Define protection attributes
Domain: USER-ADMINISTRATION
Privileges: USER-ADMINISTRATION,
This command defines access protection attributes for existing user IDs.
The following users may execute this command:
Owners of the USER-ADMINISTRATION privilege for all user IDs.
Group administrators who hold at least the MANAGE-MEMBERS attribute for the user IDs assigned to and subordinate to their groups.
The user interface of the command SHOW-LOGON-PROTECTION is not changed by POSIX. Only the part of the command that is relevant to POSIX is shown in the syntax diagram below. The operand BATCH-ACCESS can also be of significance (e.g. for at, batch, crontab).
The command is described in full in the "SECOS - Access Control" [9] manual.
Format
SET-LOGON-PROTECTION
Operands
POSIX-RLOGIN-ACCESS =
The access class attributes for system access via a remote terminal can be defined.
POSIX-RLOGIN-ACCESS = *YES(...)
The BS2000 user ID is open for system access via a remote terminal.
PASSWORD-CHECK = *YES / *NO
Determines whether the password is checked following system access via a remote terminal.
TERMINAL-SET =
Specifies whether the ID used for access via a POSIX remote login is protected by terminal sets.
TERMINAL-SET = *NO-PROTECTION
The ID is not protected by terminal sets.
TERMINAL-SET = *NONE
An empty terminal set list is assigned to the ID, i.e. no POSIX remote login is permitted.
TERMINAL-SET = *EXCEPTION-LIST(...)
A negative list of terminal sets is assigned.
TERMINAL-SET = *NONE / list-poss(48): <name 1..8>(...)
The negative list is empty, i.e. the POSIX remote login is permitted without restriction.
TERMINAL-SET = list-poss(48): <name 1..8>(...)
Access via a POSIX remote login is forbidden for terminals whose names match the terminal names in the specified terminal sets.
The significance of the subordinate operands is the same as for the following operand: TERMINAL-SET.
TERMINAL-SET = list-poss(48): <name 1..8>(...)
A positive list of terminal sets is assigned. Access over a POSIX remote login is permitted for terminals whose names match the terminal names in the specified terminal sets.
SCOPE =
Class of the terminal set name.
SCOPE = *STD
By default, a global user administrator assigns global terminal sets and a group administrator assigns local terminal sets.
SCOPE = *USER
A terminal set owned by the user ID is assigned.
SCOPE = *GROUP
A terminal set owned by the user ID group is assigned.
SCOPE = *SYSTEM
A jointly owned terminal set is assigned.
GUARD-NAME =
Specifies whether access via a POSIX remote login is protected by a guard.
GUARD-NAME = *NONE
Access via a POSIX remote login is not protected by a guard.
GUARD-NAME = <filename 1..18 without-cat-gen-vers>
Access via the POSIX remote login is only permitted if the access conditions in the specified guard have been satisfied. The protected user ID must be an authorized user of the specified guard. When evaluating the guard, only the time conditions Date, Time and Weekday are taken into account. The protected user ID is the subject of the access conditions.
POSIX-RLOGIN-ACCESS = *NO
The BS2000 user ID is locked for system access via a POSIX remote login.
POSIX-REMOTE-ACCESS = *YES(...) / *NO
The BS2000 user ID is opened or locked for system access via a POSIX remote command.
TERMINAL-SET =
Specifies whether the ID is protected by terminal sets for access via a POSIX remote command.
TERMINAL-SET = *NO-PROTECTION
The ID is not protected by terminal sets.
TERMINAL-SET = *NONE
An empty terminal set list is assigned to the ID, i.e. no access is permitted via a POSIX remote command.
TERMINAL-SET = *EXCEPTION-LIST(...)
A negative list of terminal sets is assigned.
TERMINAL-SET = *NONE / list-poss(48): <name 1..8>(...)
The negative list is empty, i.e. access via a POSIX remote command is permitted without restriction.
TERMINAL-SET = list-poss(48): <name 1..8>(...)
Access via a POSIX remote command is forbidden for terminals whose names match the terminal names in the specified terminal sets.
The significance of the subordinate operands is the same as for the following operand: TERMINAL-SET.
TERMINAL-SET = list-poss(48): <name 1..8>(...)
A positive list of terminal sets is assigned. Access via POSIX remote command is permitted for terminals whose names match the terminal names in the specified terminal sets.
SCOPE =
Class of the terminal set name.
SCOPE = *STD
By default, a global user administrator assigns global terminal sets and a group administrator assigns local terminal sets.
SCOPE = *USER
A terminal set owned by the user ID is assigned.
SCOPE = *GROUP
A terminal set owned by the user ID group is assigned.
SCOPE = *SYSTEM
A jointly owned terminal set is assigned.
GUARD-NAME =
Specifies whether access via a POSIX remote command is protected by a guard.
GUARD-NAME = *NONE
Access via a POSIX remote command is not protected by a guard.
GUARD-NAME = <filename 1..18 without-cat-gen-vers>
Access via a POSIX remote command is only permitted if the access conditions in the specified guard have been satisfied. The protected user ID must be an authorized user of the specified guard. When evaluating the guard, only the time conditions Date, Time and Weekday are taken into account. The POSIX user ID under which the commands rsh or rcp were entered is the subject of the access conditions. It is not necessary for this user ID to exist in BS2000.
POSIX-REMOTE-ACCESS = *NO
The BS2000 user ID is locked for system access via a POSIX remote command.
Example
The PSXROOT user ID is permitted for system access via a remote terminal:
/SET-LOGON-PROTECTION USER-ID=PSXROOT,POSIX-RLOGIN-ACCESS=*YES
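The TERMINAL-SET and GUARD-NAME rules described under POSIX-RLOGIN-ACCESS and POSIX-REMOTE-ACCESS, modelled as an added example (not part of this manual and not SECOS code). It shows that *NONE denies everything at the top level but lifts all restrictions inside *EXCEPTION-LIST. Assumptions: the terminal set names and contents, exact-name matching, and a guard reduced to weekday and time-of-day conditions are constructed for illustration.

```python
from datetime import datetime, time

# Constructed terminal sets: set name -> terminal names (assumption: the real
# sets are defined elsewhere in SECOS; exact-name matching is a simplification).
TERMINAL_SETS = {
    "ADMTERM": {"OPSCON01", "OPSCON02"},
    "LABTERM": {"LAB01"},
}

def in_sets(terminal, set_names):
    """True if the terminal name appears in any of the named terminal sets."""
    return any(terminal in TERMINAL_SETS.get(n, set()) for n in set_names)

def terminal_set_permits(terminal, spec):
    """spec = (kind, set_names), mirroring the TERMINAL-SET operand values."""
    kind, names = spec
    if kind == "*NO-PROTECTION":
        return True                       # ID not protected by terminal sets
    if kind == "*NONE":
        return False                      # empty positive list: no access
    if kind == "*EXCEPTION-LIST":
        # names == [] models TERMINAL-SET=*NONE inside the exception list:
        # an empty negative list, so access is unrestricted.
        return not in_sets(terminal, names)
    if kind == "LIST":
        return in_sets(terminal, names)   # positive list
    raise ValueError(f"unknown TERMINAL-SET value: {kind}")

def guard_permits(guard, when):
    """guard is None (GUARD-NAME=*NONE) or a dict of time conditions."""
    if guard is None:
        return True
    return (when.weekday() in guard["weekdays"]
            and guard["start"] <= when.time() <= guard["end"])

def access_permitted(policy, terminal, when):
    """policy is None for *NO, otherwise the sub-operands of *YES(...)."""
    if policy is None:
        return False                      # user ID locked for this access path
    return (terminal_set_permits(terminal, policy["terminal_set"])
            and guard_permits(policy["guard"], when))

# Constructed policy: positive list plus a Monday-Friday 08:00-18:00 guard.
OFFICE_HOURS = {"weekdays": {0, 1, 2, 3, 4}, "start": time(8), "end": time(18)}
HARDENED = {"terminal_set": ("LIST", ["ADMTERM"]), "guard": OFFICE_HOURS}
```
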