I wrote a rule for a resource that was extended format but that rule was not used, a $KEY masked rule was used instead... Why?

Document ID : KB000044399
Last Modified Date : 14/02/2018
Show Technical Document Details

Question:  

I wrote a rule for a resource that was extended format but that rule was not used, a $KEY masked rule was used instead... Why?

Answer:  

If the resource name being validated is 40 characters or fewer, CA ACF2 first  

searches for the generalized resource rule whose $KEY value most specifically  

matches the full resource name of the resource being validated. When CA ACF2   

finds a rule that matches (directly or with masking) the full resource name,   

it uses that rule for the validation. When no generalized resource rule key    

matches the full resource name and the resource name is a qualified resource   

name, CA ACF2 searches for the resource rule whose $KEY most specifically  

matches the first qualifier of the resource name. When it finds a rule that   

matches (directly or with masking) the first qualifier, it uses that rule for 

the validation. See the following example.                                    

                                                                              

Resource name:                                                                

                                                                              

TEST.TESTNAME2                                                                

                                                                              

Sample resource rules:                                                        

                                                                              

$KEY(**************) TYPE(ttt)    full key match                              

 UID(...) ALLOW                                                               

                                                                              

$KEY(TEST) TYPE(ttt)              qualifier match                             

 TESTNAME2 UID(...) ALLOW                                                     

                                                                              

Note: If you use a fully masked resource rule $KEY value as a catch-all rule, 

and you also use resource rules with qualifier $KEY values, remember that CA  

ACF2 searches first for the generalized resource rule whose $KEY value        

matches the full resource name of the resource being validated. If CA ACF2    

finds a rule that matches (directly or with masking) the full resource name,  

it uses that rule for the validation and does not search for a match using    

the first qualifier of the resource name. In the previous example, if both    

resource rules exist, CA ACF2 will find and use the fully masked resource     

rule with $KEY(**************), and will not use the resource rule with the   

 qualifier $KEY(TEST).