is changed to WORK.LOADLIB-. WORK.LOADLIB- can represent WORK.LOADLIB and WORK.LOADLIB1A ruleline with work. LOAD**** when compiled is changed to WORK.LOAD-WORK.LOAD- can represent WORK.LOAD, WORK.LOAD1, WORK.LOADLIB, WORK.LOADLIB1 etc.
Data Set Name Masks
Masking data set names (other than the name used in the $KEY high-level index field) lets an access rule entry apply to more than one data set. Consider the following PAYROLL rule set:
$KEY(payroll) work.- UID(tfinpay) R(A)
The data set name mask WORK.- lets the listed rule entry apply to all data sets with a high-level index of PAYROLL and a second-level index of WORK. Such data sets might include the following:
PAYROLL.WORK PAYROLL.WORK.TEST PAYROLL.WORK.MASTER PAYROLL.WORK.BACKUP.VER1
You can mask data set names using the dash (-), asterisks (*), and &LID as follows. You cannot mask the $KEY statement.
Using the Dash
A data set name mask that contains a dash must fit one of the following cases:
  • If the dash falls at the end of an incomplete data set name index, then the dash represents any number of characters that validly complete the index. (An index can be from one- to eight-characters.)
    WORK.BA- can represent WORK.BA WORK.BACKUP WORK.BAK cannot represent WORK.BACKUP.FILE
     When you use a dash as the last character in a data set name mask, be sure there are also one or more parameters on that rule line. Any time that a dash appears as the last character on a rule line, 
    CA ACF2
     interprets the dash as a continuation character.
  • If the dash appears as a separate index in the mask, then the dash can represent any zero or more indexes until the next index of the data set name mask matches an index in the data set name.
    WORK.- can represent WORK.TEST WORK.TEST WORK.TEST.VER1 -.TEST can represent WORK.TEST WORK.VER1.TEST
    When the index in the data set name mask after the dash index matches an index in the data set name, direct comparison of the data set name and the data set name mask resumes.
    WORK.-.TEST* can represent WORK.VER1.TEST WORK.VER1.TEST2 cannot represent WORK.TEST1.TEST29 WORK.TEST1.TEST2
    In the second example, the WORK index in the data set name matches the WORK index in the data set name mask. The next index (TEST1) in the data set name matches the TEST* index in the data set name mask, and the dash index is considered to have represented zero (no) indexes in the data set name. The TEST2 index of the data set name then has no matching representation in the data set name mask.
  • If a dash falls between or before any characters in an index, then the dash is literally a dash. For example, W-RK cannot represent WORK.
Using the Asterisk
A data set name mask that contains asterisks must fit one of the following cases:
  • If the asterisks fall at the end of a partial data set name index, then the asterisks represent any number of characters from zero to the number of asterisks.
    WORK.BACK** can represent WORK.BACK WORK.BACKUP but not WORK.BAC WORK.BACLUP WORK.BACKUPP WORK.BACK.FILE
  • If the asterisks form a separate index, then asterisks represent any index (of at least one character) whose length is no greater than the number of asterisks.
    WORK.**** can represent WORK.M WORK.TST WORK.BACK but not WORK WORK.BACKUP WORK.M.MM
  • If the asterisks fall between or before any characters of an index level, then each asterisk represents exactly one character.
    WORK.**ST can represent WORK.TEST WORK.LIST but not WORK.ST WORK.MASTER WORK.TEST.M
Using an Asterisk followed by a Dash
A data set name mask that contains an asterisk followed by a dash must fit one of the following cases:
  • If the asterisk and dash fall at the end of a data set name index, then they represent any characters that validly complete the index (as does a dash alone).
  • If the asterisk and dash form a separate index, then they represent exactly one index of at least one character.
    WORK.*- can represent WORK.M WORK.TEST but not WORK WORK.BCK.VER1
If the dash precedes any asterisks, then the dash is treated literally as a dash while the asterisks are treated as the asterisks of a mask.
Using &LID in Data Set Rules
&LID is a symbolic replacement for one or more qualifiers in a data set rule line. &LID cannot be used in as the $KEY value. &LID represents the logonid of the user who is requesting the access.
 Use of &LID is not compatible with 
CA ACF2
 r14 and below. If a rule with &LID is used in r14 or below, &LID will not match anything.
The following is a sample rule:
$KEY(SYS3) &LID.DATA UID(*) READ(A) WRITE(A) ALLOC(A) EXEC(A) PGMXYZ.USERS.&LID UID(*) READ(A) WRITE(A) ALLOC(A) EXEC(A)
Logonid USER25 has access to the following data sets:
  • SYS3.USER25.DATA
  • SYS3.PGMXYZ.USERS.USER25
Logonid USER005 has access to the following data sets:
  • SYS3.USER005.DATA
  • SYS3.PGMXYZ.USERS.USER005
&LID sorts after any non-masked characters and before any * or - mask characters that are in the first position of the qualifier. Consider the following rule:
$KEY(LOWJA33) Z-.DATA UID(ABC) READ(A) WRITE(A) ALLOC(A) EXEC(A) ZEBRA.DATA UID(DEF) READ(A) WRITE(A) ALLOC(A) EXEC(A) -.DATA UID(GHI) READ(A) WRITE(A) ALLOC(A) EXEC(A) A****.DATA UID(JKL) READ(A) WRITE(A) ALLOC(A) EXEC(A) ALPHA.DATA UID(MNO) READ(A) WRITE(A) ALLOC(A) EXEC(A) ****BBB.DATA UID(PQR) READ(A) WRITE(A) ALLOC(A) EXEC(A) &LID.DATA UID(STU) READ(A) WRITE(A) ALLOC(A) EXEC(A) BBB****.DATA UID(PQR) READ(A) WRITE(A) ALLOC(A) EXEC(A)
Once sorted, the rule appears as follows:
$KEY(LOWJA33) ALPHA.DATA UID(MNO) READ(A) WRITE(A) ALLOC(A) EXEC(A) A****.DATA UID(JKL) READ(A) WRITE(A) ALLOC(A) EXEC(A) BBB****.DATA UID(PQR) READ(A) WRITE(A) ALLOC(A) EXEC(A) ZEBRA.DATA UID(DEF) READ(A) WRITE(A) ALLOC(A) EXEC(A) Z-.DATA UID(ABC) READ(A) WRITE(A) ALLOC(A) EXEC(A) &LID.DATA UID(STU) READ(A) WRITE(A) ALLOC(A) EXEC(A) ****BBB.DATA UID(PQR) READ(A) WRITE(A) ALLOC(A) EXEC(A) -.DATA UID(GHI) READ(A) WRITE(A) ALLOC(A) EXEC(A)
Mask a UID
You can use masks to represent multiple UIDs. The following describes how to use these types of masks in access rules.
 A UID mask represents more than one UID and lets an access rule apply to multiple users. This is illustrated by the following UID:
UID(tfinpay)
This UID mask can represent any UID that begins with the letters TFINPAY and ends with up to 17 characters. (A valid UID can contain up to 24 total characters.)
A UID mask can be defined by omitting ending characters, by using asterisks (*), or by using a dash (-).
Omit Ending Characters
A UID is automatically treated as a mask. For instance, the UID TFINPAYNLT not only matches itself, but also matches any string that begins with the characters TFINPAYNLT and contains no more than 24 characters.
By omitting characters, you can form a more general UID mask. For example, characters can be omitted from the UID TFINPAYNLT to form a mask that represents all users in the payroll department:
UID(tfinpay)
The mask matches any UID that begins with the characters TFINPAY and contains up to 24 total characters.
Using the Dash
A UID mask containing a dash must fit one of the following cases:
  • If the dash falls at the end of a UID mask, it has the same effect as no dash. For example, the following two UID masks are equivalent:
    UID(tfinpay-) UID(tfinpay)
  • If the dash is alone, then the UID represents all valid UIDs.
    UID(-)
If the dash falls in the UID mask, it is treated literally as a dash and cannot represent any other character.
Using the Asterisk
A UID mask that contains asterisks must fit one of the following cases:
  • Asterisks that fall at the end of the UID mask have the same effect as a dash or as no asterisks. For example, the following three UIDs are equivalent:
    UID(tfinpay-) UID(tfinpay****) UID(tfinpay)
  • If the UID mask is comprised of all asterisks, then the UID mask represents all valid UIDs, regardless of the number of asterisks: UID(****).
  • If the asterisks fall between or before any characters of a UID mask, then each asterisk represents exactly one character.
    UID(TFIN***NLT)
    The mask TFIN***NLT matches any UID beginning with the letters TFIN, followed by any three characters except nulls, followed by the letters NLT, and then followed by any other characters to form a UID of up to 24 characters.
Using Blank Characters
A UID mask can contain blank characters. Blanks, whether they appear at the beginning of the UID, embedded in the UID, or at the end of the UID, are treated literally as blank characters.
For example, suppose that USER1 needs READ access to SYS1.DATASET, but USER12 does not. Store this rule, including the trailing blanks, to ensure that USER12 does not match the UID mask:
$KEY(SYS1) DATASET UID(*****USER1 ) R(A)