Associating Privilege Classes with Users and Commands
After you have associated the commands with the types of users, you can assign a different class to each type of user. Then, each command can be assigned a list of classes that correspond to the users who need access. In the example table, each asterisk is replaced by a new user class, and then these classes are collected in the “New Class” column for each command. See Table 1.
| Command | IBM-Defined Class | New Class | SAD I | SSP J | JSP K | SA L | SO M | DBA N | SE O | U1 P | U2 Q |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ACNT | A | L | | | | L | | | | | |
| ATTN | G | PQ | | | | | | | | P | Q |
| XAUTOLOG | A | IJ | I | J | | | | | | | |
| XAUTOLOG | B | KLMN | | | K | L | M | N | | | |
| XAUTOLOG | G | P | | | | | | | | P | |
| CHANGE | D | MN | | | | | M | N | | | |
| CHANGE | G | PQ | | | | | | | | P | Q |
| DEDICATE | A | J | | J | | | | | | | |
| DEFINE | A | M | | | | | M | | | | |
| DEFINE | G | PQ | | | | | | | | P | Q |
| IPL | G | PQ | | | | | | | | P | Q |
| MESSAGE | A | JK | | J | K | | | | | | |
| MESSAGE | B | M | | | | | M | | | | |
| SAVESYS | E | IJ | I | J | | | | | | | |
| SPOOL | G | PQ | | | | | | | | P | Q |
| DIAG04 | C,E | IJKM | I | J | K | | M | | | | |
| DIAG3C | A,B,C | IJKL | I | J | K | L | | | | | |
An important distinction to make here is that the user classes with access to system functions and resources (classes I through O) do not have access to any commands that are useful for controlling their own virtual machines (for example, SPOOL). Only the two general user classes (P and Q) have access to these commands. Class P users have access to more powerful commands than class Q users do. With this arrangement, the system administrator can independently control a user's access to system commands and to virtual machine commands. When assigning classes to each user, the system administrator assigns at least two classes to key sophisticated users such as system programmers. An unsophisticated general user might be assigned to class Q; a system programmer would be assigned to classes J and P. In this way, the system programmer gains access to both the class J system commands and the class P virtual machine commands.
Note also that whereas the class A and B MESSAGE commands are listed, the class ANY MESSAGE command is not. User class modification does not affect class ANY commands.
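The separation described above can be checked mechanically before the new classes are put into effect. The following Python sketch is an added example, not IBM code: the rows are transcribed from Table 1, the function names are hypothetical, and class ANY commands are left out because user class modification does not affect them.

```python
# Rows transcribed from Table 1: (command, IBM-defined class, new classes).
TABLE = [
    ("ACNT", "A", "L"), ("ATTN", "G", "PQ"),
    ("XAUTOLOG", "A", "IJ"), ("XAUTOLOG", "B", "KLMN"), ("XAUTOLOG", "G", "P"),
    ("CHANGE", "D", "MN"), ("CHANGE", "G", "PQ"),
    ("DEDICATE", "A", "J"), ("DEFINE", "A", "M"), ("DEFINE", "G", "PQ"),
    ("IPL", "G", "PQ"), ("MESSAGE", "A", "JK"), ("MESSAGE", "B", "M"),
    ("SAVESYS", "E", "IJ"), ("SPOOL", "G", "PQ"),
    ("DIAG04", "C,E", "IJKM"), ("DIAG3C", "A,B,C", "IJKL"),
]
SYSTEM_CLASSES = set("IJKLMNO")   # access to system functions and resources
GENERAL_CLASSES = set("PQ")       # control of the user's own virtual machine


def allowed(user_classes):
    """Map each command to the IBM-defined versions these classes may issue."""
    granted = {}
    for command, ibm_class, new_classes in TABLE:
        if set(new_classes) & set(user_classes):
            granted.setdefault(command, []).append(ibm_class)
    return granted


def mixed_rows():
    """Rows whose new class list combines system and general classes.

    Any such row would break the independent control of system and
    virtual machine commands, so the expected result is an empty list.
    """
    return [row for row in TABLE
            if set(row[2]) & SYSTEM_CLASSES and set(row[2]) & GENERAL_CLASSES]


def gained_by(extra_class, base_classes):
    """Commands a user gains when extra_class is added to base_classes."""
    before = allowed(base_classes)
    after = allowed(base_classes + extra_class)
    return sorted(cmd for cmd in after if after[cmd] != before.get(cmd))


if __name__ == "__main__":
    print("General user (Q):       ", sorted(allowed("Q")))
    print("System programmer (JP): ", sorted(allowed("JP")))
    print("P adds over Q:          ", gained_by("P", "Q"))
    print("Rows mixing system/general classes:", mixed_rows())
```

Rerunning `mixed_rows()` after every change to the class assignments catches a system class that has been added to a virtual machine command by mistake.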