Example of tag usage

Tags can be used to specify different HFM1PARM options based on certain environment variables (the z/OS® system ID, the ZDT/IMS version and the user's TSO logonid). The most usual usage of tags is to provide an exception to the normal processing, for some particular set of circumstances.

Example 1:

Suppose SAF-rule controlled auditing is turned off for all users in a single z/OS-image. The HFM1PARM member would be coded as:
FMAUDIT SAF_CTRL=NO
Now suppose that there is a requirement to implement SAF-rule controlled auditing, and that one particular logonid (TEST1) has been selected for testing purposes. Assuming all the relevant SAF rules have been written, SAF-rule controlled auditing can be turned on for logonid TEST1 using:
FMAUDIT SAF_CTRL=NO     (1)
<U TEST1>          (2)
FMAUDIT SAF_CTRL=YES      (3)
<EU>             (4)

Explanation:

When ZDT/IMS parses the above, the line (1) is processed for all users, and turns SAF-rule controlled auditing off. When line (2) is processed, the user's TSO logonid is compared with the value TEST1. For all users other than TEST1, the test fails. When a tag fails to match a condition, all lines from the start tag to the matching end tag (inclusive) are ignored, so the net result is that, in the above example, only line (1) is processed. This ensures that the default of no SAF-rule controlled auditing applies to all users other than TEST1.

For user TEST1 however, the tag comparison on line (2) matches, so line (3) is included. ZDT/IMS re-processes the FMAUDIT statement for line (3), this time with SAF_CTRL=YES, resulting in SAF-rule controlled auditing being turned on for user TEST1.

Note: This example demonstrates two important principles when processing the statements within an HFM1PARM member:
  • Multiple statements for the same option are allowed.
  • If multiple statements for the same option are encountered, the last statement processed is the one that determines the setting.

Example 2:

Suppose in a sysplex environment there are nine z/OS images, with system IDs SYS1, SYS2, SYS3 … SYS9. Z Data Tools is available on all images, and SAF-rule controlled auditing is not required on SYS1, SYS2, … SYS7 inclusive, but is required on SYS8 and SYS9. Further, on z/OS system SYS8, only TSO logonids that commence with DEV should be subject to SAF rule controlled audit; all other TSO logonids are exempt. On system SYS9 however, all TSO logonids should be subject to SAF-rule controlled audit, with the single exception of TSO logonid MASTER1.

This could be coded as follows:
FMAUDIT SAF_CTRL=NO     (1)
<Z SYS8>            (2)
<U DEV*>            (3)
FMAUDIT SAF_CTRL=YES      (4)
</U>              (5)
</Z>              (6)
<Z SYS9>            (7)
FMAUDIT SAF_CTRL=YES      (8)
<U MASTER1>         (9)
FMAUDIT SAF_CTRL=NO     (10)
</U>              (11)
</Z>              (12)

Explanation:

Line (1) sets the default, which is not to use SAF- rule controlled auditing.

For all users on z/OS systems SYS1 … SYS7 inclusive, the Z tags for SYS8 on line (2) and SYS9 on line (7) will not match the current environment, resulting in lines 2-12 inclusive being ignored.

For users running on z/OS system SYS8, line (2)-(6) inclusive are considered; lines (7)-(12) are ignored. Any TSO logonid that does not start with DEV (for example, PROD1) will not match the U tag (line 3), resulting in lines 3-5 inclusive being ignored. This leaves only line (1) to consider, which sets SAF-rule controlled auditing off. For a TSO logonid such as DEV76, the U tag on line (3) matches, so line (4) is included. ZDT/IMS processes the FMAUDIT statement on line (4) and sets SAF-rule controlled auditing on.

For users running on z/OS system SYS9, lines (2)-(6) inclusive are ignored; lines (7)-(12) inclusive are considered. Line (8) changes the default (for all users on system SYS9) to use SAF- rule controlled auditing. For all users other than TSO logonid MASTER1, lines (9)-(11) are ignored, resulting in the new default (line 8) being used. This turns SAF-rule controlled auditing on. For TSO logonid MASTER1 only, the U tag on line (9) matches and the FMAUDIT statement on line (10) is included. This turns SAF-rule controlled auditing off for user MASTER1.