Matching Rules and ACEs

When the MLDAP ESM Module receives a request to authorize a user's access to some resource, it checks the rules stored in the LDAP repository to determine the users access.

Access control rules in the LDAP repository

Enterprise Server resources are grouped into categories called classes. Each class exists as an LDAP container in the repository. Within the class containers are resource rules. Rules are named for the resources they apply to, and their names can include wildcards, so a rule named "*" (or "**" for data sets) applies to all resources of that class. See Wildcards for Resource, User, and Group Names for more information.

Because a class can have multiple rules that match the name of the resource being accessed, the MLDAP ESM Module applies algorithms to determine which rule determines the result of a particular request. A more specific rule that matches the request should take precedence. For example, if a user attempts to submit the CICS transaction ACCT, and there is a rule named "ACCT" and another rule named "A*", the "ACCT" rule should override the "A*" rule.

Rule processing in MLDAP ESM Module versions 1 and 2

Version 1 of the MLDAP ESM Module, included in all products prior to Enterprise Server 2.3 (except for some hotfix releases for 2.2 Update 2), used a complex algorithm to retrieve resource rule data from the LDAP server and evaluate it using another algorithm called "Match Rank". The Match Rank algorithm was also used to determine which part of an ACL (an Access Control Entry or ACE) applied to the user making the request. See Compatibility Rule Matching for more information on the process used in version 1 of the module. Enterprise Server 2.3 introduced MLDAP ESM Module version 2, with a new, simplified process for matching resource access requests to rules and matching ACEs to users. This new processing algorithm provides more predictable and understandable behavior when resource rules are ambiguous, and also offers better performance in some cases.

For Enterprise Server 2.3 the new algorithm is the default. (In Enterprise Server 2.2 Update 2 hotfixes that include MLDAP ESM Module version 2, the old algorithm is still the default, to avoid changing behavior in a hotfix release.) You might want to use the new algorithm for its improved behavior and performance, and possibly for new features that require it. However, if you use complex, ambiguous resource access control rules you might, in rare cases, notice different results for some authorization queries when using the new algorithm. The MLDAP ESM Module can be configured to use the old algorithm by specifying the Version 1 authentication configuration setting.

Example: Different precedence order between versions 1 and 2

Suppose you have the following two data set access control rules, with corresponding ACLs:

DEV.** allow:alice:read
**.ALICE.* allow:alice:update

The first rule is meant to give Alice read access to all data sets under the DEV top-level qualifier, and update access to all data sets with ALICE as the final qualifier. What happens if Alice tries to update the data set DEV.PROJ1.ALICE.NOTES?

Of the two rules, the second (**.ALICE.*) matches that data set name more completely, because it matches more literal characters. Under the version 1 algorithm the module applies the first rule, because it returns it first when searching for applicable rules. That means Alice does not have update access to the data set. Using the version 2 algorithm, the module returns all the rules that might apply, then processes them in the order of closest to furthest match. So when the version 2 algorithm is used, the second rule is applied, and Alice is granted update access.

You can specify configuration options that can modify the exact behavior of the version 2 algorithm. See the Operation section of MLDAP ESM Module Custom Configuration Information for more information.