Hi Donna,

> i'm wanting to setup a group (in the sys account) that only
> 'op' and 'sm' users have 'x'ecute access to but only 'sm'
> users have all the other accesses to (particularily write).
> i'm going to place command files in this group that are
> meant for 'op' and 'sm' users only.
...

It seems that the standard group access=() controls won't meet
your needs.  What would be nice is if an ACD could be applied to
the group, but this isn't possible now.  Do you have the choice
of creating a directory under /SYS (or under a group in SYS)?
If so you can put an ACD on the directory similar to:
    :altsec /SYS/dirname;repacd=(x:operator.sys)

This would deny all users except operator.sys (and users with SM)
all accesses except for eXecute.  Also, SM can write anywhere.

You can also put the directory name in the HPPATH variable,
e.g. setvar hppath hppath + ",/SYS/dirname"

Your OP and SM users can enter the script name without needing
to prefix the name with "./" or "/" etc, so it appears to be
just like any other unqualified script file name.

HTH,
Jeff Vance, CSY