Setting the CP Disposition for Access Requests
Until you have RACF® installed to your satisfaction, you might want CP to continue to make access decisions for some of your resources; for example, nodes, minidisks, and commands. (For the protected commands in VM, refer to z/VM: RACF Security Server Security Administrator's Guide.
The SYSSEC macro establishes a relationship between RACF's response to an access request and the final disposition of that request.
The defaults for SYSSEC parameters are shown in Table 1.
You should be careful about changing the CP Disposition on minidisk relationships. Do not change it to Disallow Access. Resources are not defined when IBMUSER logs on after the initial IPL. If you disallow access, IBMUSER is not granted access to CMS minidisks that IBMUSER requires to initialize the RACF database.
See z/VM: RACF Security Server Macros and Interfaces. for a description of the SYSSEC macro.
| RACF Response | CP Disposition |
|---|---|
| Access Permitted | Allow Access |
| Resource Undefined | Defer to CP |
| Access Denied | Disallow Access |
| Access denied, but warning mode is set for resource | Defer to CP |
In the figure, if a user attempts to LINK to a minidisk that has not been defined to RACF, the request is deferred to VM. VM permits the user to link if the user has supplied a valid LINK password.
To update or change the SYSSEC macro invocation parameters in HCPRWA,
put a local modification on to HCPRWA RPIBASE0. See Applying
local service and local modifications
in z/VM®: Service Guide for the steps on how to
apply a local modification to HCPRWA.