Depending on the value specified for the ACTION operand, this macro adds new condition definitions to a guard or modifies existing condition definitions in a guard.
Macro | Operands |
MODSAC | MF = D / L / C / M / E ,PREFIX = P / <name 1> ,MACID = ROY / <name 3> ,MGMTPRE = P / <name 1> ,MGMTMAC = ROZ / <name 3> ,PARAM = <name 1..8> ,ACTION *= *ADD / *MODIFY ,DIALOG = *STD / *NO / *GUARD / *USERID / *CATALOG / <var: enum DIALOG> / (<reg: enum DIALOG>) ,ERRMSG = *NO / *YES ,GUARD * =<c-string: filename 1..40 without-gen-vers with-wild> / <c-string: partial-filename 2..40 with-wild> / <var: char(40)> / (<reg: A(char(40))>) ,SUBTYPE = *NONE / *USER / *GROUP / *OTHER / *ALLUSER / <var: enum SUBTYPE> / (<reg: enum SUBTYPE>) ,SUBIDS = array(20): <c-string: name 1..8> / <var: char(8)> / (<reg: A(char(8))>) ,ADMISS = *YES / *NO / *PARAMS / <var: enum ADMISS> / (<reg: enum ADMISS>) ,CKTIME = *NO / *ADMISSION / *EXCLUSION / <var: enum COND_KIND> / (<reg: enum COND_KIND>) ,TIMEN =<integer 1..4> / <var: integer(1)> / (<reg: A(integer(1))>) ,TIME#1 = structure(2): (1) low: <c-string: time 5> / <var: char(5)> / (<reg: A(char(5))>) ,TIME#2 = see TIME#1 ,CKDATE = *NO / *ADMISSION / *EXCLUSION / <var: enum COND_KIND> / (<reg: enum COND_KIND>) ,DATEN = <integer 1..4> / <var: integer(1)> / (<reg: A(integer(1))>) |
MODSAC | ,DATE#1 = structure(2): (1) low: <c-string: date 10> / <var: char(10)> / (<reg: A(char(10))>) ,DATE#2 = see DATE#1 ,CKWEEK = *NO / *ADMISSION / *EXCLUSION / <var: enum COND_KIND> / (<reg: enum COND_KIND>) ,MO = *NO / *YES ,CKPRIV = *NO / *ADMISSION / *EXCLUSION / <var: enum COND_KIND> / (<reg: enum COND_KIND>) ,ACSADM = *NO / *YES |
MODSAC | ,TAPEADM = *NO / *YES ,CKPROG = *NO / *ADMISSION / *EXCLUSION / <var: enum COND_KIND> / (<reg: enum COND_KIND>) ,PHASEN = <integer 1..4> / <var: integer(1)> / (<reg: A(integer(1))>) ,PHASE#1 = structure(4): (1) type: *FILE / *PHASE / *MODULE / <var: enum PROG_TYPE> / (<reg: enum PROG_TYPE>) (2) library: <c-string: filename 1..54> / <var: char(54)> / (<reg: A(char(54))>) (3) element: <c-string: composed-name 1..54> / <var: char(54)> / (<reg: A(char(54))>) (4) version: *ANY / <c-string: composed-name 1..24> / <var: char(24)> / (<reg: A(char(24))>) ,PHASE#2 = see PHASE#1 |
For a description of the parameters MF, PREFIX, MACID, PARAM, XPAND see the “Executive Macros” manual [ 16 ].
Operands marked with an asterisk (*) are mandatory operands for MF=L.
Underscored operand values are the defaults only for ACTION=*ADD. If ACTION=*MODIFY is specified, only the explicitly specified values are modified; all other values remain unchanged.
The specifications COND_KIND, PROG_TYPE, DIALOG, SUBTYPE and ADMISSION refer to the DSECT of the SACMGMT macro.
MGMTPRE and MGMTMAC
specify the prefix for the global DSECTS, constants and equates. This prefix consists of the values specified for the two operands MGMTPRE and MGMTMAC, which are concatenated in this order.
If a prefix is used, it must match the prefix specified for the PREFIX operand in the SACMGMT macro; otherwise, compilation errors will occur.
ACTION
specifies the action to be executed. This operand is mandatory for MF=L. If only one parameter area is used, this must be re-initialized when switching from *ADD to *MODIFY or vice versa.
=*ADD
The access condition is to be added. This corresponds to the /ADD-ACCESS-CONDITIONS command. If the specified guard does not exist, an implicit CREGUAD call creates it with the default values.
=*MODIFY
An existing access condition is to be modified. This corresponds to the SDF command /MODIFY-ACCESS-CONDITIONS.
DIALOG
In interactive (dialog) mode, the user may use the function in a guided dialog. In batch mode, DIALOG=*NO is always assumed, even if other values are specified.
=*STD
In dialog mode: *GUARD (see below)
In batch mode: *NO
=*NO
The function is executed without further questions for each guard which matches the selection criteria.
=*GUARD
For each guard which matches the selection criteria, the user can decide in a dialog what is to be done:
NO: Do not execute the function
YES: Execute the function
TERMINATE: Terminate the function, even if there are further guards which match the selection criteria.
=*USERID
This guided dialog can only be used by system administrators.
This may be specified only for users with the privilege TSOS. If the user ID contains wildcards, a dialog is started each time the user ID changes to permit the user to decide whether the guards under this user ID are to be processed by the function. The permissible responses are the same as those for *GUARD.
=*CATALOG
If the catalog ID contains wildcards, a dialog is started each time the catalog ID changes to permit the user to decide whether the guards under this catalog ID are to be processed by the function. The dialog can be controlled in the same way as for *GUARD.
ERRMSG
specifies whether error messages are to be displayed on the terminal (*SYSOUT).
=*NO
Error messages are not to be displayed.
=*YES
Error messages are to be displayed.
GUARD
Name of the guard to be processed. This name may contain wildcards, but it must be entered in uppercase letters. Only guard administrators may specify wildcards in the user ID. This operand is mandatory for MF=L.
SUBTYPE
specifies the subject type for which access conditions are to be added or modified.
=*NONE
No special access conditions are to be defined. A guard with the type STDACC is created.
=*USER
User IDs to which the following definition is to apply.
=*GROUP
User groups to which the following definition is to apply.
=*OTHER
specifies that definitions are to be added/modified for all other users, who are neither specified in the *USER list nor members of the explicitly specified user groups.
=*ALLUSER
Entries for *ALLUSER are evaluated last, after evaluation of all other conditions has returned the result TRUE. The result of evaluating the conditions defined for *USER, *GROUP or *OTHERS is logically ANDed with the result of evaluating the conditions defined for *ALL-USERS.
SUBIDS
Up to 20 entries for *USER or *GROUP can be specified explicitly in one call of the macro. If more subjects are to be administered with this guard, the user should consider whether combining them into groups, and entering a definition of an access condition for *ALLUSER, could reduce the length of this list such that only the actual special cases need to be entered separately.
ADMISS
specifies whether or not access to the object protected by this guard is permitted. If ADMISS=*NO is specified for *ALLUSER, the result of condition evaluation is always FALSE, even if ADMISS=*YES is specified for a user.
=*YES
Access is always permitted (provided the *ALLUSER specification permits access).
=*NO
Access is always forbidden.
=*PARAMS
Access is permitted under certain conditions, which are defined below.
CKTIME
specifies whether and how a time condition, specified in hours and minutes, is to be evaluated:
=*NO
The time condition is not evaluated.
=*ADMISSION
Access is permitted during the specified period.
=*EXCLUSION
Access is forbidden during the specified period.
TIMEN
specifies how many periods are defined. Up to 4 periods may be defined in one call.
TIME#1 - TIME#4
Definition of the beginning and end of a period in hours and minutes in the format hh:mm (always five characters).
CKDATE
specifies whether and how a date condition is to be evaluated:
=*NO
The date condition is not evaluated.
=*ADMISSION
Access is permitted during the specified period.
=*EXCLUSION
Access is forbidden during the specified period.
DATEN
specifies how many periods are defined. Up to 4 periods may be defined in one call.
DATE#1 - DATE#4
Definition of the beginning and end of a period as two dates in the format yyyy-mm-dd (always 10 characters). If the end date is omitted, it is assumed to be the same as the beginning date.
CKWEEK
specifies whether and how a weekday condition is to be evaluated:
=*NO
The weekday condition is not evaluated.
=*ADMISSION
Access is permitted on the specified weekday(s).
=*EXCLUSION
Access is forbidden on the specified weekday(s).
MO, ..., SU
specifies the days of the week on which the access condition specified with CKWEEK is to apply. The operand names have the following meanings:
MO: MOnday
TU: TUesday
WE: WEdnesday
TH: THursday
FR: FRiday
SA: SAturday
SU: SUnday
=*NO
The day of the week has no influence on an access condition.
=*YES
The access condition applies on this day of the week.
CKPRIV
specifies whether and how a privilege condition is to be evaluated:
=*NO
The privilege condition is not evaluated.
=*ADMISSION
Access is permitted with the specified privilege.
=*EXCLUSION
Access is forbidden with the specified privilege.
ACSADM, ..., VM2ADM
specifies the privileges to which the access conditions specified with CKPRIV are to apply:
The operand names have the following meanings:
Operand | Prvilege |
ACSADM | ACS-ADMINISTRATION |
CUPRV001 ... 008 | CUSTOMER-PRIVILEGE-1 ... 8 |
FTADM | FT-ADMINISTRATION |
FTACADM | FTAC-ADMINISTRATION |
GUAADM | GUARD-ADMINISTRATION |
HWMAINT | HARDWARE-MAINTENANCE |
HSMSADM | HSMS-ADMINISTRATION |
NETADM | NET-ADMINISTRATION |
NOTIFADM | NOTIFICATION-ADMINISTRATION |
OPERATG | OPERATING |
POSXADM | POSIX-ADMINISTRATION |
PRSVADM | PRINT-SERVICE-ADMINISTRATION |
PROPADM | PROP-ADMINISTRATION |
SATFEVA | SAT-FILE-EVALUATION |
SATFMGM | SAT-FILE-MANAGEMENT |
SECADM | SECURITY-ADMINISTRATION |
STDPROC | STD-PROCESSING |
SUBSMGM | SUBSYSTEM-MANAGEMENT |
SWMONAD | SW-MONITOR-ADMINISTRATION |
TAPEADM | TAPE-ADMINISTRATION |
TAPEKEYADM | TAPE-KEY-ADMINISTRATION |
TSOS | TSOS |
USERADM | USER-ADMINISTRATION |
VMPRIV | VIRTUAL-MACHINE-ADMINISTRATION |
VM2ADM | VM2000-ADMINISTRATION |
=*NO
The privilege has no influence on an access condition.
=*YES
The access condition applies to this privilege.
PHASEN
specifies how many program definitions follow. Up to 4 program definitions may be entered. Care should be taken that programs used in access conditions are effectively protected against modification (i.e. that the users have only execution rights).
In order to avoid conflicts when using type OM or LLM modules, we recommend keeping the modules in separate libraries (see also the “LMS” manual [ 23 ]).
PHASE#1 - PHASE#4
Separate, numbered definitions for up to 4 programs. Each program definition is specified as follows:
type
Type of the program container.
=*FILE
The program is a linked phase (load module) which is stored in a file. The operands element and version are ignored.
=*PHASE
The program is a linked phase which is stored in a type C library member.
=*MODULE
The program is a module or LLM which is stored in a type R or type L library member.
library
Name of the library or file containing the program.
element
Name of the library member containing the program.
version
Version number of the library member that contains the program.
=*ANY
Any version number is allowed.
Application notes
This macro modifies entire access conditions. Each such access condition consists of:
the type of access condition (operand beginning with CK...)
one or more conditions.
If some operands for an access condition are omitted, the following must be noted:
If an operand which begins with CK... is omitted, the default value *NO is assumed and all other operands for this access condition are ignored or, if they exist, set to their default values (likewise *NO).
If *NO is explicitly specified for an operand which begins with CK..., all other operands for this access condition are ignored or, if they exist, set to their default values (likewise *NO).
All omitted operands which belong to a condition (operand beginning with CK...) are set to their default values.
If *ADMISSION or *EXCLUSION is specified as an operand value, at least one period or program or privilege must also be defined.
Macro return codes
SC2 | SC1 | Maincode | Meaning |
X’01’ | X’1000’ | The specified operand value lies outside the permitted range. The invalid operand is stored as a symbolic value in SC2 | |
X’20’ | X’1001’ | An internal error has occurred. A SERSLOG entry has been written for further analysis | |
X’40’ | X’1002’ | Syntax error in the guard name | |
X’40’ | X’1003’ | Memory for the parameter area not allocated with the required length or not accessible | |
X’40’ | X’1007’ | The specified guard does not exist | |
X’80’ | X’1009’ | The specified guard is locked by another task | |
X’02’ | CMD | X’1011’ | Command was terminated at user’s request |
X’40’ | X’1012’ | The specified catalog is not defined or not accessible | |
X’40’ | X’1013’ | The pubset is not known to the GUARDS administration (the guards catalog was probably not opened at IMPORT-PUBSET) | |
X’40’ | X’1014’ | The user is not authorized to execute this function | |
X’40’ | X’1015’ | The specified subject does not exist in the guard | |
X’40’ | X’1016’ | Error in the MRS communication facility | |
X’40’ | X’1017’ | Unknown user ID | |
X’40’ | X’1018’ | The remote system is not available | |
X’40’ | X’1020’ | No more memory space available | |
X’40’ | X’1021’ | BCAM connection error | |
X’40’ | X’1022’ | The BCAM connection has been interrupted | |
X’40’ | X’1023’ | There is no guard matching the selection criteria | |
X’40’ | X’1026’ | The condition already contains the user ID | |
X’40’ | X’1027’ | The condition area is full | |
X’40’ | X’1028’ | Invalid guard type | |
X’40’ | X’1029’ | GUARDS is not available on the remote system | |
X’02’ | X’40’ | X’1035’ | The command was not executed |
X’80’ | X’1036’ | The guards catalog is locked | |
X’80’ | X’1038’ | The guards catalog is locked by ARCHIVE |