Protecting data

z/OS DFSMS Using Magnetic Tapes, SC23-6858-00

Data on IBM standard volumes can be protected by either RACF or data set password protection. In an IBM system-managed tape library, data set password protection is not supported. IBM recommends RACF instead of data set password protection. For more information, see z/OS DFSMSdfp Advanced Services.

Note: All checking for authorization will be bypassed if security processing is suppressed. This can occur, for example, when the program properties table entry for the job step program is marked to suppress security checking. Only the system programmer can update the program properties table. For information about the program properties table, see z/OS MVS Initialization and Tuning Reference.

RACF allows you to control access to either the tape volumes or the individual data sets on the tape. RACF protection at the volume level overrides RACF protection at the data set level. See z/OS Security Server RACF Security Administrator's Guide for information on how to activate these levels of RACF protection, and how they interact with each other and with your own tape management system, if applicable.

DFSMSrmm supports RACF protection, but not password protection. For more information about DFSMSrmm and RACF, see z/OS DFSMSrmm Implementation and Customization Guide.

The following principles apply to RACF protection at the volume level:

- If the tape volume is defined to RACF, the user has UPDATE access authority, and PROTECT=YES has not been specified in the JCL, the user can open the volume to read or write.
- If the tape volume is defined to RACF and the user has UPDATE authority, and PROTECT=YES has been specified in the JCL, and the tape is not a RACF scratch volume, the request fails.
- If the tape volume is defined to RACF and the user has READ but not UPDATE access authority, or if the user has UPDATE access but PROTECT=YES has been specified in the JCL and the volume is a RACF scratch tape volume, the system does not grant the user access to read until it has ensured that the user will not be able to write on the tape. The user cannot access the volume until one of the following conditions is met:
- If the tape volume is not defined to RACF, access is granted and processing continues.

For an overview of RACF protection for tape volumes, see z/OS Security Server RACF Security Administrator's Guide. For information on how DFSMSrmm can help you manage RACF security for your tape volumes, see z/OS DFSMSrmm Implementation and Customization Guide. Data set password protection is described in z/OS DFSMSdfp Advanced Services.

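The volume-level principles listed above can be read as a decision function. The following Python sketch is an added example, not IBM code or a RACF interface; the names Access, Outcome, volume_access and decision_table are hypothetical. Combinations the list does not cover (for example, a defined volume for which the user has no access authority) are reported as not stated rather than guessed.

```python
# Added illustration: models only the volume-level principles listed on this page.
# All names here are hypothetical; this is not a RACF or z/OS API.
from enum import Enum
from itertools import product

class Access(Enum):
    NONE = 0
    READ = 1
    UPDATE = 2

class Outcome(Enum):
    READ_WRITE = "open to read or write"
    FAIL = "request fails"
    READ_AFTER_WRITE_BLOCKED = "read only once the system ensures the user cannot write"
    NOT_DEFINED_GRANTED = "volume not defined to RACF: access granted"
    NOT_STATED = "not covered by the principles on this page"

def volume_access(defined, access, protect_yes, racf_scratch):
    """Return the outcome the page gives for one open request."""
    if not defined:
        return Outcome.NOT_DEFINED_GRANTED
    if access is Access.UPDATE:
        if not protect_yes:
            return Outcome.READ_WRITE
        # PROTECT=YES with UPDATE: only a RACF scratch volume avoids failure.
        return Outcome.READ_AFTER_WRITE_BLOCKED if racf_scratch else Outcome.FAIL
    if access is Access.READ:
        # READ without UPDATE: PROTECT=YES and scratch status are not named as factors.
        return Outcome.READ_AFTER_WRITE_BLOCKED
    return Outcome.NOT_STATED

def decision_table():
    """Enumerate every input combination so uncovered cases are visible."""
    return {
        combo: volume_access(*combo)
        for combo in product([False, True], Access, [False, True], [False, True])
    }

if __name__ == "__main__":
    for (defined, access, protect, scratch), outcome in decision_table().items():
        print(f"defined={defined!s:5} access={access.name:6} "
              f"PROTECT=YES:{protect!s:5} scratch={scratch!s:5} -> {outcome.value}")
```

Running the script prints all 24 input combinations, which makes it easy to compare the documented outcomes against the behavior observed on a test volume.
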
Copyright IBM Corporation 1990, 2014