Security access control list definition
In the role-based security model, an access control list assigns security roles to users or groups, in a certain security domain or on a specific folder or folder hierarchy. You can include multiple security access control list definitions in the same text file, along with security domain definitions and security role definitions.
Each security access control list definition has the following format and arguments:
Syntax
accesscontrollist for security_domain_name
user_or_group_name [security_role[, security_role]...]
[user_or_group_name [security_role[, security_role]...]]...
end
[securitydomain ...]
[securityrole ...]
accesscontrollist folder folder_name
user_or_group_name [security_role[, security_role]...]
[user_or_group_name [security_role[, security_role]...]]...
end
Arguments
- security_domain_name
- Specifies the name of the security domain on which you are defining the access control list.
- user_or_group_name [security_role[, security_role]...]
- Assigns one or more security roles to a certain user or group, on the specified security domain.
- folder_name
- Specifies the name of the folder to which you can associate an access control list. If the access control list is associated to a folder, then the security roles are valid for all of the objects contained in the folder. When specifying folder names, ensure you include a forward slash (/) before the folder name. Include a forward slash after the folder name to indicate that the access control list is defined only on the folder specified, excluding any sub-folders. A folder name without a final forward slash indicates that the access control list is defined on the folder, as well as on any sub-folders.
Associating an access control list to a folder is a quick and easy method to grant access to all of the objects defined in a folder. If, instead, you need to restrict access to a subset of objects in the folder (for example, objects with a certain name, or specific userlogon, cpu or jcl), then using an access control list associated to a security domain is more effective. With security domains you can filter objects by specifying one or more attributes for each security object type.
See the following commands when working with folders: chfolder, listfolder, mkfolder, rmfolder, and renamefolder.
Examples
- An access control list on the SECDOM1 domain
- An access control list on the SECDOM2 domain
- An access control list on the folder /FOL1/FOL2/
- An access control list on the folder /APPS/APP1 and any sub-folders, if present, for example, /APPS/APP1/APP1A.
ACCESSCONTROLLIST FOR SECDOM1
USER1 SECROLE1, SECROLE2, SECROLE3
USER2 SECROLE4
USER3 SECROLE2, SECROLE4
END
ACCESSCONTROLLIST FOR SECDOM2
USER1 SECROLE1, SECROLE2
USER2 SECROLE3
END
ACCESSCONTROLLIST FOLDER /FOL1/FOL2/
USER1 SECROLE1
END
ACCESSCONTROLLIST FOLDER /APPS/APP1
USER1 SECROLE1
END
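The following is an added example, not part of the product or its documentation: a small Python sketch that parses definitions in the format shown above and applies the trailing-slash rule to decide which folder access control lists cover a given folder. The function names are hypothetical. It assumes case-insensitive keywords (the page shows both cases), exact-case folder matching, folder names without spaces, and that roles from several matching lists are combined, none of which the page states.

```python
import re

# Sample input: three of the definitions from the Examples section above.
SAMPLE = """\
ACCESSCONTROLLIST FOR SECDOM2
USER1 SECROLE1, SECROLE2
USER2 SECROLE3
END
ACCESSCONTROLLIST FOLDER /FOL1/FOL2/
USER1 SECROLE1
END
ACCESSCONTROLLIST FOLDER /APPS/APP1
USER1 SECROLE1
END
"""

HEADER = re.compile(r"accesscontrollist\s+(for|folder)\s+(\S+)$", re.IGNORECASE)

def parse_acls(text):
    """Return a list of (kind, target, {user_or_group: [roles]}) tuples."""
    acls, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2), {})
        elif line.lower() == "end" and current:
            acls.append(current)
            current = None
        elif current:
            name, *rest = line.split(None, 1)  # the role list is optional
            roles = rest[0] if rest else ""
            current[2][name] = [r.strip() for r in roles.split(",") if r.strip()]
    return acls

def folder_acl_applies(acl_folder, object_folder):
    """Trailing slash: that folder only. No trailing slash: folder and sub-folders."""
    obj = object_folder.rstrip("/")
    if acl_folder.endswith("/"):
        return obj == acl_folder.rstrip("/")
    # Compare on a path boundary so /APPS/APP1 does not also cover /APPS/APP10.
    return obj == acl_folder or obj.startswith(acl_folder + "/")

def folder_roles(acls, name, object_folder):
    """Roles that folder ACLs covering object_folder give to name (union is an assumption)."""
    return {r for kind, tgt, users in acls if kind == "folder"
            and folder_acl_applies(tgt, object_folder) for r in users.get(name, [])}
```

Running `folder_roles` over every folder in use is a quick way to review which definitions lack the trailing slash and therefore extend to sub-folders.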