This example shows how restricted TSOS co-ownership is specified and how subsequent TSOS accesses to the protected files are handled.
Specifying the system-specific settings
The security officer (by default SYSPRIV) withdraws the two privileges USER-ADMINISTRATION and GUARD-ADMINISTRATION from the user ID TSOS. As a result, the user TSOS can neither gain access to other user IDs nor administer guards (and thus cannot change their contents):
/reset-privilege privilege=(*guard-administration,*user-administration), -
/ user-id=tsos
The security officer makes the user ID USERADM the new user administrator:
/set-privilege privilege=*user-administration, -
/ user-id=useradm
The security officer makes the user ID GUARDADM the new guard administrator:
/set-privilege privilege=*guard-administration, -
/ user-id=guardadm
Specification of the user-specific settings
The user CUSTOMER gives himself alone full access rights to his file MY-OWN. The access condition is to be controlled by the guard GUA1.
/add-access-conditions guard-name=$customer.gua1,-
/ subjects=*user(customer), -
/ admission=*yes
/modify-file-attributes file-name=$customer.my-own, -
/ protection=*par(guards=(read=$customer.gua1, -
/ write=$customer.gua1, -
/ exec=$customer.gua1))
The user CUSTOMER wants to restrict the co-administration rights of TSOS to his file TSOS-ACC-RESTRICTED.
He gives himself alone full access rights to his file TSOS-ACC-RESTRICTED. The access condition is again controlled by the guard GUA1.
/add-coowner-protection-rule rule-container-guard=$customer.sys.ucf, -
/ protection-rule=rule1, -
/ protect-object=(name=tsos-acc-restricted, -
/ condition-guard=*none, -
/ tsos-access=*restricted)
/modify-file-attributes file-name=$customer.tsos-acc-restricted, -
/ protection=*par(guards=(read=gua1, -
/ write=gua1, -
/ exec=gua1))
The user CUSTOMER makes a mistake. He would like to restrict the co-administration rights of TSOS to his file TSOS-ERROR as well, but forgets to link the file with the guard GUA1. This means that, although TSOS only has restricted co-administration rights, he still has full data access rights to the file, because no GUARDS protection is in force for it.
/add-coowner-protection-rule rule-container-guard=$customer.sys.ucf, -
/ protection-rule=rule2, -
/ protect-object=(name=tsos-error, -
/ condition-guard=*none, -
/ tsos-access=*restricted)
Summary of the user-specific settings
Once the user CUSTOMER has made the settings described, his files have the following protection attributes:
File $CUSTOMER.MY-OWN
/show-file-attributes file-name=$customer.my-own, -
/ information=(security=*yes)
%00000003 :2OSC:$CUSTOMER.MY-OWN
% ------------------------------- SECURITY -------------------------------
% READ-PASS  = NONE        WRITE-PASS = NONE     EXEC-PASS  = NONE
% USER-ACC   = OWNER-ONLY  ACCESS     = WRITE    ACL        = NO
% AUDIT      = NONE        FREE-DEL-D = *NONE    EXPIR-DATE = 2018-03-23
% DESTROY    = NO          FREE-DEL-T = *NONE    EXPIR-TIME = 00:00:00
% SP-REL-LOCK= NO
% GUARD-READ = $CUSTOMER.GUA1
% GUARD-WRIT = $CUSTOMER.GUA1
% GUARD-EXEC = $CUSTOMER.GUA1
File $CUSTOMER.TSOS-ACC-RESTRICTED
/show-file-attributes file-name=$customer.tsos-acc-restricted, -
/ information=(security=*yes)
%00000003 :2OSC:$CUSTOMER.TSOS-ACC-RESTRICTED
% ------------------------------- SECURITY -------------------------------
% READ-PASS  = NONE        WRITE-PASS = NONE     EXEC-PASS  = NONE
% USER-ACC   = OWNER-ONLY  ACCESS     = WRITE    ACL        = NO
% AUDIT      = NONE        FREE-DEL-D = *NONE    EXPIR-DATE = 2018-03-23
% DESTROY    = NO          FREE-DEL-T = *NONE    EXPIR-TIME = 00:00:00
% SP-REL-LOCK= NO
% GUARD-READ = $CUSTOMER.GUA1
% GUARD-WRIT = $CUSTOMER.GUA1
% GUARD-EXEC = $CUSTOMER.GUA1
End of display
File $CUSTOMER.TSOS-ERROR
/show-file-attributes file-name=$customer.tsos-error, -
/ information=(security=*yes)
%00000003 :2OSC:$CUSTOMER.TSOS-ERROR
% ------------------------------- SECURITY -------------------------------
% READ-PASS  = NONE        WRITE-PASS = NONE     EXEC-PASS  = NONE
% USER-ACC   = OWNER-ONLY  ACCESS     = WRITE    ACL        = NO
% AUDIT      = NONE        FREE-DEL-D = *NONE    EXPIR-DATE = 2018-03-23
% DESTROY    = NO          FREE-DEL-T = *NONE    EXPIR-TIME = 00:00:00
% SP-REL-LOCK= NO
Guard $CUSTOMER.GUA1
/show-access-conditions guard-name=$customer.gua1
%:2OSC:$CUSTOMER.GUA1
% User CUSTOMER has ADMISSION
%-----------------------------------------------------------------------------
%Guards selected: 1
Rule container $CUSTOMER.SYS.UCF
TSOS accesses and responses
The user TSOS makes the following attempts to access the files of the user CUSTOMER:
/show-file $customer.my-own
Result:
Access is not granted.
% SHO0003 'DMS' REPORTED ERROR '0666'. COMMAND NOT PROCESSED
Reason:
The file is protected by the guard $CUSTOMER.GUA1, in which there is an access condition defined for CUSTOMER only. Data access is thus prohibited for TSOS.
/modify-file-attributes file-name=$customer.my-own,guards=*none
Result:
The change is carried out.
Reason:
The active co-owner container under the CUSTOMER user ID does not contain a rule for the $CUSTOMER.MY-OWN file. By default, TSOS thus has unrestricted permission to carry out co-owner accesses.
/show-file file-name=$customer.tsos-acc-restricted
Result:
Access is not granted.
% SHO0003 'DMS' REPORTED ERROR '0666'. COMMAND NOT PROCESSED
Reason:
The file is protected by the $CUSTOMER.GUA1 guard, in which there is an access condition defined only for CUSTOMER. Data access is thus prohibited for TSOS.
/modify-file-attributes file-name=$customer.tsos-acc-restricted,guards=*none
Result:
The change is rejected.
% DMS0681 DMS ERROR '05CB' WHEN ACCESSING FILE ':A:$CUSTOMER.TSOS-ACC-RESTRICTED'. FOR FURTHER INFORMATION: /HELP-MSG DMS05CB
Reason:
The active co-owner rule container under the CUSTOMER user ID contains a rule that restricts the co-ownership rights of TSOS to the file. Consequently, co-owner access is prohibited for TSOS.
/copy-file from-file=$customer.tsos-acc-restricted,to-file=$tsos.new-file
Result:
Access is not granted.
% DMS0666 REQUESTED ACCESS TO FILE NOT PERMITTED DUE TO EXISTING FILE PROTECTION. COMMAND NOT PROCESSED
Reason:
The file is protected by the $CUSTOMER.GUA1 guard, in which there is an access condition defined only for CUSTOMER. Data access is thus prohibited for TSOS.
/copy-file from-file=$customer.tsos-acc-restricted, -
/ to-file=$tsos.new-file, -
/ ignore-protection=*source-file
Result:
Access is not granted.
% DMS0666 REQUESTED ACCESS TO FILE NOT PERMITTED DUE TO EXISTING FILE PROTECTION. COMMAND NOT PROCESSED
Reason:
The $CUSTOMER.TSOS-ACC-RESTRICTED file is protected by the $CUSTOMER.GUA1 guard, in which there is an access condition defined only for CUSTOMER. Data access is thus prohibited for TSOS.
TSOS attempts to circumvent this protection by specifying the IGNORE-PROTECTION operand. Using that operand is itself a co-owner access, and the active co-owner rule container under the CUSTOMER user ID contains a rule that restricts the co-owner rights of TSOS to this file. Co-owner access, and thus also the use of the IGNORE-PROTECTION operand, is prohibited for TSOS.
/delete-file file-name=$customer.tsos-acc-restricted
Result:
Access is not granted.
% DMS0801 ERROR WHEN DELETING FILE ':A:$CUSTOMER.TSOS-ACC-RESTRICTED'
% DMS0666 REQUESTED ACCESS TO FILE NOT PERMITTED DUE TO EXISTING FILE PROTECTION. COMMAND NOT PROCESSED
Reason:
The file is protected by the $CUSTOMER.GUA1 guard, in which there is an access condition defined only for CUSTOMER. Data access is thus prohibited for TSOS.
/delete-file file-name=$customer.tsos-acc-restricted, -
/ ignore-protection=*access
Result:
Access is not granted.
% DMS0801 ERROR WHEN DELETING FILE ':A:$CUSTOMER.TSOS-ACC-RESTRICTED'
% DMS0666 REQUESTED ACCESS TO FILE NOT PERMITTED DUE TO EXISTING FILE PROTECTION.
COMMAND NOT PROCESSED
/show-file file-name=$customer.tsos-error
Result:
The file is accessed (i.e. displayed).
Reason:
GUARDS access protection has not been applied to the file. By default, TSOS therefore has unrestricted permission to carry out data access.
/modify-file-attributes file-name=$customer.tsos-error,guards=*none
Result:
Access is not granted.
% DMS0681 DMS ERROR '05CB' WHEN ACCESSING FILE ':A:$CUSTOMER.TSOS-ACC-RESTRICTED'. FOR FURTHER INFORMATION: /HELP-MSG DMS05CB
Reason:
The active co-owner rule container under the CUSTOMER user ID contains a rule that restricts the co-ownership rights of TSOS to the file. Co-owner access is thus prohibited for TSOS.
/copy-file from-file=$customer.tsos-error,to-file=$tsos.new-file
Result:
The file is accessed.
Reason:
GUARDS access protection has not been applied to the file. By default, TSOS therefore has unrestricted permission to carry out data access.
/copy-file from-file=$customer.tsos-error, -
/ to-file=$tsos.new-file, -
/ ignore-protection=*source-file
Result:
The file is accessed (i.e. displayed).
Reason:
GUARDS access protection has not been applied to the file. By default, TSOS therefore has unrestricted permission to carry out data access. The IGNORE-PROTECTION operand is of no significance here, because protection that has not been set cannot be ignored.
/delete-file file-name=$customer.tsos-error
Result:
The file is accessed.
Reason:
GUARDS access protection has not been applied to the file. By default, TSOS therefore has unrestricted permission to carry out data access.
/delete-file file-name=$customer.tsos-error,ignore-protection=*access
Result:
The file is accessed.
Reason:
GUARDS access protection has not been applied to the file. By default, TSOS therefore has unrestricted permission to carry out data access. The IGNORE-PROTECTION operand is of no significance here, because protection that has not been set cannot be ignored.
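The decision logic behind the responses above separates two kinds of access: data access, which is decided by the GUARDS linked to the file, and co-owner access (attribute changes and the IGNORE-PROTECTION operand), which is decided by the rule in the owner's active co-owner rule container. The following Python model is an added illustration, not code from the SECOS manual or from BS2000 itself: it rebuilds the state CUSTOMER configured above, replays the TSOS attempts, and adds the check an administrator would want, namely listing files that carry a restricted co-owner rule but no guard (the TSOS-ERROR mistake). Names such as `Catalog`, `tsos_attempts` and `unguarded_restricted_files` are the example's own; the verdict strings only echo the message numbers shown on this page. The model also generalises one case the page does not show explicitly: for MY-OWN, where TSOS co-ownership is unrestricted, IGNORE-PROTECTION is treated as allowed, following the reasoning given for TSOS-ACC-RESTRICTED.

```python
# Added model (not from the SECOS manual): reproduces the GUARDS / co-owner
# decisions TSOS runs into in the example and flags the TSOS-ERROR mistake.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

TSOS = "TSOS"
GRANTED = "granted"
DENIED_DATA = "denied: DMS0666 file protection"          # guard forbids data access
DENIED_COOWNER = "denied: DMS05CB co-owner restriction"   # rule container forbids co-owner access


@dataclass(frozen=True)
class Guard:
    """A guard with one access condition: SUBJECTS=*USER(...), ADMISSION=*YES."""
    name: str
    admitted: FrozenSet[str]


@dataclass
class File:
    name: str                 # full name, e.g. "$CUSTOMER.MY-OWN"
    owner: str                # user ID, e.g. "CUSTOMER"
    guards: Dict[str, str]    # "read"/"write"/"exec" -> guard name; {} = no GUARDS protection


@dataclass(frozen=True)
class CoownerRule:
    protect_object: str       # file name without the "$owner." prefix
    tsos_access: str          # "*restricted" or "*unrestricted"


class Catalog:
    """Hypothetical stand-in for the catalog, guards and rule containers of the example."""

    def __init__(self) -> None:
        self.guards: Dict[str, Guard] = {}
        self.files: Dict[str, File] = {}
        self.rule_containers: Dict[str, List[CoownerRule]] = {}   # owner -> active container

    def tsos_restricted(self, f: File) -> bool:
        """True if the owner's active container holds a *RESTRICTED rule for this file."""
        short = f.name.split(".", 1)[1]
        return any(r.protect_object == short and r.tsos_access == "*restricted"
                   for r in self.rule_containers.get(f.owner, []))

    def coowner_access(self, user: str, file_name: str) -> str:
        """Attribute changes (MODIFY-FILE-ATTRIBUTES) and the IGNORE-PROTECTION operand."""
        f = self.files[file_name]
        if user == f.owner:
            return GRANTED
        if user == TSOS and not self.tsos_restricted(f):
            return GRANTED          # default: TSOS co-ownership is unrestricted
        return DENIED_COOWNER       # assumption: no other co-owners are modelled

    def data_access(self, user: str, file_name: str, mode: str,
                    ignore_protection: bool = False) -> str:
        """Reading, copying or deleting the file contents."""
        f = self.files[file_name]
        if user == f.owner:
            return GRANTED
        if user != TSOS:
            return DENIED_DATA      # USER-ACC=OWNER-ONLY; other IDs are out of scope here
        guard_name = f.guards.get(mode)
        if guard_name is None:
            return GRANTED          # no GUARDS protection: nothing stops TSOS
        if user in self.guards[guard_name].admitted:
            return GRANTED
        # IGNORE-PROTECTION is itself a co-owner access, so it only helps when that is granted
        if ignore_protection and self.coowner_access(user, file_name) == GRANTED:
            return GRANTED
        return DENIED_DATA


def unguarded_restricted_files(c: Catalog) -> List[str]:
    """Administrator's check: restricted rule present but no guard linked (the TSOS-ERROR case)."""
    return sorted(f.name for f in c.files.values() if c.tsos_restricted(f) and not f.guards)


def build_example() -> Catalog:
    """The state CUSTOMER sets up in the example (constructed from the commands above)."""
    c = Catalog()
    c.guards["$CUSTOMER.GUA1"] = Guard("$CUSTOMER.GUA1", frozenset({"CUSTOMER"}))
    gua1 = {m: "$CUSTOMER.GUA1" for m in ("read", "write", "exec")}
    c.files["$CUSTOMER.MY-OWN"] = File("$CUSTOMER.MY-OWN", "CUSTOMER", dict(gua1))
    c.files["$CUSTOMER.TSOS-ACC-RESTRICTED"] = File("$CUSTOMER.TSOS-ACC-RESTRICTED", "CUSTOMER", dict(gua1))
    c.files["$CUSTOMER.TSOS-ERROR"] = File("$CUSTOMER.TSOS-ERROR", "CUSTOMER", {})  # guard link forgotten
    c.rule_containers["CUSTOMER"] = [CoownerRule("TSOS-ACC-RESTRICTED", "*restricted"),
                                     CoownerRule("TSOS-ERROR", "*restricted")]
    return c


def tsos_attempts(c: Catalog) -> Dict[str, str]:
    """The kinds of TSOS attempt from the example, replayed per file."""
    out: Dict[str, str] = {}
    for name in sorted(c.files):
        out[f"{name} show-file"] = c.data_access(TSOS, name, "read")
        out[f"{name} modify-file-attributes"] = c.coowner_access(TSOS, name)
        out[f"{name} copy-file ignore-protection"] = c.data_access(TSOS, name, "read", True)
        out[f"{name} delete-file ignore-protection"] = c.data_access(TSOS, name, "write", True)
    return out


if __name__ == "__main__":
    cat = build_example()
    for attempt, verdict in tsos_attempts(cat).items():
        print(f"{attempt:62} {verdict}")
    print("restricted but unguarded:", unguarded_restricted_files(cat))
```

Running the block prints one verdict per attempt; the last line is the finding that matters operationally: a co-owner rule with TSOS-ACCESS=*RESTRICTED on its own only blocks attribute changes, so `unguarded_restricted_files` reports $CUSTOMER.TSOS-ERROR as a file whose contents TSOS can still read, copy and delete.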