The standard division into VM2000 administrator commands and VM administrator commands can be modified in the following two ways:
Restricting the command or function range for the VM2000 administrator.
Extending the command or function range for the VM administrator.
Restrictions for the VM2000 administrator
The command/function range for the VM2000 administrator can be restricted:
When initializing the monitor VM, with /CREATE-VM ...,ADMIN-PRIVILEGES=*MINIMUM.In the current VM2000 session, with
/MODIFY-VM-ATTRIBUTES ...,ADMIN-PRIVILEGES=*MINIMUM.
The following table shows the restrictions for the individual commands when ADMIN-PRIVILEGES=*MINIMUM is specified.
Operation group | Command | Restrictions |
|---|---|---|
Starting the guest system on a VM | START-VM | (1) |
Resource management | MODIFY-VM-ATTRIBUTES | (3) |
Command processing via procedure call | CALL-VM-PROCEDURE | (2) |
Suspending a VM | HOLD-VM | (1) |
Canceling a wait state | RESUME-VM | (1) |
Terminating ADMIN or VC dialog | END-VM-DIALOG | (2) |
Output of VM2000 monitored data | SHOW-VM-STATUS | (2) |
(1) | These commands are no longer usable by the VM2000 administrator. |
(2) | The VM2000 administrator may use these commands only for the monitor VM. |
(3) | This command can be used by the VM2000 administrator for the monitor VM with the exception of the |
All other commands remain unaffected. This enables VM2000 operation in which the VM2000 administrator is largely separated from the VMs.
For reasons of security it is not possible to revoke a restriction imposed by the operand ADMIN-PRIVILEGES=*MINIMUM during the current VM2000 session.
Extensions for the VM administrator
The command/function range can be extended for the VM administrator:
when initializing a VM (except for the monitor VM), with
/CREATE-VM ...,ADMIN-PRIVILEGES=*MAXIMUMafter initializing a VM (except for the monitor VM), with
/MODIFY-VM-ATTRIBUTES...,ADMIN-PRIVILEGES=*MAXIMUM
/CREATE- or /MODIFY-VM-DEFINITION. Detailed information can be found in the section "Working with VM definitions".The following table shows the extensions for the individual commands if ADMIN-PRIVILEGES=*MAXIMUM is specified.
Operation group | Command | Extensions |
|---|---|---|
Device management for a VM | ADD-VM-DEVICES | (1) |
MODIFY-VM-DEVICE-USAGE | (1) | |
Information services | SHOW-VM-DEVICE-STATUS | (2) |
SHOW-VM-RESOURCES | (2) | |
Resource management | MODIFY-VM-ATTRIBUTES | (1) |
(1) | The VM administrator may also use these commands for his/her own VM, with all the attendant functions. |
(2) | The VM administrator may also use these commands, with all the attendant functions. |
All other commands remain unaffected. The VM administrator cannot access any other VMs. This enables VM2000 operation in which some of the management functions can be dealt with by the VM administrators (e.g. test runs).
The extensions are revoked with /MODIFY-VM-ATTRIBUTES ...,ADMIN-PRIVILEGES=*STD or with /DELETE-VM.