Policy statement examples
- The basic syntax for a policy statement that updates a check should look something like this:
  ADDREPLACE POLICY STMT(statement_name) UPDATE CHECK(check_owner, check_name) options REASON('reason_for_change') DATE(yyyymmdd)
  The ADDREPLACE POLICY statement is identified by the statement name defined in the STMT parameter. If you have already defined a policy statement with the same name, the system replaces it with the new policy statement, as long as the DATE specified is more current than the existing one. For this reason, be careful when you specify ADDREPLACE with a policy statement name that already exists, because you'll most likely be overwriting the old policy statement with your new one.
- Make all checks low severity except for UNIX System Services checks:
  ADDREPLACE POLICY STMT( LOW ) UPDATE CHECK(*,*) SEVERITY(LOW) REASON('Make all checks low severity to start') DATE(20061130)
  ADDREPLACE POLICY STMT( USSMED ) UPDATE CHECK(IBMUSS,*) SEVERITY(MEDIUM) REASON('Make all USS checks medium severity') DATE(20061130)
  - Policy statement LOW makes all checks low severity
  - Policy statement USSMED then makes the UNIX System Services checks medium severity
- Update the severity value for all IBMGRS checks:
  ADDREPLACE POLICY STMT(POL4) UPDATE CHECK(IBMGRS,*) SEVERITY(HIGH) REASON('change policy') DATE(20050901)
  The system applies the values to all:
  - Existing IBMGRS checks
  - New IBMGRS checks added later
- Apply the following changes to all checks:
  - Apply a severity of HIGH
  - Apply a WTO type of IMMEDIATE
  - Use additional descriptor code 16
  - Use routing codes 126,127
  ADDREPLACE POLICY STMT(POL3) CHECK(*,*) UPDATE SEVERITY(HIGH) WTOTYPE(IMMEDIATE) DESCCODE(16) ROUTCODE(126,127) REASON('Updating all my checks') DATE(20050920)
- Delete a check:
  ADDREPLACE POLICY STMT(DEL1) DELETE Check(IBMRACF,RACF_GRS_RNL)
  We recommend that you delete checks in your policy. See Why does my check reappear after I delete it? Understanding delete processing for details.
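
Because ADDREPLACE replaces an existing statement of the same name when the DATE is more current, it helps to review a set of policy statements for reused names before activating them. The following Python sketch is an added example, not IBM code or part of the original page: it reports which statement survives for each name and flags UPDATE statements that lack REASON or DATE. The function names and sample statements are constructed, and it assumes that "more current" means a strictly later DATE and that statement names compare case-insensitively.

```python
import re

# Patterns for the keywords shown on this page (matched case-insensitively).
STMT_RE = re.compile(r"ADDREPLACE\s+POLICY\s+STMT\(\s*(\w+)\s*\)", re.I)
DATE_RE = re.compile(r"\bDATE\(\s*(\d{8})\s*\)", re.I)
REASON_RE = re.compile(r"\bREASON\(\s*'[^']*'\s*\)", re.I)
UPDATE_RE = re.compile(r"\bUPDATE\b", re.I)

def split_statements(text):
    """Split the text into one whitespace-normalized string per policy statement."""
    parts = re.split(r"(?=ADDREPLACE\s+POLICY\b)", text, flags=re.I)
    return [" ".join(p.split()) for p in parts if STMT_RE.search(p)]

def lint_policy(text):
    """Return (active, findings); active maps name -> surviving (date, statement)."""
    active, findings = {}, []
    for stmt in split_statements(text):
        # Assumption: statement names compare case-insensitively.
        name = STMT_RE.search(stmt).group(1).upper()
        date = m.group(1) if (m := DATE_RE.search(stmt)) else ""
        if UPDATE_RE.search(stmt):
            if not REASON_RE.search(stmt):
                findings.append(f"{name}: UPDATE without REASON('...')")
            if not date:
                findings.append(f"{name}: UPDATE without DATE(yyyymmdd)")
        if name not in active:
            active[name] = (date, stmt)
        elif date > active[name][0]:
            # Assumption: "more current" means a strictly later DATE.
            findings.append(f"{name}: replaces statement dated {active[name][0]}")
            active[name] = (date, stmt)
        else:
            findings.append(f"{name}: name reused, DATE {date} not newer; ignored")
    return active, findings

# Constructed sample: POL4 is reused twice, and LOW has no REASON keyword.
SAMPLE = """
ADDREPLACE POLICY STMT(LOW) UPDATE CHECK(*,*) SEVERITY(LOW)
  ('Make all checks low severity to start') DATE(20061130)
ADDREPLACE POLICY STMT(POL4) UPDATE CHECK(IBMGRS,*) SEVERITY(HIGH)
  REASON('change policy') DATE(20050901)
ADDREPLACE POLICY STMT(POL4) UPDATE CHECK(IBMGRS,*) SEVERITY(LOW)
  REASON('relax GRS checks') DATE(20060101)
ADDREPLACE POLICY STMT(POL4) UPDATE CHECK(IBMGRS,*) SEVERITY(MEDIUM)
  REASON('stale copy') DATE(20050101)
"""

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE)[1]:
        print(finding)
```

In the sample, the second POL4 statement silently lowers the IBMGRS checks from HIGH to LOW, which is the kind of overwrite worth catching in review.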