How does the standalone '-' masking character on a resource rule entry work?

Document ID : KB000013129
Last Modified Date : 14/02/2018
Show Technical Document Details
Question:

How does the standalone '-' masking character on a resource rule entry work?

Answer:

The standalone '-' masking character on an extended resource rule entry matches with any number of additional qualifiers that follow the high level qualifier specified in the $KEY.

For example, given the following rule:

$KEY(TEST) TYPE(SAF)
- UID(abcdef) ALLOW

Any of the following resource names accessed by a logonid with UID(abcdef) will match the extended resource rule entry '- UID(abcdef) ALLOW' and be allowed access:

TEST
TEST.qual2
TEST.qual2.qual3
TEST.qual2.qual3.qual4