Ok, I got it now - Thank you!

Thank you,

Scott


-----Original Message-----
From: The IBM z/VM Operating System [mailto:[email protected]] On Behalf 
Of Bruce Hayden
Sent: Thursday, May 20, 2010 9:29 AM
To: [email protected]
Subject: Re: Override file/modify command

The modify command replaces (I think the actual term would be
"overrides") the current definition.  So, if you use:
MODIFY COMMAND SHUTDOWN PRIVCLASS S
MODIFY COMMAND FORCE    PRIVCLASS S
then SHUTDOWN and FORCE have been removed from Class A and only users
with Class S can use them.  If you want to allow both Class A and
Class S users to use these commands, you must code:
MODIFY COMMAND SHUTDOWN PRIVCLASS AS
MODIFY COMMAND FORCE    PRIVCLASS AS

And, I would also specify the IBMCLASS operand, so you know which
version of the command is being modified.  Commands with more than one
IBMCLASS require it:
MODIFY COMMAND SHUTDOWN IBMCLASS A PRIVCLASS S
MODIFY COMMAND FORCE IBMCLASS A  PRIVCLASS S

I misspoke a bit - Q COMMANDS doesn't show you the current user priv
class of the command, it shows you if you can issue it and if so,
which IBM class it is in.  (IBMCLASS=NONE means that you are not
allowed to issue that command.)  As Rich Corak pointed out, use LOCATE
CMDBK to find out the current user priv class.  This is what CMDTABLE
EXEC uses to create its table.

On Thu, May 20, 2010 at 10:19 AM, Wandschneider, Scott
<[email protected]> wrote:
> Bruce,
>
> Is my modify command "adding" class S to FORCE and SHUTDOWN?  I thought it 
> was to *replace* class A with class S.  What am I missing?
>
> From SYSTEM CONFIG file:
> MODIFY COMMAND SHUTDOWN PRIVCLASS S
> MODIFY COMMAND FORCE    PRIVCLASS S
>
> Output from CMDTABLE
> FORCE                             IBMCLASS=A  PRIVCLASS=S
> SHUTDOWN                          IBMCLASS=A  PRIVCLASS=S
>
> Logon as OPERATOR
> q cplevel
> z/VM Version 5 Release 4.0, service level 0902 (64-bit)
> Generated at 06/05/2009 19:43:17 EDT
> IPL at 02/21/2010 07:31:30 EDT
> Ready; T=0.01/0.01 09:58:13
>
> id
> OPERATOR AT ZVM8MVS  VIA RSCS     05/20/2010 09:58:45 EDT      THURSDAY
> Ready; T=0.01/0.01 09:58:45
>
> q priv *
> Privilege classes for user OPERATOR
>        Currently: ABCDEFGP
>        Directory: ABCDEFGP
> The privilege classes are not locked against changes.
> Ready; T=0.01/0.01 09:59:02
>
> q command force
> FORCE        IBMCLASS=NONE
> Ready; T=0.01/0.01 09:59:13
>
> q command shutdown
> SHUTDOWN     IBMCLASS=NONE
> Ready; T=0.01/0.01 09:59:22
> set priv * +s
> Privilege classes for user OPERATOR
>        Currently: ABCDEFGPS
>        Directory: ABCDEFGP
> The privilege classes are not locked against changes.
> Ready; T=0.01/0.01 10:00:36
>
> q command force
> FORCE        IBMCLASS=A
> Ready; T=0.01/0.01 10:00:42
>
> q command shutdown
> SHUTDOWN     IBMCLASS=A
> Ready; T=0.01/0.01 10:00:55
>
> Thank you,
>
> Scott
>
> -----Original Message-----
> From: The IBM z/VM Operating System [mailto:[email protected]] On 
> Behalf Of Bruce Hayden
> Sent: Wednesday, May 19, 2010 4:27 PM
> To: [email protected]
> Subject: Re: Override file/modify command
>
> I'm not sure....   Enter Q COMMANDS FORCE on OPERATOR to see if it is
> allowed to issue the FORCE command, and if so, what priv class is
> allowing it to do it.
>
> On Wed, May 19, 2010 at 3:09 PM, Wandschneider, Scott
> <[email protected]> wrote:
>> I have the following in my production SYS CONFIG file yet OPERATOR, who does 
>> *not* have privilege class S was able to issue a FORCE command this past 
>> weekend and cause a user to be hung at LOGOFF/FORCE ending.
>>
>> MODIFY COMMAND SHUTDOWN PRIVCLASS S
>> MODIFY COMMAND FORCE    PRIVCLASS S
>>
>> What am I missing?
>>
>> Thank you,
>>
>> Scott
>>
>
>
>
> --
> Bruce Hayden
> z/VM and Linux on System z ATS
> IBM, Endicott, NY
>
> Confidentiality Note: This e-mail, including any attachment to it, may 
> contain material that is confidential, proprietary, privileged and/or 
> "Protected Health Information," within the meaning of the regulations under 
> the Health Insurance Portability & Accountability Act as amended.  If it is 
> not clear that you are the intended recipient, you are hereby notified that 
> you have received this transmittal in error, and any review, dissemination, 
> distribution or copying of this e-mail, including any attachment to it, is 
> strictly prohibited. If you have received this e-mail in error, please 
> immediately return it to the sender and delete it from your system. Thank you.
>



-- 
Bruce Hayden
z/VM and Linux on System z ATS
IBM, Endicott, NY

Confidentiality Note: This e-mail, including any attachment to it, may contain 
material that is confidential, proprietary, privileged and/or "Protected Health 
Information," within the meaning of the regulations under the Health Insurance 
Portability & Accountability Act as amended.  If it is not clear that you are 
the intended recipient, you are hereby notified that you have received this 
transmittal in error, and any review, dissemination, distribution or copying of 
this e-mail, including any attachment to it, is strictly prohibited. If you 
have received this e-mail in error, please immediately return it to the sender 
and delete it from your system. Thank you.

Reply via email to