SET-LOGON-PROTECTION Define protection attributes

Domain:

USER-ADMINISTRATION

Privileges:

STD-PROCESSING, USER-ADMINISTRATION

This command serves to define protection attributes for existing user IDs.

The following are authorized to issue this command:

  • Global user administrators (users possessing the USER-ADMINISTRATION privilege) may issue this command with respect to all user IDs

  • Group administrators possessing at least the MANAGE-MEMBERS privilege may issue this command with respect to user IDs which are members of their own user group or any of its subgroups

SET-LOGON-PROTECTION

USER-IDENTIFICATION = <name 1..8>
, PUBSET = *HOME / <cat-id 1..4>
, EXPIRATION-DATE = *LOGON-DEFAULT / *NONE / <date 8..10> / <integer 0..366>
, EXPIRATION-WARNING = *LOGON-DEFAULT / *STD / <integer 0..366>
, PASSWORD = *PARAMETERS(...)
    *PARAMETERS(...)
      | LOGON-PASSWORD = *NONE / *SECRET / <c-string 1..8> / <c-string 9..32> / <x-string 1..16>
      | , ENCRYPTION = *YES / *NO
      | , MANAGEMENT = *LOGON-DEFAULT / *USER-CHANGE-ONLY / *BY-USER / *BY-ADMINISTRATOR
      | , MINIMAL-LENGTH = *LOGON-DEFAULT / *NONE / <integer 1..8>
      | , MINIMAL-COMPLEXITY = *LOGON-DEFAULT / *NONE / <integer 1..4>
      | , INITIAL-LIFETIME = *LOGON-DEFAULT / *STD / *EXPIRED / <integer 0..366> / <date 8..10>
      | , LIFETIME-INTERVAL = *LOGON-DEFAULT / *UNLIMITED / <integer 1..366>(...)
      |     <integer 1..366>(...)
      |       | DIMENSION = *DAYS / *MONTHS
      | , EXPIRATION-WARNING = *LOGON-DEFAULT / *STD / <integer 0..366>
      | , UNLOCK-EXPIRATION = *LOGON-DEFAULT / *BY-ADMINISTRATOR-ONLY / *BY-USER
      | , PASSWORD-MEMORY = *LOGON-DEFAULT / *NONE / *YES(...)
      |     *YES(...)
      |       | PERIOD = 1 / <integer 1..32767>
      |       | , CHANGES-PER-PERIOD = 1 / <integer 1..100>
      |       | , BLOCKING-TIME = 100 / <integer 1..32767>
, SUSPEND-ATTRIBUTES = *LOGON-DEFAULT / *NONE / *YES(...)
    *YES(...)
      | COUNT = *LOGON-DEFAULT / <integer 0..32767>
      | , OBSERVE-TIME = *LOGON-DEFAULT / <integer 0..32767>(...)
      |     <integer 0..32767>(...)
      |       | DIMENSION = *MINUTE / *HOUR
      | , SUSPEND-TIME = *LOGON-DEFAULT / <integer 1..32767>(...) / *UNLIMITED
      |     <integer 1..32767>(...)
      |       | DIMENSION = *MINUTE / *HOUR
      | , SUBJECT = *LOGON-DEFAULT / *USER-IDENTIFICATION / *INITIATOR
, INACTIVITY-LIMIT = *LOGON-DEFAULT / *NONE / <integer 1..366>(...)
    <integer 1..366>(...)
      | DIMENSION = *DAYS / *MONTHS
, DIALOG-ACCESS = *LOGON-DEFAULT(...) / *YES(...) / *NO
    *LOGON-DEFAULT(...)
      | PASSWORD-CHECK = *YES / *NO
      | , TERMINALS-ALLOWED = *ALL / list-poss(48): *PARAMETERS(...)
      |     *PARAMETERS(...)
      |       | PROCESSOR = <name 1..8 with-wild>
      |       | , STATION = <name 1..8 with-wild>
      | , TERMINAL-SET = *NO-PROTECTION / *NONE / *EXCEPTION-LIST(...) / list-poss(48): <name 1..8>(...)
      |     *EXCEPTION-LIST(...)
      |       | TERMINAL-SET = *NONE / list-poss(48): <name 1..8>(...)
      |       |     <name 1..8>(...)
      |       |       | SCOPE = *STD / *USER / *GROUP / *SYSTEM
      |     <name 1..8>(...)
      |       | SCOPE = *STD / *USER / *GROUP / *SYSTEM
      | , GUARD-NAME = *NONE / <filename 1..18 without-cat-gen-vers>
      | , PERSONAL-LOGON = *NO / *YES / *PRIVILEGED
    *YES(...)
      | PASSWORD-CHECK = *YES / *NO
      | , TERMINALS-ALLOWED = *ALL / list-poss(48): *PARAMETERS(...)
      |     *PARAMETERS(...)
      |       | PROCESSOR = <name 1..8 with-wild>
      |       | , STATION = <name 1..8 with-wild>
      | , TERMINAL-SET = *NO-PROTECTION / *NONE / *EXCEPTION-LIST(...) / list-poss(48): <name 1..8>(...)
      |     *EXCEPTION-LIST(...)
      |       | TERMINAL-SET = *NONE / list-poss(48): <name 1..8>(...)
      |       |     <name 1..8>(...)
      |       |       | SCOPE = *STD / *USER / *GROUP / *SYSTEM
      |     <name 1..8>(...)
      |       | SCOPE = *STD / *USER / *GROUP / *SYSTEM
      | , GUARD-NAME = *NONE / <filename 1..18 without-cat-gen-vers>
      | , PERSONAL-LOGON = *NO / *YES / *PRIVILEGED
, BATCH-ACCESS = *LOGON-DEFAULT(...) / *YES(...) / *NO
    *LOGON-DEFAULT(...)
      | PASSWORD-CHECK = *YES / *NO / *GUARD(...)
      |     *GUARD(GUARD-NAME = <filename 1..18 without-cat-gen-vers>)
      | , USER-ACCESS = *ALL / list-poss(48): *OWNER / *GROUP / *OTHERS / *CONSOLE / <name 1..8>
      | , GUARD-NAME = *NONE / <filename 1..18 without-cat-gen-vers>
    *YES(...)
      | PASSWORD-CHECK = *YES / *NO / *GUARD(...)
      |     *GUARD(GUARD-NAME = <filename 1..18 without-cat-gen-vers>)
      | , USER-ACCESS = *ALL / list-poss(48): *OWNER / *GROUP / *OTHERS / *CONSOLE / <name 1..8>
      | , GUARD-NAME = *NONE / <filename 1..18 without-cat-gen-vers>
, OPERATOR-ACCESS-TERM = *LOGON-DEFAULT(...) / *YES(...) / *NO
    *LOGON-DEFAULT(...)
      | PASSWORD-CHECK = *YES / *NO
    *YES(...)
      | PASSWORD-CHECK = *YES / *NO
, OPERATOR-ACCESS-PROG = *LOGON-DEFAULT(...) / *YES(...) / *NO
    *LOGON-DEFAULT(...)
      | PASSWORD-CHECK = *YES / *NO
    *YES(...)
      | PASSWORD-CHECK = *YES / *NO
, OPERATOR-ACCESS-CONS = *LOGON-DEFAULT(...) / *YES(...) / *NO
    *LOGON-DEFAULT(...)
      | PASSWORD-CHECK = *YES / *NO
    *YES(...)
      | PASSWORD-CHECK = *YES / *NO
, POSIX-RLOGIN-ACCESS = *LOGON-DEFAULT(...) / *YES(...) / *NO
    *LOGON-DEFAULT(...)
      | PASSWORD-CHECK = *YES / *NO
      | , TERMINAL-SET = *NO-PROTECTION / *NONE / *EXCEPTION-LIST(...) / list-poss(48): <name 1..8>(...)
      |     *EXCEPTION-LIST(...)
      |       | TERMINAL-SET = *NONE / list-poss(48): <name 1..8>(...)
      |       |     <name 1..8>(...)
      |       |       | SCOPE = *STD / *USER / *GROUP / *SYSTEM
      |     <name 1..8>(...)
      |       | SCOPE = *STD / *USER / *GROUP / *SYSTEM
      | , GUARD-NAME = *NONE / <filename 1..18 without-cat-gen-vers>
    *YES(...)
      | PASSWORD-CHECK = *YES / *NO
      | , TERMINAL-SET = *NO-PROTECTION / *NONE / *EXCEPTION-LIST(...) / list-poss(48): <name 1..8>(...)
      |     *EXCEPTION-LIST(...)
      |       | TERMINAL-SET = *NONE / list-poss(48): <name 1..8>(...)
      |       |     <name 1..8>(...)
      |       |       | SCOPE = *STD / *USER / *GROUP / *SYSTEM
      |     <name 1..8>(...)
      |       | SCOPE = *STD / *USER / *GROUP / *SYSTEM
      | , GUARD-NAME = *NONE / <filename 1..18 without-cat-gen-vers>
, POSIX-REMOTE-ACCESS = *LOGON-DEFAULT(...) / *YES(...) / *NO
    *LOGON-DEFAULT(...)
      | TERMINAL-SET = *NO-PROTECTION / *NONE / *EXCEPTION-LIST(...) / list-poss(48): <name 1..8>(...)
      |     *EXCEPTION-LIST(...)
      |       | TERMINAL-SET = *NONE / list-poss(48): <name 1..8>(...)
      |       |     <name 1..8>(...)
      |       |       | SCOPE = *STD / *USER / *GROUP / *SYSTEM
      |     <name 1..8>(...)
      |       | SCOPE = *STD / *USER / *GROUP / *SYSTEM
      | , GUARD-NAME = *NONE / <filename 1..18 without-cat-gen-vers>
    *YES(...)
      | TERMINAL-SET = *NO-PROTECTION / *NONE / *EXCEPTION-LIST(...) / list-poss(48): <name 1..8>(...)
      |     *EXCEPTION-LIST(...)
      |       | TERMINAL-SET = *NONE / list-poss(48): <name 1..8>(...)
      |       |     <name 1..8>(...)
      |       |       | SCOPE = *STD / *USER / *GROUP / *SYSTEM
      |     <name 1..8>(...)
      |       | SCOPE = *STD / *USER / *GROUP / *SYSTEM
      | , GUARD-NAME = *NONE / <filename 1..18 without-cat-gen-vers>
, NET-DIALOG-ACCESS = *LOGON-DEFAULT(...) / *YES(...) / *NO
    *LOGON-DEFAULT(...)
      | PASSWORD-CHECK = *YES / *NO
      | , PRINCIPAL = *NO-PROTECTION / *NONE / *ALL / list-poss(48): <composed-name 1..1800 with-under with-wild> / <c-string 1..1800 with-low>
      | , TERMINAL-SET = *NO-PROTECTION / *NONE / *EXCEPTION-LIST(...) / list-poss(48): <name 1..8>(...)
      |     *EXCEPTION-LIST(...)
      |       | TERMINAL-SET = *NONE / list-poss(48): <name 1..8>(...)
      |       |     <name 1..8>(...)
      |       |       | SCOPE = *STD / *USER / *GROUP / *SYSTEM
      |     <name 1..8>(...)
      |       | SCOPE = *STD / *USER / *GROUP / *SYSTEM
      | , GUARD-NAME = *NONE / <filename 1..18 without-cat-gen-vers>
    *YES(...)
      | PASSWORD-CHECK = *YES / *NO
      | , PRINCIPAL = *NO-PROTECTION / *NONE / *ALL / list-poss(48): <composed-name 1..1800 with-under with-wild> / <c-string 1..1800 with-low>
      | , TERMINAL-SET = *NO-PROTECTION / *NONE / *EXCEPTION-LIST(...) / list-poss(48): <name 1..8>(...)
      |     *EXCEPTION-LIST(...)
      |       | TERMINAL-SET = *NONE / list-poss(48): <name 1..8>(...)
      |       |     <name 1..8>(...)
      |       |       | SCOPE = *STD / *USER / *GROUP / *SYSTEM
      |     <name 1..8>(...)
      |       | SCOPE = *STD / *USER / *GROUP / *SYSTEM
      | , GUARD-NAME = *NONE / <filename 1..18 without-cat-gen-vers>


The operand value *LOGON-DEFAULT means that the default setting defined with the /SET- or /MODIFY-LOGON-DEFAULTS command is taken over for the operand.

USER-IDENTIFICATION = <name 1..8>
User ID whose protection attributes are to be defined.

PUBSET = *HOME / <cat-id 1..4>
Pubset in whose user catalog the protection attributes are to be entered.

PUBSET = *HOME
The entry is made on the home pubset.

PUBSET = <cat-id 1..4>
The entry is made on the specified pubset.

EXPIRATION-DATE = *LOGON-DEFAULT / *NONE / <date 8..10> / <integer 0..366>
The user ID is to be suspended after the specified date. This means that LOGON is no longer possible via this user ID, but the files cataloged under the user ID are retained. During the period specified in the EXPIRATION-WARNING operand, a user attempting LOGON receives message SRM3201 on SYSOUT.

EXPIRATION-DATE = *NONE
The user ID will not be suspended after a specific date.

EXPIRATION-DATE = <date 8..10>
Expiration date of the user ID.

EXPIRATION-DATE = <integer 0..366>
Lifetime of the user ID.

EXPIRATION-WARNING = *LOGON-DEFAULT / *STD / <integer 0..366>
This defines the period, in days, within which the user is warned before the expiration date of the user ID is exceeded. The default value is 28 days.

PASSWORD = *PARAMETERS(...)
Definitions concerning passwords.

LOGON-PASSWORD = *NONE / *SECRET / <c-string 1..8> / <c-string 9..32> / <x-string 1..16>
Password to be entered by the user.

LOGON-PASSWORD = *NONE
No password is defined for this user ID.

LOGON-PASSWORD = *SECRET
Display of the requested password is suppressed.

ENCRYPTION = *YES / *NO
This determines whether the password is to be stored as entered or in encrypted form.

ENCRYPTION = *YES
The password is encrypted as defined in the system parameter ENCRYPT.

ENCRYPTION = *NO
The password is stored in the user catalog as entered, i.e. unencrypted.

MANAGEMENT = *LOGON-DEFAULT / *USER-CHANGE-ONLY / *BY-USER / *BY-ADMINISTRATOR
This determines who is to be authorized to manage the password and with what restrictions.

MANAGEMENT = *USER-CHANGE-ONLY
The user may define and modify the password but not delete it.

MANAGEMENT = *BY-USER
The user may define, modify and delete the password.

MANAGEMENT = *BY-ADMINISTRATOR
The password may be modified via the system administration commands /MODIFY-USER-ATTRIBUTES and /MODIFY-LOGON-PROTECTION only.

MINIMAL-LENGTH = *LOGON-DEFAULT / *NONE / <integer 1..8>
This specifies the minimum length of a password to be entered by the user. When using long passwords please see notes on "Password protection".

MINIMAL-LENGTH = *NONE
No minimum password length is defined. The maximum length for user-defined passwords is 8 characters.

MINIMAL-LENGTH = <integer 1..8>
This specifies the minimum length of a password to be entered by the user (in number of characters). When this operand is used the password must end with a character other than a blank.

MINIMAL-COMPLEXITY = *LOGON-DEFAULT / *NONE / <integer 1..4>
This specifies the minimum complexity of a password to be entered by the user. When using long passwords please see notes on "Password protection".

MINIMAL-COMPLEXITY = *NONE
The complexity of user-defined passwords is entirely at the discretion of the user.

MINIMAL-COMPLEXITY = <integer 1..4>
There are four levels of complexity (each level implying all subordinate levels): 


Level 1:

No restrictions.

Level 2:

The password must not contain more than two consecutive identical characters.

Level 3:

The password must contain at least one letter and one digit.

Level 4:

The password must contain at least one letter, one digit and one special character; blanks do not count as special characters.


INITIAL-LIFETIME = *LOGON-DEFAULT / *STD / *EXPIRED / <integer 0..366> / <date 8..10>
This defines the first lifetime cycle.

INITIAL-LIFETIME = *STD
The expiration date of the password is calculated from LIFETIME-INTERVAL.

INITIAL-LIFETIME = *EXPIRED
The entered logon password is identified as ‘expired’. The owner of the user ID must first declare a new logon password before being able to continue working under his/her user ID. For more detailed information, see the UNLOCK-EXPIRATION operand.

INITIAL-LIFETIME = <integer 0..366>
Lifetime of the password.

INITIAL-LIFETIME = <date 8..10>
Expiration date of the password.

LIFETIME-INTERVAL = *LOGON-DEFAULT / *UNLIMITED / <integer 1..366>(...)
This defines the interval at which the user has to change the password. If the password is not changed within this period, it expires; whether the user ID is then locked or the user may still declare a new password is determined by the UNLOCK-EXPIRATION operand. During the warning period defined by the EXPIRATION-WARNING operand of the password (by default the final 28 days), a user attempting LOGON receives message SRM3201 on SYSOUT.

LIFETIME-INTERVAL = *UNLIMITED
The user is not forced to change the password.

LIFETIME-INTERVAL = <integer 1..366>(...)
This specifies the interval at which the user has to change the password.

DIMENSION = *DAYS / *MONTHS
Unit of the specified value. When *MONTHS is specified, the maximum permissible value for “integer” is 12.

EXPIRATION-WARNING = *LOGON-DEFAULT / *STD / <integer 0..366>
This defines the period, in days, within which the user is warned before the expiration date of the password is exceeded. The default value is 28 days.

UNLOCK-EXPIRATION = *LOGON-DEFAULT / *BY-ADMINISTRATOR-ONLY / *BY-USER
Specifies who is authorized to replace an expired password with a new one.

UNLOCK-EXPIRATION = *BY-ADMINISTRATOR-ONLY
When the expiration date of the password is exceeded, the user ID is locked. System administration must enter a new logon password before the owner of the user ID can access the system again.

UNLOCK-EXPIRATION = *BY-USER
When the expiration date of the password is exceeded, the user is granted restricted access in interactive mode after entering the expired password. In this state the user can only declare a new password or terminate the interactive task.

PASSWORD-MEMORY = *LOGON-DEFAULT / *NONE / *YES(...)
Specifies whether the old password is to be entered in a list when the password is changed. Passwords which are present in this list must not be assigned as a new password in the event of a password change. In addition, the frequency of password changes can be restricted.

PASSWORD-MEMORY = *NONE
No password list is created. If such a list already exists, it is deleted. The frequency with which passwords can be changed is not restricted.

PASSWORD-MEMORY = *YES(...)
A password list is created. In addition, a maximum is specified for the number of password modifications which may be performed during a defined period.

The operands PERIOD, CHANGES-PER-PERIOD and BLOCKING-TIME interact as follows:

      • PERIOD <= BLOCKING-TIME
      • CHANGES-PER-PERIOD <= (100 * PERIOD) / BLOCKING-TIME

PERIOD = 1 / <integer 1..32767>
Specifies a period during which a maximum number of password changes can be specified using the CHANGES-PER-PERIOD operand. The period is specified in days. The default setting is a period of one day.

CHANGES-PER-PERIOD = 1 / <integer 1..100>
Specifies the maximum number of password changes permitted during the period specified using the PERIOD operand. Password changes to the password *NONE are disregarded by the counter. By default, the password can be changed once a day.

BLOCKING-TIME = 100 / <integer 1..32767>
Specifies how long a password remains stored in the password list. The period is specified in days and starts with the day on which one password is replaced by another. By default, a used password is blocked for 100 days.
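The following Python model is an added example, not SECOS code and not taken from this manual. It re-implements the password rules described above so that their interaction can be exercised: MINIMAL-LENGTH, the four MINIMAL-COMPLEXITY levels, MANAGEMENT=*USER-CHANGE-ONLY, and PASSWORD-MEMORY with PERIOD, CHANGES-PER-PERIOD and BLOCKING-TIME (including the two consistency constraints quoted above). The class and function names, the integer day counter that stands in for the calendar, and the sample passwords are assumptions made for the illustration; that punctuation is what counts as a "special character" is also an assumption, since the page only says that blanks do not count.

```python
"""Model of the password rules of SET-LOGON-PROTECTION described above.

Added example, not SECOS code: it re-implements the documented semantics of
MINIMAL-LENGTH, the four MINIMAL-COMPLEXITY levels, MANAGEMENT and
PASSWORD-MEMORY (PERIOD / CHANGES-PER-PERIOD / BLOCKING-TIME) so the
interaction of the operands can be exercised. Class names, the integer day
counter used as a clock and the sample passwords are constructed for the
illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import string

# Assumption: punctuation counts as "special"; the page only states that blanks do not.
SPECIAL_CHARS = set(string.punctuation)


def complexity_level(pw: str) -> int:
    """Highest MINIMAL-COMPLEXITY level (1..4) that `pw` satisfies."""
    # Level 2: no more than two consecutive identical characters.
    if any(pw[i] == pw[i - 1] == pw[i - 2] for i in range(2, len(pw))):
        return 1
    # Level 3: at least one letter and one digit.
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        return 2
    # Level 4: additionally at least one special character (blanks do not count).
    return 4 if any(c in SPECIAL_CHARS for c in pw) else 3


def memory_settings_valid(period: int, changes_per_period: int, blocking_time: int) -> bool:
    """The two constraints the page states for PASSWORD-MEMORY=*YES(...)."""
    return period <= blocking_time and changes_per_period <= 100 * period / blocking_time


@dataclass
class PasswordMemory:
    period: int = 1               # PERIOD in days
    changes_per_period: int = 1   # CHANGES-PER-PERIOD
    blocking_time: int = 100      # BLOCKING-TIME in days

    def __post_init__(self) -> None:
        if not memory_settings_valid(self.period, self.changes_per_period, self.blocking_time):
            raise ValueError("PERIOD/CHANGES-PER-PERIOD/BLOCKING-TIME are inconsistent")


@dataclass
class PasswordPolicy:
    minimal_length: int = 0                  # 0 models MINIMAL-LENGTH=*NONE
    minimal_complexity: int = 1              # 1 models MINIMAL-COMPLEXITY=*NONE
    management: str = "*BY-USER"             # or "*USER-CHANGE-ONLY"
    memory: Optional[PasswordMemory] = None  # None models PASSWORD-MEMORY=*NONE


@dataclass
class PasswordState:
    policy: PasswordPolicy
    current: Optional[str] = None
    blocked: List[Tuple[str, int]] = field(default_factory=list)  # (old password, day replaced)
    change_days: List[int] = field(default_factory=list)          # days of counted changes


def change_password(st: PasswordState, new: Optional[str], today: int) -> Tuple[bool, str]:
    """User-initiated change on day `today` (new=None means *NONE). Returns (accepted, reason)."""
    pol = st.policy
    if new is None:
        if pol.management == "*USER-CHANGE-ONLY":
            return False, "MANAGEMENT=*USER-CHANGE-ONLY: the user may not delete the password"
    else:
        if len(new) < pol.minimal_length:
            return False, f"shorter than MINIMAL-LENGTH={pol.minimal_length}"
        if complexity_level(new) < pol.minimal_complexity:
            return False, f"below MINIMAL-COMPLEXITY={pol.minimal_complexity}"
    mem = pol.memory
    if mem is not None:
        # Entries leave the list once BLOCKING-TIME days have passed since replacement.
        st.blocked = [(p, d) for p, d in st.blocked if today - d < mem.blocking_time]
        if new is not None and any(p == new for p, _ in st.blocked):
            return False, "password is still in the password list (BLOCKING-TIME)"
        recent = [d for d in st.change_days if today - d < mem.period]
        if new is not None and len(recent) >= mem.changes_per_period:
            return False, "CHANGES-PER-PERIOD already reached in this PERIOD"
        if st.current is not None:
            st.blocked.append((st.current, today))
        if new is not None:               # changes to *NONE are not counted
            st.change_days.append(today)
    st.current = new
    return True, "accepted"
```

With the defaults (PERIOD=1, CHANGES-PER-PERIOD=1, BLOCKING-TIME=100) a second change on the same day is refused, and a replaced password becomes assignable again only on the hundredth day after its replacement; the memory constraints reject, for example, BLOCKING-TIME=150 with PERIOD=1, because 100 * 1 / 150 is below even one change per period.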

SUSPEND-ATTRIBUTES = *LOGON-DEFAULT / *NONE / *YES(...)
Defines the attributes for suspension. Temporary locking of a user ID, or of the initiator who attempted access under it, after a number of failed access attempts can be defined locally for this user ID or globally in the default attributes.

SUSPEND-ATTRIBUTES = *NONE
No suspension takes place.

SUSPEND-ATTRIBUTES = *YES(...)
Defines the parameters for suspension.

COUNT = *LOGON-DEFAULT / <integer 0..32767>
Number of failed access attempts which are permitted in the period defined using OBSERVE-TIME. Further failed access attempts result in suspension.

OBSERVE-TIME = *LOGON-DEFAULT / <integer 0..32767> (...)
Period within which the number of failed access attempts specified with the COUNT operand must occur. The period begins with the first failed access attempt. If the observation period terminates without any suspension taking place, the count starts again with the next failed access attempt.

OBSERVE-TIME = <integer 0..32767> (...)
Specifies the observation period.

DIMENSION = *MINUTE / *HOUR
Time unit for the observation period.

SUSPEND-TIME = *LOGON-DEFAULT / <integer 1..32767> (...) / *UNLIMITED
Defines the duration of the suspension. During the suspension a user is informed of the suspension with message SRM3208 or SRM3209 and possibly of its duration.

SUSPEND-TIME = <integer 1..32767> (...)
Duration of the suspension.

DIMENSION = *MINUTE / *HOUR
Time unit for the suspension.

SUSPEND-TIME = *UNLIMITED
The suspension is unlimited.

SUBJECT = *LOGON-DEFAULT / *USER-IDENTIFICATION / *INITIATOR
Defines whether the user ID or person who undertook the access attempts should be suspended.

SUBJECT = *USER-IDENTIFICATION
The user ID is suspended.
This specification is not permitted for the TSOS system ID and the security administrator’s user ID and is rejected with the message SRM3672.

SUBJECT = *INITIATOR
The “person” who undertook the access attempts is suspended (see section "Locking terminals/user IDs after unsuccessful access attempts").
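The following Python model is an added example, not SECOS code and not taken from this manual. It re-implements the documented behaviour of COUNT, OBSERVE-TIME, SUSPEND-TIME and SUBJECT so the interaction of the observation period and the suspension can be tested: the period starts with the first failed attempt, a failure beyond COUNT within that period suspends either the user ID or the initiator, and a period that runs out without a suspension is restarted by the next failure. Times are integer minutes on a constructed clock; the class and method names, the user IDs and the terminal names are invented for the illustration. That the observation period is half-open (a failure exactly OBSERVE-TIME after the first one starts a new period) and that a successful logon does not reset the counter are assumptions, since the page does not say.

```python
"""Model of the SUSPEND-ATTRIBUTES mechanism described above.

Added example, not SECOS code: it re-implements the documented behaviour of
COUNT, OBSERVE-TIME, SUSPEND-TIME and SUBJECT. Times are integer minutes on a
constructed clock; names are invented. Assumptions: the observation period is
half-open, and a successful logon does not reset the failure counter.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SuspendAttributes:
    count: int = 3                         # COUNT: failures tolerated per observation period
    observe_time: int = 10                 # OBSERVE-TIME in minutes
    suspend_time: Optional[int] = 30       # SUSPEND-TIME in minutes; None models *UNLIMITED
    subject: str = "*USER-IDENTIFICATION"  # or "*INITIATOR"


@dataclass
class _Period:
    start: int       # minute of the first failed attempt of this period
    failures: int


@dataclass
class SuspensionMonitor:
    attrs: SuspendAttributes
    periods: Dict[str, _Period] = field(default_factory=dict)
    suspended_until: Dict[str, Optional[int]] = field(default_factory=dict)

    def _key(self, user_id: str, initiator: str) -> str:
        # SUBJECT decides what gets locked: the user ID, or the "person"
        # (modelled here as the terminal) that made the attempts.
        return user_id if self.attrs.subject == "*USER-IDENTIFICATION" else initiator

    def is_suspended(self, user_id: str, initiator: str, now: int) -> bool:
        key = self._key(user_id, initiator)
        if key not in self.suspended_until:
            return False
        until = self.suspended_until[key]
        if until is None or now < until:
            return True                     # *UNLIMITED, or SUSPEND-TIME still running
        del self.suspended_until[key]       # SUSPEND-TIME has elapsed
        return False

    def record_failure(self, user_id: str, initiator: str, now: int) -> bool:
        """Register a failed access attempt. Returns True if it triggers a suspension."""
        key = self._key(user_id, initiator)
        a = self.attrs
        period = self.periods.get(key)
        if period is None or now - period.start >= a.observe_time:
            # The period begins with the first failure; once it has run out
            # without a suspension, counting restarts with the next failure.
            period = _Period(start=now, failures=0)
            self.periods[key] = period
        period.failures += 1
        if period.failures <= a.count:
            return False                    # still within the permitted COUNT
        self.suspended_until[key] = None if a.suspend_time is None else now + a.suspend_time
        del self.periods[key]
        return True


def attempt_logon(mon: SuspensionMonitor, user_id: str, initiator: str,
                  password_ok: bool, now: int) -> str:
    """One logon attempt: 'suspended' (SRM3208/SRM3209 on the page), 'ok' or 'failed'."""
    if mon.is_suspended(user_id, initiator, now):
        return "suspended"
    if password_ok:
        return "ok"
    return "suspended" if mon.record_failure(user_id, initiator, now) else "failed"
```

The difference between the two SUBJECT settings is visible in the model: with *USER-IDENTIFICATION a locked user ID is refused from every terminal, even with the correct password, whereas with *INITIATOR the terminal that produced the failures is locked and the user IDs involved remain usable from elsewhere. This is why the page forbids *USER-IDENTIFICATION for TSOS and the security administrator: an attacker could otherwise lock out the administrators by design.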

INACTIVITY-LIMIT = *LOGON-DEFAULT / *NONE / <integer 1..366> (...)
Specifies the time of inactivity, i.e. the time which has elapsed since the last logon after which the user ID is to be locked. The lock can be canceled using the /MODIFY-USER-ATTRIBUTES command.

INACTIVITY-LIMIT = *NONE
Inactivity is not monitored.

INACTIVITY-LIMIT = <integer 1..366> (...)
Specifies the time until the lock becomes effective (inactivity limit).
This specification is not permitted for the system IDs and is rejected with the message SRM3673.

DIMENSION = *DAYS / *MONTHS
Time unit for the inactivity limit.

DIALOG-ACCESS = *LOGON-DEFAULT(...) / *YES(...) / *NO
This defines the system access control mechanisms which are to apply in interactive mode.

DIALOG-ACCESS = *YES(...)
This defines that system access control mechanisms are to be implemented.

PASSWORD-CHECK = *YES / *NO
This determines that a password check is to be performed for system access in interactive mode.

TERMINALS-ALLOWED =
Specifies the terminals from which access is permitted. This operand is supported for reasons of compatibility. Control by means of the TERMINAL-SET operand is preferable.

If both the TERMINALS-ALLOWED and TERMINAL-SET operands are specified, please refer to the note on the TERMINAL-SET operand in SET-LOGON-PROTECTION.

TERMINALS-ALLOWED = *ALL
All data display terminals are admitted.

TERMINALS-ALLOWED = *PARAMETERS(...)
System access under this user ID in interactive mode is restricted to the specified data display terminals (BCAM names).

PROCESSOR = <name 1..8 with-wild>
BCAM name of the computer from which the connection to $DIALOG may be established (e.g. a PC running a data terminal emulation).

STATION = <name 1..8 with-wild>
Logical name of the data display terminal.

TERMINAL-SET =
Specifies whether the user ID is protected with terminal sets.

Note

If both the TERMINALS-ALLOWED (!=*ALL) and TERMINAL-SET (!= *NO-PROTECTION) operands are specified, please note the following:

The terminal is initially checked on the basis of the terminal list (TERMINALS-ALLOWED). If this permits access then the terminal set list is no longer checked. Any possible contradictory specifications in a negative list or in the guard of a terminal set are ignored. The terminal set list is only checked if the examination of the terminal list returns the result ‘No access’. The result of this check then determines whether access is currently permitted or not.

TERMINAL-SET = *NO-PROTECTION
The user ID is not protected with terminal sets.

TERMINAL-SET = *NONE
An empty terminal set list is assigned to the user ID, i.e. no interactive mode access is permitted.

TERMINAL-SET = *EXCEPTION-LIST(...)
A negative terminal set list is assigned.

TERMINAL-SET = *NONE
The negative list is empty, i.e. there is no restriction to interactive access.

TERMINAL-SET = list-poss(48): <name 1..8>(...)
Interactive access is prohibited for the terminals with names corresponding to the terminal names in the specified terminal sets.

The meaning of the subordinate operands is the same as for the TERMINAL-SET = list-poss(48): <name 1..8>(...) operand below.

TERMINAL-SET = list-poss(48): <name 1..8>(...)
A positive terminal set list is assigned. Interactive access is permitted for the terminals with names which match the terminal names in the specified terminal sets.

SCOPE =
Class of the terminal set name.

SCOPE = *STD
By default, a global system administrator assigns global terminal sets and a group administrator assigns local terminal sets.

SCOPE = *USER
A terminal set owned by the user ID is assigned.

SCOPE = *GROUP
A terminal set owned by the group corresponding to the user ID is assigned.

SCOPE = *SYSTEM
A publicly owned terminal set is assigned.

GUARD-NAME =
Specifies whether interactive access to a user ID is protected by a guard.

GUARD-NAME = *NONE
Interactive access to a user ID is not protected by a guard.

GUARD-NAME = <filename 1..18 without-cat-gen-vers>
Access to the user ID is only permitted if the access conditions in the specified guard are fulfilled.

The protected user ID must be an authorized user of the specified guard. When the guard is evaluated, only the time conditions Date, Time and Weekday are considered. The user ID that has to be permitted as subject in the guard’s access condition depends on the PERSONAL-LOGON operand. If PERSONAL-LOGON=*NO applies, the protected user ID is considered to be the subject of the access condition. If PERSONAL-LOGON=*YES applies, the subject is the personal user ID.

PERSONAL-LOGON =
Specifies whether a personal user ID is required alongside the logon user ID for interactive access.

PERSONAL-LOGON = *NO
Only the logon user ID is required.

PERSONAL-LOGON = *YES
A personal user ID is required in addition to the logon user ID.

PERSONAL-LOGON = *PRIVILEGED
A personal user ID is required in addition to the logon user ID.

In addition, the dialog task is assigned not only the privileges of the logon ID but also those of the personal ID (with the exception of the TSOS privilege, if the personal ID holds it).

If the SAT preselection for the personal user ID (USER-AUDITING) specifies logging of all events (AUDIT-SWITCH=*ON), that setting is applied to the dialog task.

If the logon ID is a group administrator and the personal ID a user administrator, the dialog task takes over the role of the group administrator and is not assigned the USER-ADMINISTRATION privilege.


Restriction for systems with BS2000 OSD/BC <= V11.0A:

The system-internal SCI interface (Synchronous Console Interface) allows operator commands to be entered from a user task. Such operator commands fail if they are permitted only by virtue of privileges inherited from the personal user ID (e.g. several BCAM commands that require the NET-ADMINISTRATION privilege).


The set union of the privileges can be displayed using the following command:

/SHOW-PRIVILEGE INFORMATION = *RUN-PRIVILEGE(...)

DIALOG-ACCESS = *NO
The system access class DIALOG is not admitted for this user ID.

BATCH-ACCESS = *LOGON-DEFAULT(...) / *YES(...) / *NO
Defines whether and which system access control mechanisms are to apply in batch mode.

BATCH-ACCESS = *YES(...)
This defines that system access control mechanisms are to be implemented.

PASSWORD-CHECK = *YES / *NO / *GUARD(...)
This determines whether a password check is to be performed for batch jobs.

PASSWORD-CHECK = *GUARD(...)
The right to start batch jobs without a password is administered by a guard.

GUARD-NAME = <filename 1..18 without-cat-gen-vers>
Batch jobs may be started without a password if the access conditions in the specified guard are satisfied for the user ID which is attempting access.

The protected user ID must be an authorized user of the specified guard. It is necessary to distinguish between two cases for the evaluation of the guard:

  • If the batch job was requested in BS2000 then all the conditions are considered. The subject of the access condition is the user ID under which the ENTER-JOB command was issued.

  • If the batch job was requested under POSIX then only the time conditions Date, Time and Weekday are considered. The subject of the access condition is the protected user ID.

USER-ACCESS =
Specifies which user IDs may start batch jobs under this user ID.

If both the USER-ACCESS and GUARD-NAME operands are specified, please refer to the note on the GUARD-NAME operand in SET-LOGON-PROTECTION.

USER-ACCESS = *ALL
All user IDs may start batch jobs via any console.

USER-ACCESS = *OWNER
The user ID specified via USER-IDENTIFICATION may start batch jobs.

USER-ACCESS = *GROUP
All user IDs which are members of the same group as the user ID specified via USER-IDENTIFICATION may start batch jobs under this user ID, with the exception of the one specified via USER-IDENTIFICATION itself.

USER-ACCESS = *OTHERS
All user IDs of the same computer as the user ID specified via USER-IDENTIFICATION may start batch jobs under this user ID, but not the user ID itself or the members of its user group.

USER-ACCESS = *CONSOLE
Batch jobs may be started under this user ID by an operator who has no separate user ID (i.e. from the console).

USER-ACCESS = <name 1..8>
All specified user IDs may start batch jobs under this user ID.

GUARD-NAME =
Specifies whether batch access to a user ID is protected by a guard.

Note

If both the USER-ACCESS (!=*ALL) and GUARD-NAME (!=*NONE) operands are specified, please note the following:

The user ID is initially checked on the basis of the User Access List. If this permits access then the guard is no longer checked. Any possible contradictory specifications in the guard are ignored. The guard is only checked if the examination of the User Access List returns the result ‘No access’. The result of this check then determines whether access is currently permitted or not.

GUARD-NAME = *NONE
Batch access to the user ID is not protected with a guard.

GUARD-NAME = <filename 1..18 without-cat-gen-vers>
Batch access to the user ID is only permitted if the access conditions in the specified guard are fulfilled for the user ID which is attempting access.

The protected user ID must be an authorized user of the specified guard. It is necessary to distinguish between two cases for the evaluation of the guard:

  • If the batch job was requested in BS2000 then all the conditions are considered. The subject of the access condition is the user ID under which the ENTER-JOB command was issued.

  • If the batch job was requested under POSIX then only the time conditions Date, Time and Weekday are considered. The subject of the access condition is the protected user ID.
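The following Python model is an added example, not SECOS code and not taken from this manual. It encodes the evaluation order stated in the two notes above, for interactive access (TERMINALS-ALLOWED is checked first, and a hit there ends the evaluation with "access", so a contradicting negative terminal set list is ignored) and for batch access (the User Access List is checked first, and the guard only when that list says "no access"). The terminal sets, BCAM names, group membership and the guard predicate are constructed stand-ins; *CONSOLE and the SCOPE operand are not modelled. Two points the page leaves open are assumptions here: when the first list is *ALL there is no first stage and the second mechanism decides alone, and when the first list says "no access" and the second mechanism is *NO-PROTECTION or GUARD-NAME=*NONE, that "no access" stands.

```python
"""Model of the two-stage access checks described for DIALOG-ACCESS
(TERMINALS-ALLOWED, then TERMINAL-SET) and BATCH-ACCESS (USER-ACCESS, then GUARD-NAME).

Added example, not SECOS code. Terminal sets, BCAM names, groups and the guard
predicate are constructed; *CONSOLE and SCOPE are not modelled. Assumptions:
*ALL means "no first stage"; a first-stage "no access" stands when the second
mechanism is *NO-PROTECTION or there is no guard.
"""
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional, Sequence, Tuple, Union

Pattern = Tuple[str, str]   # (PROCESSOR, STATION), wildcards allowed

# Constructed terminal sets: set name -> BCAM name patterns it contains.
TERMINAL_SETS: Dict[str, List[Pattern]] = {
    "OPSROOM": [("MAINFRM1", "OPS*")],
    "VPNEDGE": [("VPNGW*", "*")],
}


def _matches(patterns: Sequence[Pattern], processor: str, station: str) -> bool:
    return any(fnmatchcase(processor, p) and fnmatchcase(station, s) for p, s in patterns)


def _in_sets(names: Sequence[str], processor: str, station: str) -> bool:
    return any(_matches(TERMINAL_SETS.get(n, []), processor, station) for n in names)


def dialog_access_allowed(processor: str, station: str,
                          terminals_allowed: Union[str, Sequence[Pattern]],
                          terminal_set) -> bool:
    """terminals_allowed: "*ALL" or a TERMINALS-ALLOWED list of (PROCESSOR, STATION).
    terminal_set: "*NO-PROTECTION", "*NONE", ("*EXCEPTION-LIST", "*NONE" | names)
    or a positive list of terminal set names."""
    if terminals_allowed != "*ALL":
        # Stage 1: the terminal list. A hit grants access; the terminal set list,
        # even a contradicting negative one, is then not consulted.
        if _matches(terminals_allowed, processor, station):
            return True
        if terminal_set == "*NO-PROTECTION":
            return False
    # Stage 2: the terminal set list decides.
    if terminal_set == "*NO-PROTECTION":
        return True
    if terminal_set == "*NONE":
        return False                            # empty positive list: no access
    if isinstance(terminal_set, tuple) and terminal_set[0] == "*EXCEPTION-LIST":
        negative = terminal_set[1]
        if negative == "*NONE":
            return True                         # empty negative list: no restriction
        return not _in_sets(negative, processor, station)
    return _in_sets(terminal_set, processor, station)


Guard = Callable[[str, int], bool]  # stand-in for a guard: (subject user ID, hour) -> permitted


def _in_user_access(caller: str, owner: str, group_of: Callable[[str], str],
                    entries: Sequence[str]) -> bool:
    same_group = group_of(caller) == group_of(owner)
    for e in entries:
        if e == "*OWNER" and caller == owner:
            return True
        if e == "*GROUP" and caller != owner and same_group:
            return True
        if e == "*OTHERS" and caller != owner and not same_group:
            return True
        if e == caller:                         # an explicit <name 1..8>
            return True
    return False


def batch_access_allowed(caller: str, owner: str, group_of: Callable[[str], str],
                         user_access: Union[str, Sequence[str]],
                         guard: Optional[Guard], hour: int) -> bool:
    """caller is the user ID that issued ENTER-JOB; owner is the protected user ID."""
    if user_access != "*ALL":
        # Stage 1: the User Access List. A hit ends the evaluation with access.
        if _in_user_access(caller, owner, group_of, user_access):
            return True
        if guard is None:
            return False
    # Stage 2: the guard decides (no guard: no further restriction).
    return True if guard is None else guard(caller, hour)
```

The first test case below is the one the notes warn about: a terminal that appears in TERMINALS-ALLOWED is admitted although the negative terminal set list names it, so an administrator who adds an *EXCEPTION-LIST to an ID that still carries a compatibility terminal list has not actually blocked those terminals.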

BATCH-ACCESS = *NO
The system access class BATCH is locked for the user ID.

OPERATOR-ACCESS-TERM = *LOGON-DEFAULT(...) / *YES(...) / *NO
Defines the authentication methods to be used for an interactive partner connected via a terminal in operator mode. Details of the operator authentication facilities are provided in the “Introduction to System Administration” [2].

OPERATOR-ACCESS-TERM = *YES(...)
Operator mode is permitted for this user ID.

PASSWORD-CHECK = *YES / *NO
Specifies whether a password check is to be executed in operator mode.

OPERATOR-ACCESS-TERM = *NO
Operator mode is not permitted for this user ID.

OPERATOR-ACCESS-PROG = *LOGON-DEFAULT(...) / *YES(...) / *NO
Defines the authentication methods to be used in operating mode for programmed operators (PROP-XT).

OPERATOR-ACCESS-PROG = *YES(...)

PASSWORD-CHECK = *YES / *NO
Specifies whether a password check is to be executed for the programmed operator.

OPERATOR-ACCESS-PROG = *NO
Access by a programmed operator (access class OPERATOR-ACCESS-PROG) is not permitted for this user ID.

OPERATOR-ACCESS-CONS = *LOGON-DEFAULT(...) / *YES(...) / *NO
Specifies whether access to the physical console in incompatible mode is permitted under this user ID.

OPERATOR-ACCESS-CONS = *YES(...)

PASSWORD-CHECK = *YES / *NO
Specifies whether or not a password check is performed on console access.

OPERATOR-ACCESS-CONS = *NO
No console access is possible.

POSIX-RLOGIN-ACCESS = *LOGON-DEFAULT(...) / *YES(...) / *NO
The access class attributes for POSIX remote login can be defined.

POSIX-RLOGIN-ACCESS = *YES(...)
The BS2000 user ID is allowed system access via POSIX remote login.

PASSWORD-CHECK = *YES / *NO
Specifies whether or not a password check is performed on access via POSIX remote login.

TERMINAL-SET =
Specifies whether the user ID for access via POSIX remote login is protected with terminal sets.

TERMINAL-SET = *NO-PROTECTION
The user ID is not protected with terminal sets.

TERMINAL-SET = *NONE
An empty terminal set list is assigned to the user ID, i.e. no POSIX remote login is permitted.

TERMINAL-SET = *EXCEPTION-LIST(...)
A negative list of terminal sets is assigned.

TERMINAL-SET = *NONE
The negative list is empty, i.e. there is no restriction to POSIX remote login.

TERMINAL-SET = list-poss(48): <name 1..8>(...)
Access via POSIX remote login is prohibited for the UNIX clients with names corresponding to the terminal names in the specified terminal sets.

The meaning of the subordinate operands is the same as for the TERMINAL-SET operand below.

TERMINAL-SET = list-poss(48): <name 1..8>(...)
A positive list of terminal sets is assigned. Access via POSIX remote login is permitted for the UNIX clients with names corresponding to the terminal names in the specified terminal sets.

SCOPE =
Class of the terminal set name.

SCOPE = *STD
By default, a global system administrator assigns global terminal sets and a group administrator assigns local terminal sets.

SCOPE = *USER
A terminal set owned by the user ID is assigned.

SCOPE = *GROUP
A terminal set owned by the user ID’s group is assigned.

SCOPE = *SYSTEM
A publicly owned terminal set is assigned.

GUARD-NAME =
Specifies whether access via POSIX remote login is protected by a guard.

GUARD-NAME = *NONE
Access via POSIX remote login is not protected by a guard.

GUARD-NAME = <filename 1..18 without-cat-gen-vers>
Access via POSIX remote login is only permitted if the access conditions in the specified guard are fulfilled. The protected user ID must be an authorized user of the specified guard. When the guard is evaluated, only the time conditions Date, Time and Weekday are considered. The subject of the access condition is the protected user ID.

POSIX-RLOGIN-ACCESS = *NO
The BS2000 user ID is not allowed system access via POSIX remote login.

POSIX-REMOTE-ACCESS = *LOGON-DEFAULT(...) / *YES(...) / *NO
The BS2000 user ID for system access via a POSIX remote command is enabled or disabled.

TERMINAL-SET =
Specifies whether the user ID is protected for access via a POSIX remote command with terminal sets.

TERMINAL-SET = *NO-PROTECTION
The user ID is not protected with terminal sets.

TERMINAL-SET = *NONE
An empty terminal set list is assigned to the user ID, i.e. no access via a POSIX remote command is permitted.

TERMINAL-SET = *EXCEPTION-LIST(...)
A negative list of terminal sets is assigned.

TERMINAL-SET = *NONE / list-poss(48): <name 1..8>(...)
The negative list is empty, i.e. there is no restriction on access via a POSIX remote command.

TERMINAL-SET = list-poss(48): <name 1..8>(...)
Access via a POSIX remote command is prohibited for the UNIX clients with names corresponding to the terminal names in the specified terminal sets.

The meaning of the subordinate operands is the same as for the TERMINAL-SET operand below.

TERMINAL-SET = list-poss(48): <name 1..8>(...)
A positive terminal set list is assigned. Access via a POSIX remote command is permitted for the UNIX clients with names which match the terminal names in the specified terminal sets.

SCOPE =
Class of the terminal set name.

SCOPE = *STD
By default, a global system administrator assigns global terminal sets and a group administrator assigns local terminal sets.

SCOPE = *USER
A terminal set owned by the user ID is assigned.

SCOPE = *GROUP
A terminal set owned by the user ID’s group is assigned.

SCOPE = *SYSTEM
A publicly owned terminal set is assigned.

GUARD-NAME =
Specifies whether access via a POSIX remote command is protected by a guard.

GUARD-NAME = *NONE
Access via a POSIX remote command is not protected by a guard.

GUARD-NAME = <filename 1..18 without-cat-gen-vers>
Access via a POSIX remote command is only permitted if the access conditions in the specified guard are fulfilled. The protected user ID must be an authorized user of the specified guard. When the guard is evaluated, only the time conditions Date, Time and Weekday are considered. The subject of the access condition is the UNIX/POSIX user ID under which the rsh or rcp command was issued. This user ID does not have to exist in the BS2000 system.

POSIX-REMOTE-ACCESS = *NO
The BS2000 user ID is locked for system access via a POSIX remote command.

NET-DIALOG-ACCESS = *LOGON-DEFAULT(...) / *YES(...) / *NO
Specifies whether interactive access from the network is permitted.

NET-DIALOG-ACCESS = *YES(...)
Interactive access from the network is permitted.

PASSWORD-CHECK = *YES / *NO
Specifies whether the logon password should be checked when access is performed via the network.

PRINCIPAL =
Specifies whether access is permitted by using Kerberos authentication.

PRINCIPAL = *NO-PROTECTION
No Kerberos authentication is provided for this user ID. The client is not requested to present a Kerberos ticket, but access is assigned directly to the DIALOG-ACCESS class.

PRINCIPAL = *NONE
The list of Kerberos names is empty when created; network access is excluded.

PRINCIPAL = *ALL
No Kerberos name check is performed for this user ID. However, the client is requested to present a Kerberos ticket. The Kerberos name it contains is displayed in the logon history and used as the audit identification. If the client does not support Kerberos authentication, access is assigned to the DIALOG-ACCESS class.

PRINCIPAL = list-poss(48): <composed-name 1..1800 with-under with-wild> / <c-string 1..1800 with-low>
Specifies the list of Kerberos names of the clients which have access to this user ID provided they present a valid Kerberos ticket. If the client does not support Kerberos authentication, access is assigned to the DIALOG-ACCESS class. The Kerberos name check makes no distinction between upper and lower case. Wildcards in the list entries are evaluated during the check. Individual wildcard characters can be escaped in <c-string> format by preceding them with a '\'.

TERMINAL-SET =
Specifies whether the user ID should be protected for network access with terminal sets.

TERMINAL-SET = *NO-PROTECTION
The user ID is not protected with terminal sets.

TERMINAL-SET = *NONE
An empty terminal set list is assigned to the user ID, i.e. no network access is permitted.

TERMINAL-SET = *EXCEPTION-LIST(...)
A negative list of terminal sets is assigned.

TERMINAL-SET = *NONE / list-poss(48): <name 1..8>(...)
The negative list is empty, i.e. there is no restriction on network access.

TERMINAL-SET = list-poss(48): <name 1..8>(...)
Network access is prohibited for the terminals with names corresponding to the terminal names in the specified terminal sets.

The meaning of the subordinate operands is the same as for the TERMINAL-SET operand below.

TERMINAL-SET = list-poss(48): <name 1..8>(...)
A positive list of terminal sets is assigned. Network access is permitted for the terminals with names corresponding to the terminal names in the specified terminal sets.

SCOPE =
Class of the terminal set name.

SCOPE = *STD
By default, a global system administrator assigns global terminal sets and a group administrator assigns local terminal sets.

SCOPE = *USER
A terminal set owned by the user ID is assigned.

SCOPE = *GROUP
A terminal set owned by the user ID’s group is assigned.

SCOPE = *SYSTEM
A publicly owned terminal set is assigned.

GUARD-NAME =
Specifies whether network access is protected by a guard.

GUARD-NAME = *NONE
Network access is not protected by a guard.

GUARD-NAME = <filename 1..18 without-cat-gen-vers>
Network access is only permitted if the access conditions in the specified guard are fulfilled. The protected user ID must be an authorized user of the specified guard. When the guard is evaluated, only the time conditions Date, Time and Weekday are considered. The subject of the access condition is the protected user ID.

NET-DIALOG-ACCESS = *NO
The BS2000 user ID is locked for network access.
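As an added example, not taken from the manual page, the following command combines the POSIX-REMOTE-ACCESS and NET-DIALOG-ACCESS operands described above for one user ID. The user ID APP01, the terminal sets OLDHOST and NETTS, the guard $APP01.WORKTIME and the Kerberos realm EXAMPLE.COM are assumed names; the guard must already exist with APP01 entered as an authorized user, and the terminal sets must exist in the stated scope.

```sdf
/" Added example with assumed names: APP01, OLDHOST, NETTS, $APP01.WORKTIME, EXAMPLE.COM "
/set-logon-protection app01, -
/    posix-remote-access=*yes( -
/        terminal-set=*exception-list(terminal-set=oldhost(scope=*system)), -
/        guard-name=$app01.worktime), -
/    net-dialog-access=*yes( -
/        password-check=*yes, -
/        principal='*@EXAMPLE.COM', -
/        terminal-set=netts(scope=*group), -
/        guard-name=$app01.worktime)
```

The rsh/rcp class uses a negative list: every UNIX client is admitted except those named in the system-wide terminal set OLDHOST. The network dialog class uses a positive list: only terminals named in the group terminal set NETTS are admitted, and only with a Kerberos ticket whose principal lies in the realm EXAMPLE.COM (the wildcard in the c-string is evaluated, case-insensitively). Two points deserve a check before relying on this configuration. First, a client that presents no Kerberos ticket is not rejected by PRINCIPAL; it is assigned to the DIALOG-ACCESS class, so that class must be restricted as well. Second, the guard subjects differ: for NET-DIALOG-ACCESS the conditions in $APP01.WORKTIME are evaluated for APP01 itself, for POSIX-REMOTE-ACCESS for the UNIX user ID under which rsh or rcp was issued, which need not exist in BS2000. Verify that the guard's conditions cover both kinds of subject, or use a separate guard for each access class.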

Note

When a user entry is created by means of the /ADD-USER command, LOCK-USER=*YES may be specified to suspend ("lock") the user ID and thus prevent any LOGON attempts via the user ID while the /SET-LOGON-PROTECTION command is being entered. Once all protection attributes have been defined, the user ID can be readmitted ("unlocked") by means of the /UNLOCK-USER command.

Command return codes

(SC2)   SC1   Maincode   Meaning
        0     CMD0001    Command executed without errors
2       0     SRM6001    Command executed with a warning
        32    SRM6020    System error during command processing
        64    SRM6040    Semantic error during command processing
        130   SRM6030    Command cannot be processed at the present time

Example

/set-logon-protection tsos, -
/    password=*parameters(logon-password='xyzabcde',lifetime-interval=60), -
/    dialog-access=*yes(terminal-set=area52), -
/    batch-access=*yes(user-access=*owner)

The result of this command is that the password protecting TSOS must be changed every 60 days. System access in interactive mode is restricted to the terminals specified in the terminal set AREA52, and batch jobs may be started only by user jobs running under TSOS.

/set-logon-protection xy, -
/     password=*parameters(logon-password=*secret, -
/                          minimal-length=8, -
/                          minimal-complexity=4)

Passwords defined by the user XY must have at least 8 characters and include at least one letter, one digit and one special character (see the explanation of MINIMAL-COMPLEXITY=4). LOGON-PASSWORD=*SECRET causes the password to be requested in a hidden input field rather than being entered in the command line.