The CHANGE PROTECTION command modifies access rights for an access control list entry (ACE) in an access control list (ACL) for an element. When you specify FOR GENERIC MCS_CONTEXT or FOR REPOSITORY, this command can also add an ACE to a default access control list.

CHANGE PROTECTION makes its change in place: CDO changes the values you specify, and other values remain the same.

You must have CONTROL access rights to change protection for an element or a repository.

The POSITION clause identifies the ACE you are changing by its relative position within the ACL. For example, POSITION 3 indicates the third ACE in the ACL. If you specify a number greater than the number of existing ACEs, CDO changes the last ACE in the ACL.

The id parameter specifies the user or users affected by the ACE you are changing. The clause consists of one or more UIC, general, or system-specified identifiers. If you specify more than one identifier, a user's process must hold all the identifiers before CDO grants the access rights indicated in the ACE.

The ACCESS clause specifies access rights provided by the ACE. See the DEFINE PROTECTION command for more information on access rights. The ACCESS clause is especially useful when you need to restrict access to a context or to a repository. For example, by modifying this clause you can restrict access to a single user for OpenVMS BACKUP or VERIFY operations.

The DEFAULT_ACCESS clause is valid only for contexts (specified as GENERIC MCS_CONTEXT) or repositories. The clause specifies the default access rights for each new element you create. If a context is set, the new element receives the default access rights defined for this context. If a context is not set, the new element receives the default access rights defined for the repository.
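The following Python model is an added illustration, not CDO code or Oracle's implementation. It reproduces three rules stated above (POSITION past the end selects the last ACE, only supplied values change, and a process must hold every identifier in the ACE) and adds a hypothetical `strict` guard that a reviewer could use to catch an out-of-range POSITION before it alters the wrong entry. The identifiers and right names in the sample ACL are constructed labels, and rejecting POSITION values below 1 is an assumption.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Ace:
    identifiers: FrozenSet[str]                      # a process must hold ALL of these
    access: FrozenSet[str]
    default_access: Optional[FrozenSet[str]] = None  # contexts and repositories only

def resolve_position(acl: List[Ace], position: int, strict: bool = False) -> int:
    """Map POSITION n (1-based) to a list index; n past the end selects the last ACE."""
    if not acl or position < 1:
        # Assumption: the page does not cover these inputs, so the model rejects them.
        raise ValueError("POSITION must be >= 1 and the ACL must not be empty")
    if strict and position > len(acl):
        # Reviewer's guard (not CDO behaviour): refuse instead of silently clamping.
        raise IndexError(f"POSITION {position} exceeds {len(acl)} ACEs")
    return min(position, len(acl)) - 1

def change_protection(acl, position, access=None, default_access=None,
                      strict=False) -> Tuple[List[Ace], int]:
    """Change in place: replace only the values supplied, keep everything else."""
    index = resolve_position(acl, position, strict)
    changes = {}
    if access is not None:
        changes["access"] = frozenset(access)
    if default_access is not None:
        changes["default_access"] = frozenset(default_access)
    updated = list(acl)
    updated[index] = replace(acl[index], **changes)
    return updated, index

def ace_applies(ace: Ace, held_identifiers) -> bool:
    """The ACE grants its rights only if the process holds every identifier listed."""
    return ace.identifiers <= frozenset(held_identifiers)

# Constructed sample ACL; identifiers and right names are illustrative labels.
SAMPLE_ACL = [
    Ace(frozenset({"[SALES,JONES]"}), frozenset({"SHOW", "CHANGE", "CONTROL"})),
    Ace(frozenset({"PAYROLL", "INTERACTIVE"}), frozenset({"SHOW"})),
    Ace(frozenset({"[*,*]"}), frozenset({"SHOW"})),
]

if __name__ == "__main__":
    acl, hit = change_protection(SAMPLE_ACL, 7, access={"SHOW", "CHANGE"})
    print(f"POSITION 7 changed ACE {hit + 1}: {sorted(acl[hit].access)}")
```

In the sample run, POSITION 7 lands on the third (wildcard) ACE and widens its rights, which is why checking the ACE count before issuing the command matters.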