z/OS Network File System Guide and Reference


Datacaching attribute

SC23-6883-00

Security checking is done on the Network File System server to determine whether the requesting client user is authorized to access the data. On UNIX systems, this is done by validating the client's user ID and group ID against the file's permission codes. If the authorization checking is successful, the file data is returned to the z/OS NFS client system. Further authorization checking for subsequent access to the cached data or for other client users is done on the z/OS NFS client system.

For z/OS conventional MVS data set access through the z/OS NFS server, the user is required to present their z/OS credentials, which are checked by the z/OS security system, such as RACF®, before file data is returned. Because the z/OS system does not maintain UNIX-style permission codes for MVS data sets, the z/OS NFS server returns a code indicating that anyone can access the file. This is done because passing any lesser access code to the client would result in the client user not being allowed to use the cached data that was already read. When the file data is cached on the z/OS NFS client system and another client user on this system attempts to access the same file data, the z/OS NFS client checks the returned permission codes to validate access. Because the z/OS NFS server has passed a code that allows anyone access to the file, all users on the client system can access the cached data without further restrictions. If data caching is turned off, no client caching takes place and each user must pass the server security check.

Based on the installation time-out values, the file data cached by the client is flushed, and further attempts to access the file data again require passing server authorization.

The installation datacaching parameter can be set, and it can be overridden for each mount point, so that each mount point can be handled as required for the files under it.

Note:
  1. attrcaching and datacaching are not supported for Kerberos mounts (for example, krb5, krb5i, or krb5p). They are supported only for system authentication (sys) mounts.
  2. datacaching is turned off whenever there is a security negotiation from sys to any of the krb flavors during mount.
  3. If attrcaching(N) is specified, it will automatically set datacaching(N).

If the potential security exposure cannot be tolerated for sensitive file data, datacaching should not be used, so that no file data is cached by the z/OS NFS client.
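
The following Python sketch is an added illustration, not IBM code or a z/OS NFS interface: it models the cache path described above and the rules in the Note, so the effect of datacaching on a second client user can be seen side by side. All class, function, user, and data set names are hypothetical, and the mode 0o777 is an assumed stand-in for the "anyone can access" code.

```python
# Toy model of the flow described above; every name here is hypothetical.
from dataclasses import dataclass, field

WORLD_ACCESS = 0o777  # assumed stand-in for the "anyone can access" code

def effective_datacaching(install_default, mount_override, attrcaching, sec_flavor):
    """Resolve datacaching for one mount point using the rules in the Note."""
    if sec_flavor != "sys" or not attrcaching:   # krb flavors or attrcaching(N)
        return False
    return install_default if mount_override is None else mount_override

@dataclass
class Server:
    authorized: dict   # data set name -> users the security system permits
    data: dict         # data set name -> contents

    def read(self, user, name):
        # Every read that reaches the server passes the server security check.
        if user not in self.authorized[name]:
            raise PermissionError(f"{user} not authorized for {name}")
        return self.data[name], WORLD_ACCESS

@dataclass
class Client:
    server: Server
    datacaching: bool
    cache: dict = field(default_factory=dict)

    def read(self, user, name):
        if self.datacaching and name in self.cache:
            data, mode = self.cache[name]
            if mode & 0o004:   # client-side check: world-readable, any local user passes
                return data
        data, mode = self.server.read(user, name)
        if self.datacaching:
            self.cache[name] = (data, mode)
        return data

    def flush(self):
        """Model of the time-out flush: the next read goes back to the server."""
        self.cache.clear()

def second_user_can_read(datacaching):
    """USERA is permitted by the server, USERB is not; USERB reads after USERA."""
    srv = Server({"PAYROLL.DATA": {"USERA"}}, {"PAYROLL.DATA": b"constructed sample"})
    cli = Client(srv, datacaching)
    cli.read("USERA", "PAYROLL.DATA")
    try:
        cli.read("USERB", "PAYROLL.DATA")
        return True
    except PermissionError:
        return False
```

With datacaching on, the second user is served from the cache without a server check; with it off, or after a flush, the same request is refused by the server.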





Copyright IBM Corporation 1990, 2014