| Category | Privilege | Activity Permitted |
|---|---|---|
| None | None | Deny activities requiring privileges |
| Normal | NETMBX | Create network connections |
| Normal | TMPMBX | Create temporary mailbox |
| Group | GROUP | Control processes in the same group |
| Group | GRPPRV | Gain access through the system protection field of the group's objects |
| Devour | ACNT | Disable accounting |
| Devour | ALLSPOOL | Allocate spooled devices |
| Devour | BUGCHK | Make bugcheck error log entries |
| Devour | EXQUOTA | Exceed disk quotas |
| Devour | GRPNAM | Insert group logical names in the name table |
| Devour | PRMCEB | Create/delete permanent common event flag clusters |
| Devour | PRMGBL | Create permanent global sections |
| Devour | PRMMBX | Create permanent mailboxes |
| Devour | SHMEM | Create/delete structures in shared memory |
| System | ALTPRI | Set base priority higher than allotment |
| System | AUDIT | Generate audit records |
| System | OPER | Perform operator functions |
| System | PSWAPM | Change process swap mode |
| System | WORLD | Control any process |
| System | SECURITY | Perform security-related functions |
| System | SYSLCK | Lock systemwide resources |
| Objects | DIAGNOSE | Diagnose devices |
| Objects | IMPORT | Mount a nonlabeled tape volume |
| Objects | MOUNT | Execute mount volume QIO |
| Objects | READALL | Possess read access to all system objects |
| Objects | SYSGBL | Create systemwide global sections |
| Objects | VOLPRO | Override volume protection |
| All | BYPASS | Disregard protection |
| All | CMEXEC | Change to executive mode |
| All | CMKRNL | Change to kernel mode |
| All | IMPERSONATE | Create detached processes of arbitrary UIC |
| All | DOWNGRADE | Write to a lower secrecy object or lower an object's classification |
| All | LOG_IO | Issue logical I/O requests |
| All | PFNMAP | Map to specific physical pages |
| All | PHY_IO | Issue physical I/O requests |
| All | SETPRV | Enable any privilege |
| All | SHARE | Access devices allocated to other users |
| All | SYSNAM | Insert system logical names in the name table |
| All | SYSPRV | Access objects through the system protection field |
| All | UPGRADE | Write to a higher integrity object or raise an object's integrity level |