Domain: SECURITY-ADMINISTRATION
Privileges: STD-PROCESSING, GUARD-ADMINISTRATION
This command is used to change access conditions in one or more guards. You can specify the changes by calling the command repeatedly for one of the possible subject types *USER, *GROUP, *OTHERS and *ALL-USERS in each case.
MODIFY-ACCESS-CONDITIONS
GUARD-NAME = <filename 1..24 without-gen-vers with-wild(40)>
Specifies one or more guards in which access conditions are to be changed. The name can contain wildcards.
If the guard name is specified with the help of wildcards, only guards of the guard type STDAC are taken into account.
Only a guard administrator can specify wildcards in the user ID.
The specification of the system default ID in the guard name, e.g. $<filename> or $.<filename>, is not supported.
SUBJECTS =
Specifies the subject type for which the access conditions are to be changed. The possible subject types are:
*USER (user IDs)
*GROUP (user groups)
*OTHERS (all not explicitly specified user IDs)
Access conditions can also be specified with the pseudo subject type *ALL-USERS.
If access conditions are to be changed for several of these subject types, the command must be entered a corresponding number of times.
SUBJECTS = *OTHERS
Specifies that the conditions specified with the ADMISSION operand are to apply to those users who are not contained in either of the lists SUBJECTS=*USER or *GROUP.
SUBJECTS = *ALL-USERS
Specifies that the conditions specified with the ADMISSION operand are additional conditions.
If additional conditions are specified, the following applies: A subject type is only granted access permission when both the conditions specified for the subject type itself and the conditions specified for the pseudo subject type *ALL-USERS permit access.
You will find more information on specifying and checking access conditions in section "Defining access conditions".
SUBJECTS = *USER(...)
The user IDs to which the following definition is to apply.
USER-IDENTIFICATION = list-poss(20):<name 1..8>
Specifies a maximum of 20 user IDs to which the access conditions specified with the ADMISSION operand are to apply. If more than 20 user IDs are to be counted, the command call must be repeated a corresponding number of times.
SUBJECTS = *GROUP(...)
Specifies that the conditions specified with the ADMISSION operand are only to apply to specific user groups.
GROUP-IDENTIFICATION = *UNIVERSAL / list-poss(20): <name 1..8>
Specifies a maximum of 20 group IDs to which the access conditions specified with the ADMISSION operand are to apply. If more than 20 group IDs are to be counted, the command call must be repeated a corresponding number of times.
ADMISSION =
Specifies the access conditions for the subject type (*USER, *GROUP, *OTHERS) specified with the SUBJECTS operand or additional conditions for all subject types (*ALL-USERS).
ADMISSION = *YES
Specifies that access is granted to the subject type specified with the SUBJECTS operand.
If additional conditions are specified, the following applies: A subject type is only granted access permission when both the conditions specified for the subject type itself and the conditions specified for the pseudo subject type *ALL-USERS permit access.
You will find more information on specifying and checking access conditions in section "Defining access conditions".
ADMISSION = *NO
Specifies that the subject type or pseudo subject type specified with the SUBJECTS operand is not permitted access.
ADMISSION = *PARAMETERS(...)
Specifies more precisely the access conditions to apply to the subject type or pseudo subject type specified with the SUBJECTS operand.
If additional conditions are specified, the following applies: A subject type is only granted access permission when both the conditions specified for the subject type itself and the conditions specified for the pseudo subject type *ALL-USERS permit access.
You will find more information on specifying and checking access conditions in section "Defining access conditions".
DATE = *UNCHANGED / *ANY / *EXCEPT(...) / list-poss(4): *INTERVAL(...)
Specifies dates on which access is to be permitted or forbidden. The year values must lie between 1991 and 2099. SDF permits the specification of the date with either a four-digit or a two-digit year number. A date with a two-digit year number (yy-mm-dd) is expanded as follows:
20yy-mm-dd, where yy < 60 or
19yy-mm-dd, where yy >= 60.
DATE = *ANY
The object can be accessed on any date.
DATE = *EXCEPT(DATE = list-poss(4): *INTERVAL(...))
Up to four periods during which access is permitted can be specified.
FROM = <date 8..10 with-compl>
Specifies the beginning of the period.
TO = *SAME
Specifies that the end of the period is the same as the beginning (the condition applies on only this one day).
TO = <date 8..10 with-compl>
Specifies the end of the period.
DATE = list-poss(4): *INTERVAL(...)
Up to four periods during which access is forbidden can be specified.
FROM = <date 8..10 with-compl>
Specifies the beginning of the period.
TO = *SAME
Specifies that the end of the period is the same as the beginning (the condition applies on only this one day).
TO = <date 8..10 with-compl>
Specifies the end of the period.
TIME = *UNCHANGED / *ANY / *EXCEPT(...) / list-poss(4): *INTERVAL(...)
Specifies the times of day during which access is to be permitted or forbidden. Seconds, if specified, are ignored. The values for hours and minutes must be separated by a colon. Specifications which do not contain a colon are interpreted as hours values.
TIME = *ANY
The object can be accessed at any time.
TIME = *EXCEPT(TIME = list-poss(4):*INTERVAL(...))
Up to four periods during which access is permitted can be specified.
FROM = <time 1..8>
Specifies the beginning of the period.
TO = <time 1..8>
Specifies the end of the period.
TIME = list-poss(4):*INTERVAL(...)
Up to four periods during which access is forbidden can be specified.
FROM = <time 1..8>
Specifies the beginning of the period.
TO = <time 1..8>
Specifies the end of the period.
WEEKDAY = *UNCHANGED / *ANY / *EXCEPT(...) / list-poss(7): *MONDAY / *TUESDAY /
*WEDNESDAY / *THURSDAY / *FRIDAY / *SATURDAY / *SUNDAY
Specifies one or more weekdays on which access is permitted.
WEEKDAY = *ANY
Access is permitted on any day of the week.
WEEKDAY = *EXCEPT(...)
Specifies the days of the week on which access is forbidden.
WEEKDAY = list-poss(7): *MONDAY / *TUESDAY / *WEDNESDAY /
*THURSDAY / *FRIDAY / *SATURDAY / *SUNDAY
Access is forbidden on the days of the week specified in this list.
WEEKDAY = list-poss(7): *MONDAY / *TUESDAY / *WEDNESDAY /
*THURSDAY / *FRIDAY / *SATURDAY / *SUNDAY
Access is permitted only on the specified days of the week.
PRIVILEGE = *UNCHANGED / *ANY / *EXCEPT(...) / list-poss(31): <text>
Specifies the privileges with which access is permitted.
PRIVILEGE = *ANY
No special privilege is necessary for access to the object.
PRIVILEGE = *EXCEPT(...)
PRIVILEGE = list-poss(31): <text>
Users with the specified privileges may not access the object. See "Functional overview" for possible privileges.
PRIVILEGE = list-poss(31): <text>
Only users with the specified privileges may access the object. See "Functional overview" for possible privileges.
PROGRAM = *UNCHANGED / *ANY / list-poss(4): <filename 1..54 without-gen-vers with-wild> /
*PHASE(...) / *MODULE(...)
Specifies the program by means of which access can take place. Up to 4 program names can be specified. The specified programs can exist either as a linked phase in a file or as an object module (OM) or link and load module (LLM) in the form of a library element.
Notes
To avoid conflicts when modules of the type OM and LLM are used, it is advisable to keep the modules in different libraries (see also the “LMS” manual [23]).
In the case of accesses by means of a program, a check is carried out to establish whether the accessing program has loaded and taken over control.
If an object protected by guards is only to be accessed by means of a program, it is important to note the following:
The file or library in which the program that has access authorization is stored should itself be protected in such a way that the program can be neither modified nor read. Otherwise, it could be copied by a user (who has no access to the protected object) using his or her user ID and given the name of the program with access authorization.
PROGRAM = *ANY
Access can take place using any program.
PROGRAM = <filename 1..54 without-gen-vers with-wild>
The program is a linked phase and exists in the form of a file. If the file name is specified without a path, it is completed with the default pubset ID and user ID of the command issuer.
PROGRAM = *PHASE(...)
The program is a linked phase and exists in the form of a library element of the type C.
LIBRARY = <filename 1..54 without-gen-vers with-wild>
Name of the library element. If the library name is specified without a path, it is completed with the default pubset ID and user ID of the command issuer.
ELEMENT = <composed-name 1..64 with-under with-wild>
Element (member) that contains the program.
VERSION = *ANY
No specific version is specified for the library element.
VERSION = <composed-name 1..24 with-under with-wild>
Version of the library element.
PROGRAM = *MODULE(...)
The program is an object module (OM) or a link and load module (LLM) and exists in the form of a library element of the type R or L.
LIBRARY = <filename 1..54 without-gen-vers with-wild>
Name of the library in which the object or load module is entered. If the library name is specified without a path, it is completed with the default pubset ID and user ID of the command issuer.
ELEMENT = <composed-name 1..32 with-under with-wild>
Name of the library element.
VERSION = *ANY
The module may have any version number.
VERSION = <composed-name 1..24 with-under with-wild>
Specifies the version of the member that contains the module.
DIALOG-CONTROL =
The user can use the command in a guided dialog and can define the type of dialog that is to be performed. Dialog control has no effect in batch mode and thus corresponds to the setting DIALOG-CONTROL=*NO.
DIALOG-CONTROL = *STD
For each selected guard, the user can decide in interactive mode whether or not the command should be executed. However, dialog control is only performed if the name of the user ID guard is specified using wildcards.
It is possible to abort the command.
DIALOG-CONTROL = *NO
The command is executed for every selected guard without any query being issued.
DIALOG-CONTROL = *GUARD-CHANGE
For each selected guard, the user can decide in interactive mode whether or not the command should be executed. Dialog control is performed regardless of whether or not the name of the guard is specified using wildcards.
It is possible to abort the command.
DIALOG-CONTROL = *USER-ID-CHANGE
This guided dialog can only be used by system administrators.
For each selected user ID, the system administrator can decide in interactive mode whether or not the command should be executed. However, dialog control is only performed if the user ID in the name of the guard is specified using wildcards.
It is possible to abort the command.
DIALOG-CONTROL = *CATALOG-CHANGE
For each selected catalog ID, the user can decide in interactive mode whether or not the command should be executed. However, dialog control is only performed if the catalog ID in the name of the guard is specified using wildcards.
It is possible to abort the command.
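The value rules given above for USER-IDENTIFICATION (at most 20 IDs per call), DATE (two-digit year expansion, years 1991 to 2099) and TIME (seconds ignored, no colon means hours) can be checked before a change is submitted. The following Python is an added example, not part of the manual: the function names, the guard name MYGUARD and the user IDs are constructed, and the hour and minute bounds are an assumption.

```python
import re
from datetime import date

MAX_IDS = 20  # list-poss(20): at most 20 user IDs per command call

def expand_date(value):
    """Expand a two-digit year as described above, then enforce 1991..2099."""
    m = re.fullmatch(r"(\d{4}|\d{2})-(\d{2})-(\d{2})", value)
    if m is None:
        raise ValueError(f"not a yy-mm-dd or yyyy-mm-dd date: {value!r}")
    year, month, day = m.groups()
    if len(year) == 2:
        year = ("20" if int(year) < 60 else "19") + year
    parsed = date(int(year), int(month), int(day))  # rejects e.g. 02-30
    if not 1991 <= parsed.year <= 2099:
        raise ValueError(f"{value!r} expands to {parsed.year}, outside 1991..2099")
    return parsed.isoformat()

def normalize_time(value):
    """Return hh:mm; seconds are dropped, a value without a colon is hours."""
    parts = value.split(":")
    if len(parts) > 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a time value: {value!r}")
    hours = int(parts[0])
    minutes = int(parts[1]) if len(parts) > 1 else 0
    # Assumption: hours 0..23 and minutes 0..59 (the page states no bounds).
    if hours > 23 or minutes > 59:
        raise ValueError(f"time out of range: {value!r}")
    return f"{hours:02d}:{minutes:02d}"

def user_commands(guard, user_ids, admission="*YES"):
    """Build one command call per batch of at most 20 user IDs (<name 1..8>)."""
    bad = [u for u in user_ids if not 1 <= len(u) <= 8]
    if bad:
        raise ValueError(f"user IDs must be 1..8 characters: {bad}")
    template = ("MODIFY-ACCESS-CONDITIONS GUARD-NAME={},"
                "SUBJECTS=*USER(USER-IDENTIFICATION=({})),ADMISSION={}")
    return [template.format(guard, ",".join(user_ids[i:i + MAX_IDS]), admission)
            for i in range(0, len(user_ids), MAX_IDS)]

if __name__ == "__main__":
    ids = [f"USR{i:03d}" for i in range(45)]  # constructed sample user IDs
    for command in user_commands("MYGUARD", ids):
        print(command)
    print(expand_date("59-12-31"), normalize_time("17:30:59"))
```

Because two-digit years from 60 upward expand to 19yy, the values 60 to 90 always land before 1991 and are rejected by the range check; only 91 to 99 and 00 to 59 are usable in the short form.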
Command return codes
| (SC2) | SC1 | Maincode | Meaning |
| | 0 | CMD0001 | Command successfully executed |
| 2 | 0 | PRO1011 | The command was aborted at the user’s request |
| | 32 | PRO1001 | An internal error has occurred. A SERSLOG entry has been written for further analysis |
| | 64 | PRO1002 | Syntax error in the name of the guard |
| | 64 | PRO1007 | The specified guard does not exist |
| | 64 | PRO1012 | The specified catalog is not defined or not accessible |
| | 64 | PRO1013 | The pubset is not known to the GUARDS administration (the guards catalog was probably not opened at IMPORT-PUBSET) |
| | 64 | PRO1014 | The user is not authorized to execute this function |
| | 64 | PRO1015 | The specified subject does not exist in the guard |
| | 64 | PRO1016 | Error in the MRS communication facility |
| | 64 | PRO1017 | Unknown user ID |
| | 64 | PRO1018 | The remote system is not available |
| | 64 | PRO1020 | No more memory space available |
| | 64 | PRO1021 | BCAM connection error |
| | 64 | PRO1022 | The BCAM connection has been interrupted |
| | 64 | PRO1023 | There is no guard matching the selection criteria |
| | 64 | PRO1026 | The user ID is already included in the condition |
| | 64 | PRO1027 | The condition area is full |
| | 64 | PRO1028 | Incorrect guard type |
| | 64 | PRO1029 | GUARDS is not available on the remote system |
| | 64 | PRO1042 | The user is not registered |
| 2 | 64 | PRO1035 | Command was not executed |
| | 128 | PRO1009 | The specified guard is locked by another task |
| | 128 | PRO1036 | The guards catalog is locked |
| | 128 | PRO1038 | The guards catalog is locked by ARCHIVE |