A rule container may contain multiple rules which themselves consist of multiple conditions. The search therefore needs to follow a precise logic.
Search for valid rules
The rules are checked in the order in which they are entered in the rule container. The check determines whether the rule applies to the object (file or job variable) to be accessed. The name of the object which is to be accessed is successively compared with the object names in the 1st, 2nd ... nth rule in the rule container until a matching name is found or no further rules remain to be checked.
If a matching rule is found, the search in the rule container is discontinued and the corresponding access condition is checked.
If no suitable rule is found, the system’s default applies: namely, that the user ID TSOS is the only co-owner of the object.
* This part of the rule concerns the checking of co-ownership for the user ID TSOS (for more information, see "Restriction of TSOS co-ownership").
Checking the co-owner conditions
The check of the co-owner conditions depends on whether or not the accesser has the TSOS privilege:
The following applies to nonprivileged users:
The object names of each rule are linked to the access conditions (STDAC guards). If a rule with a matching object name is found, the result of the evaluation of the STDAC guard indicates whether or not the accesser is the co-owner of the object.
For users with the TSOS privilege, the result of the evaluation of the TSOS-ACCESS rule attribute indicates whether or not the accesser is a co-owner of the object (see "Restriction of TSOS co-ownership").
The diagram below illustrates the logic of the entire co-owner protection checking process for users without the TSOS privilege. You will find the checking logic on which the evaluation of STDAC guards is based in section “Defining access conditions”.
Figure 21: Logic of the co-owner protection check for users without the TSOS privilege
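The first-match search and the two checking paths described above can be modelled as follows. This is an added example, not part of the original manual and not SECOS code. The names `Rule`, `find_rule` and `is_co_owner` are hypothetical, fnmatch-style wildcards stand in for the object name matching, and the STDAC guard and the TSOS-ACCESS attribute are reduced to a predicate and a boolean result.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, List, Optional


@dataclass
class Rule:
    # All fields are assumptions made for this model, not SECOS structures.
    object_pattern: str                 # object name in the rule (fnmatch wildcards assumed)
    stdac_guard: Callable[[str], bool]  # stands in for the STDAC guard evaluation
    tsos_access_allowed: bool           # stands in for the TSOS-ACCESS evaluation result


def find_rule(container: List[Rule], object_name: str) -> Optional[Rule]:
    """Check rules in container order; stop at the first matching object name."""
    for rule in container:
        if fnmatchcase(object_name, rule.object_pattern):
            return rule
    return None


def is_co_owner(container: List[Rule], object_name: str,
                user_id: str, has_tsos_privilege: bool) -> bool:
    rule = find_rule(container, object_name)
    if rule is None:
        # System default: the user ID TSOS is the only co-owner.
        # Simplification: a holder of the TSOS privilege is treated as TSOS.
        return has_tsos_privilege
    if has_tsos_privilege:
        # Privileged accesser: only the TSOS-ACCESS attribute decides.
        return rule.tsos_access_allowed
    # Nonprivileged accesser: the guard linked to the matching rule decides.
    return rule.stdac_guard(user_id)


# Constructed sample container: order matters, the specific rule comes first.
CONTAINER = [
    Rule("PAYROLL.*", lambda u: u in {"ALICE"}, tsos_access_allowed=False),
    Rule("*", lambda u: u in {"ALICE", "BOB"}, tsos_access_allowed=True),
]

if __name__ == "__main__":
    for user in ("ALICE", "BOB"):
        print(user, is_co_owner(CONTAINER, "PAYROLL.2024", user, False))
```

BOB is rejected for PAYROLL.2024 even though the later catch-all rule would admit him, because the search stops at the first matching rule. Placing a broad rule ahead of a specific one would therefore hide the specific rule entirely.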