The interactive and batch job access routes can be protected with guards. In this case, access is not permitted unless the conditions specified in the corresponding guard are fulfilled. The subject for whom the access conditions are checked depends on whether or not personal identification is required (see "Personal identification").
Both the global user administrator and the group administrators have the following ways of administering access control using guards:
system user administrators can create and administer GUARDS under their own user IDs and assign these to all user IDs for the purposes of system access control
group administrators can create and administer GUARDS under their own user IDs and assign these to the members of their groups for the purposes of system access control.
If the administrator in question has privilege GUARD-ADMINISTRATION, then these guards can be created and administered under any user ID and assigned to the user IDs administered by this user ID for the purposes of system access control.
The owner of the guard, that is to say the user ID under which the guard is stored, is authorized to administer the access conditions. This user ID therefore has the right to manipulate access on the part of an unknown number of user IDs. It is the responsibility of system administration to avoid such situations.
The same situation may arise if a group administrator or system user administrator is downgraded.