One of the variables for OPSAOF security events is SEC.AUAORSNA.
When somebody is using Dynamic Rules, SEC.AUAORSNA, or the current rule set name string, is set to *DYNAMIC.
But RACF doesn't like qualifiers such as *DYNAMIC:
Defining the profile
/* OPS/MVS OPSAOF */
RDEFINE XFACILIT OPSMVS.OPSAOF.*DYNAMIC.RULE1 +
OWNER(G$PSYS) UACC(NONE)
RALT XFACILIT OPSMVS.OPSAOF.*DYNAMIC.RULE1 +
AUDIT(ALL(READ))
RALT XFACILIT OPSMVS.OPSAOF.*DYNAMIC.RULE1 +
DATA('OPS/MVS AOF DYNAMIC RULES')
results in
IKJ56702I INVALID ENTITY, OPSMVS.OPSAOF.*DYNAMIC.RULE1
IKJ56702I INVALID ENTITY, OPSMVS.OPSAOF.*DYNAMIC.RULE1
IKJ56702I INVALID ENTITY, OPSMVS.OPSAOF.*DYNAMIC.RULE1
It's possible to circumvent the problem by changing the SEC.AUAORSNA value *DYNAMIC to something such as @DYNAMIC in the AOF security rule before using OPSECURE, to reach the following RACF definition:
RDEFINE XFACILIT OPSMVS.OPSAOF.@DYNAMIC.RULE1 +
OWNER(G$PSYS) UACC(NONE)
But it doesn't show the real situation when an error occurs (violation...).
The person who changed the rule will know it, but later on it will be difficult to find the link between @DYNAMIC rules and the documentation of CA Technologies.
As it's necessary to protect the rule sets in our environment, with different types of access as a refinement of the external security, I would like to know how others solved the problem.