Multiple PERMITs with Masking Characters within the same PROFILE.

Document ID : KB000116784
Last Modified Date : 02/10/2018
Show Technical Document Details
Issue:
Permits in the same profile and only profile on the user:

Rule#1 --> DSN(+.+.CACCT.++++.++.++.06172A15) ACCESS(NONE)
Rule#2 --> DSN(+.+.CACCT.MP++.++.++.061) ACCESS(UPDATE)

If this is passed in the RACROUTE #.#.CACCT.MP01.NY.AP.06172A15

Which rule will be used if the requested access level is UPDATE? 
Resolution:
The longer PERMIT that matches will be used.

In the example you gave, the first PERMIT is more specific.

Rule#1 --> DSN(+.+.CACCT.++++.++.++.06172A15) ACCESS(NONE)
Rule#2 --> DSN(+.+.CACCT.MP++.++.++.061) ACCESS(UPDATE)

This is documented in the doc at :

https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/resource-access-security-validation-algorithm/how-the-algorithm-determines-best-fit

in the first bullet.