The assignment of protection attributes for files should often follow predefined patterns. To support this feature, the system lets you import such patterns from existing files or assign specially configured default values that are controlled by default settings or the file name.
With the default protection function of SECOS (subsystem GUARDDEF), you can set such pubset-global or user-global default values for protection attributes. These default values are stored in attribute guards.
Default protection can be preset for the following protection attributes:
Protection attribute | Meaning |
---|---|
ACCESS | Standard access control (access type) |
USER-ACCESS | Standard access control (access by other users) |
BASIC-ACL | Basic access control list |
GUARDS | Access control via GUARDS |
READ-PASSWORD | Read password |
WRITE-PASSWORD | Write password |
EXEC-PASSWORD | Execute password |
DESTROY-BY-DELETE | Binary deletion |
SPACE-RELEASE-LOCK | Memory space lock |
FREE-FOR-DELETION | Release date for deletion |
EXPIRATION-DATE | Retention period |
The values that are to apply for a file name through the use of default protection are assigned with the commands ADD-/MODIFY-DEFAULT-PROTECTION-RULE and ADD-/MODIFY-DEFAULT-PROTECTION-ATTR (see the “SECOS” manual [8 (Related publications)]).
Assigning protection attributes
The following DMS interfaces provide functions for default protection:
- CATAL macro
- CREATE-FILE command
- CREATE-FILE-GROUP command
- MODIFY-FILE-ATTRIBUTES command
- MODIFY-FILE-GROUP-ATTRIBUTES command
Assigning protection attributes via default protection
Protection attributes in accordance with predefined, name-sensitive default values (default protection) are transferred either implicitly by specifying nothing (default) or explicitly. The following specifications are required for the explicit transfer of protection attributes:
- in the commands, with the operand PROTECTION=*PAR(PROTECTION-ATTR=*BY-DEF-PROT-OR-STD)
- in the CATAL macro, with the operand PROTECT=*BY_DEF_PROT_OR_STD

and by referring to this value in the individual operands (e.g. ACCESS=*BY-PROTECTION-ATTR).
Assigning protection attributes from existing files
Protection attributes are imported from existing files as follows:
- in the commands, with the operand PROTECTION=*PAR(PROTECTION-ATTR=*FROM-FILE(...))
- in the CATAL macro, with the operand PROTECT=(*FROM-FILE,<filename>)
Notes
- When a default date is imported, 0.00 hours local time is set; there is no conversion to UTC time.
- For temporary files, the only possible default protection attributes that can be preset using default protection are DESTROY-BY-DELETE and SPACE-RELEASE-LOCK.
Protection attributes when cataloging new files
Protection attribute | PROTECTION-ATTR=*FROM-FILE | PROTECTION-ATTR=*STD 1) | PROTECTION-ATTR=*BY-DEF-PROT-OR-STD, default protection not active 1) | PROTECTION-ATTR=*BY-DEF-PROT-OR-STD, default protection active |
---|---|---|---|---|
ACCESS | Value | WRITE | WRITE | Value |
USER-ACCESS | Value | OWNER-ONLY | OWNER-ONLY | Value |
BASIC-ACL | Value | NONE | NONE | Value |
DESTROY-BY-DELETE | Value | NO | NO | Value |
GUARDS | Value | NONE | NONE | Value |
SPACE-RELEASE-LOCK | Value | NO | NO | Value |
READ-PASSWORD | NONE | NONE | NONE | Value |
WRITE-PASSWORD | NONE | NONE | NONE | Value |
EXEC-PASSWORD | NONE | NONE | NONE | Value |
FREE-FOR-DELETION | NONE | NONE | NONE | NONE |
AUDIT | NONE | NONE | NONE | NONE |

1) System default values are entered.
No expiration date (EXPIRATION-DATE) can be defined for the first entry. In the case of files, it is implicitly preset to *NONE, and in the case of file generation groups to *TODAY.
Protection attributes when changing file attributes
Protection attribute | PROTECTION-ATTR=*UNCH | PROTECTION-ATTR=*FROM-FILE | PROTECTION-ATTR=*STD 1) | PROTECTION-ATTR=*BY-DEF-PROT-OR-STD, default protection not active 1) | PROTECTION-ATTR=*BY-DEF-PROT-OR-STD, default protection active |
---|---|---|---|---|---|
ACCESS | UNCHANGED | Value | WRITE | WRITE | Value |
USER-ACCESS | UNCHANGED | Value | OWNER-ONLY | OWNER-ONLY | Value |
BASIC-ACL | UNCHANGED | Value | NONE | NONE | Value |
DESTROY-BY-DELETE | UNCHANGED | Value | NO | NO | Value |
GUARDS | UNCHANGED | Value | NONE | NONE | Value |
SPACE-RELEASE-LOCK | UNCHANGED | Value | NO | NO | Value |
EXPIRATION-DATE 2) | UNCHANGED | Value | TODAY | TODAY | Value |
READ-PASSWORD | UNCHANGED | UNCHANGED | UNCHANGED | NONE | Value |
WRITE-PASSWORD | UNCHANGED | UNCHANGED | UNCHANGED | NONE | Value |
EXEC-PASSWORD | UNCHANGED | UNCHANGED | UNCHANGED | NONE | Value |
FREE-FOR-DELETION | UNCHANGED | UNCHANGED | UNCHANGED | NONE | Value |
AUDIT | UNCHANGED | UNCHANGED | UNCHANGED | UNCHANGED | UNCHANGED |

1) System default values are entered.
2) The expiration date is only entered for permanent files with creation dates or for file generation groups. If the reference file has no expiration date, *TODAY is entered.
Notes on default protection
Default protection and file types
Default values that do not match a file type are ignored. This affects:
- SPACE-RELEASE-LOCK, GUARDS, BASIC-ACL and free-for-deletion date for tape files
- SPACE-RELEASE-LOCK, GUARDS and free-for-deletion date for files and file generation groups on private disks
- GUARDS, BASIC-ACL, expiration date and free-for-deletion date for temporary files
- ACCESS, USER-ACCESS and passwords for temporary files on pubsets
- EXEC rights, EXEC passwords and USER-ACCESS=*SPECIAL for file generation groups
In the case of tape files with a creation date, the specification PROTECTION-ATTR=*BY-DEF-PROT-OR-STD is rejected since the protection attributes of these files cannot be modified.
Renaming files
When changing file names, keep the following in mind:
- The default protection for the new file name is checked only if the default values are reset at the same time.
- When a file is renamed from permanent to temporary or vice versa and the protection attributes are simultaneously reset, the default values are determined on the basis of the new file name and file type.
- When a file is renamed as a file generation, the protection attributes cannot be simultaneously reset.
Protection function hierarchy
The values entered in each case are determined in the following order of priority:
- Explicit specification in the command or macro
- Value supplied by default protection or via a reference file
- System default value
If you explicitly specify a protection attribute, no default value for another protection attribute is entered if this value would invalidate the explicit specification. In this case, the system default is entered instead of the default value.
Examples
- If you specify ACCESS or USER-ACCESS explicitly, BASIC-ACL and GUARDS are not set.
- If a value unequal to *NONE is specified for BASIC-ACL, GUARDS is not set.
- The value for the FREE-FOR-DELETION date of a file is skipped if a value unequal to *NONE has been explicitly specified for ACCESS, BASIC-ACL, the passwords or the expiration date.
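The priority order and the three examples above can be modelled to check which default values survive a given set of explicit operands. This is an added illustration, not BS2000 or SECOS code; it assumes a reset with PROTECTION-ATTR=*BY-DEF-PROT-OR-STD while default protection is active, and the rule values (guard name, date) are constructed.

```python
# Model of the priority rules above for a reset with
# PROTECTION-ATTR=*BY-DEF-PROT-OR-STD while default protection is active.
# System defaults are the "default protection not active" column of the table
# (simplification: EXPIRATION-DATE is treated as always applicable).
SYSTEM_DEFAULTS = {
    "ACCESS": "WRITE", "USER-ACCESS": "OWNER-ONLY", "BASIC-ACL": "NONE",
    "GUARDS": "NONE", "DESTROY-BY-DELETE": "NO", "SPACE-RELEASE-LOCK": "NO",
    "READ-PASSWORD": "NONE", "WRITE-PASSWORD": "NONE", "EXEC-PASSWORD": "NONE",
    "FREE-FOR-DELETION": "NONE", "EXPIRATION-DATE": "TODAY",
}
PASSWORDS = ("READ-PASSWORD", "WRITE-PASSWORD", "EXEC-PASSWORD")

def suppressed_defaults(explicit):
    """Attributes whose default-protection value would invalidate an explicit one."""
    def given(attr):
        return explicit.get(attr, "NONE") != "NONE"
    skip = set()
    if "ACCESS" in explicit or "USER-ACCESS" in explicit:
        skip |= {"BASIC-ACL", "GUARDS"}
    if given("BASIC-ACL"):
        skip.add("GUARDS")
    if any(given(a) for a in ("ACCESS", "BASIC-ACL", "EXPIRATION-DATE", *PASSWORDS)):
        skip.add("FREE-FOR-DELETION")
    return skip

def resolve(explicit, rule_defaults):
    """Return {attribute: (value, source)} in the documented priority order."""
    skip = suppressed_defaults(explicit)
    result = {}
    for attr, sysval in SYSTEM_DEFAULTS.items():
        if attr in explicit:
            result[attr] = (explicit[attr], "explicit")
        elif attr in rule_defaults and attr not in skip:
            result[attr] = (rule_defaults[attr], "default protection")
        else:
            result[attr] = (sysval, "system default")
    return result

# Constructed default-protection values (hypothetical guard name and date).
RULE = {"ACCESS": "READ", "GUARDS": "GUARD1", "DESTROY-BY-DELETE": "YES",
        "FREE-FOR-DELETION": "2030-01-01"}

if __name__ == "__main__":
    for attr, (value, source) in resolve({"USER-ACCESS": "ALL-USERS"}, RULE).items():
        print(f"{attr:20} {value:12} {source}")
```

With an explicit USER-ACCESS, the GUARDS default is dropped and the file falls back to GUARDS=NONE, which is the case worth checking when a guard was expected to apply.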
Passwords
Default passwords are always stored in encrypted format in the attribute guard, even if N has been specified for the system parameter ENCRYPT.
If a default password is entered, all the passwords for the file are subsequently encrypted, again regardless of the value of the system parameter ENCRYPT.
In the case of new catalog entries, default values for passwords with PROTECTION-ATTR=*STD or PROTECTION-ATTR=*FROM-FILE() are not entered.
RFA (Remote File Access)
When RFA is used, the remote system's default values apply at all times.
Restrictions for default protection
Default protection is not used in the following circumstances:
- when a file is imported
- when a single file generation is specified
- for the GUARDS catalog
- when a reference file is specified (PROTECTION-ATTR=*FROM-FILE(...))
- when PROTECTION-ATTR=*STD is specified
Restrictions for new catalog entries
No default value for the free-for-deletion date is entered.
When entered for the first time (i.e. when the file is opened and when a file generation group is entered for the first time), the expiration date is not set to the defined default value, but to the system default value.
Restrictions/special features when resetting to default values
Unlike when resetting to system default values, the free-for-deletion date and the passwords are also changed.
If the default value for the expiration date has already passed, the current date is entered instead.