Security access control list definition

In the role-based security model, an access control list assigns security roles to users or groups, in a certain security domain or on a specific folder or folder hierarchy. You can include multiple security access control list definitions in the same text file, along with security domain definitions and security role definitions.

Each security access control list definition has the following format and arguments:

Syntax

accesscontrollist for security_domain_name
       user_or_group_name [security_role[, security_role]...]
      [user_or_group_name [security_role[, security_role]...]]...
   end

[securitydomain ...]

[securityrole ...]

accesscontrollist folder folder_name
       user_or_group_name [security_role[, security_role]...]
      [user_or_group_name [security_role[, security_role]...]]...
   end

Arguments

security_domain_name
Specifies the name of the security domain on which you are defining the access control list.
user_or_group_name [security_role[, security_role]...]
Assigns one or more security roles to a certain user or group, on the specified security domain.
folder_name
Specifies the name of the folder with which the access control list is associated. If the access control list is associated with a folder, the security roles are valid for all of the objects contained in the folder. When specifying folder names, include a forward slash (/) before the folder name. Include a forward slash after the folder name to indicate that the access control list is defined only on the folder specified, excluding any sub-folders. A folder name without a final forward slash indicates that the access control list is defined on the folder, as well as on any sub-folders.

Associating an access control list to a folder is a quick and easy method to grant access to all of the objects defined in a folder. If, instead, you need to restrict access to a subset of objects in the folder (for example, objects with a certain name, or specific userlogon, cpu or jcl), then using an access control list associated to a security domain is more effective. With security domains you can filter objects by specifying one or more attributes for each security object type.

See the following commands when working with folders: chfolder, listfolder, mkfolder, rmfolder, and renamefolder.

Examples

The following example defines:
  • An access control list on the SECDOM1 domain
  • An access control list on the SECDOM2 domain
  • An access control list on the folder /FOL1/FOL2/
  • An access control list on the folder /APPS/APP1 and any sub-folders, if present, for example, /APPS/APP1/APP1A.

ACCESSCONTROLLIST FOR SECDOM1
		USER1 SECROLE1, SECROLE2, SECROLE3
		USER2 SECROLE4
		USER3 SECROLE2, SECROLE4
END

ACCESSCONTROLLIST FOR SECDOM2
		USER1 SECROLE1, SECROLE2
		USER2 SECROLE3
END
 
ACCESSCONTROLLIST FOLDER /FOL1/FOL2/
		USER1 SECROLE1
END

ACCESSCONTROLLIST FOLDER /APPS/APP1
		USER1 SECROLE1
END
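
The final forward slash on folder_name decides whether a grant reaches sub-folders, so it is worth checking which roles a definition file actually gives a user on a given folder. The following Python sketch is an added example, not part of the product or its documentation: it parses access control list definitions and applies the trailing-slash rule described under folder_name. It assumes keywords are case-insensitive, folder names are compared exactly on "/" boundaries, and all function names are hypothetical.

```python
import re

# Constructed sample, modelled on the definitions in the example above.
SAMPLE = """\
ACCESSCONTROLLIST FOR SECDOM1
    USER1 SECROLE1, SECROLE2, SECROLE3
END
ACCESSCONTROLLIST FOLDER /FOL1/FOL2/
    USER1 SECROLE1
END
ACCESSCONTROLLIST FOLDER /APPS/APP1
    USER1 SECROLE1
    USER2 SECROLE4
END
"""

HEADER = re.compile(r"accesscontrollist\s+(for|folder)\s+(\S+)$", re.IGNORECASE)

def parse_acls(text):
    """Return [(kind, target, {name: [roles]})]; kind is 'for' or 'folder'."""
    acls, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            if current is not None:
                raise ValueError("definition not closed with END: " + current[1])
            current = (header.group(1).lower(), header.group(2), {})
        elif current is not None and line.lower() == "end":
            acls.append(current)
            current = None
        elif current is not None and line:
            parts = line.split(None, 1)
            roles = parts[1] if len(parts) > 1 else ""
            current[2].setdefault(parts[0], []).extend(
                r.strip() for r in roles.split(",") if r.strip())
        # Assumption: lines outside an accesscontrollist block belong to
        # securitydomain or securityrole definitions and are skipped.
    if current is not None:
        raise ValueError("definition not closed with END: " + current[1])
    return acls

def folder_acl_covers(target, folder):
    """Final slash on target: that folder only. No final slash: sub-folders too."""
    folder, base = folder.rstrip("/"), target.rstrip("/")
    if target.endswith("/"):
        return folder == base
    # Match on a "/" boundary so /APPS/APP1 does not cover /APPS/APP10.
    return folder == base or folder.startswith(base + "/")

def roles_on_folder(acls, name, folder):
    """Roles that folder ACLs grant to name on folder, sorted and de-duplicated."""
    return sorted({role for kind, target, grants in acls
                   if kind == "folder" and folder_acl_covers(target, folder)
                   for role in grants.get(name, [])})
```

Running roles_on_folder over each folder of interest before loading a file shows where a missing final slash extends a grant to sub-folders that were meant to be excluded.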