The examples shown here are valid for user IDs with the group administrator privilege, but not for the global user administrator.
Rules for managing those elements of the group potential that are not subject to booking (offset)
The group potential of an existing or new user group must always be less than or at the most equal to the group potential of its superordinate user group. As long as this rule is observed, the group administrator is free to modify any group potential, even those previously defined by a global user administrator.
The values defined in the group potential of a user group are maximum values valid for this user group and its subordinate group structure. Consequently, any definition of a subgroup’s potential which exceeds the prevailing maximum values will be rejected. In this case, a message is output to the group administrator indicating the user group (and its group potential) responsible for the rejection.
The group administrator is authorized to assign the group potential defined for his user group to the members of that group and/or its subordinate group structure.
Group members or subgroups cannot be assigned any group syntax files or account numbers that are not contained in the group potential of their user group.
If a global user administrator modifies the group syntax files or account numbers for a user group or assigns it new group syntax files or account numbers that are not or not completely contained in the group potential of its superordinate group, the group administrator can only delete these from the group potential or modify them in accordance with the group potential of the superordinate group. Any such deletion cannot be rescinded unless permitted by the group potential of the superordinate group.
A user ID/user group which is reassigned to another group or superordinate group by the group administrator retains its general user rights/group potential provided they are less than or at the most equal to the group potential of the user group to which the user ID/user group is reassigned. Otherwise, the group potentials must be modified accordingly prior to reassignment. This also applies to the general user rights of a user ID and the group potential of a user group that had previously been assigned by a global user administrator.
A user ID/user group which is reassigned to another group/superordinate group by a global user administrator always retains its general user rights/group potential.
User ID BIGCHIEF is the group administrator of the group SOFTWARE. The group SYSTEMSW is created below the group SOFTWARE.
Creation of system software also involves the creation of the related manuals (group MANUALS) and the translation of these manuals (group TRANSLAT) - an activity which is controlled by members of the group MANUALS. The potential of group TRANSLAT must be adjusted to match the varying amounts of text to be translated when, for example, a new version of the operating system is produced. A further task is setting up user IDs for new users (in this case the user ID EVAPRINT).
Group administrator BIGCHIEF creates the user group SYSTEMSW
SHOW-USER-GROUP INFORMATION = *ALL                        2018-03-05 10:34:18
------------------------------------------------------------------------------
GROUP-IDENTIFICATION    SYSTEMSW         PUBSET                 X
GROUP-ADMINISTRATOR     *NONE            ADM-AUTHORITY          *MANAGE-GROUPS
USER-GROUP-PREFIX       *ANY             GROUP-MEMBER-PREFIX    *ANY
UPPER-GROUP             SOFTWARE
MAX-SUB-GROUPS...
 LIMIT GROUP-HIERARCHY  50               LIMIT USER-ADM         0
 FREE GROUP-HIERARCHY   50               FREE USER-ADM          0
MAX-GROUP-MEMBERS...
 LIMIT GROUP-HIERARCHY  50               LIMIT USER-ADM         0
 FREE GROUP-HIERARCHY   50               FREE USER-ADM          0
TEST-OPTIONS...
 MODIFICATION           *CONTROLLED
 READ-PRIVILEGE         1                WRITE-PRIVILEGE        1
PUBLIC-SPACE-EXCESS     *ALLOWED         PUBLIC-SPACE-LIMIT     2.147.483.647
RESIDENT-PAGES          32.767           ADDRESS-SPACE-LIMIT    16
FILE-AUDIT              *NO              CSTMP-MACRO            *NO
MAX-ACCOUNT-RECORDS     100              TAPE-ACCESS            *STD
TEMP-SPACE-LIMIT        2.147.483.647    DMS-TUNING-RESOURCES   *NONE
FILE-NUMBER-LIMIT       16.777.215       JV-NUMBER-LIMIT        16.777.215
WORK-SPACE-LIMIT        2.147.483.647    PHYSICAL-ALLOCATION    *NOT-ALLOWED
HARDWARE-AUDIT          *ALLOWED         CRYPTO-SESSION-LIMIT   128
LINKAGE-AUDIT           *ALLOWED         NET-STORAGE-USAGE      *ALLOWED
BASIC-ACL-ACCESS        *BY-GROUP-ONLY
PROFILE-IDS             PRO1 PRO2
+--------+--------------+--------+--------+------------+-------+------+------+
!ACCNT-NB! CPU-LIMIT    !SPOOLOUT!MAX-RUN-!MAX-ALLOWED-!NO-CPU-!START-!INHIB-!
!        !              ! CLASS  !PRIORITY!  CATEGORY  ! LIMIT !IMMED !DEACT !
+--------+--------------+--------+--------+------------+-------+------+------+
!ACC1    ! 2.147.483.647!    0   !  255   !    *STD    !  *NO  ! *NO  ! *NO  !
!ACC2    ! 2.147.483.647!    0   !  255   !    *STD    !  *NO  ! *NO  ! *NO  !
+--------+--------------+--------+--------+------------+-------+------+------+
NO SUB-GROUP SPECIFIED
NO GROUP-MEMBER SPECIFIED
------------------------------------------------------------------------------
SHOW-USER-GROUP INFORMATION = *ALL                             END OF DISPLAY
Figure 7: Sample configuration with group SYSTEMSW
Group administrator BIGCHIEF creates the group MANUALS as a subgroup of the group SYSTEMSW
SHOW-USER-GROUP INFORMATION = *ALL                        2018-03-05 10:54:04
------------------------------------------------------------------------------
GROUP-IDENTIFICATION    MANUALS          PUBSET                 X
GROUP-ADMINISTRATOR     *NONE            ADM-AUTHORITY          *MANAGE-MEMBERS
USER-GROUP-PREFIX       *ANY             GROUP-MEMBER-PREFIX    *ANY
UPPER-GROUP             SYSTEMSW
MAX-SUB-GROUPS...
 LIMIT GROUP-HIERARCHY  5                LIMIT USER-ADM         0
 FREE GROUP-HIERARCHY   5                FREE USER-ADM          0
MAX-GROUP-MEMBERS...
 LIMIT GROUP-HIERARCHY  5                LIMIT USER-ADM         0
 FREE GROUP-HIERARCHY   5                FREE USER-ADM          0
TEST-OPTIONS...
 MODIFICATION           *CONTROLLED
 READ-PRIVILEGE         1                WRITE-PRIVILEGE        1
PUBLIC-SPACE-EXCESS     *NO              PUBLIC-SPACE-LIMIT     2.147.483.647
RESIDENT-PAGES          32.767           ADDRESS-SPACE-LIMIT    16
FILE-AUDIT              *NO              CSTMP-MACRO            *NO
MAX-ACCOUNT-RECORDS     100              TAPE-ACCESS            *STD
TEMP-SPACE-LIMIT        2.147.483.647    DMS-TUNING-RESOURCES   *NONE
FILE-NUMBER-LIMIT       16.777.215       JV-NUMBER-LIMIT        16.777.215
WORK-SPACE-LIMIT        2.147.483.647    PHYSICAL-ALLOCATION    *NOT-ALLOWED
HARDWARE-AUDIT          *ALLOWED         CRYPTO-SESSION-LIMIT   128
LINKAGE-AUDIT           *ALLOWED         NET-STORAGE-USAGE      *ALLOWED
BASIC-ACL-ACCESS        *BY-GROUP-ONLY
PROFILE-IDS             PRO1 PRO2
+--------+--------------+--------+--------+------------+-------+------+------+
!ACCNT-NB! CPU-LIMIT    !SPOOLOUT!MAX-RUN-!MAX-ALLOWED-!NO-CPU-!START-!INHIB-!
!        !              ! CLASS  !PRIORITY!  CATEGORY  ! LIMIT !IMMED !DEACT !
+--------+--------------+--------+--------+------------+-------+------+------+
!ACC1    ! 2.147.483.647!    0   !  255   !    *STD    !  *NO  ! *NO  ! *NO  !
!ACC2    ! 2.147.483.647!    0   !  255   !    *STD    !  *NO  ! *NO  ! *NO  !
+--------+--------------+--------+--------+------------+-------+------+------+
NO SUB-GROUP SPECIFIED
NO GROUP-MEMBER SPECIFIED
------------------------------------------------------------------------------
SHOW-USER-GROUP INFORMATION = *ALL                             END OF DISPLAY
Figure 8: Configuration after creation of group MANUALS
Group administrator BIGCHIEF creates the group TRANSLAT as a subgroup of the group MANUALS
SHOW-USER-GROUP INFORMATION = *ALL                        2018-03-05 10:56:57
------------------------------------------------------------------------------
GROUP-IDENTIFICATION    TRANSLAT         PUBSET                 X
GROUP-ADMINISTRATOR     *NONE            ADM-AUTHORITY          *MANAGE-MEMBERS
USER-GROUP-PREFIX       *ANY             GROUP-MEMBER-PREFIX    *ANY
UPPER-GROUP             MANUALS
MAX-SUB-GROUPS...
 LIMIT GROUP-HIERARCHY  0                LIMIT USER-ADM         0
 FREE GROUP-HIERARCHY   0                FREE USER-ADM          0
MAX-GROUP-MEMBERS...
 LIMIT GROUP-HIERARCHY  0                LIMIT USER-ADM         0
 FREE GROUP-HIERARCHY   0                FREE USER-ADM          0
TEST-OPTIONS...
 MODIFICATION           *CONTROLLED
 READ-PRIVILEGE         1                WRITE-PRIVILEGE        1
PUBLIC-SPACE-EXCESS     *NO              PUBLIC-SPACE-LIMIT     2.147.483.647
RESIDENT-PAGES          32.767           ADDRESS-SPACE-LIMIT    16
FILE-AUDIT              *NO              CSTMP-MACRO            *NO
MAX-ACCOUNT-RECORDS     100              TAPE-ACCESS            *STD
TEMP-SPACE-LIMIT        2.147.483.647    DMS-TUNING-RESOURCES   *NONE
FILE-NUMBER-LIMIT       16.777.215       JV-NUMBER-LIMIT        16.777.215
WORK-SPACE-LIMIT        2.147.483.647    PHYSICAL-ALLOCATION    *NOT-ALLOWED
HARDWARE-AUDIT          *ALLOWED         CRYPTO-SESSION-LIMIT   128
LINKAGE-AUDIT           *ALLOWED         NET-STORAGE-USAGE      *ALLOWED
BASIC-ACL-ACCESS        *BY-GROUP-ONLY
PROFILE-IDS             PRO1 PRO2
+--------+--------------+--------+--------+------------+-------+------+------+
!ACCNT-NB! CPU-LIMIT    !SPOOLOUT!MAX-RUN-!MAX-ALLOWED-!NO-CPU-!START-!INHIB-!
!        !              ! CLASS  !PRIORITY!  CATEGORY  ! LIMIT !IMMED !DEACT !
+--------+--------------+--------+--------+------------+-------+------+------+
!ACC1    ! 2.147.483.647!    0   !  255   !    *STD    !  *NO  ! *NO  ! *NO  !
!ACC2    ! 2.147.483.647!    0   !  255   !    *STD    !  *NO  ! *NO  ! *NO  !
+--------+--------------+--------+--------+------------+-------+------+------+
NO SUB-GROUP SPECIFIED
NO GROUP-MEMBER SPECIFIED
------------------------------------------------------------------------------
SHOW-USER-GROUP INFORMATION = *ALL                             END OF DISPLAY
Figure 9: Configuration after creation of the group TRANSLAT
The global user administrator changes the potential of the group TRANSLAT
SHOW-USER-GROUP INFORMATION = *ALL                        2018-03-05 11:01:04
------------------------------------------------------------------------------
GROUP-IDENTIFICATION    TRANSLAT         PUBSET                 X
GROUP-ADMINISTRATOR     *NONE            ADM-AUTHORITY          *MANAGE-MEMBERS
USER-GROUP-PREFIX       *ANY             GROUP-MEMBER-PREFIX    *ANY
UPPER-GROUP             MANUALS
MAX-SUB-GROUPS...
 LIMIT GROUP-HIERARCHY  0                LIMIT USER-ADM         0
 FREE GROUP-HIERARCHY   0                FREE USER-ADM          0
MAX-GROUP-MEMBERS...
 LIMIT GROUP-HIERARCHY  0                LIMIT USER-ADM         0
 FREE GROUP-HIERARCHY   0                FREE USER-ADM          0
TEST-OPTIONS...
 MODIFICATION           *CONTROLLED
 READ-PRIVILEGE         1                WRITE-PRIVILEGE        1
PUBLIC-SPACE-EXCESS     *ALLOWED         PUBLIC-SPACE-LIMIT     2.147.483.647
RESIDENT-PAGES          32.767           ADDRESS-SPACE-LIMIT    32
FILE-AUDIT              *YES             CSTMP-MACRO            *NO
MAX-ACCOUNT-RECORDS     200              TAPE-ACCESS            *STD
TEMP-SPACE-LIMIT        2.147.483.647    DMS-TUNING-RESOURCES   *NONE
FILE-NUMBER-LIMIT       16.777.215       JV-NUMBER-LIMIT        16.777.215
WORK-SPACE-LIMIT        2.147.483.647    PHYSICAL-ALLOCATION    *NOT-ALLOWED
HARDWARE-AUDIT          *ALLOWED         CRYPTO-SESSION-LIMIT   128
LINKAGE-AUDIT           *ALLOWED         NET-STORAGE-USAGE      *ALLOWED
BASIC-ACL-ACCESS        *BY-GROUP-ONLY
PROFILE-IDS             PRO1 PRO2 PRO3
+--------+--------------+--------+--------+------------+-------+------+------+
!ACCNT-NB! CPU-LIMIT    !SPOOLOUT!MAX-RUN-!MAX-ALLOWED-!NO-CPU-!START-!INHIB-!
!        !              ! CLASS  !PRIORITY!  CATEGORY  ! LIMIT !IMMED !DEACT !
+--------+--------------+--------+--------+------------+-------+------+------+
!ACC1    ! 2.147.483.647!    0   !  255   !    *STD    !  *NO  ! *NO  ! *NO  !
!ACC2    ! 2.147.483.647!    0   !  255   !    *STD    !  *NO  ! *NO  ! *NO  !
!ACC3    ! 2.147.483.647!    0   !  255   !    *STD    !  *NO  ! *NO  ! *NO  !
+--------+--------------+--------+--------+------------+-------+------+------+
NO SUB-GROUP SPECIFIED
NO GROUP-MEMBER SPECIFIED
------------------------------------------------------------------------------
SHOW-USER-GROUP INFORMATION = *ALL                             END OF DISPLAY
Group administrator BIGCHIEF reduces the potential of user group TRANSLAT
SHOW-USER-GROUP INFORMATION = *ALL                        2018-03-05 11:03:45
------------------------------------------------------------------------------
GROUP-IDENTIFICATION    TRANSLAT         PUBSET                 X
GROUP-ADMINISTRATOR     *NONE            ADM-AUTHORITY          *MANAGE-RESOURCES
USER-GROUP-PREFIX       *ANY             GROUP-MEMBER-PREFIX    *ANY
UPPER-GROUP             MANUALS
MAX-SUB-GROUPS...
 LIMIT GROUP-HIERARCHY  0                LIMIT USER-ADM         0
 FREE GROUP-HIERARCHY   0                FREE USER-ADM          0
MAX-GROUP-MEMBERS...
 LIMIT GROUP-HIERARCHY  0                LIMIT USER-ADM         0
 FREE GROUP-HIERARCHY   0                FREE USER-ADM          0
TEST-OPTIONS...
 MODIFICATION           *CONTROLLED
 READ-PRIVILEGE         1                WRITE-PRIVILEGE        1
PUBLIC-SPACE-EXCESS     *ALLOWED         PUBLIC-SPACE-LIMIT     2.147.483.647
RESIDENT-PAGES          32.767           ADDRESS-SPACE-LIMIT    16
FILE-AUDIT              *NO              CSTMP-MACRO            *NO
MAX-ACCOUNT-RECORDS     100              TAPE-ACCESS            *STD
TEMP-SPACE-LIMIT        2.147.483.647    DMS-TUNING-RESOURCES   *NONE
FILE-NUMBER-LIMIT       16.777.215       JV-NUMBER-LIMIT        16.777.215
WORK-SPACE-LIMIT        2.147.483.647    PHYSICAL-ALLOCATION    *NOT-ALLOWED
HARDWARE-AUDIT          *ALLOWED         CRYPTO-SESSION-LIMIT   128
LINKAGE-AUDIT           *ALLOWED         NET-STORAGE-USAGE      *ALLOWED
BASIC-ACL-ACCESS        *BY-GROUP-ONLY
PROFILE-IDS             PRO1 PRO2
+--------+--------------+--------+--------+------------+-------+------+------+
!ACCNT-NB! CPU-LIMIT    !SPOOLOUT!MAX-RUN-!MAX-ALLOWED-!NO-CPU-!START-!INHIB-!
!        !              ! CLASS  !PRIORITY!  CATEGORY  ! LIMIT !IMMED !DEACT !
+--------+--------------+--------+--------+------------+-------+------+------+
!ACC1    ! 2.147.483.647!    0   !  255   !    *STD    !  *NO  ! *NO  ! *NO  !
!ACC2    ! 2.147.483.647!    0   !  255   !    *STD    !  *NO  ! *NO  ! *NO  !
+--------+--------------+--------+--------+------------+-------+------+------+
NO SUB-GROUP SPECIFIED
NO GROUP-MEMBER SPECIFIED
------------------------------------------------------------------------------
SHOW-USER-GROUP INFORMATION = *ALL                             END OF DISPLAY
Group administrator BIGCHIEF creates the user ID EVAPRINT in the group MANUALS
SHOW-USER-ATTRIBUTES --- PVS X - USER EVAPRINT            2018-03-05 11:06:17
------------------------------------------------------------------------------
USER-ID                 EVAPRINT         PUBLIC-SPACE-USED      0
GROUP-ID                MANUALS          PUBLIC-SPACE-LIMIT     16777215
DEFAULT-PUBSET          X                PUBLIC-SPACE-EXCESS    *NO
MAX-ACCOUNT-RECORDS     50               TEMP-SPACE-USED        0
DEFAULT-MSG-LANGUAGE                     TEMP-SPACE-LIMIT       2147483647
                                         FILES                  0
PROTECTION-ATTRIBUTES...                 FILE-NUMBER-LIMIT      16777215
 LOGON-PASSWORD         *NO              JOB-VARIABLES          0
 PASSWORD-MGMT          *BY-USER         JV-NUMBER-LIMIT        16777215
 TAPE-ACCESS            *STD             RESIDENT-PAGES         32767
FILE-AUDIT              *NO              ADDRESS-SPACE-LIMIT    16
DMS-TUNING-RESOURCES    *NONE            TEST-OPTIONS...
CSTMP-MACRO-ALLOWED     *NO               READ-PRIVILEGE        1
CODED-CHARACTER-SET     EDF03IRV          WRITE-PRIVILEGE       1
PHYSICAL-ALLOCATION     *NO               MODIFICATION          *CONTROLLED
USER-LOCKED             *NO              CRYPTO-SESSION-USED    0
AUDIT...                                 CRYPTO-SESSION-LIMIT   128
 HARDWARE-AUDIT         *ALLOWED         NET-STORAGE-USAGE      *ALLOWED
 LINKAGE-AUDIT          *ALLOWED         NET-CODED-CHAR-SET     *ISO
PROFILE-ID              PRO1             MAIL-ADDRESS           *NONE
+---------+-----------+---------+--------+------------+-------+------+------+
!ACCOUNT-#! CPU-LIMIT !SPOOLOUT-!MAX-RUN-!MAX-ALLOWED-!NO-CPU-!START-!INHIB-!
!         !           !  CLASS  !PRIORITY!  CATEGORY  ! LIMIT ! IMMED! DEACT!
+---------+-----------+---------+--------+------------+-------+------+------+
! ACC1    !      65535!    0    !  255   !    STD     !  NO   !  NO  !  NO  !
+---------+-----------+---------+--------+------------+-------+------+------+
DEFAULT-ACCOUNT-# FOR LOGON:        *NONE
DEFAULT-ACCOUNT-# FOR REMOTE-LOGIN: *NONE
DEFAULT-JOB-CLASS FOR BATCH-JOBS:   JC1B
DEFAULT-JOB-CLASS FOR DIALOG-JOBS:  JC1D
LIST OF JOB-CLASSES ALLOWED:        JC1B JC1D
------------------------------------------------------------------------------
SHOW-USER-ATTRIBUTES END OF DISPLAY FOR USER USER007 ON PUBSET X
SHOW-USER-GROUP INFORMATION = *ALL                        2018-03-05 11:06:51
------------------------------------------------------------------------------
GROUP-IDENTIFICATION    MANUALS          PUBSET                 X
GROUP-ADMINISTRATOR     *NONE            ADM-AUTHORITY          *MANAGE-MEMBERS
USER-GROUP-PREFIX       *ANY             GROUP-MEMBER-PREFIX    *ANY
UPPER-GROUP             SYSTEMSW
MAX-SUB-GROUPS...
 LIMIT GROUP-HIERARCHY  5                LIMIT USER-ADM         0
 FREE GROUP-HIERARCHY   4                FREE USER-ADM          0
MAX-GROUP-MEMBERS...
 LIMIT GROUP-HIERARCHY  5                LIMIT USER-ADM         0
 FREE GROUP-HIERARCHY   4                FREE USER-ADM          0
. . .
SUB-GROUPS              TRANSLAT
GROUP-MEMBERS           EVAPRINT
------------------------------------------------------------------------------
SHOW-USER-GROUP INFORMATION = *ALL                             END OF DISPLAY
Note
If the group administrator of user group SOFTWARE (user ID BIGCHIEF) wishes to change the value for PUBLIC-SPACE-EXCESS for user group SYSTEMSW from *ALLOWED to *NO, he must first set the corresponding value in the group potential of the subordinate user group TRANSLAT to *NO, since the change for user group SOFTWARE will otherwise be rejected.
Figure 10: Initial situation for further SRPM examples
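The rule that a subgroup's potential must not exceed that of its superordinate group, and the situation described in the Note, can be checked against the displayed values. The following Python code is an added example, not part of the manual or of SRPM; the Group class, the function names and the ordering *NO < *ALLOWED / *YES are assumptions, and the values are copied from the displays for SYSTEMSW, MANUALS and TRANSLAT.

```python
# Added example, not from the manual: audit a group tree against the rule that a
# subgroup's potential must not exceed that of its superordinate group.
from dataclasses import dataclass

# Assumption: ordering of symbolic values, lower rank = more restrictive.
RANK = {"*NO": 0, "*ALLOWED": 1, "*YES": 1}

@dataclass
class Group:                       # hypothetical data model
    name: str
    upper: str                     # UPPER-GROUP
    values: dict                   # single-valued elements of the group potential
    profile_ids: frozenset         # PROFILE-IDS
    accounts: frozenset            # ACCNT-NB column

def rank(value):
    return RANK[value] if isinstance(value, str) else value

def violations(groups):
    """Return (group, element, value) for every element exceeding the upper group."""
    found = []
    for g in groups.values():
        up = groups.get(g.upper)
        if up is None:             # upper group is outside the audited data
            continue
        for key, val in g.values.items():
            if rank(val) > rank(up.values[key]):
                found.append((g.name, key, val))
        for key, extra in (("PROFILE-IDS", g.profile_ids - up.profile_ids),
                           ("ACCNT-NB", g.accounts - up.accounts)):
            found.extend((g.name, key, item) for item in sorted(extra))
    return found

def blocks_lowering(groups, name, key, new_value):
    """Names of groups below `name` whose `key` value would exceed `new_value`."""
    blocking, frontier = [], [name]
    while frontier:
        parent = frontier.pop()
        for g in groups.values():
            if g.upper == parent:
                frontier.append(g.name)
                if rank(g.values[key]) > rank(new_value):
                    blocking.append(g.name)
    return sorted(blocking)

def vals(excess, address_space, file_audit, records):
    return {"PUBLIC-SPACE-EXCESS": excess, "ADDRESS-SPACE-LIMIT": address_space,
            "FILE-AUDIT": file_audit, "MAX-ACCOUNT-RECORDS": records}

# Values copied from the SHOW-USER-GROUP displays on this page.
P, A = frozenset({"PRO1", "PRO2"}), frozenset({"ACC1", "ACC2"})
SYSTEMSW = Group("SYSTEMSW", "SOFTWARE", vals("*ALLOWED", 16, "*NO", 100), P, A)
MANUALS = Group("MANUALS", "SYSTEMSW", vals("*NO", 16, "*NO", 100), P, A)
AFTER_GLOBAL = Group("TRANSLAT", "MANUALS", vals("*ALLOWED", 32, "*YES", 200),
                     P | {"PRO3"}, A | {"ACC3"})
AFTER_BIGCHIEF = Group("TRANSLAT", "MANUALS", vals("*ALLOWED", 16, "*NO", 100), P, A)

def tree(translat):
    return {g.name: g for g in (SYSTEMSW, MANUALS, translat)}

if __name__ == "__main__":
    print(violations(tree(AFTER_GLOBAL)), violations(tree(AFTER_BIGCHIEF)))
```

With the values displayed after BIGCHIEF's reduction, only PUBLIC-SPACE-EXCESS of TRANSLAT is still reported, and blocks_lowering names TRANSLAT as the group that blocks lowering the value for SYSTEMSW, as the Note describes.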
Rules for managing the group administrator privilege
The group administrator privilege is part of the group potential of a user group. Managing the group administrator privilege is subject to the same rules that govern the management of those elements of the group potential that are not subject to booking.
In accordance with the variant of the group administrator privilege defined for his user group, a group administrator may be authorized to designate, dismiss or modify other group administrators within the group structure subordinate to his group.
A group administrator is not authorized to dismiss himself or to designate another member of his own user group to replace him.
A group administrator is authorized to allocate resources and assign user rights to his own user ID in accordance with the group potential of his user group.
Rules for managing those elements of the group potential that are subject to booking
The elements MAX-SUB-GROUPS and MAX-GROUP-MEMBERS of a user group’s potential are offset (“booked”).
This means that:
on the one hand, the resources specified by means of the commands /ADD-USER-GROUP or /MODIFY-USER-GROUP and /ADD-USER or /MODIFY-USER are taken from a single source. The values specified for these two elements of the group potential are maximum quotas, i.e. the maximum allotment of resources available to a group administrator.
on the other hand, these resources may be allocated and released. A record is kept of these allocations/deallocations.
In view of the booking of group potentials, the mutual influence of the activities of group administrators and global user administrators must be taken into consideration:
Group administrators are bound by the maximum values defined for their group potential and by what is still available within the defined quota.
Global user administrators are not subject to any constraints with regard to a group potential.
Therefore, two separate accounts are kept, one of the administrative activities of the group administrator and another of the administrative activities of the global administrator.
The following principle applies to group potential booking:
The group potential assigned by a group administrator should be used up first.
The group potential assigned by a global user administrator should be left intact as long as possible or released as soon as possible.
Notes on the group potential elements MAX-GROUP-MEMBERS and MAX-SUB-GROUPS
Unless otherwise specified, the information supplied below on the values
LIMIT-GROUP-HIERARCHY
FREE-GROUP-HIERARCHY
LIMIT-USER-ADM
FREE-USER-ADM
refers to the two group potential elements MAX-GROUP-MEMBERS and MAX-SUB-GROUPS.
The value of LIMIT-GROUP-HIERARCHY denotes the group potential defined for a user group. It defines the scope of resources and rights the group administrator is authorized to manage by means of the commands /ADD-USER-GROUP and /MODIFY-USER-GROUP.
The value of LIMIT-USER-ADM denotes the group potential additionally made available to the user group by a global user administrator. It defines the scope of resources and rights managed by user administration by means of the commands /ADD-USER-GROUP and /MODIFY-USER-GROUP.
The total group potential which the group administrator has at his disposal is the sum of the values for LIMIT-GROUP-HIERARCHY and LIMIT-USER-ADM.
The total group potential currently available is denoted by the sum of the values of FREE-GROUP-HIERARCHY and FREE-USER-ADM. The values of FREE-GROUP-HIERARCHY and FREE-USER-ADM are always smaller than or at the most equal to the values of LIMIT-GROUP-HIERARCHY and LIMIT-USER-ADM. The values are equal when none of the group potentials is used up by any user IDs or subgroups, i.e. when the user group is empty.
When creating and managing user IDs and user groups, the group potential available to the group administrator is limited to the sum of these two values. No administrative activity that would result in this sum being exceeded can be performed.
Global user administrators may perform administrative activities which cause the sum of FREE-GROUP-HIERARCHY and FREE-USER-ADM to be exceeded as long as the value of FREE-USER-ADM is not negative. In this case, the resulting “system debt” is recorded as a negative value in FREE-USER-ADM. Even in the event of both group potentials being totally exhausted (FREE-USER-ADM=0, FREE-GROUP-HIERARCHY=0) or FREE-USER-ADM having a negative value, a global user administrator may still perform administrative activities that may further increase the system debt. Such a system debt can only be the result of activities performed by a global user administrator.
The value of FREE-GROUP-HIERARCHY is never negative.
When managing the group potential of a user group, FREE-GROUP-HIERARCHY is always used up first. FREE-USER-ADM is not accessed until FREE-GROUP-HIERARCHY has reached the value 0.
When new user IDs (group members) or subgroups are added to an existing user group (by means of either reassignment or creation) and assigned rights or resources from the group potential, the user group’s FREE-GROUP-HIERARCHY and FREE-USER-ADM values are reduced accordingly.
When subgroups or individual user IDs are removed from a user group (by means of either reassignment or deletion) or the group potential assigned to them is reduced, the group potential previously bound by them is released and returned to the (upper) group’s potential.
When group potential previously bound by individual user IDs or subgroups is returned or a user group’s potential is otherwise increased, FREE-GROUP-HIERARCHY is not increased until FREE-USER-ADM has been increased up to the value of LIMIT-USER-ADM.
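The booking rules above can be followed step by step in a small accounting model. The following Python code is an added example, not part of the manual or of SRPM; the class, method and function names are hypothetical, and LIMIT-USER-ADM = 2 in the walkthrough is a constructed value.

```python
# Added example, not from the manual: accounting model for one booked element
# (MAX-SUB-GROUPS or MAX-GROUP-MEMBERS). All names are hypothetical.


class BookedElement:
    def __init__(self, limit_group_hierarchy, limit_user_adm=0):
        self.limit_gh = limit_group_hierarchy   # LIMIT-GROUP-HIERARCHY
        self.limit_ua = limit_user_adm          # LIMIT-USER-ADM
        self.free_gh = limit_group_hierarchy    # FREE-GROUP-HIERARCHY, never negative
        self.free_ua = limit_user_adm           # FREE-USER-ADM, negative = system debt

    def book(self, n, global_admin=False):
        """Bind n units for new group members or subgroups."""
        if n < 1:
            raise ValueError("n must be positive")
        if not global_admin and n > self.free_gh + self.free_ua:
            raise PermissionError("exceeds FREE-GROUP-HIERARCHY + FREE-USER-ADM")
        from_gh = min(n, self.free_gh)          # FREE-GROUP-HIERARCHY is used up first
        self.free_gh -= from_gh
        self.free_ua -= n - from_gh             # only a global administrator gets below 0

    def release(self, n):
        """Return n units previously bound by members or subgroups."""
        bound = (self.limit_gh - self.free_gh) + (self.limit_ua - self.free_ua)
        if n < 1 or n > bound:
            raise ValueError("can only release what is bound")
        to_ua = min(n, self.limit_ua - self.free_ua)   # refill FREE-USER-ADM first
        self.free_ua += to_ua
        self.free_gh += n - to_ua

    def state(self):
        return (self.free_gh, self.free_ua)


def walkthrough():
    """(FREE-GROUP-HIERARCHY, FREE-USER-ADM) after each step, limits 5 and 2."""
    element, steps = BookedElement(5, 2), []
    element.book(6)                             # group administrator
    steps.append(element.state())
    try:
        element.book(2)                         # group administrator, only 1 unit left
    except PermissionError:
        steps.append("rejected")
    element.book(3, global_admin=True)          # global user administrator: system debt
    steps.append(element.state())
    element.release(4)                          # debt cleared, FREE-USER-ADM refilled
    steps.append(element.state())
    element.release(1)                          # now FREE-GROUP-HIERARCHY grows
    steps.append(element.state())
    return steps


if __name__ == "__main__":
    print(walkthrough())
```

BookedElement(5, 0) followed by book(1) reproduces the MAX-GROUP-MEMBERS values shown for MANUALS after EVAPRINT was created (FREE GROUP-HIERARCHY 4, FREE USER-ADM 0).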