If a file is cataloged by means of the CATAL macro or CREATE-FILE command without explicit protection attributes, then, by default, only the file owner can access this file.
The file owner is considered to be the user under whose user ID the file is cataloged, any co-owners of this file, if defined (see "Defining co-ownership (co-owners)"), as well as – subject to restrictions – systems support (i.e. user IDs with the TSOS privilege, see "Restrictions on TSOS co-ownership").
Unless otherwise specified, the permitted access mode is write access (ACCESS=WRITE). When a file generation is cataloged, DMS uses the protection attributes specified in the group entry (see "File generation groups (FGGs)" for further information on file generations).
Passwords and retention periods are not automatically defined by DMS; they can be assigned only by the owner. Write access is likewise not prohibited unless otherwise specified.
If a file is to be copied, COPY-FILE PROTECTION=*SAME or COPFILE PROTECT=*SAME can be specified. The copy is then assigned the same protection attributes as the original file (the same passwords, retention period, etc.), with two exceptions: neither the file monitoring attribute (AUDIT) nor the locks against releasing storage space are carried over.
Only the owners of a file (see above for definition) may assign access rights or define, change or delete its protection attributes. In the case of disk files, the protection attributes may be redefined at any time by means of the CATAL macro or MODIFY-FILE-ATTRIBUTES command, provided that the file is not locked by some other access. The protection attributes of tape files can be changed only before the file is opened for the first time. That is because they are written into the tape labels when the file is processed and can then no longer be changed by means of CATAL.
Users can restrict the group of authorized co-users as well as the type of access (with standard access control, BACL or GUARDS) for each of their files.
Access authorization for files
Systems support can restrict access to a pubset: only those users who have been granted explicit access authorization by means of an entry in the user catalog (ADD-USER or MODIFY-USER-ATTRIBUTES command) may access files on the pubset.
A user can restrict access to particular user classes (OWNER, GROUP and OTHERS). User groups cannot be defined unless SECOS is being used.
If SECOS is not used, existing entries in the GROUP user class are ignored and only the entries in the OWNER and OTHERS classes are evaluated.
Note on the GROUP user class
All users who are not assigned to any explicitly created group are automatically members of the implicitly created group *UNIVERSAL. This is especially true when no groups have been explicitly created. In this case, all system users are members of the same group. Consequently, when a BACL is evaluated, all users attempting access – with the exception of the object owner himself/herself – receive the access rights specified in the GROUP entry and not those defined in the OTHERS entry.
It is therefore very strongly recommended that you assign identical access rights to the GROUP and OTHERS user classes when dealing with the *UNIVERSAL group.
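The class selection described in this note, as an added Python model that is not part of the manual and not DMS code. It assumes a single owner user ID (co-owners and TSOS are left out), represents a BACL as a dictionary of R/W/X sets, and uses constructed user IDs and group names.

```python
# Simplified model of BACL user-class selection (added illustration, not DMS code).
UNIVERSAL = "*UNIVERSAL"  # implicit group for users in no explicitly created group


def group_of(user_id, groups):
    """groups maps user ID -> explicitly created group (constructed data)."""
    return groups.get(user_id, UNIVERSAL)


def user_class(user_id, owner_id, groups, secos=True):
    """Return the BACL class (OWNER, GROUP or OTHERS) evaluated for user_id."""
    if user_id == owner_id:
        return "OWNER"
    # Without SECOS, GROUP entries are ignored: only OWNER and OTHERS apply.
    if secos and group_of(user_id, groups) == group_of(owner_id, groups):
        return "GROUP"
    return "OTHERS"


def effective_rights(user_id, owner_id, bacl, groups, secos=True):
    """Rights the user receives from the BACL entry of the evaluated class."""
    return bacl[user_class(user_id, owner_id, groups, secos)]


def universal_excess(owner_id, bacl, groups):
    """Rights GROUP grants beyond OTHERS while the owner is in *UNIVERSAL.

    A non-empty result means every user outside explicit groups gets these
    rights, although the OTHERS entry suggests they should not.
    """
    if group_of(owner_id, groups) != UNIVERSAL:
        return set()
    return bacl["GROUP"] - bacl["OTHERS"]


if __name__ == "__main__":
    # Constructed BACL: the owner intends "my group may read and write, others nothing".
    bacl = {"OWNER": {"R", "W", "X"}, "GROUP": {"R", "W"}, "OTHERS": set()}
    no_groups = {}  # no groups explicitly created
    print(user_class("USER2", "USER1", no_groups))              # GROUP
    print(sorted(effective_rights("USER2", "USER1", bacl, no_groups)))
    print(sorted(universal_excess("USER1", bacl, no_groups)))
```

A non-empty result from `universal_excess` marks a BACL whose GROUP entry should be brought in line with its OTHERS entry, as recommended above.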