>>> On 1/6/2012 at 12:18 PM, Wayne Driscoll <wdri...@us.ibm.com> wrote:
> Based on my past experiences with ACF2, I believe that ACF2 acts as if
> each rule line contains, in RACF terms, an asterisk after the last
> character. For example, if there are the following resources protected:
>
> APPL
> APPL1
> APPL2
> APPX
>
> Under RACF, access to APPL would only allow access to that resource.
> However (as I said this is based on old data, and may be incorrect) ACF2
> would treat the resource as if it was specified as APPL*, so access to
> APPL would allow access to APPL1 and APPL2 as well as APPL.
> If this is incorrect I would welcome being corrected.

That wasn't correct when I was working with ACF2. You could have resource rules written as APPL*, but that wasn't assumed by the software. (ACF2 was based on the principle of "protect everything by default.") You could also have resource rule names that were _all_ asterisks to act as a catch-all. What was specified in that rule could deny, allow, etc., but that was up to the security team to decide.

Mark Post