Domain: USER-ADMINISTRATION
Privileges: STD-PROCESSING, USER-ADMINISTRATION
This command serves to modify protection attributes already in effect for user IDs.
The following persons are authorized to issue this command:
global user administrators (i.e. users possessing the USER-ADMINISTRATION privilege) may issue this command with respect to all user IDs
group administrators possessing at least the MANAGE-MEMBERS privilege may issue this command with respect to user IDs which are members of their own user group or to any of its subgroups
Operands that are not specified are left unchanged (default value *UNCHANGED or *NONE).
The /MODIFY-LOGON-PROTECTION command serves to reactivate user IDs that have been suspended by the system because their expiration date has been reached, because they have been inactive or because the lifetime of a password has expired. In the first case, a new expiration date (i.e. one that lies in the future) must be specified, in the second case INACTIVITY-LIMIT=*RENEW and in the third case a new password must be defined.
MODIFY-LOGON-PROTECTION
The operand value *LOGON-DEFAULT means that the default setting defined with the /SET- or /MODIFY-LOGON-DEFAULTS command is taken over for the operand.
USER-IDENTIFICATION = <name 1..8>
User ID whose protection attributes are to be modified.
PUBSET = *HOME / <cat-id 1..4>
Pubset in whose user catalog the modifications are to be entered.
PUBSET = *HOME
The modifications are to be entered in the home pubset.
PUBSET = <cat-id 1..4>
The modifications are to be entered in the specified pubset.
EXPIRATION-DATE = *UNCHANGED / *LOGON-DEFAULT / *NONE / <date 8..10> / <integer 0..366>
The user ID will be suspended (“locked”) after the specified date, i.e. it will no longer be accessible via LOGON. The files cataloged under the user ID will be retained. During the period specified in the EXPIRATION-WARNING operand of the password, the user attempting LOGON receives message SRM3201 on SYSOUT.
EXPIRATION-DATE = *NONE
The user ID will not be suspended when a specific date is reached.
EXPIRATION-DATE = <date 8..10>
Expiration date of the user ID.
EXPIRATION-DATE = <integer 0..366>
Life of the user ID.
EXPIRATION-WARNING = *STD / *LOGON-DEFAULT / <integer 0..366>
This defines the period, in days, within which the user is warned before the user ID expiration date is exceeded. The default period is 28 days.
PASSWORD = *UNCHANGED / *PARAMETERS(...)
This serves to modify the password definitions.
PASSWORD = *PARAMETERS(...)
The password definitions are modified as specified.
LOGON-PASSWORD = *UNCHANGED / *NONE / *SECRET / <c-string 1..8> / <c-string 9..32> / <x-string 1..16>
Password to be entered by the user.
LOGON-PASSWORD = *NONE
Access via this user ID is not protected by a password.
LOGON-PASSWORD = *SECRET
Display of the requested password is to be suppressed. This operand value can be specified only in an unguided dialog. In a guided dialog (menu), there is always a blanked-out field provided for input of the password.
ENCRYPTION = *YES / *NO
This specifies whether the password is to be stored as entered or in encrypted form.
ENCRYPTION = *YES
The password is to be encrypted as defined in the system parameter ENCRYPT.
MANAGEMENT = *UNCHANGED / *LOGON-DEFAULT / *USER-CHANGE-ONLY / *BY-USER / *BY-ADMINISTRATOR
This determines who is to be authorized to manage the password and with what restrictions.
MANAGEMENT = *USER-CHANGE-ONLY
The user may define and modify the password but not delete it.
MANAGEMENT = *BY-USER
The user may define, modify and delete the password.
MANAGEMENT = *BY-ADMINISTRATOR
The password may only be modified via the system administration commands /MODIFY-USER-ATTRIBUTES and /MODIFY-LOGON-PROTECTION.
MINIMAL-LENGTH = *UNCHANGED / *LOGON-DEFAULT / *NONE / <integer 1..8>
This specifies the minimum length of a password to be entered by the user (as a number of characters).
MINIMAL-LENGTH = *NONE
No minimum length is defined. The maximum length for user-defined passwords is 8 characters.
MINIMAL-LENGTH = <integer 1..8>
This specifies the minimum length of a password to be entered by the user (as a number of characters). When this operand is used the password must end with a character other than a blank.
MINIMAL-COMPLEXITY = *UNCHANGED / *LOGON-DEFAULT / *NONE / <integer 1..4>
This specifies the minimum complexity of a password to be entered by the user.
MINIMAL-COMPLEXITY = *NONE
The complexity of user-defined passwords is entirely at the discretion of the user.
MINIMAL-COMPLEXITY = <integer 1..4>
There are four levels of complexity (each level implying all subordinate levels):
Level 1: No restrictions.
Level 2: The password must not contain more than two consecutive identical characters.
Level 3: The password must contain at least one letter and one digit.
Level 4: The password must contain at least one letter, one digit and one special character; blanks do not count as special characters.
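The following is an added example, not part of the manual: a Python model of the MINIMAL-LENGTH and MINIMAL-COMPLEXITY rules described above, usable offline to check a candidate password against a given setting before it is entered. The function names are our own, and the definition of a "special character" (anything that is neither a letter, a digit nor a blank) is an assumption, since the manual only states that blanks do not count.

```python
from typing import Optional


def check_minimal_length(password: str, minimal_length: Optional[int]) -> bool:
    """MINIMAL-LENGTH rule. None models *NONE (no lower bound); an integer
    1..8 requires at least that many characters and, as the manual states
    for this case, a last character other than a blank."""
    if minimal_length is None:
        return True
    if not 1 <= minimal_length <= 8:
        raise ValueError("MINIMAL-LENGTH must be *NONE or an integer 1..8")
    return len(password) >= minimal_length and not password.endswith(" ")


def longest_identical_run(s: str) -> int:
    """Length of the longest run of consecutive identical characters."""
    longest = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    return longest


def complexity_level(password: str) -> int:
    """Highest complexity level 1..4 the password satisfies; each level
    implies all lower levels, as in the manual's table."""
    if longest_identical_run(password) > 2:
        return 1                      # level 2 forbids more than two in a row
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        return 2                      # level 3 needs a letter and a digit
    # Assumption: a special character is anything that is neither a letter,
    # a digit nor a blank (the manual only says blanks do not count).
    has_special = any(not c.isalnum() and c != " " for c in password)
    return 4 if has_special else 3


def password_acceptable(password: str, minimal_length: Optional[int] = None,
                        minimal_complexity: Optional[int] = None) -> bool:
    """Combine both operands; None models *NONE for either of them."""
    if not check_minimal_length(password, minimal_length):
        return False
    if minimal_complexity is None:
        return True
    if not 1 <= minimal_complexity <= 4:
        raise ValueError("MINIMAL-COMPLEXITY must be *NONE or an integer 1..4")
    return complexity_level(password) >= minimal_complexity
```

A practitioner auditing a user ID's settings can feed the configured values straight into `password_acceptable`; note that level 2 is the one most often tripped by repeated characters such as `aaa`, even when letters, digits and special characters are all present.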
INITIAL-LIFETIME = *UNCHANGED / *LOGON-DEFAULT / *STD / *EXPIRED / <integer 0..366> / <date 8..10>
This defines the first lifetime cycle.
INITIAL-LIFETIME = *STD
The expiration date of the password is calculated from LIFETIME-INTERVAL.
INITIAL-LIFETIME = *EXPIRED
The entered logon password is identified as ‘expired’. The owner of the user ID must first declare a new logon password before being able to continue working under his/her user ID. For more detailed information, see the UNLOCK-EXPIRATION operand.
INITIAL-LIFETIME = <integer 0..366>
Life of the password.
INITIAL-LIFETIME = <date 8..10>
Expiration date of the password.
LIFETIME-INTERVAL = *UNCHANGED / *LOGON-DEFAULT / *UNLIMITED / <integer 1..366>(...)
This defines the intervals at which the user has to change the password. If the password is not changed within this period, the user ID is suspended. During the period specified in the EXPIRATION-WARNING operand of the password, the user receives message SRM3201 on SYSOUT every time he/she logs on.
LIFETIME-INTERVAL = *UNLIMITED
The user is not forced to change the password.
LIFETIME-INTERVAL = <integer 1..366>(...)
Interval at which the user has to change the password.
DIMENSION = *DAYS / *MONTHS
Unit of the specified value. When *MONTHS is specified, the maximum permissible value for ’integer’ is 12.
EXPIRATION-WARNING = *UNCHANGED / *LOGON-DEFAULT / *STD / <integer 0..366>
This defines the period, in days, within which the user is warned before the expiration date of the password is exceeded. The default period is 28 days.
UNLOCK-EXPIRATION = *UNCHANGED / *LOGON-DEFAULT / *BY-ADMINISTRATOR-ONLY / *BY-USER
Specifies who is authorized to replace an expired password with a new one.
UNLOCK-EXPIRATION = *BY-ADMINISTRATOR-ONLY
When the expiration date of the password is exceeded, the user ID is locked. System administration must enter a new logon password before the owner of the user ID can access the system again.
UNLOCK-EXPIRATION = *BY-USER
When the expiration date of the password is exceeded, the user enjoys restricted access in interactive mode following entry of the expired password. In this case, the user is only able to declare a new password or terminate the dialog.
PASSWORD-MEMORY = *UNCHANGED / *LOGON-DEFAULT / *NONE / *YES(...)
Specifies whether the old password is entered in a list when the password is changed. Passwords which are present in this list must not be assigned as a new password in the event of a password change. In addition, the frequency of password changes can be restricted.
PASSWORD-MEMORY = *NONE
No password list is created. If such a list already exists, it is deleted. The frequency with which passwords can be changed is not restricted.
PASSWORD-MEMORY = *YES(...)
A password list is created. In addition, a maximum is specified for the number of password modifications which may be performed during a defined period.
The operands PERIOD, CHANGES-PER-PERIOD and BLOCKING-TIME interact as follows:
PERIOD <= BLOCKING-TIME
CHANGES-PER-PERIOD <= (100 * PERIOD) / BLOCKING-TIME
PERIOD = <integer 1..32767>
Specifies a period during which a maximum number of password changes can be specified using the CHANGES-PER-PERIOD operand. The period is specified in days.
CHANGES-PER-PERIOD = <integer 1..100>
Specifies the maximum number of password changes permitted during the period specified using the PERIOD operand. Password changes to the password *NONE are disregarded by the counter.
BLOCKING-TIME = <integer 1..32767>
Specifies how long a password remains stored in the password list. The period is specified in days and starts with the day on which one password is replaced by another.
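As an added example (not code from the manual), the following Python model applies the two interaction rules for PERIOD, CHANGES-PER-PERIOD and BLOCKING-TIME and then simulates the password list itself: old passwords are remembered for BLOCKING-TIME days, reuse of a remembered password is refused, and at most CHANGES-PER-PERIOD counted changes are accepted within PERIOD days, with changes to *NONE left out of the count. The class and function names are our own; comparing passwords as plain strings is a simplification of whatever form the system stores them in.

```python
from datetime import date, timedelta
from typing import List, Optional, Tuple


def memory_parameters_valid(period: int, changes_per_period: int,
                            blocking_time: int) -> bool:
    """Range checks from the operand syntax plus the two interaction rules:
    PERIOD <= BLOCKING-TIME and
    CHANGES-PER-PERIOD <= (100 * PERIOD) / BLOCKING-TIME."""
    if not (1 <= period <= 32767 and 1 <= changes_per_period <= 100
            and 1 <= blocking_time <= 32767):
        return False
    if period > blocking_time:
        return False
    return changes_per_period <= (100 * period) / blocking_time


class PasswordMemory:
    """Model of the list kept under PASSWORD-MEMORY=*YES(...).  Entries are
    (old password, day it was replaced); an entry is forgotten once
    BLOCKING-TIME days have elapsed."""

    def __init__(self, period: int, changes_per_period: int, blocking_time: int):
        if not memory_parameters_valid(period, changes_per_period, blocking_time):
            raise ValueError("PERIOD/CHANGES-PER-PERIOD/BLOCKING-TIME violate the rules")
        self.period = period
        self.changes_per_period = changes_per_period
        self.blocking_time = blocking_time
        self._blocked: List[Tuple[str, date]] = []
        self._change_days: List[date] = []   # counted changes (not those to *NONE)

    def change_password(self, old: Optional[str], new: Optional[str],
                        today: date) -> bool:
        """Attempt a change on `today`; None models *NONE.  Returns True if
        the change is accepted."""
        # forget list entries whose blocking time has run out
        self._blocked = [(p, d) for p, d in self._blocked
                         if (today - d).days < self.blocking_time]
        # a password still in the list must not be assigned again
        if new is not None and any(p == new for p, _ in self._blocked):
            return False
        # at most CHANGES-PER-PERIOD counted changes within PERIOD days
        self._change_days = [d for d in self._change_days
                             if (today - d).days < self.period]
        if new is not None and len(self._change_days) >= self.changes_per_period:
            return False
        if old is not None:
            self._blocked.append((old, today))
        if new is not None:                  # changes to *NONE are not counted
            self._change_days.append(today)
        return True


def demo() -> List[bool]:
    """Constructed scenario: PERIOD=7, CHANGES-PER-PERIOD=2, BLOCKING-TIME=30."""
    mem = PasswordMemory(period=7, changes_per_period=2, blocking_time=30)
    d0 = date(2024, 1, 1)
    return [
        mem.change_password("first", "second", d0),                      # accepted
        mem.change_password("second", "third", d0 + timedelta(days=1)),  # accepted
        mem.change_password("third", "fourth", d0 + timedelta(days=2)),  # refused: 2 changes in 7 days
        mem.change_password("third", "first", d0 + timedelta(days=10)),  # refused: "first" still in list
        mem.change_password("third", "fourth", d0 + timedelta(days=10)), # accepted
        mem.change_password("fourth", "first", d0 + timedelta(days=31)), # accepted: "first" dropped after 30 days
    ]
```

The second rule is what keeps the list meaningful: with CHANGES-PER-PERIOD allowed to exceed 100 * PERIOD / BLOCKING-TIME, a user could cycle through enough passwords inside one blocking period to push an old favourite out of the list and reuse it.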
SUSPEND-ATTRIBUTES = *UNCHANGED / *LOGON-DEFAULT / *NONE / *YES(...)
Defines the attributes for suspension. Temporary locking of a user ID, or of the person using a user ID, after a number of failed access attempts can be defined locally for this user ID or globally in the default attributes.
SUSPEND-ATTRIBUTES = *NONE
No suspension takes place.
SUSPEND-ATTRIBUTES = *YES(...)
Defines the parameters for suspension.
COUNT = *UNCHANGED / *LOGON-DEFAULT / <integer 0..32767>
Number of failed access attempts which are permitted in the period defined using OBSERVE-TIME. Further failed access attempts result in suspension.
OBSERVE-TIME = *UNCHANGED / *LOGON-DEFAULT / <integer 0..32767> (...)
Period within which the number of failed access attempts specified with the COUNT operand must occur. The period begins with the first failed access attempt. If the observation period terminates without any suspension taking place, the count starts again with the next failed access attempt.
OBSERVE-TIME = <integer 0..32767> (...)
Specifies the observation period.
DIMENSION = *MINUTE / *HOUR
Time unit for the observation period.
SUSPEND-TIME = *UNCHANGED / *LOGON-DEFAULT / <integer 1..32767> (...) / *UNLIMITED
Defines the duration of the suspension. During the suspension a user is informed of the suspension with message SRM3208 or SRM3209 and possibly of its duration.
SUSPEND-TIME = <integer 1..32767> (...)
Duration of the suspension.
DIMENSION = *MINUTE / *HOUR
Time unit for the suspension.
SUSPEND-TIME = *UNLIMITED
The suspension is unlimited.
SUBJECT = *UNCHANGED / *LOGON-DEFAULT / *USER-IDENTIFICATION / *INITIATOR
Defines whether the user ID or person who undertook the access attempts should be suspended.
SUBJECT = *USER-IDENTIFICATION
The user ID is suspended.
This specification is not permitted for the TSOS system ID and the security administrator’s user ID and is rejected with the message SRM3672.
SUBJECT = *INITIATOR
The “person” who undertook the access attempts is suspended (see section "Locking terminals/user IDs after unsuccessful access attempts").
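The following Python model is an added example (not code from the manual) of how COUNT, OBSERVE-TIME and SUSPEND-TIME interact: COUNT failed attempts are tolerated within an observation period that starts with the first failure, the next failure suspends, an observation period that ends without suspension restarts the count, and a suspension either runs out after SUSPEND-TIME or, for *UNLIMITED, stays in force. Class and method names are our own; times are taken in minutes (DIMENSION=*MINUTE), and one instance tracks one subject, whichever SUBJECT setting selects it.

```python
from datetime import datetime, timedelta
from typing import Optional


class SuspendMonitor:
    """Model of SUSPEND-ATTRIBUTES=*YES(COUNT=..., OBSERVE-TIME=..., SUSPEND-TIME=...).
    suspend_minutes=None models SUSPEND-TIME=*UNLIMITED."""

    def __init__(self, count: int, observe_minutes: int,
                 suspend_minutes: Optional[int]):
        self.count = count
        self.observe = timedelta(minutes=observe_minutes)
        self.suspend = (None if suspend_minutes is None
                        else timedelta(minutes=suspend_minutes))
        self._window_start: Optional[datetime] = None   # first failure of the period
        self._failures = 0
        self._suspended = False
        self._suspended_until: Optional[datetime] = None

    def is_suspended(self, now: datetime) -> bool:
        if not self._suspended:
            return False
        if self.suspend is None:          # *UNLIMITED: the suspension does not run out
            return True
        if now < self._suspended_until:
            return True
        self._suspended = False           # SUSPEND-TIME has elapsed
        return False

    def failed_attempt(self, now: datetime) -> bool:
        """Record a failed access attempt at `now`.  Returns True if the
        subject is suspended after this attempt."""
        if self.is_suspended(now):
            return True
        if self._window_start is None or now - self._window_start >= self.observe:
            # no observation period running, or the previous one ended without
            # a suspension: the count starts again with this failed attempt
            self._window_start = now
            self._failures = 0
        self._failures += 1
        if self._failures > self.count:   # COUNT failures tolerated, the next one suspends
            self._suspended = True
            self._suspended_until = None if self.suspend is None else now + self.suspend
            self._window_start = None
            self._failures = 0
            return True
        return False
```

Running the model against a login record is a quick way to see what a given COUNT/OBSERVE-TIME pair actually tolerates; COUNT=0 means the very first failure suspends.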
INACTIVITY-LIMIT = *UNCHANGED / *LOGON-DEFAULT / *NONE / <integer 1..366> (...) / *RENEW
Specifies the inactivity limit, i.e. the time that may elapse after the last logon before the user ID is locked, or cancels an existing inactivity lock.
INACTIVITY-LIMIT = *NONE
Inactivity is not monitored.
INACTIVITY-LIMIT = <integer 1..366> (...)
Specifies the time until the lock becomes effective (inactivity limit).
This specification is not permitted for the system IDs and is rejected with the message SRM3673.
DIMENSION = *DAYS / *MONTHS
Time unit for the inactivity limit.
INACTIVITY-LIMIT = *RENEW
Takes the inactivity limit currently set and recalculates the date on which the user ID will be locked. As a result, an existing lock due to inactivity is canceled and the monitoring period begins anew.
DIALOG-ACCESS = *UNCHANGED / *LOGON-DEFAULT(...) / *NO / *YES(...)
This defines the system access control mechanisms which are to apply in interactive mode.
DIALOG-ACCESS = *NO
All access in interactive mode is prohibited.
DIALOG-ACCESS = *YES(...)
System access control mechanisms are to be enforced.
PASSWORD-CHECK = *UNCHANGED / *YES / *NO
This determines whether a password check is to be performed for system access in interactive mode.
REMOVE-TERMINALS =
List of data display terminals via which a LOGON is no longer possible in interactive mode. This operand is supported for reasons of compatibility. Control should preferably be exercised by means of the TERMINAL-SET operand.
REMOVE-TERMINALS = *NONE
No data display terminals are to be removed from the list of admitted terminals.
REMOVE-TERMINALS = *ALL
All data display terminals are to be removed from the list of admitted terminals.
REMOVE-TERMINALS = *PARAMETERS(...)
This explicitly lists the data display terminals to be removed from the list of admitted terminals. This specification cannot be made after admitting all terminals by means of ADD-TERMINALS=*ALL.
PROCESSOR = <name 1..8 with-wild-card>
BCAM name of the computer from which the connection to $DIALOG may be established (e.g. a PC running a data terminal emulation).
STATION = <name 1..8 with-wild-card>
Logical name of the data display terminal.
ADD-TERMINALS =
List of additional data display terminals (BCAM names) from which LOGON is permitted in interactive mode. This operand is supported for reasons of compatibility. Control should preferably be exercised by means of the operand TERMINAL-SET.
ADD-TERMINALS = *NONE
No additional data display terminals are to be admitted.
ADD-TERMINALS = *ALL
All data display terminals are admitted. Lists of specific terminals, if any, are deleted. ADD-TERMINALS=*ALL is permissible only in conjunction with REMOVE-TERMINALS=*NONE.
ADD-TERMINALS = *PARAMETERS(...)
This explicitly lists the data display terminals to be admitted.
PROCESSOR = <name 1..8 with-wild-card>
BCAM name of the computer from which the connection to $DIALOG may be established (e.g. a PC running a data terminal emulation).
STATION = <name 1..8 with-wild-card>
Logical name of the data display terminal.
TERMINAL-SET = *UNCHANGED / *NO-PROTECTION / *NONE / *EXCEPTION-LIST(...) / *MODIFY-LIST(...) / list-poss(48): <name 1..8>(...)
Specifies whether the user ID interactive mode access is protected with terminal sets.
TERMINAL-SET = *NO-PROTECTION
User ID protection by means of terminal sets is deactivated.
TERMINAL-SET = *NONE
An empty terminal set list is assigned to the user ID, i.e. no interactive mode access is permitted.
TERMINAL-SET = *EXCEPTION-LIST(...)
A negative terminal set list is assigned.
TERMINAL-SET = list-poss(48): <name 1..8>(...)
Interactive access is prohibited for the terminals with names which match the terminal names in the specified terminal sets.
The meaning of the subordinate operands is the same as for the operand TERMINAL-SET=list-poss(48): <name 1..8>(...) below.
TERMINAL-SET = *MODIFY-LIST(...)
Changes are made to an already defined terminal set list. This modification does not affect the positive or negative nature of the list.
REMOVE-TERMINAL-SETS =
Specifies terminal sets which are to be removed from the terminal set list for the user ID’s interactive access.
If no terminal set list has as yet been defined for the user ID’s interactive access, a warning is output and command execution continues. The same thing happens if one or more of the terminal sets specified for removal are not present in the list.
REMOVE-TERMINAL-SETS = *NONE
No terminal sets are removed from the terminal set list.
REMOVE-TERMINAL-SETS = *ALL
All the terminal sets are removed from the terminal set list.
REMOVE-TERMINAL-SETS = list-poss(48): <name 1..8>(...)
The terminal sets with the specified names are removed from the terminal set list.
The meaning of the subordinate operands is the same as for the operand TERMINAL-SET=list-poss(48): <name 1..8>(...) below.
ADD-TERMINAL-SETS =
Specifies terminal sets which are to be added to the terminal set list for the user ID’s interactive access.
If no terminal set list has as yet been defined for the user ID’s interactive access then a positive list is implicitly created. If one or more of the terminal sets that are to be added is already present in the list, a warning is issued.
ADD-TERMINAL-SETS = *NONE
No terminal sets are added to the defined terminal set list.
ADD-TERMINAL-SETS = *ALL
All the terminal sets are added to the terminal set list.
ADD-TERMINAL-SETS = list-poss(48): <name 1..8>(...)
The terminal sets with the specified names are added to the defined terminal set list.
The meaning of the subordinate operands is the same as for the TERMINAL-SET=list-poss(48): <name 1..8>(...) operand below.
TERMINAL-SET = list-poss(48): <name 1..8>(...)
A positive terminal set list is assigned. Interactive access is permitted for the terminals with names which match the terminal names in the specified terminal sets.
SCOPE =
Class of the terminal set name.
SCOPE = *STD
For global user administrators, this specification has the same effect as SCOPE=*SYSTEM.
For group administrators, this specification has the same effect as SCOPE=*GROUP(GROUP-ID= *OWN).
SCOPE = *USER
A terminal set owned by the user ID is assigned.
SCOPE = *GROUP
A terminal set owned by the group corresponding to the user ID is assigned.
SCOPE = *SYSTEM
A publicly owned terminal set is assigned.
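As an added example (not the manual's own code), the following Python model captures the terminal set list semantics described for the TERMINAL-SET operand: *NO-PROTECTION, an empty positive list (*NONE), a negative list (*EXCEPTION-LIST), and *MODIFY-LIST with its warnings and the implicit creation of a positive list when sets are added to a user ID that has none. The same model applies to the TERMINAL-SET operands of POSIX-RLOGIN-ACCESS and POSIX-REMOTE-ACCESS further down the page. The sample terminal sets are constructed; their contents (PROCESSOR/STATION patterns matched with fnmatch, with a station of *ANY matching every station), the processing order REMOVE before ADD, and all class and method names are assumptions of this example.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Sequence, Tuple, Union

# Constructed sample terminal sets: name -> entries of (PROCESSOR, STATION)
# patterns.  Assumption: entries use the with-wild-card naming of this page,
# matched here with fnmatch; a STATION of *ANY matches every station name.
TERMINAL_SETS: Dict[str, List[Tuple[str, str]]] = {
    "OFFICE": [("PCOFF*", "*")],
    "ADMIN":  [("HOST1", "ADM01"), ("HOST1", "ADM02")],
    "REMOTE": [("GW*", "*ANY")],
}

Names = Union[str, Sequence[str]]   # a list of set names, or the string "*ALL"


class TerminalSetProtection:
    """Terminal set list of one user ID for one access class.
    positive=None models *NO-PROTECTION; True a positive list (*NONE is an
    empty positive list); False a negative list (*EXCEPTION-LIST)."""

    def __init__(self) -> None:
        self.positive: Optional[bool] = None
        self.names: List[str] = []
        self.warnings: List[str] = []

    def no_protection(self) -> None:                           # TERMINAL-SET=*NO-PROTECTION
        self.positive, self.names = None, []

    def assign_positive(self, names: Sequence[str]) -> None:   # TERMINAL-SET=list / *NONE
        self.positive, self.names = True, list(names)

    def assign_exception(self, names: Sequence[str]) -> None:  # TERMINAL-SET=*EXCEPTION-LIST(...)
        self.positive, self.names = False, list(names)

    def modify(self, remove: Names = (), add: Names = ()) -> None:  # TERMINAL-SET=*MODIFY-LIST(...)
        """REMOVE-TERMINAL-SETS is processed before ADD-TERMINAL-SETS
        (assumed order); the positive/negative nature is never changed."""
        if remove:
            if self.positive is None:
                self.warnings.append("no terminal set list defined; nothing removed")
            elif remove == "*ALL":
                self.names = []
            else:
                for name in remove:
                    if name in self.names:
                        self.names.remove(name)
                    else:
                        self.warnings.append(f"{name} not in list; not removed")
        if add:
            if self.positive is None:
                self.positive = True          # a positive list is implicitly created
            to_add = list(TERMINAL_SETS) if add == "*ALL" else add
            for name in to_add:
                if name in self.names:
                    self.warnings.append(f"{name} already in list")
                else:
                    self.names.append(name)

    def access_permitted(self, processor: str, station: str) -> bool:
        """Positive list: permitted only on a match; negative list: prohibited
        on a match; no list: no terminal set protection at all."""
        if self.positive is None:
            return True
        matched = any(
            fnmatchcase(processor, proc) and (stat == "*ANY" or fnmatchcase(station, stat))
            for name in self.names for proc, stat in TERMINAL_SETS[name]
        )
        return matched if self.positive else not matched
```

The two empty-list cases are the ones worth remembering when reviewing a configuration: an empty positive list (TERMINAL-SET=*NONE) blocks every terminal, while an empty negative list (TERMINAL-SET=*EXCEPTION-LIST(TERMINAL-SET=*NONE)) blocks none.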
GUARD-NAME = *UNCHANGED / *NONE / <filename 1..18 without-cat-gen-vers>
Specifies whether interactive access to a user ID is protected by a guard.
GUARD-NAME = *NONE
Interactive access to a user ID is not protected by a guard.
GUARD-NAME = <filename 1..18 without-cat-gen-vers>
Access to the user ID is only permitted if the access conditions in the specified guard are fulfilled.
The protected user ID must be an authorized user of the specified guard. When the guard is evaluated, only the time conditions Date, Time and Weekday are considered. The user ID that has to be permitted as subject in the guard’s access condition depends on the operand PERSONAL-LOGON. If PERSONAL-LOGON=*NO applies, then the protected user ID is considered to be the subject of the access condition. If PERSONAL-LOGON=*YES applies, the subject is the personal user ID.
PERSONAL-LOGON = *UNCHANGED / *NO / *YES / *PRIVILEGED
Specifies whether a personal user ID is required alongside the logon user ID for interactive access.
PERSONAL-LOGON = *NO
Only the logon user ID is required.
PERSONAL-LOGON = *YES
A personal user ID is required in addition to the logon user ID.
PERSONAL-LOGON = *PRIVILEGED
A personal user ID is required in addition to the logon user ID.
In addition, the dialog task is assigned not only the privileges for the logon ID, but also those for the personal ID (except for TSOS, if available).
The specification for logging all events (AUDIT-SWITCH=*ON) is transferred from the settings of the SAT preselection for logging the personal user ID (USER-AUDITING) to the dialog task.
If the logon ID is group administrator and the personal ID user administrator, the dialog task takes over the role of the group administrator and is not assigned the USER-ADMINISTRATION privilege.
The system-internal SCI interface (Synchronous Console Interface) allows operator commands to be entered from a user task. Such operator commands fail with an error if they became valid commands only because the privileges of a personal user ID were inherited (e.g. several BCAM commands requiring the NET-ADMINISTRATION privilege).
The set union of the privileges can be displayed using the following command:
/SHOW-PRIVILEGE INFORMATION = *RUN-PRIVILEGE(...)
BATCH-ACCESS = *UNCHANGED / *LOGON-DEFAULT(...) / *NO / *YES(...)
This defines the system access control mechanisms to apply in batch mode.
BATCH-ACCESS = *NO
All access in batch mode is prohibited.
BATCH-ACCESS = *YES(...)
System access control mechanisms are to be enforced.
PASSWORD-CHECK = *UNCHANGED / *YES / *NO / *GUARD(...)
This determines whether a password check is to be performed for system access in batch mode.
PASSWORD-CHECK = *GUARD(...)
The right to start batch jobs without a password is administered using a guard.
GUARD-NAME = <filename 1..18 without-cat-gen-vers>
Batch jobs may be started without a password if the access conditions in the specified guard are fulfilled for the calling user ID.
The protected user ID must be an authorized user of the specified guard. It is necessary to distinguish between two cases for the evaluation of the guard:
If the batch job was requested in BS2000 then all the conditions are considered. The subject of the access condition is the user ID under which the ENTER-JOB command was issued.
If the batch job was requested under POSIX then only the time conditions Date, Time and Weekday are considered. The subject of the access condition is the protected user ID.
REMOVE-USER-ACCESS =
This determines the user IDs which are no longer to be allowed to start batch jobs under this user ID.
REMOVE-USER-ACCESS = *NONE
No modifications are made to the existing authorization status.
REMOVE-USER-ACCESS = *ALL
All user IDs from the existing list are removed.
REMOVE-USER-ACCESS = *OWNER
The user ID specified via USER-IDENTIFICATION is no longer allowed to start batch jobs.
REMOVE-USER-ACCESS = *GROUP
None of the user IDs in the group of the user ID specified via USER-IDENTIFICATION are allowed to start batch jobs under this user ID (with the exception of the one specified via USER-IDENTIFICATION itself).
REMOVE-USER-ACCESS = *OTHERS
None of the user IDs of the computer is allowed to start batch jobs under this user ID (with the exception of the user ID specified via USER-IDENTIFICATION and the members of its user group).
REMOVE-USER-ACCESS = *CONSOLE
No batch jobs may be started under this user ID by an operator who does not have a separate user ID.
REMOVE-USER-ACCESS = <name 1..8>
None of the user IDs in the specified list is allowed to start batch jobs under this user ID.
ADD-USER-ACCESS =
This specifies additional user IDs which are to be permitted to start batch jobs under this user ID.
ADD-USER-ACCESS = *NONE
No additional user IDs are defined.
ADD-USER-ACCESS = *ALL
All user IDs may start batch jobs. Lists of specific user IDs, if any, are deleted. ADD-USER-ACCESS=*ALL is permissible only in conjunction with REMOVE-USER-ACCESS=*NONE.
ADD-USER-ACCESS = *OWNER
The user ID specified via USER-IDENTIFICATION may start batch jobs.
ADD-USER-ACCESS = *GROUP
All user IDs which are members of the same group as the user ID specified via USER-IDENTIFICATION may start batch jobs under this user ID, with the exception of the one specified via USER-IDENTIFICATION itself.
ADD-USER-ACCESS = *OTHERS
All user IDs of the same computer as the user ID specified via USER-IDENTIFICATION may start batch jobs under this user ID, but not the user ID itself or the members of its user group.
ADD-USER-ACCESS = *CONSOLE
Batch jobs may be started under this user ID by an operator who does not have a separate user ID.
ADD-USER-ACCESS = <name 1..8>
All user IDs of the specified list may start batch jobs under this user ID.
GUARD-NAME = *UNCHANGED / *NONE / <filename 1..18 without-cat-gen-vers>
Specifies whether batch access to a user ID is protected by a guard.
GUARD-NAME = *NONE
Batch access to the user ID is not protected by a guard.
GUARD-NAME = <filename 1..18 without-cat-gen-vers>
Batch access to the user ID is only permitted if the access conditions in the specified guard are fulfilled for the calling user ID.
The protected user ID must be an authorized user of the specified guard. It is necessary to distinguish between two cases for the evaluation of the guard:
If the batch job was requested in BS2000 then all the conditions are considered. The subject of the access condition is the user ID under which the ENTER-JOB command was issued.
If the batch job was requested under POSIX then only the time conditions Date, Time and Weekday are considered. The subject of the access condition is the protected user ID.
OPERATOR-ACCESS-TERM = *UNCHANGED / *LOGON-DEFAULT(...) / *YES(...) / *NO
Defines the authentication methods to be used for interactive partners in operator mode. Details of the operator authentication facilities are provided in the “Introduction to System Administration” [2].
OPERATOR-ACCESS-TERM = *YES(...)
Specifies that access checks are to be executed.
PASSWORD-CHECK = *UNCHANGED / *YES / *NO
Specifies whether password checking is to be executed in the dialog.
OPERATOR-ACCESS-TERM = *NO
Operator mode is not permitted for this user ID.
OPERATOR-ACCESS-PROG = *UNCHANGED / *LOGON-DEFAULT(...) / *YES(...) / *NO
Defines the authentication methods which are to apply to programmed operators (PROP-XT). Details of the operator authentication facilities are provided in the “Introduction to System Administration” [2].
OPERATOR-ACCESS-PROG = *YES(...)
PASSWORD-CHECK = *UNCHANGED / *YES / *NO
Specifies whether or not a password check is to be performed for the specified operator.
OPERATOR-ACCESS-PROG = *NO
The access class OPERATOR-ACCESS-PROGRAM is locked for the programmed operator.
OPERATOR-ACCESS-CONS = *UNCHANGED / *LOGON-DEFAULT(...) / *YES(...) / *NO
Determines whether access to the physical console is permitted in incompatible mode under this user ID.
OPERATOR-ACCESS-CONS = *YES(...)
Console access is permitted.
PASSWORD-CHECK = *UNCHANGED / *YES / *NO
Specifies whether or not a password check is performed on console access.
OPERATOR-ACCESS-CONS = *NO
No console access is possible.
POSIX-RLOGIN-ACCESS = *UNCHANGED / *LOGON-DEFAULT(...) / *YES(...) / *NO
The access class attributes for POSIX remote login can be defined.
POSIX-RLOGIN-ACCESS = *YES(...)
The BS2000 user ID is open for system access via POSIX remote login.
PASSWORD-CHECK = *UNCHANGED / *YES / *NO
Specifies whether or not a password check is performed on access via POSIX remote login.
TERMINAL-SET = *UNCHANGED / *NO-PROTECTION / *NONE / *EXCEPTION-LIST(...) / *MODIFY-LIST(...) / list-poss(48): <name 1..8>(...)
Specifies whether the user ID is protected with terminal sets for access via POSIX remote login. Only the processor name of the UNIX client can be specified in the corresponding terminal set entry; the station name should therefore be given as *ANY.
TERMINAL-SET = *NO-PROTECTION
The user ID is not protected with terminal sets.
TERMINAL-SET = *NONE
The user ID is assigned to an empty terminal set for POSIX remote login, i.e. no POSIX remote login is permitted.
TERMINAL-SET = *EXCEPTION-LIST(...)
A negative list of terminal sets is assigned.
TERMINAL-SET = *NONE
The negative list is empty, i.e. there is no restriction to POSIX remote login.
TERMINAL-SET = list-poss(48): <name 1..8>(...)
Access via POSIX remote login is prohibited for the UNIX clients with names corresponding to the terminal names in the specified terminal sets.
The meaning of the subordinate operands is the same as for the TERMINAL-SET=list-poss(48): <name 1..8>(...) operand below.
TERMINAL-SET = *MODIFY-LIST(...)
Changes are made to an already defined terminal set list. The modification has no effect on whether the list is a positive or negative list.
REMOVE-TERMINAL-SETS =
Specifies the terminal sets that are to be removed from the list of terminal sets for the user ID’s POSIX remote login access.
If no terminal set list has as yet been defined for the user ID’s POSIX remote login access, a warning is output and command execution continues. The same thing happens if one or more of the terminal sets specified for removal are not present in the list.
REMOVE-TERMINAL-SETS = *NONE
No terminal sets are removed from the terminal set list.
REMOVE-TERMINAL-SETS = *ALL
All the terminal sets are removed from the terminal set list.
REMOVE-TERMINAL-SETS = list-poss(48): <name 1..8>(...)
The terminal sets with the specified names are removed from the terminal set list.
The meaning of the subordinate operands is the same as for the TERMINAL-SET=list-poss(48): <name 1..8>(...) operand below.
ADD-TERMINAL-SETS =
Specifies terminal sets which are to be added to the terminal set list for the user ID’s POSIX remote login access.
If no terminal set list has as yet been defined for the user ID’s POSIX remote login access then a positive list is implicitly created. If one or more of the terminal sets that are to be added is already present in the list, a warning is issued.
ADD-TERMINAL-SETS = *NONE
No terminal sets are added to the defined terminal set list.
ADD-TERMINAL-SETS = list-poss(48): <name 1..8>(...)
The terminal sets with the specified names are added to the defined terminal set list.
The meaning of the subordinate operands is the same as for the TERMINAL-SET=list-poss(48): <name 1..8>(...) operand below.
TERMINAL-SET = list-poss(48): <name 1..8>(...)
A positive terminal set list is assigned. Access via POSIX remote login is permitted for the UNIX clients with names which match the terminal names in the specified terminal sets.
SCOPE =
Class of the terminal set name.
SCOPE = *STD
By default, a global system administrator assigns global terminal sets and a group administrator assigns local terminal sets.
SCOPE = *USER
A terminal set owned by the user ID is assigned.
SCOPE = *GROUP
A terminal set owned by the user ID’s group is assigned.
SCOPE = *SYSTEM
A publicly owned terminal set is assigned.
GUARD-NAME = *UNCHANGED / *NONE / <filename 1..18 without-cat-gen-vers>
Specifies whether access via POSIX remote login is protected by a guard.
GUARD-NAME = *NONE
Access via POSIX remote login is not protected by a guard.
GUARD-NAME = <filename 1..18 without-cat-gen-vers>
Access via POSIX remote login is only permitted if the access conditions in the specified guard are fulfilled. The protected user ID must be an authorized user of the specified guard. When the guard is evaluated, only the time conditions Date, Time and Weekday are considered. The subject of the access condition is the protected user ID.
POSIX-RLOGIN-ACCESS = *NO
The BS2000 user ID is not allowed system access via POSIX remote login.
POSIX-REMOTE-ACCESS = *UNCHANGED / *LOGON-DEFAULT(...) / *YES(...) / *NO
The BS2000 user ID for system access via a POSIX remote command is enabled or disabled.
TERMINAL-SET = *UNCHANGED / *NO-PROTECTION / *NONE / *EXCEPTION-LIST(...) / *MODIFY-LIST(...) / list-poss(48): <name 1..8>(...)
Specifies whether the user ID is protected for access via a POSIX remote command with terminal sets. Only the processor name of the UNIX client may therefore be specified in the corresponding terminal set entry. The station name *ANY should therefore be specified.
TERMINAL-SET = *NO-PROTECTION
The user ID is not protected with terminal sets.
TERMINAL-SET = *NONE
The user ID is assigned to an empty terminal set list for access via a POSIX remote command, i.e. no access via a POSIX remote command is permitted.
TERMINAL-SET = *EXCEPTION-LIST(...)
A negative list of terminal sets is assigned.
TERMINAL-SET = *NONE
The negative list is empty, i.e. there is no restriction to access via a POSIX remote command.
TERMINAL-SET = list-poss(48): <name 1..8>(...)
Access via a POSIX remote command is prohibited for the UNIX clients with names corresponding to the terminal names in the specified terminal sets.
The meaning of the subordinate operands is the same as for the TERMINAL-SET=list-poss(48): <name 1..8>(...) operand below.
TERMINAL-SET = *MODIFY-LIST(...)
Changes are made to an already defined terminal set list. The modification has no effect on whether the list is a positive or negative list.
REMOVE-TERMINAL-SETS =
Specifies terminal sets which are to be removed from the terminal set list for the user ID’s access via POSIX remote command.
If no terminal set list has as yet been defined for the user ID’s access via a POSIX remote command, a warning is output and command execution continues. The same thing happens if one or more of the terminal sets specified for removal are not present in the list.
REMOVE-TERMINAL-SETS = *NONE
No terminal sets are removed from the terminal set list.
REMOVE-TERMINAL-SETS = *ALL
All the terminal sets are removed from the terminal set list.
REMOVE-TERMINAL-SETS = list-poss(48): <name 1..8>(...)
The terminal sets with the specified names are removed from the terminal set list.
The meaning of the subordinate operands is the same as for the TERMINAL-SET=list-poss(48): <name 1..8>(...) operand below.
ADD-TERMINAL-SETS =
Specifies terminal sets which are to be added to the terminal set list for the user ID’s access via POSIX remote command.
If no terminal set list has as yet been defined for the user ID’s access via POSIX remote command then a positive list is implicitly created. If one or more of the terminal sets that are to be added is already present in the list, a warning is issued.
ADD-TERMINAL-SETS = *NONE
No terminal sets are added to the defined terminal set list.
ADD-TERMINAL-SETS = list-poss(48): <name 1..8>(...)
The terminal sets with the specified names are added to the defined terminal set list.
The meaning of the subordinate operands is the same as for the TERMINAL-SET=list-poss(48): <name 1..8>(...) operand below.
TERMINAL-SET = list-poss(48): <name 1..8>(...)
A positive terminal set list is assigned. Access via POSIX remote command is permitted for the UNIX clients with names which match the terminal names in the specified terminal sets.
SCOPE =
Class of the terminal set name.
SCOPE = *STD
By default, a global system administrator assigns global terminal sets and a group administrator assigns local terminal sets.
SCOPE = *USER
A terminal set owned by the user ID is assigned.
SCOPE = *GROUP
A terminal set owned by the user ID’s group is assigned.
SCOPE = *SYSTEM
A publicly owned terminal set is assigned.
GUARD-NAME = *UNCHANGED / *NONE / <filename 1..18 without-cat-gen-vers>
Specifies whether access via a POSIX remote command is protected by a guard.
GUARD-NAME = *NONE
Access via POSIX remote command is not protected by a guard.
GUARD-NAME = <filename 1..18 without-cat-gen-vers>
Access via POSIX remote command is only permitted if the access conditions in the specified guard are fulfilled. The protected user ID must be an authorized user of the specified guard. When the guard is evaluated, only the time conditions Date, Time and Weekday are considered. The subject of the access condition is the UNIX/POSIX user ID under which the rsh or rcp command was issued. This user ID does not have to exist in the BS2000 system.
POSIX-REMOTE-ACCESS = *NO
The BS2000 user ID is locked for system access via a POSIX remote command.
NET-DIALOG-ACCESS = *UNCHANGED / *LOGON-DEFAULT(...) / *YES(...) / *NO
Specifies whether interactive access from the network is permitted.
NET-DIALOG-ACCESS = *YES(...)
Interactive access from the network is permitted.
PASSWORD-CHECK = *YES / *NO
Specifies whether the login password should be checked when access is performed via the network.
REMOVE-PRINCIPAL =
Specification for access using Kerberos authentication.
Deletes Kerberos names from the list of Kerberos names which have access to this user ID.
REMOVE-PRINCIPAL = *NONE
No names are removed from the list of Kerberos names.
REMOVE-PRINCIPAL = *ALL
The list of Kerberos names is emptied, but remains valid. Clients who can present a Kerberos ticket when requested are rejected.
REMOVE-PRINCIPAL = list-poss(48): <composed-name 1..1800 with-under with-wild> /
<c-string 1..1800 with-low>
The Kerberos names specified are deleted from the list.
ADD-PRINCIPAL =
Specification for access using Kerberos authentication.
Adds Kerberos names to the list of Kerberos names which have access to this user ID.
ADD-PRINCIPAL = *NONE
No further name is added to the list of Kerberos names.
ADD-PRINCIPAL = *NO-PROTECTION
Protection by Kerberos authentication is canceled for the user ID. Any list of Kerberos names which exists is deleted. The client is not requested to present a Kerberos ticket; access is assigned directly to the DIALOG-ACCESS class.
ADD-PRINCIPAL = *ALL
Protection by Kerberos authentication is canceled for the user ID. Any list of Kerberos names which exists is deleted. However, the client is requested to present a Kerberos ticket. The Kerberos name this contains is displayed in the logon history and used as audit identification. If the client does not support Kerberos authentication, access is assigned to the DIALOG-ACCESS class.
ADD-PRINCIPAL = list-poss(48): <composed-name 1..1800 with-under with-wild> /
<c-string 1..1800 with-low>
The Kerberos names specified are added to the list.
TERMINAL-SET = *UNCHANGED / *NO-PROTECTION / *NONE / *EXCEPTION-LIST(...) /
*MODIFY-LIST(...) / list-poss(48): <name 1..8>(...)
Specifies whether the user ID should be protected for network access with terminal sets.
TERMINAL-SET = *NO-PROTECTION
The user ID is not protected with terminal sets.
TERMINAL-SET = *NONE
The user ID is assigned to an empty terminal set list, i.e. no network access is permitted.
TERMINAL-SET = *EXCEPTION-LIST(...)
A negative list of terminal sets is assigned.
TERMINAL-SET = *NONE / list-poss(48): <name 1..8>(...)
TERMINAL-SET = *NONE
The negative list is empty, i.e. there is no restriction to network access.
TERMINAL-SET = list-poss(48): <name 1..8>(...)
Network access is prohibited for the terminals with names corresponding to the terminal names in the specified terminal sets.
The meaning of the subordinate operands is the same as for the TERMINAL-SET operand below.
TERMINAL-SET = *MODIFY-LIST(...)
Changes are made to an already defined terminal set list. The modification has no effect on whether the list is a positive or negative list.
REMOVE-TERMINAL-SETS =
Specifies terminal sets which are to be removed from the terminal set list for the user ID’s network access.
If no terminal set list has as yet been defined for the user ID’s network access, a warning is output and command execution continues. The same thing happens if one or more of the terminal sets specified for removal are not present in the list.
REMOVE-TERMINAL-SETS = *NONE
No terminal sets are removed from the terminal set list.
REMOVE-TERMINAL-SETS = *ALL
All the terminal sets are removed from the terminal set list.
REMOVE-TERMINAL-SETS = list-poss(48): <name 1..8>(...)
The terminal sets with the specified names are removed from the terminal set list.
The meaning of the subordinate operands is the same as for the TERMINAL-SET=list-poss(48): <name 1..8>(...) operand below.
ADD-TERMINAL-SETS =
Specifies terminal sets which are to be added to the terminal set list for the user ID’s network access.
If no terminal set list has as yet been defined for the user ID’s network access then a positive list is implicitly created. If one or more of the terminal sets that are to be added is already present in the list, a warning is issued.
ADD-TERMINAL-SETS = *NONE
No terminal sets are added to the defined terminal set list.
ADD-TERMINAL-SETS = list-poss(48): <name 1..8>(...)
The terminal sets with the specified names are added to the defined terminal set list.
The meaning of the subordinate operands is the same as for the TERMINAL-SET=list-poss(48): <name 1..8>(...) operand below.
TERMINAL-SET = list-poss(48): <name 1..8>(...)
A positive terminal set list is assigned. Network access is permitted for the terminals with names which match the terminal names in the specified terminal sets.
SCOPE =
Class of the terminal set name.
SCOPE = *STD
By default, a global system administrator assigns global terminal sets and a group administrator assigns local terminal sets.
SCOPE = *USER
A terminal set owned by the user ID is assigned.
SCOPE = *GROUP
A terminal set owned by the user ID’s group is assigned.
SCOPE = *SYSTEM
A publicly owned terminal set is assigned.
GUARD-NAME = *UNCHANGED / *NONE / <filename 1..18 without-cat-gen-vers>
Specifies whether network access is protected by a guard.
GUARD-NAME = *NONE
Network access is not protected by a guard.
GUARD-NAME = <filename 1..18 without-cat-gen-vers>
Network access is only permitted if the access conditions in the specified guard are fulfilled. The protected user ID must be an authorized user of the specified guard. When the guard is evaluated, only the time conditions Date, Time and Weekday are considered. The subject of the access condition is the protected user ID.
NET-DIALOG-ACCESS = *NO
The BS2000 user ID is locked for interactive access from the network via a TranSON server.
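The terminal set list semantics described above for both POSIX-REMOTE-ACCESS and NET-DIALOG-ACCESS (*NO-PROTECTION, *NONE, *EXCEPTION-LIST, a positive list, and *MODIFY-LIST with its warnings), together with the AREA52/HOMEBASE change from the Example section, modelled as an added illustration; this is not SECOS code, the terminal set contents are constructed sample data, and the assumption that REMOVE-TERMINAL-SETS is applied before ADD-TERMINAL-SETS is mine.

```python
# Added illustration (not SECOS code) of the TERMINAL-SET operand semantics.
# A list is kept as (kind, set_of_terminal_set_names); kind is "POS" or "NEG".
NO_PROTECTION = None          # TERMINAL-SET=*NO-PROTECTION: no list at all

# Constructed sample terminal sets: set name -> terminal (or client) names
TERMINAL_SETS = {
    "AREA52": {"T1", "T2"},
    "HOMEBASE": {"T3"},
}

def assign(value, names=()):
    """Initial assignment: '*NO-PROTECTION', '*NONE', '*EXCEPTION-LIST' or '*LIST'."""
    if value == "*NO-PROTECTION":
        return NO_PROTECTION
    if value == "*NONE":                 # empty positive list: no access at all
        return ("POS", set())
    if value == "*EXCEPTION-LIST":       # negative list; empty means no restriction
        return ("NEG", set(names))
    if value == "*LIST":                 # positive list
        return ("POS", set(names))
    raise ValueError(value)

def modify_list(state, remove=(), add=()):
    """*MODIFY-LIST: remove first, then add (assumed order); list kind is kept.
    Returns (new_state, warnings); a warning never aborts the command."""
    warnings = []
    if state is NO_PROTECTION:           # no list defined yet
        if remove:
            warnings.append("no terminal set list defined; nothing removed")
        if add:                          # a positive list is created implicitly
            return ("POS", set(add)), warnings
        return state, warnings
    kind, names = state
    names = set(names)
    if remove == "*ALL":
        names.clear()
    else:
        for n in remove:
            if n not in names:
                warnings.append(f"{n} not in list")
            names.discard(n)
    for n in add:
        if n in names:
            warnings.append(f"{n} already in list")
        names.add(n)
    return (kind, names), warnings

def is_permitted(state, terminal, terminal_sets=TERMINAL_SETS):
    """Does a terminal (or UNIX client processor) pass the terminal-set check?"""
    if state is NO_PROTECTION:
        return True
    kind, names = state
    covered = set().union(*(terminal_sets[n] for n in names))
    return (terminal in covered) if kind == "POS" else (terminal not in covered)
```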
Command return codes
| (SC2) | SC1 | Maincode | Meaning |
| | 0 | CMD0001 | Command executed without errors |
| 2 | 0 | SRM6001 | Command executed with a warning |
| | 32 | SRM6020 | System error during command execution |
| | 64 | SRM6040 | Semantic error during command execution |
| | 130 | SRM6030 | Command cannot be executed at the present time |
Example
The examples are based on the assumption that the following SET-LOGON-PROTECTION command has been issued:
/set-logon-protection user-identification=tsos, -
password=*par(logon-pass='********',lifetime-interval=60), -
dialog-access=*yes(terminal-set=area52)
/modify-logon-protection user-identification=tsos, -
dialog-access=*yes(terminal-set=*modify-list( -
remove-terminal-sets=area52, add-terminal-sets=homebase))
The result of this is that no DIALOG logon for TSOS can now be performed for the terminals specified in terminal set AREA52. Instead, all the terminals present in the terminal set HOMEBASE are able to perform access.
/modify-logon-protection user-identification=tsos, -
password=*parameters(lifetime-interval=3(dimension=*months))
The password must now be changed at least every three months.
/modify-logon-protection user-identification=tsos, -
batch-access=*yes(add-user-access=(*group,X,Y))
In addition to TSOS itself, all members of the user group of TSOS as well as the user IDs X and Y are now authorized to start batch jobs under the TSOS user ID.
Output: