DFSMShsm protects data sets from unauthorized access by controlling access to data sets.

Access can be controlled by the use of both passwords and security programs at the same time. However, system-managed data sets are not password protected. If a data set is password protected and security-program protected, DFSMShsm allows access to the data set without checking the password if the security program authorizes the access.

DFSMShsm also provides protection against unauthorized use or deletion of its owned tape volumes.

To provide security program protection, DFSMShsm calls the system authorization facility (SAF) when any unauthorized user enters a command that manipulates a data set or its backup copies.

As an installation option, users can submit batch jobs containing DFSMShsm commands in secure systems without RACF®. DFSMShsm retrieves the user ID from the time sharing option (TSO) protected step control block for a TSO batch request and associates it with the request so that authorization can be checked.

DFSMShsm optionally creates a backup profile for the most recent backup version of a cataloged data set if the data set is protected with a RACF discrete data set profile when it is backed up. DFSMShsm maintains only one backup profile for all the backup versions of the cataloged data set. The backup profile is used to recreate the discrete data set profile if it does not exist when the data set is recovered. When all backup versions of a data set are deleted, the related backup profile is also deleted.

DFSMShsm-owned data on DASD is named so that it can be protected by RACF generic profiles.