Beginning with version 2 of the MLDAP ESM Module (available in Enterprise Server 2.3 and some hotfixes for Enterprise Server 2.2 Update 2), you can also define resource-rule names based on the name of the user who is requesting access. This lets you create generic rules that apply to resources that include the user's name in the resource name. Typically this is used for rules in the DATASET and JESSPOOL classes, to give users access to resources that include their name as a qualifier.
When determining rule precedence, rules with username substitution rank as high as if the user's name appeared literally in the rule. A rule like USER.${user}.** will take precedence over one named USER.*.** when the user's name appears as the second qualifier in the dataset name.
[Operation]
Version 1 authentication=no
Rule substitutions=yes
The Version 1 authentication line is not needed (but allowed) in Enterprise Server 2.3 and later.
LDIF syntax for a pair of rules that gives each user access to their own datasets under USER.**, while denying other users access to them:
dn: CN=USER.${user}.**,CN=DATASET,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=X
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: DATASET
microfocus-MFDS-Resource-ACE: allow:*:alter
microfocus-MFDS-UID: USER.${user}.**
description: Allow full access to user's own area

dn: CN=USER.**,CN=DATASET,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=X
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: DATASET
microfocus-MFDS-Resource-ACE: allow:*:none
microfocus-MFDS-UID: USER.**
description: Users don't have access to each other's areas
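
The effect of the two DATASET rules above, modelled as an added example (not Micro Focus code, and not how the MLDAP ESM Module is implemented). The wildcard semantics (`*` matches one qualifier, `**` matches one or more) and the ranking by leading literal qualifiers are simplifying assumptions, and the function names are hypothetical.

```python
# Simplified model (assumption, not the MLDAP ESM Module's code) of ${user}
# substitution and most-specific-rule selection for the DATASET rules above.
import re

# (rule name, access level granted to all users by "allow:*:<level>")
RULES = [("USER.${user}.**", "alter"), ("USER.**", "none")]

def expand(rule, user):
    """Replace ${user} with the requesting user's name."""
    return rule.replace("${user}", user)

def to_regex(pattern):
    """Assumed wildcards: '*' = exactly one qualifier, '**' = one or more."""
    parts = []
    for q in pattern.split("."):
        if q == "**":
            parts.append(r"[^.]+(?:\.[^.]+)*")
        elif q == "*":
            parts.append(r"[^.]+")
        else:
            parts.append(re.escape(q))
    return re.compile(r"\.".join(parts) + r"\Z")

def specificity(pattern):
    """Assumed ranking: count literal qualifiers before the first wildcard."""
    n = 0
    for q in pattern.split("."):
        if "*" in q:
            break
        n += 1
    return n

def access_for(user, resource, rules=RULES):
    """Return (rule name, level) of the most specific matching rule, or None."""
    best = None
    for name, level in rules:
        pat = expand(name, user)  # substituted name ranks as a literal
        if to_regex(pat).match(resource):
            rank = specificity(pat)
            if best is None or rank > best[0]:
                best = (rank, name, level)
    return best and best[1:]
```

A user whose name is only a prefix of another user's qualifier (for example `AL` against `USER.ALICE.PAYROLL`) falls through to the `USER.**` rule, because the substituted name has to match the whole qualifier.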
LDIF syntax for a rule that gives each user control over their own spool output:
dn: CN=*.${user}.**,CN=JESSPOOL,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=X
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: JESSPOOL
microfocus-MFDS-Resource-ACE: allow:*:control
microfocus-MFDS-UID: *.${user}.**
description: Give each user control over their own spool output
In the JESSPOOL class, resources have the format localnodeid.userid.jobname.jobid.dsnumber.name. This rule matches when the requesting user's name appears as the userid qualifier, and gives that user control authority.