ADD-ACCESS-CONDITIONS Add access conditions

Domain: SECURITY-ADMINISTRATION

Privileges: STD-PROCESSING, GUARD-ADMINISTRATION

This command is used to enter access conditions in one or more guards. By means of repeated command calls the access conditions can be entered one after the other for one of the possible subject types *USER, *GROUP, *OTHERS and *ALL-USERS in each case.

ADD-ACCESS-CONDITIONS

 GUARD-NAME = <filename 1..24 without-gen-vers with-wild(40)>
,SUBJECTS = *NONE / *OTHERS / *ALL-USERS / *USER(...) / *GROUP(...)
   *USER(...)
      |  USER-IDENTIFICATION = list-poss(20): <name 1..8>
   *GROUP(...)
      |  GROUP-IDENTIFICATION = *UNIVERSAL / list-poss(20): <name 1..8>
,ADMISSION = *YES / *NO / *PARAMETERS(...)
   *PARAMETERS(...)
      |  DATE = *ANY / *EXCEPT(...) / list-poss(4): *INTERVAL(...)
      |     *EXCEPT(...)
      |        |  DATE = list-poss(4): *INTERVAL(...)
      |        |     *INTERVAL(...)
      |        |        |  FROM = <date 8..10 with-compl>
      |        |        |  ,TO = *SAME / <date 8..10 with-compl>
      |     *INTERVAL(...)
      |        |  FROM = <date 8..10 with-compl>
      |        |  ,TO = *SAME / <date 8..10 with-compl>
      |  ,TIME = *ANY / *EXCEPT(...) / list-poss(4): *INTERVAL(...)
      |     *EXCEPT(...)
      |        |  TIME = list-poss(4): *INTERVAL(...)
      |        |     *INTERVAL(...)
      |        |        |  FROM = <time 1..8>
      |        |        |  ,TO = <time 1..8>
      |     *INTERVAL(...)
      |        |  FROM = <time 1..8>
      |        |  ,TO = <time 1..8>
      |  ,WEEKDAY = *ANY / *EXCEPT(...) / list-poss(7): *MONDAY / *TUESDAY / *WEDNESDAY /
      |             *THURSDAY / *FRIDAY / *SATURDAY / *SUNDAY
      |     *EXCEPT(...)
      |        |  WEEKDAY = list-poss(7): *MONDAY / *TUESDAY / *WEDNESDAY /
      |        |            *THURSDAY / *FRIDAY / *SATURDAY / *SUNDAY
      |  ,PRIVILEGE = *ANY / *EXCEPT(...) / list-poss(31): <text>
      |     *EXCEPT(...)
      |        |  PRIVILEGE = list-poss(31): <text>
      |  ,PROGRAM = *ANY / list-poss(4): <filename 1..54 without-gen-vers with-wild> /
      |             *PHASE(...) / *MODULE(...)
      |     *PHASE(...)
      |        |  LIBRARY = <filename 1..54 without-gen-vers with-wild>
      |        |  ,ELEMENT = <composed-name 1..64 with-under with-wild>
      |        |  ,VERSION = *ANY / <composed-name 1..24 with-under with-wild>
      |     *MODULE(...)
      |        |  LIBRARY = <filename 1..54 without-gen-vers with-wild>
      |        |  ,ELEMENT = <composed-name 1..32 with-under with-wild>
      |        |  ,VERSION = *ANY / <composed-name 1..24 with-under with-wild>
,DIALOG-CONTROL = *STD / *NO / *GUARD-CHANGE / *USER-ID-CHANGE / *CATALOG-CHANGE

GUARD-NAME = <filename 1..24 without-gen-vers with-wild(40)>
Specifies one or more guards in which access conditions are to be entered. The name can contain wildcards.

If the name is specified without wildcards and the specified guard is not yet set up, it is created and receives the guard type STDAC.

If the guard name is specified using wildcards, only those guards that have the guard type STDAC are taken into account.

Only the guard administrator may use wildcards in the user ID.

The specification of the system default ID in the guard name, e.g. $<filename> or $.<filename>, is not supported.

SUBJECTS =
Specifies the subject type to which the access conditions to be entered are to apply. The possible subject types are:

  • *USER (user IDs)

  • *GROUP (user groups)

  • *OTHERS (all user IDs that are not specified explicitly)

In addition, there is also the pseudo subject type *ALL-USERS, with which additional conditions can be specified.

If access conditions are to be specified for several of these subject types, the command must be entered correspondingly often.

SUBJECTS = *NONE
No access conditions are defined. A guard of the type UNDEF can be assigned the type STDAC with this operand value. The guard can then only take access conditions.

SUBJECTS=*NONE can only be specified together with ADMISSION=*YES.

SUBJECTS = *OTHERS
Specifies that the conditions specified by means of the ADMISSION operand are to apply to users who are not contained in either of the lists SUBJECTS=*USER or *GROUP.

SUBJECTS = *ALL-USERS
Specifies that the conditions specified by means of the ADMISSION operand are additional conditions.

If additional conditions are specified, the following applies: A subject type only receives access permission when the conditions specified for the subject type itself as well as the conditions specified for the pseudo subject type *ALL-USERS permit access.

You will find more information on defining and checking access conditions in section "Defining access conditions".

SUBJECTS = *USER(...)
Specifies that the conditions specified by means of the ADMISSION operand are to apply to specific user IDs.

USER-IDENTIFICATION = list-poss(20):<name 1..8>
The same conditions for up to 20 user IDs can be defined in a guard with one call of this command. If this guard is to apply to more than 20 user IDs, the command must be issued the necessary number of times. In such cases, however, the owner of the guard should consider forming groups for the user IDs and/or defining the access condition for the subject type ALL-USERS, since this makes input much easier.

SUBJECTS = *GROUP(...)
Specifies that the conditions specified by means of the ADMISSION operand are to apply to specific user groups.

GROUP-IDENTIFICATION = *UNIVERSAL / list-poss(20): <name 1..8>
The same conditions for up to 20 user groups can be defined in a guard with one call of this command. If this guard is to apply to more than 20 user groups, the command must be issued the necessary number of times. In such cases, however, the owner of the guard should consider defining the access condition for the subject type ALL-USERS, since this makes input much easier.

ADMISSION =
Specifies the access conditions for the subject type (*USER, *GROUP, *OTHERS) specified by means of the SUBJECTS operand or additional conditions for all subject types (*ALL-USERS).

ADMISSION = *YES

It is important to note the interaction between the conditions for the different subject types (*USER, *GROUP and *OTHERS) and the additional conditions for the pseudo subject type *ALL-USERS:

If additional conditions are specified, the following applies: A subject type only receives access permission when the conditions specified for the subject type itself as well as the conditions specified for the pseudo subject type *ALL-USERS permit access.

You will find more information on specifying and checking access conditions in section "Defining access conditions".

If SUBJECTS=*NONE is specified, ADMISSION=*YES must be set. Otherwise, an error is reported.

ADMISSION = *NO

Specifies that the subject type or pseudo subject type specified by means of the SUBJECTS operand is not permitted access.

If this is specified for the pseudo subject type *ALL-USERS, all subject types are prohibited from gaining access. This applies regardless of the conditions specified for the different subject types (*USER, *GROUP and *OTHERS).

ADMISSION = *PARAMETERS(...)
Specifies more precisely the access conditions that are to apply to the subject type or pseudo subject type specified by means of the SUBJECTS operand.

It is important to note the interaction between the conditions for the different subject types (*USER, *GROUP and *OTHERS) and the additional conditions for the pseudo subject type *ALL-USERS:

If additional conditions are specified, the following applies: A subject type only receives access permission when the conditions specified for the subject type itself as well as the conditions specified for the pseudo subject type *ALL-USERS permit access.

You will find more information on specifying and checking access conditions in section "Defining access conditions".

DATE =
Specifies dates on which access is to be permitted or forbidden. The year values must lie between 1991 and 2099. SDF permits the specification of the date with either a four-digit or a two-digit year number. A date with a two-digit year number (yy-mm-dd) is expanded as follows:

20yy-mm-dd, where yy < 60 or
19yy-mm-dd, where yy >= 60.

DATE = *ANY
The object can be accessed on any date.

DATE = *EXCEPT(DATE = list-poss(4): *INTERVAL(...))
Up to four periods during which access is permitted can be specified.

FROM = <date 8..10 with-compl>
Specifies the beginning of the period.

TO = *SAME
Specifies that the end of the period is the same as the beginning (the condition applies on only this one day).

TO = <date 8..10 with-compl>
Specifies the end of the period.

DATE = list-poss(4): *INTERVAL(...)
Up to four periods during which access is forbidden can be specified.

FROM = <date 8..10 with-compl>
Specifies the beginning of the period.

TO = *SAME
Specifies that the end of the period is the same as the beginning (the condition applies on only this one day).

TO = <date 8..10 with-compl>
Specifies the end of the period.

TIME =
Specifies the times of day during which access is to be permitted or forbidden. Seconds, if specified, are ignored. The values for hours and minutes must be separated by a colon. Specifications which do not contain a colon are interpreted as hours values.

TIME = *ANY
The object can be accessed at any time.

TIME = *EXCEPT(TIME = list-poss(4):*INTERVAL(...))
Up to four periods during which access is permitted can be specified.

FROM = <time 1..8>
Specifies the beginning of the period.

TO = <time 1..8>
Specifies the end of the period.

TIME = list-poss(4):*INTERVAL(...)
Up to four periods during which access is forbidden can be specified.

FROM = <time 1..8>
Specifies the beginning of the period.

TO = <time 1..8>
Specifies the end of the period.
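The completion rules for DATE and TIME values described above, written out in Python as an added example (not part of SECOS or of the original manual). The function names are hypothetical, and the hour and minute ranges 0..23 and 0..59 are an assumption; the pivot year 60 and the range 1991..2099 come from the DATE description.

```python
import re
from datetime import date

PIVOT = 60                        # yy < 60 -> 20yy, yy >= 60 -> 19yy
YEAR_MIN, YEAR_MAX = 1991, 2099   # permitted year range for DATE

def expand_date(value: str) -> date:
    """Expand a yy-mm-dd or yyyy-mm-dd operand value to a full date."""
    m = re.fullmatch(r"([0-9]{4}|[0-9]{2})-([0-9]{2})-([0-9]{2})", value)
    if not m:
        raise ValueError(f"not a date value: {value!r}")
    year, month, day = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if len(m.group(1)) == 2:
        year += 2000 if year < PIVOT else 1900
    if not YEAR_MIN <= year <= YEAR_MAX:
        raise ValueError(f"{value!r} expands to year {year}, "
                         f"outside {YEAR_MIN}..{YEAR_MAX}")
    return date(year, month, day)   # also rejects month 13, 30 February, ...

def normalize_time(value: str) -> str:
    """Return hh:mm. Seconds are ignored; a value without a colon is hours."""
    m = re.fullmatch(r"([0-9]{1,2})(?::([0-9]{1,2}))?(?::[0-9]{1,2})?", value)
    if not m:
        raise ValueError(f"not a time value: {value!r}")
    hours = int(m.group(1))
    minutes = int(m.group(2)) if m.group(2) is not None else 0
    if hours > 23 or minutes > 59:  # assumption: 24-hour clock, 0..59 minutes
        raise ValueError(f"time out of range: {value!r}")
    return f"{hours:02d}:{minutes:02d}"

def rejected_two_digit_years() -> list[int]:
    """Two-digit years whose expansion falls outside the permitted range."""
    bad = []
    for yy in range(100):
        try:
            expand_date(f"{yy:02d}-01-01")
        except ValueError:
            bad.append(yy)
    return bad

if __name__ == "__main__":
    print(expand_date("17-09-29"), normalize_time("7"), normalize_time("17:00:59"))
    print("unusable two-digit years:", rejected_two_digit_years())
```

Two-digit years 60 to 90 expand to 1960 to 1990 and therefore fall below the permitted range, so a guard condition for those values has to be written with a four-digit year or not at all.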

WEEKDAY =
Specifies one or more days of the week on which access is permitted.

WEEKDAY = *ANY
Access is permitted on any day of the week.

WEEKDAY = *EXCEPT(...)
Specifies the days of the week on which access is forbidden.

WEEKDAY = list-poss(7): *MONDAY / *TUESDAY / *WEDNESDAY / *THURSDAY /
*FRIDAY / *SATURDAY / *SUNDAY

Access is forbidden on the days of the week specified in this list.

WEEKDAY = list-poss(7): *MONDAY / *TUESDAY / *WEDNESDAY / *THURSDAY / *FRIDAY /
*SATURDAY / *SUNDAY
Access is permitted only on the specified days of the week.

PRIVILEGE =
Specifies the privileges with which access is permitted.

PRIVILEGE = *ANY
No special privilege is necessary for access to the object.

PRIVILEGE = *EXCEPT(...)

PRIVILEGE = list-poss(31): <text>
Users with the specified privileges may not access the object. See "Functional overview" for possible privileges.

PRIVILEGE = list-poss(31): <text>
Only users with the specified privileges may access the object. See "Functional overview" for possible privileges.

PROGRAM = *ANY / list-poss(4): <filename 1..54 without-gen-vers with-wild> / *PHASE(...) /
*MODULE(...)
Specifies the program by means of which access can occur. Up to 4 program names can be specified. The specified programs may either exist in the form of a linked phase (load module) in a file or in the form of an object module (OM) or link and load module (LLM) as a library element.

Notes

To avoid conflicts when modules of the type OM and LLM are used, it is advisable to keep the modules in different libraries (see also the “LMS” manual [23]).

In the case of accesses by means of a program, a check is carried out to establish whether the accessing program has loaded and taken over control.

If an object protected by guards is only to be accessed by means of a program, it is important to note the following:

The file or library in which the program that has access authorization is stored should itself be protected in such a way that the program can be neither modified nor read. Otherwise, it could be copied by a user (who has no access to the protected object) using his or her user ID and given the name of the program with access authorization.

PROGRAM = *ANY
Access can take place using any program.

PROGRAM = <filename 1..54 without-gen-vers with-wild>
The program is a linked phase and exists in the form of a file. If the file name is specified without a path, it is completed with the default pubset ID and user ID of the command issuer.

PROGRAM = *PHASE(...)
The program is a linked phase and exists in the form of a library element of the type C.

LIBRARY = <filename 1..54 without-gen-vers with-wild>
Name of the library in which the linked phase is entered. If the library name is specified without a path, it is completed with the default pubset ID and user ID of the command issuer.

ELEMENT = <composed-name 1..64 with-under with-wild>
Name of the library element

VERSION = *ANY
No specific version is specified for the library element.

VERSION = <composed-name 1..24 with-under with-wild>
Version of the library element

PROGRAM = *MODULE(...)
The program is an object module (OM) or a link and load module (LLM) and exists in the form of a library element of the type R or L.

LIBRARY = <filename 1..54 without-gen-vers with-wild>
Name of the library in which the object or load module is entered. If the library name is specified without a path, it is completed with the default pubset ID and user ID of the command issuer.

ELEMENT = <composed-name 1..32 with-under with-wild>
Name of the library element

VERSION = *ANY
No specific version is specified for the library element.

VERSION = <composed-name 1..24 with-under with-wild>
Version of the library element

DIALOG-CONTROL =
The user can use the command in a guided dialog and can define the type of dialog that is to be performed. Dialog control has no effect in batch mode and thus corresponds to the setting DIALOG-CONTROL=*NO.

DIALOG-CONTROL = *STD
For each selected condition guard, the user can decide in interactive mode whether or not the command should be executed. However, dialog control is only performed if the name of the condition guard is specified using wildcards.

It is possible to abort the command.

DIALOG-CONTROL = *NO
The command is executed for every selected condition guard without any query being issued.

DIALOG-CONTROL = *GUARD-CHANGE
For each selected condition guard, the user can decide in interactive mode whether or not the command should be executed. Dialog control is performed independently of whether or not the name of the condition guard is specified using wildcards.

It is possible to abort the command.

DIALOG-CONTROL = *USER-ID-CHANGE
This guided dialog can only be used by system administrators.
For each selected user ID, the system administrator can decide in interactive mode whether or not the command should be executed. However, dialog control is only performed if the user ID in the name of the condition guard is specified using wildcards.

It is possible to abort the command.

DIALOG-CONTROL = *CATALOG-CHANGE
For each selected catalog ID, the user can decide in interactive mode whether or not the command should be executed. However, dialog control is only performed if the catalog ID in the name of the condition guard is specified using wildcards.

It is possible to abort the command.

Command return codes

(SC2)  SC1  Maincode  Meaning
       0    CMD0001   Command successfully executed
2      0    PRO1011   The command was aborted at the user’s request
       32   PRO1001   An internal error has occurred. A SERSLOG entry has been written for further analysis
       64   PRO1002   Syntax error in the name of the guard
       64   PRO1007   The specified guard does not exist
       64   PRO1012   The specified catalog is not defined or not accessible
       64   PRO1013   The pubset is not known to the GUARDS administration (the guards catalog was probably not opened at IMPORT-PUBSET)
       64   PRO1014   The user is not authorized to execute this function
       64   PRO1015   The specified subject does not exist in the guard
       64   PRO1016   Error in the MRS communication facility
       64   PRO1017   Unknown user ID
       64   PRO1018   The remote system is not available
       64   PRO1020   No more memory space available
       64   PRO1021   BCAM connection error
       64   PRO1022   BCAM connection has been interrupted
       64   PRO1023   There is no guard matching the selection criteria
       64   PRO1026   The user ID is already included in the condition
       64   PRO1027   The condition area is full
       64   PRO1028   Incorrect guard type
       64   PRO1029   GUARDS is not available on the remote system
2      64   PRO1035   Command was not executed
       128  PRO1009   The specified guard is locked by another task
       128  PRO1036   The guards catalog is locked
       128  PRO1038   The guards catalog is locked by ARCHIVE

Example

A guard which permits the user SECOSMAN to access an object only in the period between 7:00 and 17:00 is to be created:

/add-access-conditions -
/ guard-name=guardexa,subjects=*user(user-identification=secosman), -
/    admission=*parameters(time=*interval(from=07:00,to=17:00))

This condition can be checked by means of SHOW-ACCESS-CONDITIONS:

/show-access-conditions guard-name=guardexa,information=*all

     Guard name          Scope       Creation Date            Last Mod Date
-----------------------------------------------------------------------------
:N:$SECOSMAN.GUARDEXA     SYS     2017-09-29/10:52:28     2017-09-29/11:07:28
                         GUARD FOR THE GUARD EXAMPLES
   User   SECOSMAN
    Time      IN ( <07:00,17:00> )
-----------------------------------------------------------------------------
Guards selected: 1                                             End of display
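
The interaction between a subject's own conditions and the additional *ALL-USERS conditions, modelled in Python as an added example (not part of SECOS or of the original manual). The SECOSMAN condition is the one from the Example above; the *OTHERS and *ALL-USERS conditions are constructed, and the lookup order *USER before *GROUP, the inclusive interval ends and the denial when no condition applies are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass
class Condition:
    """One ADMISSION value: *YES, *NO or *PARAMETERS(TIME=..., WEEKDAY=...)."""
    admit: bool = True                           # False models ADMISSION=*NO
    time_in: tuple[time, time] | None = None     # TIME=*INTERVAL(FROM=,TO=)
    weekdays: frozenset[int] | None = None       # WEEKDAY list, Monday = 0

    def permits(self, when: datetime) -> bool:
        if not self.admit:
            return False
        # Assumption: both ends of the interval are inclusive.
        if self.time_in and not self.time_in[0] <= when.time() <= self.time_in[1]:
            return False
        return self.weekdays is None or when.weekday() in self.weekdays

@dataclass
class Guard:
    users: dict[str, Condition] = field(default_factory=dict)    # SUBJECTS=*USER
    groups: dict[str, Condition] = field(default_factory=dict)   # SUBJECTS=*GROUP
    others: Condition | None = None                              # SUBJECTS=*OTHERS
    all_users: Condition | None = None                           # SUBJECTS=*ALL-USERS

def access_permitted(guard: Guard, user_id: str, group_id: str,
                     when: datetime) -> bool:
    # Assumption (not stated on this page): a *USER entry is looked up before
    # a *GROUP entry, and a subject with no applicable condition gets no access.
    if user_id in guard.users:
        own = guard.users[user_id]
    elif group_id in guard.groups:
        own = guard.groups[group_id]
    else:
        own = guard.others          # in neither list: *OTHERS applies
    if own is None or not own.permits(when):
        return False
    # Additional conditions: *ALL-USERS must permit the access as well.
    return guard.all_users is None or guard.all_users.permits(when)

def build_example_guard() -> Guard:
    """GUARDEXA from the Example, plus two constructed conditions."""
    return Guard(
        users={"SECOSMAN": Condition(time_in=(time(7, 0), time(17, 0)))},
        others=Condition(),                                  # constructed: *YES
        all_users=Condition(weekdays=frozenset(range(5))),   # constructed: Mon-Fri
    )

if __name__ == "__main__":
    guard = build_example_guard()
    for when in (datetime(2017, 9, 29, 10, 52), datetime(2017, 9, 30, 10, 52)):
        print(when, access_permitted(guard, "SECOSMAN", "", when))
```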