This command writes an entry for a user group into the user catalog of the specified pubset.

ADD-USER-GROUP may be issued by the following:

• global user administrators at any time and for any groups; there are likewise no restrictions with regard to the definition of group potentials and group-specific limit values

• group administrators possessing the MANAGE-GROUPS privilege (ADM-AUTHORITY), in which case the command is valid only for the group structure subordinate to this group administrator.

For the command to be accepted, the global administrator issuing the command must be registered as such on the home pubset of the current BS2000 session, while the group administrator must be registered as such on the pubset specified via the PUBSET operand.

GROUP-IDENTIFICATION = <name 1..8>
Group ID of the group for which the entry is to be made in the user catalog of the pubset specified via the PUBSET operand. There are no reserved group IDs or group IDs with special rights (unlike user IDs, see the /ADD-USER command). A user group and a user ID may be assigned the same name.

PUBSET =
Pubset in whose user catalog the new group entry is to be made. If a user group is to be allowed to use more than one pubset, it must be entered in the JOIN file of each of these pubsets. If a group administrator is to be active as such on more than one pubset, a global user administrator or a superordinate group administrator has to register both the user group and the group administrator on each of the pubsets.

PUBSET = *HOME
The group entry is to be made in the user catalog of the home pubset.

PUBSET = <cat-id 1..4>
Catalog ID of the pubset in which the group entry is to be made. The command is rejected if the specified pubset is not active in the local system.

UPPER-GROUP =
User group of which the new user group is to be a subgroup. If the command is issued by a group administrator, the superordinate group must be a group of the substructure covered by his group administrator privilege. A global user administrator is authorized to attach the new group as a subgroup to any existing group.

UPPER-GROUP = *OWN
The new user group is to be a subgroup of the group of the group administrator issuing the ADD-USER-GROUP command. Even if the command-issuing user ID is a global user administrator, the new group is not automatically attached to the *UNIVERSAL group but to the user group of which the command-issuing user ID is a member.

UPPER-GROUP = *UNIVERSAL
This operand value permits a global user administrator or a group administrator of the *UNIVERSAL group to create a new user group at the highest level of the group structure. An /ADD-USER-GROUP command with UPPER-GROUP=*UNIVERSAL will be rejected if the command-issuing user ID is neither a global administrator nor the group administrator of the *UNIVERSAL group.

UPPER-GROUP = <name 1..8>
The new user group is attached as a subgroup to the specified user group. The superordinate group must already exist on the specified pubset.

GROUP-ADMINISTRATOR =
User ID designated as the group administrator. The user ID is assigned as a member of the user group. The command is rejected if the specified user ID is already the group administrator of another user group on the specified pubset. If the user ID is to be designated as the group administrator of the new group despite this prior allocation, the other user group must first be assigned a new group administrator (or *NONE).

If no group administrator is designated, the new user group is managed either by the group administrator of a superordinate user group equipped with the requisite group administrator privilege (see the ADM-AUTHORITY operand) or by a global user administrator.

The command is rejected if the user ID to be designated as the group administrator possesses the USER-ADMINISTRATION or SECURITY-ADMINISTRATION privilege, since the combination of functions ’group administrator + USER-ADMINISTRATION privilege’ or ’group administrator + SECURITY-ADMINISTRATION privilege’ is prohibited. The check to this effect is made against both the home pubset of the current session and the pubset specified via the PUBSET operand.

A warning is output if one of the function combinations described above occurs. The USER-ADMINISTRATION privilege is given priority during command processing.

GROUP-ADMINISTRATOR = *NONE
No group administrator is designated.

GROUP-ADMINISTRATOR = <name 1..8>
User ID of the group administrator. The user ID must have been entered on the appropriate pubset by means of an /ADD-USER command prior to its designation as group administrator.

ADD-GROUP-MEMBER =
The specified user IDs are assigned as members of this user group. Any existing membership of another user group is implicitly canceled. If the command-issuing user is a group administrator equipped with at least the MANAGE-GROUPS privilege, the user IDs must be part of the group structure that is subject to administration by this group administrator.

The list of user IDs specified here must not contain any group administrator of another user group.

ADD-GROUP-MEMBER = *NONE
No group members are assigned to this user group at this stage.

ADD-GROUP-MEMBER = list-poss(127): <name 1..8>
List of user IDs assigned as members of the current user group at this stage, if permitted in the MAX-GROUP-MEMBERS operand. To assign more than 127 additional group members, they must be assigned by subsequent /MODIFY-USER-GROUP commands. The user IDs must be part of the group structure that is subject to administration by the command-issuing user ID. None of the user IDs may be the group administrator of another group on the specified pubset or possess either of the privileges USER-ADMINISTRATION or SECURITY-ADMINISTRATION on the specified pubset or the home pubset.

ADM-AUTHORITY =
This defines the privilege assigned to the group administrator of the user group to be created.

ADM-AUTHORITY = *MANAGE-RESOURCES
The group administrator is authorized to manage the resources and rights of the individual user IDs which are members either of his own group or of any of its subgroups; he is not authorized to create or delete user IDs or to reassign them to another user group. The group administrator is authorized to manage the resources and rights of his own group or of any of its subgroups, but is not authorized to modify the group structure subject to his administration, i.e. he may neither create, reassign nor delete any user groups or group members.

ADM-AUTHORITY = *MANAGE-MEMBERS
The group administrator is authorized to create, delete or suspend/readmit (/LOCK-USER and /UNLOCK-USER) user IDs that are members of his own user group or any of its subgroups and to reassign them to another user group. The MANAGE-MEMBERS privilege automatically implies the MANAGE-RESOURCES variant.

ADM-AUTHORITY = *MANAGE-GROUPS
The group administrator is authorized to modify the group structure subordinate to his own group by creating or deleting user groups or changing their position within the group structure. The MANAGE-GROUPS privilege automatically implies the MANAGE-MEMBERS variant.

MAX-GROUP-MEMBERS =
This defines the maximum number of user IDs that may be assigned by the group administrator of this user group .

MAX-GROUP-MEMBERS = *STD
The user group must not be assigned any user IDs.

MAX-GROUP-MEMBERS = <integer 0..32767>
Maximum number of user IDs that may be assigned as members of this user group and any of its subgroups.

GROUP-MEMBER-PREFIX =
Specifies the prefix with which the names of group members must begin. Group administrators whose user group possesses the ADM-AUTHORITY MANAGE-MEMBERS may assign this prefix or any other prefix which forms a subset of this prefix to subgroups (SRPM, for example, is a subset of the prefix SRP.)

GROUP-MEMBER-PREFIX = *ANY
Any prefix is permitted.

GROUP-MEMBER-PREFIX = <name 1..7>
The prefix which must be used for group members.

MAX-SUB-GROUPS =
This defines the maximum number of user groups that may be assigned as subgroups of this user group and any of its subgroups.

MAX-SUB-GROUPS = *STD
The group administrator must not assign any user ID.

MAX-SUB-GROUPS = <integer 0..32767>
Maximum number of subgroups.

USER-GROUP-PREFIX =
Specifies the prefix with which the names of group members must begin. Group administrators whose user group possesses the ADM-AUTHORITY MANAGE-GROUPS may assign this prefix or any other prefix which forms a subset of this prefix to group members (SECOS, for example, is a subset of the prefix SEC.)

USER-GROUP-PREFIX = *ANY
Any prefix is permitted.

USER-GROUP-PREFIX = <name 1..7>
The prefix which must be used for subgroups.

PUBLIC-SPACE-LIMIT = *MAXIMUM / <integer 0..2147483647>
This specifies the maximum amount of storage space which a group administrator can assign to subgroups or group members. the user’s files are allowed to occupy on public volumes of the pubset assigned by means of the PUBSET operand.

PUBLIC-SPACE-LIMIT = *MAXIMUM
The group administrator may assign the full amount of storage space available, i.e. 2,147,483,647 PAM pages.

PUBLIC-SPACE-EXCESS =
This defines the group administrator’s authorization to allow individual members or subgroups to occupy more than the amount of space defined via the PUBLIC-SPACE-LIMIT operand.

PUBLIC-SPACE-EXCESS = *NO
The group administrator must not authorize individual members or subgroups to exceed the value specified via PUBLIC-SPACE-LIMIT.

PUBLIC-SPACE-EXCESS = *ALLOWED
The group administrator may authorize individual members or subgroups to exceed the value specified via PUBLIC-SPACE-LIMIT.

PUBLIC-SPACE-EXCESS = *TEMPORARILY-ALLOWED
The storage space limit may be exceeded providing the upper limit has not already been reached at LOGON time.

PUBLIC-SPACE-EXCESS = *YES
The group administrator may authorize the value specified via PUBLIC-SPACE-LIMIT to be exceeded.

FILE-NUMBER-LIMIT =
Specifies the maximum number of files which may be created. This or a lower value may be passed on to subgroups or group members.

FILE-NUMBER-LIMIT = *MAXIMUM
The maximum number of files is 16,777,215.

FILE-NUMBER-LIMIT = <integer 0..16777215>
Specifies the precise maximum possible number of catalog entries.

JV-NUMBER-LIMIT =
Specifies the maximum number of job variables which may be created. This or a lower value may be passed on to subgroups or group members.

JV-NUMBER-LIMIT = *MAXIMUM
The maximum number of job variables is 16,777,215.

JV-NUMBER-LIMIT = <integer 0..16777215>
Specifies the precise maximum possible number of job variables.

TEMP-SPACE-LIMIT =
Specifies the maximum amount of temporary storage space which may be occupied on the public volume specified in the operand PUBSET. This or a lower value may be passed on to subgroups or group members.

TEMP-SPACE-LIMIT = *MAXIMUM
The maximum group potential is is 2,147,483,647.

TEMP-SPACE-LIMIT = <integer 0..2147483647>
Specifies the precise group potential.

WORK-SPACE-LIMIT = *MAXIMUM / <integer 0..2147483647>
This defines the upper limit for the value which a group administrator may specify as the WORK-SPACE-LIMIT for a pubset for his/her subgroup or group members. Specification of this operand is meaningful only for an SM pubset.

WORK-SPACE-LIMIT = *MAXIMUM
The upper limit for the value which a group administrator may specify as the WORK-SPACE-LIMIT is to be set to 2147483647.

DMS-TUNING-RESOURCES =
Specifies which performance measures may be implemented and how they may be used. This authorization or a lower one may be passed on to subgroups or group members. The effects of the various performance measures are described in the section "Permissible performance measures for the home and data pubsets".

DMS-TUNING-RESOURCES = *NONE
No tuning measures may be implemented.

DMS-TUNING-RESOURCES = *CONCURRENT-USE
The user may reserve preferred resources, but must compete for these with all other users with the same authorization.

DMS-TUNING-RESOURCES = *EXCLUSIVE-USE
The user may exclusively reserve preferred resources.

Permissible performance measures for the home and data pubsets

TAPE-ACCESS =
This determines whether the group administrator is authorized to grant users any of the following TAPE-ACCESS rights (see the /ADD-USER and /MODIFY-USER-ATTRIBUTES commands).

TAPE-ACCESS = *STD
It is not permissible to ignore any error messages.

TAPE-ACCESS = *PRIVILEGED
Error messages referring to output files may be ignored.

TAPE-ACCESS = *READ
Error messages referring to input files may be ignored.

TAPE-ACCESS = *BYPASS-LABEL
Label checking may be deactivated for tapes processed in INPUT or REVERSE mode (implies TAPE-ACCESS=READ).

TAPE-ACCESS = *ALL
All error messages may be ignored (implies TAPE-ACCESS=*READ, TAPE-ACCESS=*PRIVILEGED and TAPE-ACCESS=*BYPASS-LABEL). The following rules apply when the group administrator specifies a specific value for the TAPE-ACCESS operand in a command that refers to a group member:

FILE-AUDIT =
This determines whether the group administrator is authorized to permit individual group members or subgroups to activate the AUDIT function.

FILE-AUDIT = *NO
The group administrator must not authorize group members or subgroups to activate the AUDIT function.

FILE-AUDIT = *YES
The group administrator may authorize group members or subgroups to activate the AUDIT function.

CSTMP-MACRO =
This determines whether the group administrator is authorized to grant group members or subgroups the right to use the CSTMP macro (see the /ADD-USER and /MODIFY-USER-ATTRIBUTES commands).

CSTMP-MACRO = *NO
The group administrator is not permitted to grant group members or subgroups the right to use the CSTMP macro.

CSTMP-MACRO = *YES
The group administrator may grant group members or subgroups the right to use the CSTMP macro.

RESIDENT-PAGES =
This determines whether resident pages of main memory may be used. The maximum value specified here (and the value specified for MODIFY-SYSTEM-BIAS) are used when checking the value specified via the operand RESIDENT-PAGES=*PARAMETERS (MINIMUM=<integer 0..2147483647>) of the LOAD-/START-EXECUTABLE-PROGRAM (resp. LOAD-/START-PROGRAM) command. This maximum value – or less – may be allocated to individual group members or subgroups.

RESIDENT-PAGES = *MAXIMUM
The maximum value is to be 2,147,483,647 memory-resident pages.

RESIDENT-PAGES = *STD
The user is not allowed to occupy any memory-resident pages (value 0).

ADDRESS-SPACE-LIMIT =
This defines the maximum size of the user address space available to this group (in megabytes). This maximum size – or less – may be allocated to individual group members or subgroups.

ADDRESS-SPACE-LIMIT = *STD
The value of the system parameter SYSGJASL is assigned (the system parameter SYSGJASL has the default value 16 MB, see the SHOW-SYSTEM-PARAMETERS command in the “Commands” manual [4]).

ADDRESS-SPACE-LIMIT = <integer 1..2147483647>
A value between 1 and 2,147,483,647 megabytes is assigned.

TEST-OPTIONS = *PARAMETERS(...)
This defines the potential test privilege assigned to this group. It is within the range of values specified here that the group administrator may assign test privileges to members of his own group or subordinate groups, i.e. the group administrator may grant individual group members of subgroups any read or write privilege that is equal to or less than the potential group privilege.

READ-PRIVILEGE =
Maximum read privilege.

READ-PRIVILEGE = *STD
The maximum read privilege has the value 1.

READ-PRIVILEGE = <integer 1..9>
Value of the maximum read privilege.

WRITE-PRIVILEGE =
Maximum write privilege.

WRITE-PRIVILEGE = *STD
The maximum write privilege has the value 1.

WRITE-PRIVILEGE = <integer 1..9>
Value of the maximum write privilege.

MODIFICATION =
This determines to what extent the group administrator is authorized to grant the MODIFICATION privilege.

MODIFICATION = *CONTROLLED
The group administrator may grant individual group members or subgroups the MODIFICATION privilege CONTROLLED only. He is not authorized to change the MODIFICATION privilege to UNCONTROLLED.

MODIFICATION = *UNCONTROLLED
The group administrator may grant individual group members or subgroups either of the MODIFICATION privileges CONTROLLED or UNCONTROLLED.

ADD-PROFILE-ID =
This defines a group potential of SDF profile IDs which the group administrator may assign to individual group members and subgroups.

ADD-PROFILE-ID = *NONE
The group is not assigned any potential of SDF profile IDs.

ADD-PROFILE-ID = list-poss(127): <structured-name 1..30>
Profile IDs of the group syntax files assigned as the group potential of this user group.

MAX-ACCOUNT-RECORDS =
This defines the group potential of rights with respect to the writing of user-specific accounting records. The values specified here determine the rights that the group administrator is authorized to assign to members of his own user group or of the subordinate group structure.

MAX-ACCOUNT-RECORDS = *STD
The user may write up to 100 user-specific accounting records per job or program to the accounting file. He is not authorized to write any accounting records of his own (i.e. with a freely selectable record ID).

MAX-ACCOUNT-RECORDS = *NO-LIMIT
No limit is defined for the number of user-specific accounting records or the user’s own accounting records (i.e. with a freely selectable record ID) which the user may write per job or program to the accounting file.

MAX-ACCOUNT-RECORDS = <integer 0..32767>
This specifies the maximum number of user-specific accounting records that the user may write per job or program to the accounting file. The user is not authorized to write any accounting records of his own (i.e. with a freely selectable record ID).

PHYSICAL-ALLOCATION = *NOT-ALLOWED / *ALLOWED
Specifies whether the group administrator can assign the right to use absolute storage space on the pubset (direct allocation) to group members or subgroups.

HARDWARE-AUDIT = *ALLOWED / *NOT-ALLOWED
Specifies whether the group administrator can assign the right to activate the hardware audit mode to group members or subgroups.

LINKAGE-AUDIT = *ALLOWED / *NOT-ALLOWED
Specifies whether the group administrator can assign the right to activate the linkage audit mode to group members or subgroups.

CRYPTO-SESSION-LIMIT = *STD / *MAXIMUM / <integer 0..32767>
Defines the maximum number of openCRYPT sessions within a BS2000 session that the group administrator may assign to group members or subgroups.

NET-STORAGE-USAGE = *ALLOWED / *NOT-ALLOWED
Specifies whether the group administrator can assign the right to use memory space on a Net-Storage volume to group members or subgroups.

ADD-ACCOUNT =
This defines the group’s potential of account numbers that may be allocated to group members or to the group potential of subgroups.

ADD-ACCOUNT = *NONE
The user group is not assigned any potential of account numbers.

ADD-ACCOUNT = list-poss(127): <alphanum-name 1..8>(...)
List of account numbers to be included in the group potential of this user group.

CPU-LIMIT =
This defines the group’s potential of CPU seconds that may be allocated to group members and subgroups. This means that group members may be allocated CPU time up to this limit for job execution under the specified account number.

CPU-LIMIT = *MAXIMUM
The group potential of CPU time is 2,147,483,647 seconds.

CPU-LIMIT = <integer 0..2147483647>
The specified number is the group potential of CPU time in seconds (maximum value for each group ID).

SPOOLOUT-CLASS =
This defines the highest spoolout class that may be assigned to individual group members or user groups. In this context, STD (=0) or 1 is the highest possible spoolout class and 255 the lowest.

SPOOLOUT-CLASS = *STD
The spoolout class with the value 0 is to be the highest permissible spoolout class.

SPOOLOUT-CLASS = <integer 1..255>
Value representing the highest permissible spoolout class.

MAXIMUM-RUN-PRIORITY =
This defines the maximum run priority to be included in the group potential; individual group members and subgroups may subsequently be assigned the specified run priority.

MAXIMUM-RUN-PRIORITY = *STD
Default value from the system parameter SYSGJPRI.

MAXIMUM-RUN-PRIORITY = <integer 30..255>
Maximum run priority.

MAX-ALLOWED-CATEGORY =
This defines the task attributes with which the user may work. Individual group members or subgroups may be assigned a subset of the task attributes defined here (SYSTEM includes STD and TP, TP includes STD).

MAX-ALLOWED-CATEGORY = *STD
Tasks under the specified account number must not work with the task attribute TP.

MAX-ALLOWED-CATEGORY = *TP
Tasks under the specified account number may use the task attribute TP.

MAX-ALLOWED-CATEGORY = *SYSTEM
Tasks under the specified account number may use the task attributes TP and SYS.

NO-CPU-LIMIT =
This determines whether the group administrator is authorized to assign individual group members or subgroups NO-CPU-LIMIT.

NO-CPU-LIMIT = *NO
Individual group members or subgroups must not be assigned NO-CPU-LIMIT.

NO-CPU-LIMIT = *YES
Individual group members or subgroups may be assigned NO-CPU-LIMIT.

START-IMMEDIATE =
This determines whether the group administrator is authorized to grant individual group members or subgroups the right to use the job express function.

START-IMMEDIATE = *NO
Neither individual group members nor subgroups may be granted the right to use the job express function.

START-IMMEDIATE = *YES
The right to use the job express function may be granted to both individual group members and subgroups.

INHIBIT-DEACTIVATION =
This determines whether the group administrator is authorized to grant group members or subgroups the right to make use of the deactivation inhibit function for jobs under this account number.

INHIBIT-DEACTIVATION = *NO
Individual group members or subgroups must not be granted the right to make use of the deactivation inhibit function for jobs under this account number.

INHIBIT-DEACTIVATION = *YES
Individual group members or subgroups may be granted the right to make use of the deactivation inhibit function for jobs under this account number.

BASIC-ACL-ACCESS =
Controls group access for files and job variables which are protected with BACL.

BASIC-ACL-ACCESS = *BY-GROUP-ONLY
When files and job variables which are protected by BACL are accessed, only the actual group membership itself is of relevance.

BASIC-ACL-ACCESS = *EXTENDED-BY-GUARD(...)
When files and job variables which are protected by BACL are accessed, certain users are treated as if they were group members.

GUARD-NAME = <filename 1...18 without-cat-gen-vers>
Name of the guard in which the access conditions are defined. If these conditions are satisfied for a user at the time access is attempted, then he or she has the same rights as a group member.

If the guard does not exist or cannot be accessed at the time access is attempted, then the condition is considered to be not satisfied.

The check of access rights to files and job variables which are protected by BACL is based on the group structure on the home pubset. The group administration guards must therefore also be stored on the home pubset for the current session. For this reason, the name of the guard must be specified without a catalog ID. If the name of the guard is specified without a user ID, then the guard is expected under the user ID under which the ADD-USER-GROUP command was called.

The group administrator is responsible for ensuring that the guard exists and can be accessed. It may therefore be necessary to create the guard under the group administrator’s user ID on the home pubset and set its SCOPE attribute for the group in question.

Command return codes