Examples of GUARDS commands

The following examples show how the GUARDS commands are used to define guards. A guard and an object are linked together via the interfaces of the object management system concerned (for files, the MODIFY-FILE-ATTRIBUTES command); Examples 4 and 5 show how this is done.

Example 1: Creating an access control

Problem

Access to the files of the project GUARDS is to be controlled with the aid of the guard GUARDPRO.

The project team consists of four persons with the user IDs GUARDS1, GUARDS2, GUARDS3 and GUARDS4.

The general working hours for all employees are from 07:00 to 19:00 on each day from Monday to Friday.

However, the person with user ID GUARDS3 is a part-time employee who works only on three days, Monday, Wednesday and Thursday.

The person with user ID GUARDS4 has a restricted contract which runs from 1 July 2017 to 30 September 2017, inclusive.

The user groups ONE and TWO are to have temporary access for the purpose of the reviews which are to take place on 23/24 August 2017 and 2/3 September 2017, in each case from 09:00 to 15:00.

Solution

Access conditions for the user IDs GUARDS1 and GUARDS2 are entered in a guard named GUARDPRO. The guard does not have to be created beforehand: ADD-ACCESS-CONDITIONS creates it automatically. A subject entered without an ADMISSION parameter, as here, is admitted unconditionally; the display shows this as "has ADMISSION".

/add-access-conditions guard-name=guardpro, -
/           subjects=*user(user-identification=guards1)
/add-access-conditions guard-name=guardpro, -
/           subjects=*user(user-identification=guards2)
/show-access-conditions guard-name=guardpro

:N:$SECOSMAN.GUARDPRO
   User   GUARDS1  has ADMISSION
   User   GUARDS2  has ADMISSION
-----------------------------------------------------------------------------
Guards selected: 1                                             End of display


The access conditions for the part-time employee GUARDS3 are now added; the WEEKDAY parameter restricts admission to the three working days:

/add-access-conditions guard-name=guardpro, -
/           subjects=*user(user-identification=guards3), -
/            admission=*parameters(weekday=(*monday, *wednesday,*thursday))
/show-access-conditions guard-name=guardpro

:N:$SECOSMAN.GUARDPRO
   User   GUARDS1  has ADMISSION
   User   GUARDS2  has ADMISSION
   User   GUARDS3
    Weekday   IN ( MO, WE, TH )
-----------------------------------------------------------------------------
Guards selected: 1                                             End of display


Access conditions are entered for user ID GUARDS4, whose contract expires on 30 September 2017; the DATE interval includes both end dates:

/add-access-conditions guard-name=guardpro, -
/       subjects=*user(user-identification=guards4), -
/            admission=*parameters( -
/             date=*interval(from=2017-07-01,to=2017-09-30))
/show-access-conditions guard-name=guardpro

:N:$SECOSMAN.GUARDPRO
   User   GUARDS1  has ADMISSION
   User   GUARDS2  has ADMISSION
   User   GUARDS3
    Weekday   IN ( MO, WE, TH )
   User   GUARDS4
    Date      IN ( <2017-07-01,2017-09-30> ) 
-----------------------------------------------------------------------------
Guards selected: 1                                             End of display


The general working hours are now defined for all employees with the subject *ALL-USERS. Before relying on such an entry to also restrict user IDs or groups that have their own entry in the guard, check the order in which GUARDS evaluates the subject types (user ID, group, all users), described in the GUARDS chapter of this manual. Both parameters, TIME and WEEKDAY, must be satisfied; WEEKDAY is given with *EXCEPT, which the display shows as EX:

/add-access-conditions guard-name=guardpro,subjects=*all-users, -
/           admission=*parameters(time=*interval(from=7,to=19),  -
/           weekday=*except(weekday=(*saturday,*sunday)))
/show-access-conditions guard-name=guardpro

:N:$SECOSMAN.GUARDPRO
   User   GUARDS1  has ADMISSION
   User   GUARDS2  has ADMISSION
   User   GUARDS3
    Weekday   IN ( MO, WE, TH )
   User   GUARDS4
    Date      IN ( <2017-07-01,2017-09-30> ) 
   Alluser
    Time      IN ( <07:00,19:00> )
    Weekday   EX ( SA, SU ) 
-----------------------------------------------------------------------------
Guards selected: 1                                             End of display


Definition of the access conditions for the groups ONE and TWO. Both parameters, DATE and TIME, must be satisfied, while either of the two DATE intervals is sufficient:

/add-access-conditions guard-name=guardpro, -
/    subjects=*group(group-identification=(one,two)), -
/    admission=*parameters( -
/               date=(*interval(from=2017-08-23,to=2017-08-24), -
/                     *interval(from=2017-09-02,to=2017-09-03)), -
/               time=*interval(from=9,to=15))
/show-access-conditions guard-name=guardpro

:N:$SECOSMAN.GUARDPRO
   User   GUARDS1  has ADMISSION
   User   GUARDS2  has ADMISSION
   User   GUARDS3
    Weekday   IN ( MO, WE, TH )
   User   GUARDS4
    Date      IN ( <2017-07-01,2017-09-30> ) 
   Group  ONE
    Time      IN ( <09:00,15:00> ) 
    Date      IN ( <2017-08-23,2017-08-24> , <2017-09-02,2017-09-03> ) 
   Group  TWO
    Time      IN ( <09:00,15:00> ) 
    Date      IN ( <2017-08-23,2017-08-24> , <2017-09-02,2017-09-03> ) 
   Alluser
    Time      IN ( <07:00,19:00> )
    Weekday   EX ( SA, SU ) 
-----------------------------------------------------------------------------
Guards selected: 1                                             End of display

Example 2: Modifying the access conditions

Problem

The employee with user ID GUARDS1 goes on vacation from 15 October 2017 to 15 November 2017.

The employee with user ID GUARDS3 now works on Monday, Tuesday and Wednesday instead of Monday, Wednesday and Thursday.

The review planned for 2/3 September has been postponed and will now take place on 9/10 September.

Solution

MODIFY-ACCESS-CONDITIONS changes only the admission parameters that are specified: the TIME condition of the groups ONE and TWO is retained although the command names only DATE. Two-digit years in the DATE intervals are shown expanded to four digits in the display:

/modify-access-conditions guard-name=guardpro, -
/       subjects=*user(user-identification=guards1), -
/       admission=*parameters(date= -
/             *except(date=*interval(from=17-10-15,to=17-11-15)))
/modify-access-conditions guard-name=guardpro, -
/       subjects=*user(user-identification=guards3), -
/       admission=*parameters(weekday=(*monday,*tuesday,*wednesday))
/modify-access-conditions guard-name=guardpro, -
/       subjects=*group(group-identification=(one,two)), -
/       admission=*parameters(date=( -
/                             *interval(from=17-08-23,to=17-08-24), -
/                             *interval(from=17-09-09,to=17-09-10)))
/show-access-conditions guard-name=guardpro

:N:$SECOSMAN.GUARDPRO
   User   GUARDS1
    Date      EX ( <2017-10-15,2017-11-15> ) 
   User   GUARDS2  has ADMISSION
   User   GUARDS3
    Weekday   IN ( MO, TU, WE )
   User   GUARDS4
    Date      IN ( <2017-07-01,2017-09-30> ) 
   Group  ONE
    Time      IN ( <09:00,15:00> ) 
    Date      IN ( <2017-08-23,2017-08-24> , <2017-09-09,2017-09-10> ) 
   Group  TWO
    Time      IN ( <09:00,15:00> ) 
    Date      IN ( <2017-08-23,2017-08-24> , <2017-09-09,2017-09-10> ) 
   Alluser
    Time      IN ( <07:00,19:00> )
    Weekday   EX ( SA, SU ) 
-----------------------------------------------------------------------------
Guards selected: 1                                             End of display

Example 3: Deleting an access condition

Problem

The employee with user ID GUARDS2 is moving to another company and this user ID is to be deleted from the guard.

Solution

/remove-access-conditions guard-name=guardpro, -
/       subjects=*user(user-identification=guards2)
/show-access-conditions guard-name=guardpro

:N:$SECOSMAN.GUARDPRO
   User   GUARDS1
    Date      EX ( <2017-10-15,2017-11-15> ) 
   User   GUARDS3
    Weekday   IN ( MO, TU, WE )
   User   GUARDS4
    Date      IN ( <2017-07-01,2017-09-30> ) 
   Group  ONE
    Time      IN ( <09:00,15:00> ) 
    Date      IN ( <2017-08-23,2017-08-24> , <2017-09-09,2017-09-10> ) 
   Group  TWO
    Time      IN ( <09:00,15:00> ) 
    Date      IN ( <2017-08-23,2017-08-24> , <2017-09-09,2017-09-10> ) 
   Alluser
    Time      IN ( <07:00,19:00> )
    Weekday   EX ( SA, SU ) 
-----------------------------------------------------------------------------
Guards selected: 1                                             End of display
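The admission parameters used in Examples 1 to 3 combine as follows: the parameters of one subject (DATE, TIME, WEEKDAY) must all hold, the intervals listed within one parameter are alternatives, and *EXCEPT negates a parameter. The following Python model is added here as an example; it is not SECOS code and not part of this manual. It encodes GUARDPRO as it stands after Example 2, with the dates from the page, and answers the question "is this user admitted at this moment?". Two points in it are assumptions of the model, not statements of the page: that interval end points are inclusive, and that GUARDS consults the subject types in the order user ID, group, *ALL-USERS and lets the first entry found decide. That assumed order is exactly what determines whether the *ALL-USERS working-hours entry also applies to GUARDS1 to GUARDS4 and to the review groups, so verify it against the evaluation rules in the GUARDS chapter before relying on it.

```python
"""Model of GUARDS admission parameters (DATE, TIME, WEEKDAY) and of the
guard GUARDPRO as it stands after Example 2. Added example, not SECOS code."""
from dataclasses import dataclass, field
from datetime import date, datetime, time
from typing import Dict, List, Optional, Tuple

# Weekday abbreviations as the SHOW-ACCESS-CONDITIONS display uses them;
# the index matches datetime.weekday() (Monday == 0).
WEEKDAYS = ("MO", "TU", "WE", "TH", "FR", "SA", "SU")


@dataclass
class Admission:
    """Admission parameters of one subject. All attributes empty means the
    subject 'has ADMISSION' (no conditions). Each list is an IN set; the
    matching *_except flag turns it into an EX set (the *EXCEPT operand).
    Assumption of the model: interval end points are inclusive."""
    dates: List[Tuple[date, date]] = field(default_factory=list)
    dates_except: bool = False
    times: List[Tuple[time, time]] = field(default_factory=list)
    times_except: bool = False
    weekdays: List[str] = field(default_factory=list)
    weekdays_except: bool = False

    def permits(self, when: datetime) -> bool:
        # Parameters are ANDed: every parameter that is set must hold.
        # Within one parameter the listed intervals/values are ORed, which is
        # how the two review dates of groups ONE and TWO work.
        results = []
        if self.dates:
            hit = any(lo <= when.date() <= hi for lo, hi in self.dates)
            results.append(hit != self.dates_except)
        if self.times:
            hit = any(lo <= when.time() <= hi for lo, hi in self.times)
            results.append(hit != self.times_except)
        if self.weekdays:
            hit = WEEKDAYS[when.weekday()] in self.weekdays
            results.append(hit != self.weekdays_except)
        return all(results)


@dataclass
class Guard:
    name: str
    users: Dict[str, Admission] = field(default_factory=dict)
    groups: Dict[str, Admission] = field(default_factory=dict)
    all_users: Optional[Admission] = None

    def is_admitted(self, user: str, groups: List[str], when: datetime) -> bool:
        """Assumption of the model: subject types are consulted in the order
        user ID, group ID, *ALL-USERS, and the first entry found decides;
        entries further down are not consulted for that subject. Check this
        against the GUARDS evaluation rules before relying on it."""
        entry = self.users.get(user.upper())
        if entry is None:
            for group in groups:
                entry = self.groups.get(group.upper())
                if entry is not None:
                    break
        if entry is None:
            entry = self.all_users
        return entry is not None and entry.permits(when)


def build_guardpro() -> Guard:
    """GUARDPRO with the conditions displayed after Example 2 (values from the page)."""
    g = Guard("$SECOSMAN.GUARDPRO")
    g.users["GUARDS1"] = Admission(dates=[(date(2017, 10, 15), date(2017, 11, 15))],
                                   dates_except=True)          # vacation
    g.users["GUARDS2"] = Admission()                           # has ADMISSION
    g.users["GUARDS3"] = Admission(weekdays=["MO", "TU", "WE"])
    g.users["GUARDS4"] = Admission(dates=[(date(2017, 7, 1), date(2017, 9, 30))])
    review = Admission(times=[(time(9, 0), time(15, 0))],
                       dates=[(date(2017, 8, 23), date(2017, 8, 24)),
                              (date(2017, 9, 9), date(2017, 9, 10))])
    g.groups["ONE"] = review
    g.groups["TWO"] = review
    g.all_users = Admission(times=[(time(7, 0), time(19, 0))],
                            weekdays=["SA", "SU"], weekdays_except=True)
    return g


def admitted_at(user: str, groups: List[str], stamp: str,
                guard: Optional[Guard] = None) -> bool:
    """Convenience wrapper: stamp is 'YYYY-MM-DD HH:MM'; default guard is GUARDPRO."""
    if guard is None:
        guard = build_guardpro()
    return guard.is_admitted(user, groups, datetime.strptime(stamp, "%Y-%m-%d %H:%M"))


if __name__ == "__main__":
    for user, groups, stamp in [
        ("GUARDS1", [], "2017-10-20 10:00"),      # on vacation
        ("GUARDS3", [], "2017-08-24 10:00"),      # Thursday, no longer a working day
        ("REVIEWER", ["ONE"], "2017-09-09 10:00"),  # review day (a Saturday)
        ("GUEST", [], "2017-08-23 20:00"),        # outside working hours
    ]:
        print(f"{user:9} {stamp} -> {admitted_at(user, groups, stamp)}")
```

Run as a script it prints a few decisions. Under the first-match assumption GUARDS2, who simply "has ADMISSION", is admitted at any hour, and members of the review groups are admitted on 9 September 2017 although that is a Saturday, which the *ALL-USERS entry excludes. If the real evaluation order differs, the decisions change at exactly those points; checking them with a test user ID before rolling out such a guard is the verification a practitioner should make.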

Example 4: Linking a file with the guard GUARDPRO

Problem

The file SECOS is to be linked with the guard GUARDPRO so that the guard’s access conditions apply to all accesses.

Solution

/modify-file-attributes file-name=secos, -
/    protection=*parameters(guards=*parameters(read=guardpro,write=guardpro))
/show-file-attributes file-name=secos,information=*parameters(security=*yes)

00001266 :N:$SECOSMAN.SECOS
  ------------------------------- SECURITY     ------------------------------ 
  READ-PASS  = NONE        WRITE-PASS = NONE        EXEC-PASS  = NONE
  USER-ACC   = OWNER-ONLY  ACCESS     = WRITE       ACL        = NO
  AUDIT      = NONE        DESTROY    = YES         EXPIR-DATE = 2017-11-17
  SP-REL-LOCK= NO                                   EXPIR-TIME =   00:00:00
  GUARD-READ = $SECOSMAN.GUARDPRO
  GUARD-WRIT = $SECOSMAN.GUARDPRO
  GUARD-EXEC = NONE
:N:    PUBLIC:      1 FILE  RES=     1266  FREE=        2  REL=       0 PAGES


Example 5: Removing the link between guard and file

Problem

The file SECOS is no longer to be protected with the access conditions of the guard GUARDPRO, i.e. the link is to be removed. Once the GUARDS protection is removed, the lower levels of the access protection hierarchy take effect again; for SECOS these are the standard access control attributes shown in the display below (USER-ACC = OWNER-ONLY, ACCESS = WRITE), since no passwords and no ACL are set.

Solution

/modify-file-attributes file-name=secos,protection=*parameters(guards=*none)
/show-file-attributes file-name=secos,information=*parameters(security=*yes)

00001266 :N:$SECOSMAN.SECOS
  ------------------------------- SECURITY     ------------------------------ 
  READ-PASS  = NONE        WRITE-PASS = NONE        EXEC-PASS  = NONE
  USER-ACC   = OWNER-ONLY  ACCESS     = WRITE       ACL        = NO
  AUDIT      = NONE        DESTROY    = YES         EXPIR-DATE = 2017-11-17
  SP-REL-LOCK= NO                                   EXPIR-TIME =   00:00:00
:N:    PUBLIC:      1 FILE  RES=     1266  FREE=        2  REL=       0 PAGES

Example 6: Setting up user-specific default protection

Problem

User USER1 wants every file whose name begins with 'FILE' to be created in such a way that user USER2 has write access to it.

No pubset-global default protection is active.

Solution

USER1 first sets up a condition guard WRGUA1 with the access conditions for USER2; this step follows the same pattern as the condition guard COND1 in Example 7, and the resulting guard appears in the SHOW-GUARD-ATTRIBUTES output further down.

He then creates an attribute guard ATTR1 in which he defines, as the default protection attribute, that write access is to be controlled via the condition guard WRGUA1:

/create-guard attr1,user-inf='Guard for the default protection attributes'
/add-default-protection-attr guard-name=attr1,-
/                            guards=*parameters(write=wrgua1)

Finally he defines a rule container DEF1 for default protection. It contains one default protection rule stating that the default protection attributes of files whose names begin with 'FILE' are defined in the attribute guard ATTR1:

/create-guard def1,user-inf='Default protection rule container'
/add-default-protection-rule rule-container-guard=def1,-
/            protection-rule=rule1, -
/            protect-object=*parameters(name=file*,attribute-guard=attr1)

For control purposes, USER1 outputs information about all the guards and the rule container DEF1. Precondition: no guards were present under the user ID USER1 at the start of this example session.

/show-guard-attributes

     Guard name         Scope   Type      Creation Date       LastMod Date
------------------------------------------------------------------------------
:DEL1:$USER1.ATTR1       USR  DEFPATTR 2017-04-20/07:48:09 2017-04-20/08:04:01
                         Guard for the default protection attributes
:DEL1:$USER1.DEF1        USR  DEFAULTP 2017-04-20/07:52:36 2017-04-20/08:11:11
                         Default protection rule container
:DEL1:$USER1.WRGUA1      USR  STDAC    2017-04-20/07:48:46 2017-04-20/07:49:17
                         Guard control for write access
------------------------------------------------------------------------------
Guards selected: 3                                              End of display

/show-default-protection-rule rule-container-guard=def1

------------------------------------------------------------------------------

RULE CONTAINER :DEL1:$USER1.DEF1                            DEFAULT PROTECTION
------------------------------------------------------------------------------
RULE1          OBJECT     = FILE*
               ATTRIBUTES = $USER1.ATTR1
               USER-IDS   = *ANY-USER-ID
------------------------------------------------------------------------------
RULE CONTAINER SELECTED: 1                                      END OF DISPLAY


Since the name DEF1 does not follow the naming convention for active rule containers (SYS.UDF for user-specific default protection), the container is inactive and serves only to prepare the rule. Consequently no default protection is yet active for a file named FILE1 (which matches the wildcard specification FILE*), as the following command shows:

/show-object-protection-default file1

DEF3316 NO DEFAULT PROTECTION ACTIVE


To activate default protection, USER1 renames the inactive rule container DEF1:

/mod-guard-attr guard-name=def1,new-name=sys.udf
/show-guard-attributes

     Guard name         Scope   Type      Creation Date       LastMod Date
------------------------------------------------------------------------------
:DEL1:$USER1.ATTR1       USR  DEFPATTR 2017-04-20/07:48:09 2017-04-20/08:04:01
                         Guard for the default protection attributes
:DEL1:$USER1.SYS.UDF     USR  DEFAULTP 2017-04-20/07:52:36 2017-04-20/08:17:27
                         Default protection rule container
:DEL1:$USER1.WRGUA1      USR  STDAC    2017-04-20/07:48:46 2017-04-20/07:49:17
                         Guard control for write access
------------------------------------------------------------------------------
Guards selected: 3                                              End of display


USER1 next displays the contents of this rule container which has now become active:

/show-object-protection-rule rule-container-guard=sys.udf

------------------------------------------------------------------------------
RULE CONTAINER :DEL1:$USER1.SYS.UDF             USR ACTIVE  DEFAULT PROTECTION
------------------------------------------------------------------------------
RULE1          OBJECT     = FILE*
               ATTRIBUTES = $USER1.ATTR1
               USER-IDS   = *ANY-USER-ID
------------------------------------------------------------------------------
RULE CONTAINER SELECTED: 1                                      END OF DISPLAY


Next, USER1 again checks which protection attributes the file FILE1 would receive on creation:

/show-object-protection-default object-name=file1
/                               information=*attribute-values

------------------------------------------------------------------------------
DEFAULTS FOR FILE  :DEL1:$USER1.FILE1
------------------------------------------------------------------------------
                   % SCOPE: CREATE-OBJECT        % SCOPE: MODIFY-OBJECT-ATTR
                   % --------------------------- % -------------------------- 
ACCESS             % *SYSTEM-STD                 % *SYSTEM-STD
USER-ACCESS        % *SYSTEM-STD                 % *SYSTEM-STD
BASIC-ACL          % *SYSTEM-STD                 % *SYSTEM-STD
GUARDS             % READ   =                    % READ   =
                   % WRITE  = $USER1.WRGUA1      % WRITE  = $USER1.WRGUA1
                   % EXEC   =                    % EXEC   =
READ-PASSWORD      % *SYSTEM-STD                 % *SYSTEM-STD
WRITE-PASSWORD     % *SYSTEM-STD                 % *SYSTEM-STD
EXEC-PASSWORD      % *SYSTEM-STD                 % *SYSTEM-STD
DESTROY-BY-DELETE  % *SYSTEM-STD                 % *SYSTEM-STD
SPACE-RELEASE-LOCK % *SYSTEM-STD                 % *SYSTEM-STD
EXPIRATION-DATE    % *SYSTEM-STD                 % *SYSTEM-STD
FREE-FOR-DELETION  % *SYSTEM-STD                 % *SYSTEM-STD
------------------------------------------------------------------------------
                                                                END OF DISPLAY


The desired default protection is active. USER1 creates the file FILE1.

/create-file file1
/show-file-attributes file1,security=*yes

00000003 :DEL1:$USER1.FILE1
  ------------------------------- SECURITY     -------------------------------
  READ-PASS  = NONE        WRITE-PASS = NONE        EXEC-PASS  = NONE
  USER-ACC   = OWNER-ONLY  ACCESS     = WRITE       ACL        = NO
  AUDIT      = NONE        FREE-DEL-D = *NONE       EXPIR-DATE = NONE
  DESTROY    = NO          FREE-DEL-T = *NONE       EXPIR-TIME = NONE
  SP-REL-LOCK= NO
  GUARD-READ = NONE
  GUARD-WRIT = $USER1.WRGUA1
  GUARD-EXEC = NONE
:DEL1: PUBLIC:      1 FILE RES=         3  FREE=        3  REL=        3 PAGES


As the output of the /SHOW-FILE-ATTRIBUTES command shows, the protection attribute for GUARD-WRIT has been taken over from the attribute guard ATTR1.

Next, USER1 wants to create a file FILE2. This name also matches the wildcard specification in the default protection rule:

/show-object-protection-default object-name=file2
/                               information=*attribute-values

------------------------------------------------------------------------------
DEFAULTS FOR FILE  :DEL1:$USER1.FILE2
------------------------------------------------------------------------------
                   % SCOPE: CREATE-OBJECT        % SCOPE: MODIFY-OBJECT-ATTR
                   % --------------------------- % -------------------------- 
ACCESS             % *SYSTEM-STD                 % *SYSTEM-STD
USER-ACCESS        % *SYSTEM-STD                 % *SYSTEM-STD
BASIC-ACL          % *SYSTEM-STD                 % *SYSTEM-STD
GUARDS             % READ   =                    % READ   =
                   % WRITE  = $USER1.WRGUA1      % WRITE  = $USER1.WRGUA1
                   % EXEC   =                    % EXEC   =
READ-PASSWORD      % *SYSTEM-STD                 % *SYSTEM-STD
WRITE-PASSWORD     % *SYSTEM-STD                 % *SYSTEM-STD
EXEC-PASSWORD      % *SYSTEM-STD                 % *SYSTEM-STD
DESTROY-BY-DELETE  % *SYSTEM-STD                 % *SYSTEM-STD
SPACE-RELEASE-LOCK % *SYSTEM-STD                 % *SYSTEM-STD
EXPIRATION-DATE    % *SYSTEM-STD                 % *SYSTEM-STD
FREE-FOR-DELETION  % *SYSTEM-STD                 % *SYSTEM-STD
------------------------------------------------------------------------------
                                                                END OF DISPLAY


However, USER1 wants FILE2 to be created with the system standard protection attributes instead, bypassing the default protection rule:

/create-file file2, protection=*parameters(protection-attr=*std)
/show-file-att file2,security=*yes

00000003 :DEL1:$USER1.FILE2
  ------------------------------- SECURITY     -------------------------------
  READ-PASS  = NONE        WRITE-PASS = NONE        EXEC-PASS  = NONE
  USER-ACC   = OWNER-ONLY  ACCESS     = WRITE       ACL        = NO
  AUDIT      = NONE        FREE-DEL-D = *NONE       EXPIR-DATE = NONE
  DESTROY    = NO          FREE-DEL-T = *NONE       EXPIR-TIME = NONE
  SP-REL-LOCK= NO
:DEL1: PUBLIC:      1 FILE RES=         3  FREE=        3  REL=        3 PAGES


All protection attributes are the system defaults; in particular, no guard is entered for write access.

Example 7: Defining co-owners

Problem

USER1 wants USER2 to have the right to create and administer files whose names contain the string ‘TEST’ under her (USER1’s) user ID.

Solution

USER1 defines a condition guard COND1 which gives USER2 access at all times:

/create-guard cond1,user-inf='Access conditions for co-owner'
/add-access-conditions guard-name=cond1, -
/                      subjects=*user(user-identification=user2)

USER1 then defines a rule container COO1 containing a co-owner rule. This specifies that the access conditions for co-owners of files whose names match the pattern ’*TEST*’ are defined in the condition guard COND1:

/create-guard coo1,user-inf='Co-owner rule container'
/add-coowner-protection-rule rule-container-guard=coo1, -
/            protection-rule=rule1, -
/            protect-object=*parameters(name=*test*,-
/                                       condition-guard=cond1)

For control purposes, USER1 outputs information about all the guards and the rule container COO1. Precondition: no guards were present under the user ID USER1 at the start of this example session.

/show-guard-attributes

     Guard name         Scope   Type      Creation Date       LastMod Date
------------------------------------------------------------------------------
:DEL1:$USER1.COND1       USR  STDAC    2017-04-19/10:35:47 2017-04-19/10:36:33
                         Access conditions for co-owner
:DEL1:$USER1.COO1        USR  COOWNERP 2017-04-19/10:37:26 2017-04-19/10:38:53
                         Co-owner rule container
------------------------------------------------------------------------------
Guards selected: 2                                              End of display

/show-coowner-protection-rule coo1

------------------------------------------------------------------------------
RULE CONTAINER :DEL1:$USER1.COO1                            COOWNER PROTECTION
------------------------------------------------------------------------------
RULE1         OBJECT      = *TEST*
              CONDITIONS  = $USER1.COND1
              TSOS-ACCESS = SYSTEM-STD
------------------------------------------------------------------------------
RULE CONTAINER SELECTED: 1                                      END OF DISPLAY

Since the name COO1 does not follow the naming convention for active rule containers (SYS.UCF for user-specific co-owner protection), the container is inactive and serves only to prepare the rule. USER2 therefore does not yet possess co-owner authorization for files under the user ID USER1, as the following command, entered under the user ID USER2, shows:

/show-coowner-admission-rule $user1.*

COO3316 NO COOWNER PROTECTION ACTIVE

To activate co-owner protection, USER1 renames the inactive rule container COO1:

/mod-guard-attr guard-name=coo1,new-name=sys.ucf
/show-guard-attributes

     Guard name         Scope   Type      Creation Date       LastMod Date
------------------------------------------------------------------------------
:DEL1:$USER1.COND1       USR  STDAC    2017-04-19/10:35:47 2017-04-19/10:36:33
                         Access conditions for co-owner
:DEL1:$USER1.SYS.UCF     USR  COOWNERP 2017-04-19/10:37:26 2017-04-19/11:29:53
                         Co-owner rule container
------------------------------------------------------------------------------
Guards selected: 2                                              End of display

Next, USER1 displays the contents of this rule container which has now become active:

/show-coowner-protection-rule

------------------------------------------------------------------------------
RULE CONTAINER :DEL1:$USER1.SYS.UCF                  ACTIVE COOWNER PROTECTION
------------------------------------------------------------------------------
RULE1         OBJECT      = *TEST*
              CONDITIONS  = $USER1.COND1
              TSOS-ACCESS = SYSTEM-STD
------------------------------------------------------------------------------
RULE CONTAINER SELECTED: 1                                      END OF DISPLAY

USER2 checks which rules make him a co-owner of files belonging to the user ID USER1:

/show-coowner-admission-rule $user1.*

------------------------------------------------------------------------------
COOWNER RULES FOR FILE  :DEL1:$USER1.*
------------------------------------------------------------------------------
RULE1          OBJECT     = *TEST*
               CONDITIONS = $USER1.COND1
------------------------------------------------------------------------------
RULES SELECTED: 1                                               END OF DISPLAY


USER2 can now create the file TESTTEST under $USER1:

/create-file $user1.testtest
/show-file-att $user1.testtest

0000003 :DEL1:$USER1.TESTTEST 
:DEL1: PUBLIC:    1 FILE    RES=    3  FREE=    3  REL=    3 PAGES
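Examples 6 and 7 share one mechanism: a rule container holds rules that map an object name pattern to a guard, the container is inert until it carries the active name (SYS.UDF or SYS.UCF in the user's own scope), and the first rule whose pattern matches the new file name decides. The following Python model is added here as an example, not SECOS code, and reproduces the state of USER1's guards before and after the rename, so that the DEF3316/COO3316 "NO ... PROTECTION ACTIVE" results, the GUARD-WRIT taken from ATTR1, the PROTECTION-ATTR=*STD bypass for FILE2 and the co-owner rule for TESTTEST can all be checked. Two simplifications are assumptions of the model: only the '*' wildcard is implemented, and rules are tried in the order they appear in the container (the page shows containers with a single rule only).

```python
"""Model of GUARDS rule containers for default protection (Example 6) and
co-owner protection (Example 7). Added example, not SECOS code; the guard
and rule names are the ones used on the page."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# A user-specific rule container only takes effect under these names
# (the page renames DEF1 to SYS.UDF and COO1 to SYS.UCF to activate them).
ACTIVE_NAME = {"DEFAULTP": "SYS.UDF", "COOWNERP": "SYS.UCF"}


@dataclass
class Rule:
    name: str      # e.g. RULE1
    pattern: str   # object name pattern, e.g. FILE* or *TEST*
    target: str    # attribute guard (DEFAULTP) or condition guard (COOWNERP)


@dataclass
class RuleContainer:
    owner: str     # user ID under which the container exists, e.g. USER1
    name: str      # guard name, e.g. DEF1 or SYS.UDF
    kind: str      # "DEFAULTP" or "COOWNERP"
    rules: List[Rule] = field(default_factory=list)

    def is_active(self) -> bool:
        return self.name.upper() == ACTIVE_NAME[self.kind]


def name_matches(pattern: str, name: str) -> bool:
    """Assumption: only the '*' wildcard (any string, including the empty one)
    is modelled. BS2000 file names are compared upper-cased."""
    regex = ".*".join(re.escape(part) for part in pattern.upper().split("*"))
    return re.fullmatch(regex, name.upper()) is not None


def applicable_rule(containers: List[RuleContainer], owner: str, kind: str,
                    object_name: str) -> Optional[Rule]:
    """First matching rule of the owner's ACTIVE container of the given kind.
    Assumption: rules are tried in the order they appear in the container."""
    for c in containers:
        if c.owner.upper() != owner.upper() or c.kind != kind or not c.is_active():
            continue
        for rule in c.rules:
            if name_matches(rule.pattern, object_name):
                return rule
    return None


def default_write_guard(containers: List[RuleContainer],
                        attribute_guards: Dict[str, Dict[str, str]],
                        owner: str, file_name: str,
                        std_attributes: bool = False) -> Optional[str]:
    """GUARD-WRIT that a new file $owner.file_name would receive.
    std_attributes=True models CREATE-FILE ...,PROTECTION-ATTR=*STD (FILE2)."""
    if std_attributes:
        return None
    rule = applicable_rule(containers, owner, "DEFAULTP", file_name)
    if rule is None:
        return None                     # DEF3316 NO DEFAULT PROTECTION ACTIVE
    return attribute_guards[rule.target.upper()].get("WRITE")


def coowner_condition_guard(containers: List[RuleContainer], owner: str,
                            file_name: str) -> Optional[str]:
    """Condition guard governing co-owner access to $owner.file_name, as
    SHOW-COOWNER-ADMISSION-RULE reports it; None if no rule applies."""
    rule = applicable_rule(containers, owner, "COOWNERP", file_name)
    return rule.target if rule else None   # COO3316 NO COOWNER PROTECTION ACTIVE


def example_state(activated: bool):
    """USER1's guards before (DEF1, COO1) or after the rename (SYS.UDF, SYS.UCF)."""
    attribute_guards = {"ATTR1": {"WRITE": "$USER1.WRGUA1"}}   # from ADD-DEFAULT-PROTECTION-ATTR
    containers = [
        RuleContainer("USER1", "SYS.UDF" if activated else "DEF1", "DEFAULTP",
                      [Rule("RULE1", "FILE*", "ATTR1")]),
        RuleContainer("USER1", "SYS.UCF" if activated else "COO1", "COOWNERP",
                      [Rule("RULE1", "*TEST*", "$USER1.COND1")]),
    ]
    return containers, attribute_guards


if __name__ == "__main__":
    for activated in (False, True):
        containers, attrs = example_state(activated)
        print("active  " if activated else "inactive",
              default_write_guard(containers, attrs, "USER1", "FILE1"),
              default_write_guard(containers, attrs, "USER1", "FILE2", std_attributes=True),
              coowner_condition_guard(containers, "USER1", "TESTTEST"))
```

The model makes the review point of these two examples explicit: a rule that reads correctly in SHOW-DEFAULT-PROTECTION-RULE or SHOW-COOWNER-PROTECTION-RULE does nothing until the container carries the active name, and a caller who passes PROTECTION-ATTR=*STD receives no guard at all, so neither display is proof that a file is protected; only SHOW-FILE-ATTRIBUTES with SECURITY=*YES on the created file is.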