To protect DFSMSrmm functions, you need to use an external security product, such as RACF. Invocations to the product are made by DFSMSrmm through the System Authorization Facility (SAF). If RACF is not installed, you must provide equivalent function with the SAF interface described in Using the SAF interface.

This topic explains how you can define RACF profiles to protect DFSMSrmm functions. Define RACF profiles and authorize DFSMSrmm users to various levels of access, either CONTROL, READ, ALTER, or UPDATE. These access levels vary depending on the security requirements of your installation. DFSMSrmm supports a role-based authorization model where you can allow a storage administrator to perform all tasks, or you can delegate regular tasks to others. See Setting the level of access for the DFSMSrmm resources for additional details.

In addition, Controlling RACF tape profile processing describes how to use the DFSMSrmm parmlib OPTION TPRACF command and VLPOOL command and your installation's RACF options to control the actions that DFSMSrmm takes on RACF tape profiles.