MODIFY-LOGON-PROTECTION

Modify protection attributes


Domain: USER-ADMINISTRATION

Privileges: STD-PROCESSING, USER-ADMINISTRATION


Modifies existing protection attributes for user IDs.

The following persons are authorized to execute the command:

  • Global user administrators (with the USER-ADMINISTRATION privilege) for all user IDs

  • Group administrators who have at least the MANAGE-MEMBERS attribute, for the user IDs assigned to and subordinated to their user group.

Operands which are not specified remain unchanged (default value *UNCHANGED or *NONE).

The command /MODIFY-LOGON-PROTECTION is the means to reactivate user IDs which have been locked by the system either because they have exceeded their expiration date or because it has been too long since their password was last changed. In the first case, a new, future expiration date (EXPIRATION-DATE) must be entered; in the latter case, a new password must be defined.

Only the part of the command that is relevant to POSIX is shown in the syntax diagram below. The operand BATCH-ACCESS can also be significant (e.g. for at, batch, crontab).

The command is described in full in the "SECOS Access Control" [9] manual.

Format

MODIFY-LOGON-PROTECTION

 . . .

 ,POSIX-RLOGIN-ACCESS = *UNCHANGED / *YES(...) / *NO
    *YES(...)
       |  PASSWORD-CHECK = *UNCHANGED / *YES / *NO
       |  ,TERMINAL-SET = *UNCHANGED / *NO-PROTECTION / *NONE /
       |                  *EXCEPTION-LIST(...) / *MODIFY-LIST(...) /
       |                  list-poss(48): <name 1..8>(...)
       |     *EXCEPTION-LIST(...)
       |        |  TERMINAL-SET = *NONE / list-poss(48): <name 1..8>(...)
       |        |     <name 1..8>(...)
       |        |        |  SCOPE = *STD / *USER / *GROUP / *SYSTEM
       |     *MODIFY-LIST(...)
       |        |  REMOVE-TERMINAL-SETS = *NONE / *ALL / list-poss(48): <name 1..8>(...)
       |        |     <name 1..8>(...)
       |        |        |  SCOPE = *STD / *USER / *GROUP / *SYSTEM
       |        |  ,ADD-TERMINAL-SETS = *NONE / *ALL / list-poss(48): <name 1..8>(...)
       |        |     <name 1..8>(...)
       |        |        |  SCOPE = *STD / *USER / *GROUP / *SYSTEM
       |     <name 1..8>(...)
       |        |  SCOPE = *STD / *USER / *GROUP / *SYSTEM
       |  ,GUARD-NAME = *UNCHANGED / *NONE / <filename 1..18 without-cat-gen-vers>

 ,POSIX-REMOTE-ACCESS = *UNCHANGED / *YES(...) / *NO
    *YES(...)
       |  TERMINAL-SET = *UNCHANGED / *NO-PROTECTION / *NONE /
       |                 *EXCEPTION-LIST(...) / *MODIFY-LIST(...) /
       |                 list-poss(48): <name 1..8>(...)
       |     *EXCEPTION-LIST(...)
       |        |  TERMINAL-SET = *NONE / list-poss(48): <name 1..8>(...)
       |        |     <name 1..8>(...)
       |        |        |  SCOPE = *STD / *USER / *GROUP / *SYSTEM
       |     *MODIFY-LIST(...)
       |        |  REMOVE-TERMINAL-SETS = *NONE / *ALL / list-poss(48): <name 1..8>(...)
       |        |     <name 1..8>(...)
       |        |        |  SCOPE = *STD / *USER / *GROUP / *SYSTEM
       |        |  ,ADD-TERMINAL-SETS = *NONE / *ALL / list-poss(48): <name 1..8>(...)
       |        |     <name 1..8>(...)
       |        |        |  SCOPE = *STD / *USER / *GROUP / *SYSTEM
       |     <name 1..8>(...)
       |        |  SCOPE = *STD / *USER / *GROUP / *SYSTEM
       |  ,GUARD-NAME = *UNCHANGED / *NONE / <filename 1..18 without-cat-gen-vers>

Operands

POSIX-RLOGIN-ACCESS = *UNCHANGED / *YES(...) / *NO

The access class attributes for system access via a remote terminal can be modified.

POSIX-RLOGIN-ACCESS = *YES(...)
The BS2000 user ID is open for system access via a remote terminal.

PASSWORD-CHECK = *UNCHANGED / *YES / *NO
Determines whether the password is checked following system access via a remote terminal.

TERMINAL-SET = *UNCHANGED / *NO-PROTECTION / *NONE / *EXCEPTION-LIST(...) / *MODIFY-LIST(...) / list-poss(48): <name 1..8>(...)
Specifies whether the ID used for access over a POSIX remote login is protected by terminal sets.

TERMINAL-SET = *NO-PROTECTION
The ID is not protected by terminal sets.

TERMINAL-SET = *NONE
An empty terminal set list is assigned to the ID used for access over a POSIX remote login, i.e. no POSIX remote login is permitted.

TERMINAL-SET = *EXCEPTION-LIST(...)
A negative list of terminal sets is assigned.

TERMINAL-SET = *NONE
The negative list is empty, i.e. a POSIX remote login is permitted without restriction.

TERMINAL-SET = list-poss(48): <name 1..8>(...)
Access over a POSIX remote login is forbidden for terminals whose names match the terminal names in the specified terminal sets.

The significance of the subordinate operands is the same as for the following operand: TERMINAL-SET=list-poss(48): <name 1..8>(...).

TERMINAL-SET = *MODIFY-LIST(...)
Modifications are made to a terminal set list which has already been defined. The list property (negative list or positive list) remains unaffected by the modification.

REMOVE-TERMINAL-SETS =
Specifies terminal sets to be removed from the terminal set list for POSIX remote login access by the user ID.

If no terminal set list has been defined yet for POSIX remote login access for the user ID, a warning is output and the command processing continues. The same applies if one or more of the terminal sets to be removed is not included in the list.

REMOVE-TERMINAL-SETS = *NONE
No terminal sets are removed from the terminal set list.

REMOVE-TERMINAL-SETS = *ALL
All terminal sets are removed from the terminal set list.

REMOVE-TERMINAL-SETS = list-poss(48): <name 1..8>(...)
The terminal sets whose names are specified are removed from the terminal set list.

The significance of the subordinate operands is the same as for the following operand: TERMINAL-SET=list-poss(48): <name 1..8>(...).

ADD-TERMINAL-SETS =
Specifies terminal sets to be added to the defined terminal set list for POSIX remote login access for the user ID.

If no terminal set list has been defined yet for POSIX remote login access for the user ID, a positive list is implicitly created. If one or more of the terminal sets to be added is already included in the list, a warning is output.

ADD-TERMINAL-SETS = *NONE
No terminal sets are added to the defined terminal set list.

ADD-TERMINAL-SETS = list-poss(48): <name 1..8>(...)
The terminal sets whose names are specified are added to the defined terminal set list.

The significance of the subordinate operands is the same as for the following operand: TERMINAL-SET=list-poss(48): <name 1..8>(...).

TERMINAL-SET = list-poss(48): <name 1..8>(...)
A positive list of terminal sets is assigned. Access over a POSIX remote login is permitted for terminals whose names match the terminal names in the specified terminal sets.

SCOPE =
Class of the terminal set name.

SCOPE = *STD
By default, a global user administrator assigns global terminal sets and a group administrator assigns local terminal sets.

SCOPE = *USER
A terminal set owned by the user ID is assigned.

SCOPE = *GROUP
A terminal set owned by the user ID group is assigned.

SCOPE = *SYSTEM
A jointly owned terminal set is assigned.

GUARD-NAME = *UNCHANGED / *NONE / <filename 1..18 without-cat-gen-vers>
Specifies whether access via the POSIX remote login is protected with a guard.

GUARD-NAME = *NONE
Access via the POSIX remote login is not protected with a guard.

GUARD-NAME = <filename 1..18 without-cat-gen-vers>
Access via the POSIX remote login is only permitted if the access conditions in the specified guard have been satisfied. The protected user ID must be an authorized user of the specified guard. When evaluating the guard, only the time conditions Date, Time and Weekday are taken into account. The protected user ID is the subject of the access conditions.

POSIX-RLOGIN-ACCESS = *NO
The BS2000 user ID is locked for system access via a remote terminal.

POSIX-REMOTE-ACCESS = *UNCHANGED / *YES(...) / *NO
The BS2000 user ID is opened or locked for system access via a POSIX remote command (e.g. rsh, rcp).

TERMINAL-SET = *UNCHANGED / *NO-PROTECTION / *NONE / *EXCEPTION-LIST(...) / *MODIFY-LIST(...) / list-poss(48): <name 1..8>(...)
Specifies whether the ID is protected by terminal sets for access via a POSIX remote command.

TERMINAL-SET = *NO-PROTECTION
The ID is not protected by terminal sets.

TERMINAL-SET = *NONE
An empty terminal set list is assigned to the ID for access via a POSIX remote command, i.e. no access is permitted via a POSIX remote command.

TERMINAL-SET = *EXCEPTION-LIST(...)
A negative list of terminal sets is assigned.

TERMINAL-SET = *NONE
The negative list is empty, i.e. access via a POSIX remote command is permitted without restriction.

TERMINAL-SET = list-poss(48): <name 1..8>(...)
Access via a POSIX remote command is forbidden for terminals whose names match the terminal names in the specified terminal sets.

The significance of the subordinate operands is the same as for the following operand: TERMINAL-SET=list-poss(48): <name 1..8>(...).

TERMINAL-SET = *MODIFY-LIST(...)
Modifications are made to a terminal set list which has already been defined. The list property (negative list or positive list) remains unaffected by the modification.

REMOVE-TERMINAL-SETS =
Specifies terminal sets to be removed from the terminal set list for POSIX remote command access by the user ID.

If no terminal set list has been defined yet for POSIX remote command access by the user ID, a warning is output and command processing continues. The same applies if one or more of the terminal sets to be removed is not included in the list.

REMOVE-TERMINAL-SETS = *NONE
No terminal sets are removed from the terminal set list.

REMOVE-TERMINAL-SETS = *ALL
All terminal sets are removed from the terminal set list.

REMOVE-TERMINAL-SETS = list-poss(48): <name 1..8>(...)
The terminal sets whose names are specified are removed from the terminal set list.

The significance of the subordinate operands is the same as for the following operand: TERMINAL-SET=list-poss(48): <name 1..8>(...).

ADD-TERMINAL-SETS =
Specifies terminal sets to be added to the terminal set list defined for POSIX remote command access by the user ID.

If no terminal set list has been defined yet for POSIX remote command access by the user ID, a positive list is implicitly created. If one or more of the terminal sets to be added is already included in the list, a warning is output.

ADD-TERMINAL-SETS = *NONE
No terminal sets are added to the defined terminal set list.

ADD-TERMINAL-SETS = list-poss(48): <name 1..8>(...)
The terminal sets whose names are specified are added to the defined terminal set list.

The significance of the subordinate operands is the same as for the following operand: TERMINAL-SET=list-poss(48): <name 1..8>(...).

TERMINAL-SET = list-poss(48): <name 1..8>(...)
A positive list of terminal sets is assigned. Access via a POSIX remote command is permitted for terminals whose names match the terminal names in the specified terminal sets.

SCOPE =
Class of the terminal set name.

SCOPE = *STD
By default, a global user administrator assigns global terminal sets and a group administrator assigns local terminal sets.

SCOPE = *USER
A terminal set owned by the user ID is assigned.

SCOPE = *GROUP
A terminal set owned by the user ID group is assigned.

SCOPE = *SYSTEM
A jointly owned terminal set is assigned.

GUARD-NAME = *UNCHANGED / *NONE / <filename 1..18 without-cat-gen-vers>
Specifies whether access via a POSIX remote command is protected by a guard.

GUARD-NAME = *NONE
Access via a POSIX remote command is not protected by a guard.

GUARD-NAME = <filename 1..18 without-cat-gen-vers>
Access via a POSIX remote command is only permitted if the access conditions in the specified guard have been satisfied. The protected user ID must be an authorized user of the specified guard. When evaluating the guard, only the time conditions Date, Time and Weekday are taken into account. The POSIX user ID under which the commands rsh or rcp were entered is the subject of the access conditions. It is not necessary for this user ID to exist in BS2000.

POSIX-REMOTE-ACCESS = *NO
The BS2000 user ID is locked for system access via a POSIX remote command.
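
The TERMINAL-SET semantics described above for both POSIX-RLOGIN-ACCESS and POSIX-REMOTE-ACCESS, modelled in Python as an added example (not part of the manual and not BS2000 code). Assumptions: the terminal set names and their contents are constructed, terminal names are matched exactly, *NO-PROTECTION stands for the state in which no list has been defined yet, and removals are applied before additions.

```python
from dataclasses import dataclass, field

NO_PROTECTION, POSITIVE, NEGATIVE = "*NO-PROTECTION", "positive", "negative"

# Constructed sample data: terminal set name -> terminal names it covers.
# Exact-name matching and all names here are assumptions of this sketch.
TERMINAL_SETS = {"ADMINNET": {"ADMHOST1", "ADMHOST2"}, "LABNET": {"LABHOST1"}}

@dataclass
class TerminalSetList:
    kind: str = NO_PROTECTION      # assumed state before any list is defined
    names: list = field(default_factory=list)

    def modify(self, remove=(), add=()):
        """Model of *MODIFY-LIST(REMOVE-TERMINAL-SETS=..., ADD-TERMINAL-SETS=...).

        remove may be the string "*ALL". The list kind (positive or negative)
        is never changed once a list exists. Returns the warnings raised.
        """
        warnings = []
        if self.kind == NO_PROTECTION:
            if remove:
                warnings.append("no terminal set list defined")
            if add:
                self.kind = POSITIVE   # a positive list is implicitly created
        elif remove == "*ALL":
            self.names.clear()
        else:
            for name in remove:
                if name in self.names:
                    self.names.remove(name)
                else:
                    warnings.append(f"{name} not in list")
        for name in add:
            if name in self.names:
                warnings.append(f"{name} already in list")
            else:
                self.names.append(name)
        return warnings

    def permits(self, terminal):
        """True if access from the named terminal is permitted."""
        if self.kind == NO_PROTECTION:
            return True
        hit = any(terminal in TERMINAL_SETS.get(n, ()) for n in self.names)
        # Positive list: only listed terminals; negative list: all but listed.
        return hit if self.kind == POSITIVE else not hit
```

Because the list property survives a modification, REMOVE-TERMINAL-SETS=*ALL leaves an empty positive list (no access at all) on a positive list, but an empty negative list (access without restriction) on a negative list.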