A protection code controls the type of access allowed (or denied)
    to a particular user or group of users. It has the following
    format:

    [category:list of access allowed(,category:list of access allowed,...)]

    o  Category

       User categories include system (S), owner (O), group (G),
       and world (W). Each category can be abbreviated to its first
       character. Categories have the following definition:

       System      Any user process or application whose UIC is
                   in the range 1 through 10 (octal), has SYSPRV
                   privilege, or is in the same group as the owner
                   and holds GRPPRV.
       Owner       Any user process or application whose UIC is
                   identical to the UIC of the object.
       Group       Any user process or application whose Group UIC is
                   identical to the group UIC of the object.
       World       Any user process or application on the system.

       When specifying more than one user category, separate the
       categories with commas, and enclose the entire code in
       parentheses. You can specify user categories and access types
       in any order.

       A null access specification means no access, so when you omit
       an access type for a user category, that category of user
       is denied that type of access. To deny all access to a user
       category, specify the user category without any access types.
       Omit the colon after the user category when you are denying
       access to a category of users.

    o  access-list

       For files, the access types include read (R), write (W),
       execute (E), or delete (D). The access type is assigned
       to each ownership category and is separated from its
       access types with a colon (:); for example, SET SECURITY
       /PROTECTION=(S:RWE,O:RWE,G:RE,W). File access types have the
       following meanings:

       Read     Gives you the right to read, print, or copy a disk
                file. With directory files, the right to read or list
                a file and use a file name with wildcard characters
                to look up files. Read access implies execute access.
       Write    Gives you the right to write to or change the
                contents of a file, but not delete it. Write access
                allows modification of the file characteristics that
                describe the contents of the file. With directory
                files, the right to make or delete an entry in the
                catalog of files.
       Execute  Gives you the right to execute a file that contains
                an executable program image or DCL command procedure.
                With a directory file, the right to look up files
                whose names you know.
       Delete   Gives you the right to delete the file. To delete
                a file, you must have delete access to the file and
                write access to the directory that contains the file.
       Control  Gives you the right to file characteristics,
                including the protection code and ACL. Special
                restrictions apply to changing the owner of a file.