CA ACF2 for z/VM Privileges

Logonid record fields also specify special user privileges. Privileges give the user access to data, resources, and CA ACF2 for z/VM records. The CA ACF2 for z/VM privileges are listed below.

ACCOUNT

Indicates that this user is an account manager. An account manager can insert, delete, and change logonid records within the limits defined by his scope. (Scope is explained later in this chapter.) Account managers usually establish, maintain, and delete logonid records. The ACCOUNT privilege grants no authority to write rules or to process other CA ACF2 for z/VM records.

SECURITY

Indicates that this user is a security administrator and can access all data, protected programs, and resources. A security administrator can insert, change, list, and delete access and resource rules, and can list and change certain fields of logonid records. He cannot insert or delete logonid records unless he also has the ACCOUNT privilege. He can insert, change, list, and delete any infostorage records within his scope. You can use a scope record to restrict any access granted by the SECURITY privilege.

AUDIT

Indicates that this user can list logonid records, access and resource rules, entry records, shift records, zone records, scope records, and VM Option (VMO) records. He cannot update or delete logonid records, or access any resources other than those authorized to him through rules.

CONSULT

Indicates that this user can display most fields of logonid records and update only certain non-security-related fields. The CONSULT privilege is usually given to individuals who assist other users on the system, so that they can answer questions about logonid record information.

LEADER

Indicates that this user has the same privileges as CONSULT; however, he can display and modify certain fields of other logonid records only as defined by the SCPLIST field. (For detailed information on SCPLIST, see the Administrator Guide.)

USER

Indicates that this user can display his own logonid record. A system-wide option specifies whether a user with only the USER privilege can write access rules for his own data.

A user can have more than one privilege. For example, he can have both SECURITY and ACCOUNT, which gives him all authorities associated with the SECURITY privilege and all authorities associated with the ACCOUNT privilege.