
    Resolution of Conflicting Rules:


With SafeSFS it is possible to have conflicting rules within the same rule file. Normally, this does not occur because it is impractical to create conflicting rules. Conflicting rules are evaluated and resolved in the order listed below.
  1. USER rules versus ACIGROUP rules:
    USER rules are rules where the filespace specified in the SFS object in the rule is an actual SFS filespace. ACIGROUP rules are rules where the filespace specified in the rule is an acigroup. An acigroup in the filespace position means all filespaces belonging to members of the acigroup. ACIGROUP rules are indicated by the ACIGROUP option.

    USER rules always override ACIGROUP rules when specified at the same rule level. Both USER and ACIGROUP rules are allowed at the Global Admin and Global Default levels. For example, if user DEVO is a member of acigroup SYSTEM and the following rules were defined in the GLOBAL ADMIN rule file, a rule conflict would exist:
    ACCEPT USER JOE READ *:DEVO.
    Overrides:
    REJECT USER JOE READ *:SYSTEM. (ACIGROUP


  2. Specificity of the SFS object within the rule:
    Rules that are more specific override conflicting rules that are less specific when specified at the same rule level. Specificity is determined within each token of the SFS object. The leftmost tokens are more specific than tokens to the right. Within a pattern-matched token, a larger number of characters is more specific than a smaller number of characters. Tokens that do not contain the pattern-matching character "*" are more specific than tokens that do.
    For example:
    ACCEPT USER JILL READ FP:THEHILL.PAIL.WATER
    Is more specific than:
    REJECT USER JILL READ FP:THEHILL.

    Pattern-matched rules are less specific than non-pattern-matched rules with the same root.
    For example:
    ACCEPT USER JILL READ FP:THEHILL.
    Is more specific than:
    REJECT USER JILL READ FP:THEHILL*.


  3. Rules where the requestor is a userid override rules where the requestor is an acigroup:
    Rules with a requestor type of USER override rules with a requestor type of ACIGROUP.
    For example:
    Assuming user JILL is a member of acigroup TALES, then the rule:
    ACCEPT USER JILL READ FP:THEHILL.
    Overrides the rule:
    REJECT ACIGROUP TALES READ FP:THEHILL.


  4. Specificity of requestor:
    Requestor specificity involves pattern matching. Pattern matched requestors are less specific than non-pattern matched requestors.
    For example:
    ACCEPT USER JILL READ FP:THEHILL.
    Overrides:
    REJECT USER JILL* READ FP:THEHILL.
    And
    ACCEPT USER JI* READ FP:THEHILL.
    Overrides:
    REJECT USER J* READ FP:THEHILL.


  5. REJECT versus ACCEPT:
    When a REJECT rule and an ACCEPT rule have identical parameters and are specified at the same rule level, REJECT rules override ACCEPT rules.
    For example:
    REJECT USER JILL READ FP:THEHILL.
    Overrides:
    ACCEPT USER JILL READ FP:THEHILL.
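
The five steps above can be read as one lexicographic sort key. The following Python is an added example, not SafeSFS code: it assumes every rule passed in is at the same rule level and already matches the same request (it does no matching and no acigroup membership lookup). The function names and the padding of shorter SFS objects as least specific are assumptions made for illustration.

```python
# Added example (not SafeSFS code): rank same-level conflicting rules.

def parse(line):
    # Rule text as written on this page:
    #   ACTION REQTYPE REQUESTOR OPERATION OBJECT [(ACIGROUP]
    body, _, opts = line.partition("(")
    action, req_type, requestor, _op, obj = body.split()
    return {"text": line, "action": action, "req_type": req_type,
            "requestor": requestor, "obj": obj,
            "group_fs": "ACIGROUP" in opts.split()}

def tokens(obj):
    # filepool:filespace.dir.dir -> tokens, leftmost first
    return [t for t in obj.replace(":", ".").split(".") if t]

def token_rank(tok):
    # Lower sorts first: a literal token beats a pattern token, then
    # more literal characters beat fewer.
    return (1 if "*" in tok else 0, -len(tok.replace("*", "")))

def object_rank(obj, depth):
    # Assumption: an object with fewer tokens is padded with a
    # least-specific placeholder so deeper objects rank first.
    toks = tokens(obj)
    return tuple(map(token_rank, toks)) + ((2, 0),) * (depth - len(toks))

def precedence(rule, depth):
    return (
        1 if rule["group_fs"] else 0,            # 1. USER vs ACIGROUP filespace
        object_rank(rule["obj"], depth),         # 2. SFS object specificity
        0 if rule["req_type"] == "USER" else 1,  # 3. requestor type
        token_rank(rule["requestor"]),           # 4. requestor specificity
        0 if rule["action"] == "REJECT" else 1,  # 5. REJECT vs ACCEPT
    )

def winner(lines):
    # Return the text of the rule that overrides the others.
    rules = [parse(line) for line in lines]
    depth = max(len(tokens(r["obj"])) for r in rules)
    return min(rules, key=lambda r: precedence(r, depth))["text"]

if __name__ == "__main__":
    # The two rules from item 1 on this page.
    print(winner(["REJECT USER JOE READ *:SYSTEM. (ACIGROUP",
                  "ACCEPT USER JOE READ *:DEVO."]))
```

Running candidate rule files through a check like this before deployment shows which rule wins where an ACCEPT and a REJECT overlap.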

