If wildcards are specified in object names, more than one of the rules in a rule container may apply to an object name. However, the check is always performed in the sequence in which the rules are entered in the rule container and terminates when the first match is located.
The diagram below presents the active rule container (without taking into account the TSOS-ACCESS rule attribute):
A user with the user ID USER1 would like to co-administer the file BOOK on Monday. In the search for a suitable rule, the string BOO* from the first rule is checked against the file name BOOK. The name matches, the search for further matching rules is halted and the access condition specified in GUARD1 is evaluated.
According to the access condition in GUARD1, USER1 is a co-owner of BOOK.
On Tuesday USER2 attempts to access the file BOOK as a co-owner. In the co-owner check, the file name BOO* from the first rule is again checked against the file name BOOK. The name matches, the search for further matching rules is halted and the access condition specified in GUARD1 is evaluated.
According to the access condition in GUARD1, USER2 is not a co-owner of BOOK. The second rule, which would have identified USER2 as a co-owner (GUARD2), is ignored.
The sequence of rules in a rule container or within a series of rule containers is crucial for determining co-ownership.
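The first-match behaviour described above can be modelled in a few lines, together with a check that reports rules that can never be reached because an earlier pattern covers them. This is an added example, not code from the product. Assumptions: `*` is the only wildcard modelled, the second rule's pattern (`BOOK`) is invented because only `BOO*` is given in the text, and each guard is reduced to the set of user IDs it admits.

```python
import re

# Constructed rule container, in the order the rules were entered.
# Only the first pattern (BOO*) and the guard names come from the text;
# the second pattern and the guard contents are assumptions.
RULES = [("BOO*", "GUARD1"), ("BOOK", "GUARD2")]
GUARDS = {"GUARD1": {"USER1"}, "GUARD2": {"USER2"}}  # user IDs each guard admits


def _regex(pattern):
    """Translate a pattern in which '*' is the only wildcard into a regex."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.DOTALL)


def first_match(rules, object_name):
    """Return (index, guard) of the first rule matching the name, or None."""
    for index, (pattern, guard) in enumerate(rules):
        if _regex(pattern).fullmatch(object_name):
            return index, guard  # search stops here; later rules are ignored
    return None


def is_co_owner(rules, guards, user_id, object_name):
    """Evaluate only the guard of the first matching rule."""
    hit = first_match(rules, object_name)
    return hit is not None and user_id in guards[hit[1]]


def shadowed_rules(rules):
    """List (later_index, earlier_index) pairs where the later rule can never fire.

    An earlier pattern covers a later one if it matches the later pattern's
    text itself: a literal character never equals '*', so only the earlier
    pattern's own '*' can absorb the later pattern's wildcards.
    """
    found = []
    for later, (pattern, _) in enumerate(rules):
        for earlier in range(later):
            if _regex(rules[earlier][0]).fullmatch(pattern):
                found.append((later, earlier))
                break
    return found


if __name__ == "__main__":
    for user in ("USER1", "USER2"):
        print(user, "co-owner of BOOK:", is_co_owner(RULES, GUARDS, user, "BOOK"))
    print("unreachable rules (later, earlier):", shadowed_rules(RULES))
```

Entering the more specific rule before the wildcard rule removes the shadowing in this model, and USER2 is then evaluated against GUARD2.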