Domain: SECURITY-ADMINISTRATION
Privileges: STD-PROCESSING, GUARD-ADMINISTRATION
This command is used to enter protection attribute default values in an attribute guard.
If the attribute guard does not yet exist, it is implicitly created and assigned the guard type DEFPATTR. The SCOPE in the guard’s administrative part is set to *USER-ID.
If the attribute guard already exists because it has been created with /CREATE-GUARD or the CREGUA macro, the SCOPE remains unchanged.
The command can only be used for a non-existent or undefined guard. Otherwise it is rejected. The /MODIFY-DEFAULT-PROTECTION-ATTR command must be used to modify attributes in an attribute guard.
Users can only create attribute guards for their own user IDs. Guard administrators can create attribute guards under other user IDs.
In general, the specified protection attribute values are entered in the attribute areas *CREATE-OBJECT and *MODIFY-OBJECT-ATTR. The following departures from this rule should be considered:
ACCESS
The specified value is only entered in the *MODIFY-OBJECT-ATTR attribute area. The corresponding value in the *CREATE-OBJECT area is set to *SYSTEM-STD. This prevents the attribute ACCESS=READ being assigned to a newly created object by default before it has been possible to supply the object with data. However, if the user explicitly wants the system to behave in this way, he or she must explicitly modify the attribute value using the /MODIFY-DEFAULT-PROTECTION-ATTR command.
EXPIRATION-DATE
Since the protection attribute is not effective for newly created objects, the specified value is only entered in the attribute area *MODIFY-OBJECT-ATTR. The value is set to *SYSTEM-STD in the *CREATE-OBJECT area.
FREE-FOR-DELETION
The specified value is only entered in the *MODIFY-OBJECT-ATTR attribute area. The corresponding value in the *CREATE-OBJECT area is set to *SYSTEM-STD. This is intended to prevent the default value for FREE-FOR-DELETION from bypassing a password control set up by an existing application for the new file which it creates.
Meaning of the operand value *SYSTEM-STD
The value *SYSTEM-STD represents an attribute value which has been prespecified for a higher instance in the hierarchy.
This higher instance in the hierarchy is
- the pubset-global rule container, if the attribute guard is evaluated on the basis of a user-specific rule container;
- the usual system default, if the attribute guard is evaluated on the basis of a pubset-global rule container or if there is no pubset-global rule container.
The table below indicates how the specified values are assigned to the two attribute areas:
Attribute          | Attribute area *CREATE-OBJECT | Attribute area *MOD-OBJECT-ATTR
-------------------|-------------------------------|--------------------------------
ACCESS             | *SYSTEM-STD                   | specified value
USER-ACCESS        | specified value               | specified value
BASIC-ACL          | specified value               | specified value
GUARDS             | specified value               | specified value
WRITE-PASSWORD     | specified value               | specified value
READ-PASSWORD      | specified value               | specified value
EXEC-PASSWORD      | specified value               | specified value
DESTROY-BY-DELETE  | specified value               | specified value
SPACE-RELEASE-LOCK | specified value               | specified value
EXPIRATION-DATE    | *SYSTEM-STD                   | specified value
FREE-FOR-DELETION  | *SYSTEM-STD                   | specified value
Notes
The attribute area *MOD-OBJECT-ATTR is only relevant for files since the object management for job variables (JVS) does not support default protection when JV attributes are modified.
Attributes in the *CREATE-OBJECT area that are only relevant for files (e.g. EXEC-PASSWORD or USER-ACCESS=*SPECIAL) are ignored without message for job variables. This makes it possible to use the same attribute container for files and job variables.
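The assignment rule from the table above, together with the resolution of *SYSTEM-STD through the hierarchy (user-specific guard, then pubset-global guard, then the usual system default) described under "Meaning of the operand value *SYSTEM-STD", modelled in Python. This is an added illustration, not SECOS code; the dict layout, the function names and the sample guards are assumptions, and the system default values used in the sample are constructed.

```python
# Added illustration of how ADD-DEFAULT-PROTECTION-ATTR fills the two
# attribute areas of a DEFPATTR guard and how *SYSTEM-STD is resolved.
# This is not SECOS code; dict layout and function names are assumptions.

SYSTEM_STD = "*SYSTEM-STD"
CREATE, MODIFY = "*CREATE-OBJECT", "*MODIFY-OBJECT-ATTR"

ALL_ATTRIBUTES = (
    "ACCESS", "USER-ACCESS", "BASIC-ACL", "GUARDS", "WRITE-PASSWORD",
    "READ-PASSWORD", "EXEC-PASSWORD", "DESTROY-BY-DELETE",
    "SPACE-RELEASE-LOCK", "EXPIRATION-DATE", "FREE-FOR-DELETION",
)

# Attributes whose specified value goes into *MODIFY-OBJECT-ATTR only; the
# *CREATE-OBJECT entry is forced to *SYSTEM-STD (see the table above).
MODIFY_ONLY = frozenset({"ACCESS", "EXPIRATION-DATE", "FREE-FOR-DELETION"})


def add_default_protection_attr(operands):
    """Build the attribute areas of a new DEFPATTR guard from the operands
    given on the command. Operands that are not given default to *SYSTEM-STD.
    Returns {"*CREATE-OBJECT": {...}, "*MODIFY-OBJECT-ATTR": {...}}."""
    unknown = set(operands) - set(ALL_ATTRIBUTES)
    if unknown:
        # The real command rejects an incorrect operand with DEF3100.
        raise ValueError(f"incorrect operand(s): {sorted(unknown)}")
    create, modify = {}, {}
    for attr in ALL_ATTRIBUTES:
        value = operands.get(attr, SYSTEM_STD)
        modify[attr] = value
        create[attr] = SYSTEM_STD if attr in MODIFY_ONLY else value
    return {CREATE: create, MODIFY: modify}


def resolve(attr, area, user_guard, pubset_guard, system_default):
    """Resolve the effective value of one attribute in one area.

    *SYSTEM-STD in the user-specific guard refers to the pubset-global guard;
    *SYSTEM-STD in the pubset-global guard (or a missing pubset-global guard)
    refers to the usual system default. Either guard may be None."""
    for guard in (user_guard, pubset_guard):
        if guard is None:
            continue
        value = guard[area].get(attr, SYSTEM_STD)
        if value != SYSTEM_STD:
            return value
    return system_default[attr]


if __name__ == "__main__":
    # Constructed sample: a user wants ACCESS=*READ and USER-ACCESS=*OWNER-ONLY
    # as defaults. ACCESS=*READ does not reach *CREATE-OBJECT, so a newly
    # created file can still be written to before it is protected.
    user = add_default_protection_attr({"ACCESS": "*READ", "USER-ACCESS": "*OWNER-ONLY"})
    pubset = add_default_protection_attr({"USER-ACCESS": "*ALL-USERS"})
    sysdef = {"ACCESS": "*WRITE", "USER-ACCESS": "*OWNER-ONLY"}  # constructed
    for area in (CREATE, MODIFY):
        print(area, "ACCESS ->", resolve("ACCESS", area, user, pubset, sysdef))
```

Running the sample shows the point of the ACCESS departure: the *MODIFY-OBJECT-ATTR area resolves to *READ, while the *CREATE-OBJECT area falls through both guards to the system default, because the command never writes ACCESS into that area.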
ADD-DEFAULT-PROTECTION-ATTR (ADD-DEF-PRO-A)

,READ-PASSWORD = *SYSTEM-STD / *NONE / *SECRET / <c-string 1..4> / <x-string 1..8> / <integer -2147483648..2147483647>
,WRITE-PASSWORD = *SYSTEM-STD / *NONE / *SECRET / <c-string 1..4> / <x-string 1..8> / <integer -2147483648..2147483647>
,EXEC-PASSWORD = *SYSTEM-STD / *NONE / *SECRET / <c-string 1..4> / <x-string 1..8> / <integer -2147483648..2147483647>
,DESTROY-BY-DELETE = *SYSTEM-STD / *NO / *YES
,SPACE-RELEASE-LOCK = *SYSTEM-STD / *NO / *YES
,EXPIRATION-DATE = *SYSTEM-STD / *TODAY / *TOMORROW / <date with-compl> / <integer 0..99999>
,FREE-FOR-DELETION = *SYSTEM-STD / *NONE / <date with-compl> / <integer 0..99999>
GUARD-NAME = <filename 1..24 without-gen-vers>
This operand designates the name of a guard in which the default values for protection attributes are to be entered. The name is user-definable. However, its length without catalog ID and user ID must not exceed 8 characters. If the guard does not yet exist it is created and assigned the guard type DEFPATTR.
The specification of the system default ID in the guard name, e.g. $<filename> or $.<filename>, is not supported.
ACCESS =
Specifies the type of access which is permitted to the object.
ACCESS = *SYSTEM-STD
The attribute value is defined by the higher-ranking instance in the hierarchy (see “Meaning of the operand value *SYSTEM-STD”).
ACCESS = *WRITE
Read, write and execute access are permitted.
The specified value is only entered in the *MODIFY-OBJECT-ATTR attribute area. The corresponding value in the *CREATE-OBJECT area is set to *SYSTEM-STD.
ACCESS = *READ
Only read and execute object accesses are permitted.
The specified value is only entered in the *MODIFY-OBJECT-ATTR attribute area. The corresponding value in the *CREATE-OBJECT area is set to *SYSTEM-STD. This prevents the attribute ACCESS=READ being assigned to a newly created object by default before it has been possible to supply the object with data. However, if the user explicitly wants the system to behave in this way then he or she must explicitly modify the attribute value using /MODIFY-DEFAULT-PROTECTION-ATTR.
USER-ACCESS =
Specifies whether other user IDs can access the object.
USER-ACCESS = *SYSTEM-STD
The attribute value is defined by the higher-ranking instance in the hierarchy (see “Meaning of the operand value *SYSTEM-STD” above).
USER-ACCESS = *OWNER-ONLY
Access to the object is only possible under the user’s own user ID as well as under all catalog IDs under which the user ID (of the same name) has been set up (i.e. not only under the catalog ID under which the object was created). Co-owners can also access the object.
USER-ACCESS = *ALL-USERS
Access to the object is also possible under other user IDs.
USER-ACCESS = *SPECIAL
The object is accessible to all user IDs including IDs with the privilege HARDWARE-MAINTENANCE. Accesses on the part of maintenance IDs are generally only possible if USER-ACCESS=*SPECIAL has been specified.
BASIC-ACL =
Activates access control via BACL.
BASIC-ACL = *SYSTEM-STD
The attribute value is defined by the higher-ranking instance in the hierarchy (see “Meaning of the operand value *SYSTEM-STD”).
BASIC-ACL = *NONE
Access control via BACL is not activated.
BASIC-ACL = *PARAMETERS(...)
An access restriction via BACL is entered. If there is no higher access restriction, it becomes active automatically.
OWNER =
Specifies the access rights for the owners and co-owners of the file.
OWNER = *PARAMETERS(...)
The owner’s access rights are specified below.
READ = *NO / *YES
Specifies whether read access is authorized.
WRITE = *NO / *YES
Specifies whether write access is authorized.
EXEC = *NO / *YES
Specifies whether execute access is authorized.
GROUP =
Specifies the access rights for members of the owner’s group.
GROUP = *PARAMETERS(...)
The access rights for members of the owner’s user group are specified below.
READ = *NO / *YES
Specifies whether read access is authorized.
WRITE = *NO / *YES
Specifies whether write access is authorized.
EXEC = *NO / *YES
Specifies whether execute access is authorized.
OTHERS =
Specifies the access rights for all users who are not members of the owner’s user group.
OTHERS = *PARAMETERS(...)
The access rights for the other users are specified below.
READ = *NO / *YES
Specifies whether read access is authorized.
WRITE = *NO / *YES
Specifies whether write access is authorized.
EXEC = *NO / *YES
Specifies whether execute access is authorized.
GUARDS =
Specifies whether access control is performed via GUARDS.
GUARDS = *SYSTEM-STD
The attribute value is defined by the higher-ranking instance in the hierarchy (see “Meaning of the operand value *SYSTEM-STD”).
GUARDS = *NONE
Access control is not performed via GUARDS.
GUARDS = *PARAMETERS(...)
Access control is performed via GUARDS.
The guard name may be a maximum of 8 characters or a maximum of 18 characters if a user ID is specified. A catid cannot be specified since the guard must always be stored in the catalog in which the file is also located!
READ =
Specifications for read control.
READ = *NONE
No guard name is assigned. No read accesses are permitted.
READ = <filename 1..18 without-cat-gen-vers>
Name of a guard which controls read access. The length of the name without a user ID must not exceed 8 characters.
The specification of the system default ID in the guard name, e.g. $<filename> or $.<filename>, is not supported.
WRITE =
Specifications for write control.
WRITE = *NONE
No guard name is assigned. No write accesses are permitted.
WRITE = <filename 1..18 without-cat-gen-vers>
Name of a guard which controls write access. The length of the name without a user ID must not exceed 8 characters.
The specification of the system default ID in the guard name, e.g. $<filename> or $.<filename>, is not supported.
EXEC =
Specifications for execute control.
EXEC = *NONE
No guard name is assigned. No execute accesses are permitted.
EXEC = <filename 1..18 without-cat-gen-vers>
Name of a guard which controls execute access. The length of the name without a user ID must not exceed 8 characters.
The specification of the system default ID in the guard name, e.g. $<filename> or $.<filename>, is not supported.
READ-PASSWORD = *SYSTEM-STD / *NONE / *SECRET /
<c-string 1..4> / <x-string 1..8> / <integer -2147483648..2147483647>
Password to protect against unauthorized read accesses. The READ-PASSWORD operand is defined as “secret”. In interactive mode, the entry field is blanked and the entered value is not logged.
READ-PASSWORD = *SYSTEM-STD
The attribute value is defined by the higher-ranking instance in the hierarchy (see “Meaning of the operand value *SYSTEM-STD”).
READ-PASSWORD = *NONE
No read password is assigned.
READ-PASSWORD = *SECRET
This specification is only possible in an unguided dialog and permits the confidential entry of the desired read password. In this case, a special prompt is issued and a blanked field is displayed for the “secret” password.
WRITE-PASSWORD = *SYSTEM-STD / *NONE / *SECRET /
<c-string 1..4> / <x-string 1..8> / <integer -2147483648..2147483647>
Password to protect against unauthorized write accesses. The WRITE-PASSWORD operand is defined as “secret”. In interactive mode, the entry field is blanked and the entered value is not logged.
WRITE-PASSWORD = *SYSTEM-STD
The attribute value is defined by the higher-ranking instance in the hierarchy (see “Meaning of the operand value *SYSTEM-STD”).
WRITE-PASSWORD = *NONE
No write password is assigned.
WRITE-PASSWORD = *SECRET
This specification is only possible in an unguided dialog and permits the confidential entry of the desired write password. In this case, a special prompt is issued and a blanked field is displayed for the “secret” password.
EXEC-PASSWORD = *SYSTEM-STD / *NONE / *SECRET /
<c-string 1..4> / <x-string 1..8> / <integer -2147483648..2147483647>
Password to protect against unauthorized execute accesses. The EXEC-PASSWORD operand is defined as “secret”. In interactive mode, the entry field is blanked and the entered value is not logged.
EXEC-PASSWORD = *SYSTEM-STD
The attribute value is defined by the higher-ranking instance in the hierarchy (see “Meaning of the operand value *SYSTEM-STD”).
EXEC-PASSWORD = *NONE
No execute password is assigned.
EXEC-PASSWORD = *SECRET
This specification is only possible in an unguided dialog and permits the confidential entry of the desired execute password. In this case, a special prompt is issued and a blanked field is displayed for the “secret” password.
DESTROY-BY-DELETE =
To enhance data protection, users can specify in the catalog entry that files which are no longer required should be overwritten with X’00’ (binary zero). In the case of disk files, this has an effect on delete operations and storage space release operations (see the /MODIFY-FILE-ATTRIBUTES and /DELETE-FILE commands). In the case of tape files, this has an effect on the overwriting of residual files during EOF and EOV processing (see the DESTROY-OLD-CONTENTS operand in the /ADD-FILE-LINK command).
DESTROY-BY-DELETE = *SYSTEM-STD
The attribute value is defined by the higher-ranking instance in the hierarchy (see “Meaning of the operand value *SYSTEM-STD”).
DESTROY-BY-DELETE = *NO
If this setting is made then the definition in the /DELETE-FILE command applies (OPTION operand).
In the case of disk files, storage space is released unchanged unless the operand OPTION=DESTROY-ALL is specified in the /DELETE-FILE command.
In the case of tape files, the residual files which follow on the tape are not overwritten if DESTROY-OLD-CONTENTS=*YES is not specified for the current processing run in the /ADD-FILE-LINK command.
DESTROY-BY-DELETE = *YES
This setting also applies if a different definition is made in the OPTION operand of the /DELETE-FILE command.
In the case of disk files, released storage space is automatically overwritten with binary zero (X’00’).
In the case of tape files, the tape contents after the end of the file are overwritten with binary zero (X’00’). It is not necessary to specify the deletion of the residual files for the current processing run in the /ADD-FILE-LINK command.
SPACE-RELEASE-LOCK =
Specifies whether the release of storage space with the /MODIFY-FILE-ATTRIBUTES command or FILE macro should be ignored.
SPACE-RELEASE-LOCK = *SYSTEM-STD
The attribute value is defined by the higher-ranking instance in the hierarchy (see “Meaning of the operand value *SYSTEM-STD”).
SPACE-RELEASE-LOCK = *NO
Storage space can be released.
SPACE-RELEASE-LOCK = *YES
Storage space cannot be released.
EXPIRATION-DATE =
Retention period for the file. The file cannot be modified or deleted before the specified date. An expiration date can only be specified if the file has already been opened, i.e. if it possesses a CREATION-DATE.
If it is not specified using a keyword, there are two ways of defining an expiration date:
- as an absolute date specification: a date in the form YY-MM-DD or YYYY-MM-DD (YY = year, MM = month, DD = day);
- as a relative date specification: a maximum of 6 places including the sign, in the form +n, as the distance from the current day date.
Since the protection attribute is not effective for newly created objects, the specified value is only entered in the attribute area *MODIFY-OBJECT-ATTR. The value is set to *SYSTEM-STD in the *CREATE-OBJECT area.
EXPIRATION-DATE = *SYSTEM-STD
The attribute value is defined by the higher-ranking instance in the hierarchy (see “Meaning of the operand value *SYSTEM-STD”).
EXPIRATION-DATE = *TODAY
No expiration date is set or an existing expiration date is deactivated by setting the current day date.
EXPIRATION-DATE = *TOMORROW
The next day’s date is specified as the expiration date.
EXPIRATION-DATE = <date with-compl>
The file is protected until the specified date (exclusive)
EXPIRATION-DATE = <integer 0..99999>
The file cannot be deleted or modified for the specified number of days.
FREE-FOR-DELETION =
Specifies when the object can be deleted irrespective of its protection attributes.
If it is not specified using a keyword, there are two ways of defining the free-for-deletion date:
- as an absolute date specification: a date in the form YY-MM-DD or YYYY-MM-DD (YY = year, MM = month, DD = day);
- as a relative date specification: a maximum of 6 places including the sign, in the form +n, as the distance from the current day date.
The specified value is only entered in the *MODIFY-OBJECT-ATTR attribute area. The corresponding value in the *CREATE-OBJECT area is set to *SYSTEM-STD. This is intended to prevent the default value for FREE-FOR-DELETION from bypassing a password control set up by an existing application for the new file which it creates.
FREE-FOR-DELETION = *SYSTEM-STD
The attribute value is defined by the higher-ranking instance in the hierarchy (see “Meaning of the operand value *SYSTEM-STD”).
FREE-FOR-DELETION = *NONE
The object can only be deleted if this is permitted by the protection attributes.
FREE-FOR-DELETION = <date with-compl>
The object may be deleted as of the specified date irrespective of the protection attributes.
FREE-FOR-DELETION = <integer 0..99999>
The object can be deleted irrespective of the protection attributes after the specified number of days.
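The date specifications accepted by EXPIRATION-DATE and FREE-FOR-DELETION (keyword, absolute YY-MM-DD or YYYY-MM-DD, relative +n of at most 6 places, or a plain number of days 0..99999), and the two checks they feed into (retention until the expiration date, exclusive; deletion irrespective of protection attributes as of the free-for-deletion date), implemented in Python as an added illustration. This is not SECOS code; the function names are assumptions, and the rule for completing a two-digit year is an assumption labelled in the code, since the manual only says the date is given "with completion".

```python
import re
from datetime import date, timedelta

# Added illustration of the date specifications accepted by EXPIRATION-DATE
# and FREE-FOR-DELETION; not SECOS code. Function names are assumptions.

ABSOLUTE = re.compile(r"^(\d{2}|\d{4})-(\d{2})-(\d{2})$")  # YY-MM-DD or YYYY-MM-DD
RELATIVE = re.compile(r"^\+\d{1,5}$")                      # +n, max. 6 places incl. sign
DAYS = re.compile(r"^\d{1,5}$")                            # <integer 0..99999>

EXPIRATION_KEYWORDS = frozenset({"*SYSTEM-STD", "*TODAY", "*TOMORROW"})
FREE_FOR_DELETION_KEYWORDS = frozenset({"*SYSTEM-STD", "*NONE"})


def _as_date(value):
    """Accept a date or an ISO string (YYYY-MM-DD) for the reference day."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def complete_year(yy, today):
    """ASSUMPTION: a two-digit year is completed into the century of the
    current date. The manual does not state the completion rule."""
    return today.year - today.year % 100 + yy


def parse_date_spec(spec, today, keywords):
    """Turn an operand value into a date. *TODAY and *TOMORROW become dates;
    *SYSTEM-STD and *NONE are returned unchanged because they are not dates.
    Invalid input raises ValueError (the command reports DEF3100)."""
    today = _as_date(today)
    spec = spec.strip().upper()
    if spec.startswith("*"):
        if spec not in keywords:
            raise ValueError(f"{spec} is not permitted for this operand")
        if spec == "*TODAY":
            return today
        if spec == "*TOMORROW":
            return today + timedelta(days=1)
        return spec
    m = ABSOLUTE.match(spec)
    if m:
        year = int(m.group(1))
        if len(m.group(1)) == 2:
            year = complete_year(year, today)
        # date() itself rejects impossible dates such as 2024-02-30.
        return date(year, int(m.group(2)), int(m.group(3)))
    if RELATIVE.match(spec) or DAYS.match(spec):
        return today + timedelta(days=int(spec))  # int("+30") == 30
    raise ValueError(f"{spec!r} is not a valid date specification")


def expiration_date(spec, today):
    return parse_date_spec(spec, today, EXPIRATION_KEYWORDS)


def free_for_deletion_date(spec, today):
    return parse_date_spec(spec, today, FREE_FOR_DELETION_KEYWORDS)


def is_retention_active(expiration, on):
    """EXPIRATION-DATE = <date> protects the file until that date (exclusive),
    so *TODAY deactivates the protection. A keyword counts as 'no date'."""
    return isinstance(expiration, date) and _as_date(on) < expiration


def may_delete_regardless(free_for_deletion, on):
    """FREE-FOR-DELETION = <date>: deletable as of that date irrespective of
    the protection attributes; *NONE leaves the decision to the attributes."""
    return isinstance(free_for_deletion, date) and _as_date(on) >= free_for_deletion


if __name__ == "__main__":
    today = "2024-03-15"  # constructed reference day
    for spec in ("2024-04-01", "24-04-01", "+30", "30", "*TOMORROW", "*TODAY"):
        exp = expiration_date(spec, today)
        print(f"{spec:12} -> {exp}  retention active today: {is_retention_active(exp, today)}")
```

Note that the keyword sets differ per operand: *TOMORROW is only valid for EXPIRATION-DATE and *NONE only for FREE-FOR-DELETION, which is why the parser takes the permitted keywords as a parameter rather than accepting all of them everywhere.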
Command return codes
(SC2) | SC1 | Maincode | Meaning
------|-----|----------|------------------------------------------------------------
      | 0   | CMD0001  | Command successfully executed
      | 1   | DEF3100  | An incorrect operand value was detected.
      | 32  | DEF3200  | An internal error has occurred. A SERSLOG entry has been generated to permit detailed analysis.
      | 64  | DEF3302  | The user is not authorized to execute the function.
      | 64  | DEF3306  | A specified guard is not of the required guard type.
      | 64  | DEF3308  | A user ID is unknown.
      | 64  | DEF3309  | Remote file access is not supported.
      | 64  | DEF3313  | A specified public volume set is not available.
      | 64  | DEF3314  | Error in MRS communications resources.
      | 64  | DEF3315  | A specified public volume set is not known in the local GUARDS administration.
      | 64  | DEF3350  | A named attribute guard already exists.
      | 128 | DEF3900  | There is no longer sufficient system storage space available.
      | 128 | DEF3901  | A guard which has to be processed is currently locked by another task and cannot be processed at the present time.
      | 128 | DEF3902  | A guard is temporarily unavailable because the GUARDS catalog is being changed or a master change is taking place in the computer network.