z/VM Privilege

In the z/VM system of privilege, a user can have no privileges, or be assigned to one or more privilege classes. Each privilege class represents a subset of CP commands that the system permits the user to enter.

Each privilege class, sometimes called CP privilege class, is defined around a particular job or set of tasks, thereby creating an area outside of which the user may not go. Of course, it is commonplace for a user to be assigned to more than one CP privilege class. Users are unable to enter commands in privilege classes to which they are not assigned.

Note: Any user, except those with either NO PRIVILEGE or CP privilege class G, is considered part of the configuration, but is not necessarily considered trusted.
A summary of CP privilege classes, their associated users, tasks, and security implications follows:
Privilege class A – The primary system operator
The system operator is among the most powerful and privileged of all z/VM users. The system operator is responsible for the system's availability and its resources. The system operator also controls accounting, broadcasts messages, and sets performance parameters.
Privilege class B – The system resource operator
The system resource operator controls the allocation and de-allocation of real resources, such as memory, printers, and DASD. Note that the system resource operator does not control any resource already controlled by the system operator or the spooling operator.
Privilege class C – System programmer
A system programmer updates the functions of the z/VM system and can change real memory in the partition.
Privilege class D – Spooling operator
The spooling operator controls spool files and real unit record devices, such as punches, readers, and printers.
Privilege class E – System analyst
The system analyst has access to real memory and examines dumps to make sure that the system is performing as efficiently and correctly as possible.
Privilege class F – IBM service representative
A representative of IBM who diagnoses and solves problems by examining and accessing real input and output devices and the data they handle.
Privilege class G – General user
This is the most prevalent and innocuous of the CP privilege classes. The commands that privilege class G users can enter affect only their own virtual machines.
Privilege class ANY
The commands in this privilege class are available to any user.

It should be obvious from the discussion above that privilege classes A, B, C, D, E, and F require individuals worthy of very significant trust and whose activities require careful auditing.

For example, users with privilege class B or C can modify an installation's system of CP privilege. As another example, privilege class C users can enter the CP STORE HOST command, allowing them to alter real memory. Because in both cases the Common Criteria security policy claims would be violated (regardless of Protection Profile in use), system programmers and similarly privileged users must be trusted not to tamper with the system of CP privilege, and auditing must confirm this.

Privilege class G users have no influence outside their own virtual machines. So, with the exception of access to storage objects, they have very little security relevance.

The ANY privilege class commands cannot violate the security policies of the system. This is because all commands in the ANY privilege class are auditable and subject to either discretionary or mandatory access control, DAC or MAC. (See Security Labels and Mandatory Access Control (MAC).) Therefore, class ANY users, together with class G users, cannot violate the security policy.
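The trust rules above can be applied mechanically when reviewing who holds which classes. The following is an added example, not IBM code: it assumes an offline text extract of the user directory in which each `USER` statement carries the class string as its sixth field, and the user IDs, sizes, and the `SAMPLE_DIRECTORY` contents are constructed.

```python
# Roles for the classes that require trust and auditing, as summarized on this page.
ROLES = {
    "A": "primary system operator",
    "B": "system resource operator",
    "C": "system programmer",
    "D": "spooling operator",
    "E": "system analyst",
    "F": "IBM service representative",
}

# Constructed sample extract (assumed layout: USER userid password stor mstor classes).
SAMPLE_DIRECTORY = """\
* constructed sample directory extract
USER OPERATOR XXXXXXXX 32M 32M ABCDEFG
USER SPOOLOP XXXXXXXX 16M 16M DG
USER LINUX01 XXXXXXXX 2G 4G G
USER SYSPROG XXXXXXXX 64M 128M CEG
   MDISK 0191 3390 100 10 VOL001 MR
USER SVCUSER XXXXXXXX 16M 16M BG
"""

def parse_users(text):
    """Yield (userid, classes) for each USER line; comments and other statements are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].upper() == "USER":
            yield fields[1].upper(), fields[5].upper()

def assess(classes):
    """Apply the page's trust rules to one class string."""
    held = set(classes)
    elevated = sorted(held - {"G"})  # anything beyond class G needs review
    return {
        "part_of_configuration": bool(elevated),
        "needs_audit": {c: ROLES.get(c, "class not described on this page") for c in elevated},
        "can_modify_privilege_system": bool(held & {"B", "C"}),
        "can_store_host": "C" in held,
    }

def audit(text):
    """Map each user ID in the extract to its assessment."""
    return {user: assess(classes) for user, classes in parse_users(text)}

if __name__ == "__main__":
    for user, result in audit(SAMPLE_DIRECTORY).items():
        print(user, result)
```
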

In CP, each level of privilege is discrete and not predicated on others. Furthermore, each privilege class (a subset of commands) is related to one or more function types (subsets of users). To learn more about privilege classes and function types, see z/VM: CP Commands and Utilities Reference. To learn about CP command and DIAGNOSE protection through RACF, see z/VM: RACF Security Server Security Administrator's Guide.