When SECOS access control is only administered on a user-ID-specific basis, this offers maximum flexibility for fine-tuning in each particular case. However, it is frequently desirable to be able to define global settings for all user IDs centrally.
For global settings the /SET-LOGON-PROTECTION and /MODIFY-LOGON-PROTECTION commands offer the keyword *LOGON-DEFAULT in the appropriate operands. This means that the current global settings are always effective for the attributes for access control flagged in this way.
The global settings are specified using the /SET-LOGON-DEFAULTS and /MODIFY-LOGON-DEFAULTS commands and displayed using /SHOW-LOGON-DEFAULTS. These standard attributes become effective if no corresponding attributes are set directly for the user IDs.
Expiration dates
In addition to the attributes which are taken directly from the standard attributes, the user ID also contains expiration dates which are derived from the standard attributes. These expiration dates are preserved once set: they initially remain unaffected when their standard attributes are modified and reflect such modifications only when they are recalculated. These expiration dates comprise:
The expiration date of the user ID, which is set when the user ID is created or explicitly set by the user administrator.
The expiration date of the password, which is set when a new password is assigned.
The expiration date in the event of inactivity, which is set at the next logon.
Password management
The PASSWORD MANAGEMENT attribute is a user attribute that is contained in the BS2000 basic configuration. It is managed via the /ADD-USER and /MODIFY-USER-ATTRIBUTES commands and evaluated in the /MODIFY-USER-PROTECTION command. The default value is PASSWORD-MANAGEMENT=*BY-USER.
Access control enhances the basic configuration by adding the option to freely choose the default value (*LOGON-DEFAULT). In the interplay of user administration and access control, the following rules apply for PASSWORD MANAGEMENT:
In the case of the /ADD-USER command, access control always assigns the standard attribute *LOGON-DEFAULT.
The value *LOGON-DEFAULT can only be replaced by using the /MODIFY-LOGON-PROTECTION command. Attempted changes by using the /MODIFY-USER-ATTRIBUTES command are ignored without comment.
After /MODIFY-LOGON-PROTECTION has been used to assign a value other than *LOGON-DEFAULT to an ID, that value can be changed further by using /MODIFY-USER-ATTRIBUTES; it cannot, however, be changed back to *LOGON-DEFAULT. This value only exists in the access control, and the only way to assign it explicitly is the /MODIFY-LOGON-PROTECTION command.
The current meaning of the *LOGON-DEFAULT value can be determined with /SHOW-LOGON-DEFAULTS and changed at any time with /MODIFY-LOGON-DEFAULTS. The default value is *USER-CHANGE-ONLY.
To show that the access control is active, the /SHOW-USER-ATTRIBUTES command always displays the value *BY-LOGON-PROTECT for PASSWORD-MANAGEMENT. The value that actually applies can only be determined by using the /SHOW-LOGON-PROTECTION command.
The /SHOW-LOGON-PROTECTION command always outputs the effectively applicable value of the PASSWORD MANAGEMENT. Because of this, it is not always directly apparent whether this value is explicitly assigned to the ID or if *LOGON-DEFAULT is assigned to the ID and the output value is the current meaning of *LOGON-DEFAULT.
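The interplay of these rules can be traced with a small model, added here as an illustration; it is not part of the original documentation and not BS2000 or SECOS code. The class, its method names and the user IDs USERA and USERB are hypothetical, and only the values named on this page are modeled.

```python
# Simplified model of the PASSWORD-MANAGEMENT rules (not BS2000/SECOS code).
LOGON_DEFAULT = "*LOGON-DEFAULT"
EXPLICIT = {"*BY-USER", "*USER-CHANGE-ONLY"}  # only the values named on this page

class AccessControl:  # hypothetical name
    def __init__(self):
        self.default_meaning = "*USER-CHANGE-ONLY"  # initial meaning of *LOGON-DEFAULT
        self.stored = {}  # user ID -> value held by access control

    def add_user(self, uid, requested="*BY-USER"):
        # /ADD-USER: access control always assigns *LOGON-DEFAULT.
        self.stored[uid] = LOGON_DEFAULT

    def modify_user_attributes(self, uid, value):
        # /MODIFY-USER-ATTRIBUTES: ignored while the ID holds *LOGON-DEFAULT,
        # and it can never assign *LOGON-DEFAULT itself.
        if self.stored[uid] == LOGON_DEFAULT or value not in EXPLICIT:
            return False
        self.stored[uid] = value
        return True

    def modify_logon_protection(self, uid, value):
        # /MODIFY-LOGON-PROTECTION: may replace or re-assign *LOGON-DEFAULT.
        if value != LOGON_DEFAULT and value not in EXPLICIT:
            raise ValueError(f"unknown value: {value}")
        self.stored[uid] = value

    def modify_logon_defaults(self, value):
        # /MODIFY-LOGON-DEFAULTS: redefines what *LOGON-DEFAULT means.
        assert value in EXPLICIT
        self.default_meaning = value

    def show_user_attributes(self, uid):
        return "*BY-LOGON-PROTECT"  # constant marker while access control is active

    def show_logon_protection(self, uid):
        # Always the effective value; its origin is not visible in the output.
        value = self.stored[uid]
        return self.default_meaning if value == LOGON_DEFAULT else value

def demo():
    ac = AccessControl()
    ac.add_user("USERA")  # constructed sample user IDs
    ac.add_user("USERB")
    ignored = ac.modify_user_attributes("USERA", "*BY-USER")  # still *LOGON-DEFAULT
    ac.modify_logon_protection("USERB", "*USER-CHANGE-ONLY")  # explicit, same as default
    before = [ac.show_logon_protection(u) for u in ("USERA", "USERB")]
    ac.modify_logon_defaults("*BY-USER")
    after = [ac.show_logon_protection(u) for u in ("USERA", "USERB")]
    return ignored, before, after
```

In this model both IDs show the same effective value before the global default is changed, and only the ID that still holds *LOGON-DEFAULT follows the change afterwards.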