Access Authority for Minidisks on z/VM
Minidisks on z/VM® can have one of the following access authorities:
- NONE
- Does not allow users to access the minidisk.
  Attention: Anyone who has READ, UPDATE, CONTROL, or ALTER authority to a protected minidisk can copy the data in it. If users copy the data to a minidisk for which they can control the security characteristics, they can potentially downgrade the security characteristics of the copied files. For this reason, you will probably want to assign a UACC of NONE, and then selectively permit a small number of users to access your minidisk, as their needs become known. See z/VM: RACF® Security Server General User's Guide for information on how to permit selected users or groups to access a minidisk.
- READ
- Allows users to read from the minidisk. This enables users to request any read-only link mode on the CP LINK command. Read-only link modes include R, RR, SR, and ER. (Note that users who can read files on a minidisk can copy or print them.)
- UPDATE
- Allows users to read from, or write to, the minidisk. This enables users to request any of the read-only and some of the write link modes on the CP LINK command. The allowed write link modes include W, WR, SW, and EW.
- CONTROL
- Allows users to read from, or write to, the minidisk. This enables users to request any of the read-only link modes and all of the write link modes except MW on the CP LINK command. In addition to the link modes allowed for READ and UPDATE access, users may request a link mode of M, MR, or SM.
- ALTER
- Allows users to read from, or write to, the minidisk.
This enables users to request any valid link mode on the CP LINK command,
including MW (multiwrite).
Unlike other general resource classes, ALTER access to a discrete VMMDISK profile does not, by itself, allow a user to read, alter, or delete the profile, or to modify its access list.
As an alternative approach to allow users to manage VMMDISK profiles, you can create a group to own the profiles and connect users to that group with the SPECIAL attribute. For example, to enable users USERA and USERB to manage VMMDISK profiles for USER1.191, use the following RACF commands:
    ADDGROUP ADMVMMD
    RALTER VMMDISK USER1.191 OWNER(ADMVMMD)
    CONNECT (USERA USERB) GROUP(ADMVMMD) SPECIAL
Users with ALTER access to a generic VMMDISK profile have no authority over the profile itself.
Note: For a description of the different CP LINK access modes, refer to z/VM: CP
Commands and Utilities Reference.
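The authority-to-link-mode mapping above can be used to review minidisk grants for least privilege. The following Python sketch is an added example, not IBM code and not RACF output: the record layout, the `observed_links` field, USERC, and the sample link activity are constructed assumptions.

```python
# Link modes each authority adds, as listed on this page (cumulative upward).
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]
ADDED_MODES = {
    "READ": {"R", "RR", "SR", "ER"},
    "UPDATE": {"W", "WR", "SW", "EW"},
    "CONTROL": {"M", "MR", "SM"},
    "ALTER": {"MW"},
}

def min_authority(mode):
    """Lowest authority that permits the requested CP LINK mode."""
    mode = mode.upper()
    for level in LEVELS[1:]:
        if mode in ADDED_MODES[level]:
            return level
    raise ValueError(f"link mode not covered by this page: {mode}")

def link_allowed(authority, mode):
    """True if the given authority permits the requested link mode."""
    return LEVELS.index(authority.upper()) >= LEVELS.index(min_authority(mode))

def audit(profile):
    """Return (user, finding) tuples for one constructed profile record."""
    findings = []
    if profile["uacc"] != "NONE":
        findings.append(("*", f"UACC is {profile['uacc']}, expected NONE"))
    for user, granted in profile["access_list"].items():
        modes = profile["observed_links"].get(user, [])
        needed = max((min_authority(m) for m in modes),
                     key=LEVELS.index, default="NONE")
        if LEVELS.index(granted) > LEVELS.index(needed):
            findings.append((user, f"has {granted}, observed links need only {needed}"))
    return findings

# Constructed sample data; the record layout is an assumption, not RACF output.
SAMPLE = {
    "profile": "USER1.191",
    "uacc": "READ",
    "access_list": {"USERA": "ALTER", "USERB": "UPDATE", "USERC": "READ"},
    "observed_links": {"USERA": ["RR", "MR"], "USERB": ["W"]},
}

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{SAMPLE['profile']} {user}: {finding}")
```

A grant flagged here is a candidate for review, since any authority of READ or higher also lets the user copy the data.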