z/OS HCD User's Guide


Giving users access authority

SC34-2669-00

The access authority you can give to a user depends on the profile.

Access to data set profiles

You can give READ, UPDATE, or ALTER access to IODFs in general or to a specific IODF.

Access to profile MVS.ACTIVATE

You must give UPDATE access to allow the user to activate a configuration change or to use the I/O Autoconfiguration function.

You can give READ access if you want to restrict the activate function to the test option.

Access to profile CBD.CPC.IPLPARM

NONE
Indicates that the user is not allowed to query or change the IPLADDR and IPLPARM attribute values. This is also the case if profile CBD.CPC.IOCDS is not defined or RACF is not installed.
READ
Allows the user to query the IPLADDR and IPLPARM attribute values; however, changing the IPLADDR and IPLPARM attribute values is not allowed.
UPDATE
Allows the user to update the IPLADDR and IPLPARM attribute values.

Table 7 shows the relationship between HCD IPL attribute management functions and the CBD.CPC.IPLPARM access authority. Option 2.11 refers to option 2 on the Primary Task Selection panel and option 11 on the resulting panel.

Table 7. CBD.CPC.IPLPARM access authority and HCD IPL attribute management functions
| Option | HCD IPL Attribute Management Functions | RACF Authority |
|---|---|---|
| 2.11 | List System z cluster | READ (or READ authority in CBD.CPC.IOCDS) |
| 2.11 | View IPL attributes | READ |
| 2.11 | Update NEXT IPL attributes | UPDATE |

Access to profile CBD.CPC.IOCDS

If profile CBD.CPC.IOCDS is not defined or RACF is not installed, the local IOCDS functions (that is, those for processors with no SNA address specified) work as before: the operator will be requested to approve the write-IOCDS request.

The new remote IOCDS functions (that is, those for processors with an SNA address specified) require RACF authorization.

NONE
The user is not allowed to query or change IOCDS control information, or to write an IOCDS (neither by HCD nor IOCP).
READ
Allows the user to query IOCDS control information. Changing IOCDS control information or writing an IOCDS is not allowed (neither by HCD nor IOCP).
UPDATE
Allows the user to write IOCDSs (by HCD or IOCP), or to change and view IOCDS control information. If profile CBD.CPC.IOCDS is defined, then the operator will not be requested to approve the writing of an IOCDS. (That is, only users with update access to profile CBD.CPC.IOCDS are allowed to write an IOCDS.)

Table 8 shows the relationship between IOCDS management functions and the CBD.CPC.IOCDS access authority. The first column in the table refers to the options you have to select to get to the HCD functions, that is, you start with option 2 on the primary selection panel and select options 2, 6, or 11 on the resulting panel.

Table 8. CBD.CPC.IOCDS access authority and HCD IOCDS management functions
| Option | HCD IOCDS Management Functions | RACF Authority |
|---|---|---|
| 2.11 | List System z cluster | READ (or READ authority in CBD.CPC.IPLPARM) |
| 2.11 | View IOCDS control information | READ |
| 2.11 | Update IOCDS control information (switch IOCDS, enable or disable write protection) | UPDATE |
| 2.2 or 2.6 | Build IOCDS (SNA address not defined for processor or batch IOCP job runs on SP 4.3 system) | UPDATE ¹ or Profile not defined to RACF ² |
| 2.2 or 2.6 or 2.11 | Build IOCDS (SNA address defined for processor and batch IOCP job runs on SP 5.1 system) | UPDATE ¹ |
| -- | Direct invocation of IOCP | UPDATE ¹ or Profile not defined to RACF ² |

¹ The build IOCDS function does not require authorization by the system operator, that is, no WTOR message is written.

² A WTOR message will be issued to the operator to authorize the build IOCDS function.

For more information on security considerations for IOCDS management, refer to the IOCP User's Guide.
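
The following RACF commands are an added example, not part of the original guide, showing one least-privilege mapping of the access levels described above. The group names HCDADMIN, HCDTEST and HCDVIEW are hypothetical, and the resource classes (FACILITY for the CBD.CPC profiles, OPERCMDS for MVS.ACTIVATE) are not stated on this page and are given here as the classes in which these profiles are normally defined.

```tso
  /* Added example: group names are hypothetical placeholders.        */
  /* Comments are indented so that a leading slash-asterisk never     */
  /* starts in column 1 when this is run from in-stream SYSTSIN.      */

  /* CBD.CPC.IOCDS: once this profile exists, the operator is no      */
  /* longer asked to approve IOCDS writes, so the UPDATE access list  */
  /* is the only control. Keep it short and start from UACC(NONE).    */
  RDEFINE FACILITY CBD.CPC.IOCDS UACC(NONE)
  PERMIT  CBD.CPC.IOCDS CLASS(FACILITY) ID(HCDADMIN) ACCESS(UPDATE)
  PERMIT  CBD.CPC.IOCDS CLASS(FACILITY) ID(HCDVIEW)  ACCESS(READ)

  /* CBD.CPC.IPLPARM: READ can query IPLADDR and IPLPARM, UPDATE can  */
  /* change them. Users with no entry get NONE.                       */
  RDEFINE FACILITY CBD.CPC.IPLPARM UACC(NONE)
  PERMIT  CBD.CPC.IPLPARM CLASS(FACILITY) ID(HCDADMIN) ACCESS(UPDATE)
  PERMIT  CBD.CPC.IPLPARM CLASS(FACILITY) ID(HCDVIEW)  ACCESS(READ)

  /* MVS.ACTIVATE: UPDATE allows activation and I/O Autoconfiguration.*/
  /* READ restricts the activate function to the test option.         */
  RDEFINE OPERCMDS MVS.ACTIVATE UACC(NONE)
  PERMIT  MVS.ACTIVATE CLASS(OPERCMDS) ID(HCDADMIN) ACCESS(UPDATE)
  PERMIT  MVS.ACTIVATE CLASS(OPERCMDS) ID(HCDTEST)  ACCESS(READ)

  /* Refresh in-storage profiles if these classes are RACLISTed.      */
  SETROPTS RACLIST(FACILITY OPERCMDS) REFRESH

  /* Review the resulting access lists. Every ID shown with UPDATE on */
  /* CBD.CPC.IOCDS can write an IOCDS without a WTOR to the operator. */
  RLIST FACILITY CBD.CPC.IOCDS   AUTHUSER
  RLIST FACILITY CBD.CPC.IPLPARM AUTHUSER
  RLIST OPERCMDS MVS.ACTIVATE    AUTHUSER
```

READ on either CBD.CPC.IOCDS or CBD.CPC.IPLPARM is enough to list the System z cluster (option 2.11), so a view-only group needs no more than the READ permits shown.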





Copyright IBM Corporation 1990, 2014