QUERY CPPROTECT

Read syntax diagramSkip visual syntax diagram Query CPPROTect UsersAGainstuserid*

Authorization

Privilege Class: C

Purpose

Use QUERY CPPROTECT to display protection settings of the system, of users with protection overrides, or of a specific user, as well as availability of the required machine support for each protection mode.

In addition, if the machine support was not present when z/VM was IPLed and the required service is dynamically applied later, QUERY CPPROTECT can be issued to cause CP to recognize the machine support and put previously requested CPPROTECT settings into effect.

Operands

Users
includes a display of the MODE2 settings for all users for whom a MODE2 override has been requested.
AGainst userid
displays only the MODE2 settings for a specific user.
AGainst *
displays only the MODE2 settings for the command issuer.

Usage Notes

  1. MODE1 refers to a system-wide mitigation mechanism. MODE2 refers to a mitigation mechanism that the z/VM Control Program (CP) can apply when it interacts with some users but not with others. Details on the protection modes are not provided in this publication. Authorized personnel of IBM clients can consult the IBM Z Security Portal for further information and guidance. To request access to the portal, see the instructions referenced in the SET CPPROTECT command description.
  2. To remove a user override, issue: set cpprotect mode2 against userid default.
  3. To remove all user overrides, issue: set cpprotect mode2 against all default.
  4. Users who do not appear in the QUERY CPPROTECT USERS output are operating with the default MODE2 setting.

Examples

Response 1:

The response to QUERY CPPROTECT consists of the following three lines.

Line 1: 

  MODE1 {AVAILABLE   } REQUESTED {ON        } CURRENTLY {ON        }
        {UNAVAILABLE }           {OFF       }           {OFF       }

This line indicates whether the machine support required for MODE1 function is present in the machine on which z/VM is running. The REQUESTED clause shows what setting was requested. The CURRENTLY clause shows how the system is currently running. These will differ only if the machine support is absent.

Line 2:

  MODE2 {AVAILABLE   } REQUESTED {ON        } CURRENTLY {ON        }
        {UNAVAILABLE }           {OFF       }           {OFF       }
        {INHERENT    }           {SELECTIVE }           {SELECTIVE }

This line indicates whether the machine support required for MODE2 function is present in the machine on which z/VM is running, and if present, whether it is available for optional activation or provided inherently in the machine design. The REQUESTED and CURRENTLY clauses summarize the settings that were requested and those currently in effect. These will differ if ON was requested but the machine support is absent, or if OFF was requested but the machine design inherently delivers the protection. ON and OFF indicate a setting that was requested or is currently active as the system default, with no user overrides in place. SELECTIVE indicates that there are one or more user overrides requested and currently in effect, respectively. Details on the overrides can be displayed using QUERY CPPROTECT USERS.

Line 3:

  MODE2  DEFAULT             REQUESTED {ON  } CURRENTLY {ON  }
                                       {OFF }           {OFF }

This line indicates the system-wide default setting for MODE2 as set by the most recent SET CPPROTECT MODE2 DEFAULT command. If no such command has been issued, the DEFAULT OFF setting established at z/VM IPL is shown. The default setting applies to all users except those for whom an override has been set via SET CPPROTECT MODE2 AGAINST userid.

Response 2:

The response to QUERY CPPROTECT USERS consists of Response 1 above, followed by zero or more instances of line 4, as shown below.

Lines 4 to n:

  MODE2  AGAINST userid    REQUESTED {ON  } CURRENTLY {ON  }
                                     {OFF }           {OFF }

Line 4 in this response shows the override setting for a user, as set by SET CPPROTECT MODE2 AGAINST userid {ON|OFF}. The override value applies to that user regardless of the system default or any changes to the system default. As above, the REQUESTED and CURRENTLY clauses indicate the saved request and the actual setting, according to the presence of the machine support for MODE2.

Response 3:

The response for QUERY CPPROTECT AGAINST userid consists of one line indicating the requested user's MODE2 setting, as shown below.

  MODE2  AGAINST userid    REQUESTED {ON      }  CURRENTLY {ON  }
                                     {OFF     }            {OFF }
                                     {DEFAULT }

This response is displayed for the specified user, regardless of whether an override has been established for the user. The REQUESTED clause indicates whether the user is configured to operate according to an ON or OFF per-user override or according to the system-wide default setting. The CURRENTLY clause indicates how protection is being applied to the user, based on the REQUESTED response, the system-wide default, and the presence of the required machine support.

Messages

  • HCP002E Invalid operand - operand
  • HCP003E Invalid option - command contains extra option(s) starting with option
  • HCP026E Operand missing or invalid
  • HCP045E userid not logged on