DFSMShsm bypasses data set security checking during automatic space management, except after automatic recall. After automatic recall, security checking is performed by OPEN. This is to ensure that the user opening the recalled data set is authorized to use the data set.
DFSMShsm also bypasses security checking when it processes operator commands entered at the system console or commands issued by a DFSMShsm-authorized user.
DFSMShsm checks authority for a requester to access data sets when a requester who is not DFSMShsm-authorized issues an HMIGRATE, HDELETE, or HRECALL command. Security checking is not done when DFSMShsm-authorized users issue the user commands. If users are not authorized to manipulate data, DFSMShsm does not permit them to migrate data sets, delete migrated data sets, or explicitly recall data sets. DFSMShsm always does security checking for the scratch intercept when deleting migrated data sets. Table 1 shows the RACF® authority required to perform each space management function.
| DFSMShsm Function | RACF Resource Access Authority Required |
|---|---|
| Migrate a data set | Update |
| Recall a data set using HRECALL (TSO users only) | Execute |
| Delete a migrated data set | Alter |