z/OS DFSMSrmm Implementation and Customization Guide


Setting the level of access for the DFSMSrmm resources

SC23-6874-00

When you define the DFSMSrmm resources, you need to authorize levels of access to these resources. DFSMSrmm checks the resource and the level of access to ensure that users are authorized to request certain tasks. For example, if you attempt to change an owned volume, DFSMSrmm checks to ensure that you have at least UPDATE access to resource STGADMIN.EDG.MASTER.

When checking authorization to use RMM subcommands and operands, DFSMSrmm checks in this sequence:

  1. CONTROL access to STGADMIN.EDG.MASTER. If the user is authorized, no further checking is performed.
  2. Next, DFSMSrmm looks at the specific subcommand operands and, for each operand that requires specific authorization, checks for the required access. If the resource is not protected, authorization continues with the next step. If the resource is protected, but the user is not authorized, the subcommand fails.
  3. Finally, DFSMSrmm continues with ownership checks and RELEASE and FORCE checking, if required.

Because of the way authorization is checked, it is not necessary to have CONTROL access to STGADMIN.EDG.MASTER to perform many of the regular administrative tasks.

Table 1 shows the access that is required to perform DFSMSrmm functions.

Table 1. Authorized functions
| When you define | With access | Then |
|---|---|---|
| STGADMIN.EDG.ACTIONS.action (notes 1, 5) | Entity not defined | Based on STGADMIN.EDG.MASTER access. |
| | UPDATE | You are allowed to set the specific release action with the TSO DFSMSrmm subcommand CHANGEVOLUME with option RELEASEACTION. |
| STGADMIN.EDG.AV.status.volser (note 6) | Entity not defined | Based on STGADMIN.EDG.MASTER access. |
| | UPDATE | You are allowed to add volumes to the DFSMSrmm tape inventory with the TSO DFSMSrmm subcommand ADDVOLUME with option STATUS(status). |
| STGADMIN.EDG.CD.COPYFROM.dsname | Entity not defined | Based on STGADMIN.EDG.MASTER access. |
| | READ | You are permitted to copy attributes and update retention for identically named data sets. |
| | UPDATE | You are permitted to copy attributes and update retention for any two data set records. |
| STGADMIN.EDG.CD.VX | Entity not defined | Based on STGADMIN.EDG.MASTER access. |
| | UPDATE | Allows any data set to be updated. |
| STGADMIN.EDG.CMOVE.location.destination | Entity not defined | Based on STGADMIN.EDG.MASTER access. |
| | UPDATE | You are allowed to confirm that the move or eject has occurred for either a single volume or globally (note 3) with the TSO DFSMSrmm subcommand CHANGEVOLUME with option CONFIRMMOVE, as well as to reverse a previous move confirmation with option NOCONFIRMMOVE. |
| STGADMIN.EDG.CRLSE.action (notes 1, 5) | Entity not defined | Based on STGADMIN.EDG.MASTER access. |
| | UPDATE | You are allowed to confirm that the specific release action has been performed either for a single volume or globally with the TSO DFSMSrmm subcommand CHANGEVOLUME with option CONFIRMRELEASE, as well as to reverse a previous release action confirmation with option NOCONFIRMRELEASE. In addition, it enables the DELETEVOLUME REPLACE subcommand to be specified for a volume waiting to be replaced. |
| STGADMIN.EDG.CV.[HOLD\|NOHOLD].volser | Entity not defined | Based on STGADMIN.EDG.MASTER access. |
| | UPDATE | You are permitted to set and reset the volume HOLD attribute. |
| STGADMIN.EDG.CV.RM | Entity not defined | Based on STGADMIN.EDG.MASTER access. |
| | UPDATE | Allows any volume to be updated. |
| STGADMIN.EDG.DV.SCRATCH.volser | Entity not defined | Based on STGADMIN.EDG.MASTER access. |
| | UPDATE | You are allowed to remove scratch volumes from the DFSMSrmm tape inventory with the TSO DFSMSrmm subcommand DELETEVOLUME with option REMOVE. |
| STGADMIN.EDG.EDGUPDT.UPDATE | Entity not defined | Same as UPDATE access. |
| | NONE | No authority is granted to use EDGUPDT UPDATE function. |
| | UPDATE | You can use the EDGUPDT UPDATE function. |
| STGADMIN.EDG.FORCE | Entity not defined | Information previously recorded by DFSMSrmm cannot be changed. |
| | UPDATE | Information previously recorded by DFSMSrmm can be changed based on access to STGADMIN.EDG.MASTER. |
| STGADMIN.EDG.HOUSEKEEP | Entity not defined | Same as READ access. |
| | READ | Any of the inventory management facilities can be invoked. |
| STGADMIN.EDG.HOUSEKEEP.RPTEXT | Entity not defined | Same as READ access. |
| | READ | RPTEXT inventory management function can be invoked. |
| STGADMIN.EDG.IGNORE.TAPE.volser | Entity not defined | Volumes cannot be ignored using the DFSMSrmm installation exit. |
| | READ | Volumes that are to be ignored by DFSMSrmm for input requests are allowed to be opened. |
| | UPDATE | Volumes that are to be ignored by DFSMSrmm for output requests are allowed to be opened. |
| STGADMIN.EDG.IGNORE.TAPE.RMM.volser | Entity not defined | Access is based on the STGADMIN.EDG.IGNORE.TAPE.volser setting. Use of the STGADMIN.EDG.IGNORE.TAPE.RMM.volser profile allows volumes that are defined to DFSMSrmm to be ignored. |
| | READ | Volumes that are defined to DFSMSrmm and are to be ignored by DFSMSrmm for input requests are allowed to be opened. |
| | UPDATE | Volumes that are defined to DFSMSrmm and are to be ignored by DFSMSrmm for output requests are allowed to be opened. |
| STGADMIN.EDG.IGNORE.TAPE.NORMM.volser | Entity not defined | Access is based on the STGADMIN.EDG.IGNORE.TAPE.volser setting. Use of the STGADMIN.EDG.IGNORE.TAPE.NORMM.volser profile allows volumes that are not defined to DFSMSrmm to be ignored. |
| | READ | Volumes not defined to DFSMSrmm that are to be ignored for input requests are allowed to be opened. |
| | UPDATE | Volumes not defined to DFSMSrmm that are to be ignored for output requests are allowed to be opened. |
| STGADMIN.EDG.INIT | Entity not defined | Based on STGADMIN.EDG.MASTER access. |
| | UPDATE | You are allowed to specify whether a volume should be initialized or not. You can specify INITIALIZE(YES) to indicate that a volume requires initialization, and INITIALIZE(NO) to indicate that the volume does not need to be initialized. |
| STGADMIN.EDG.LABEL.volser | Entity not defined | A volume must be in user status to switch from NL or to change to label types at OPEN time. |
| | UPDATE | Standard labels can be created on a non-scratch volume for an AL or SL output request. |
| | ALTER | Standard labels can be created on a scratch volume during a nonspecific volume request for AL or SL. |
| STGADMIN.EDG.LIST | Entity not defined | Based on STGADMIN.EDG.MASTER access. |
| | CONTROL | You are allowed to list and search resources defined in the DFSMSrmm inventory. This option can be used to replace CONTROL access to STGADMIN.EDG.MASTER in a name-hiding environment or when COMMANDAUTH(DSN) is in use. |
| STGADMIN.EDG.LISTCONTROL | Entity not defined | Functions are based on STGADMIN.EDG.MASTER access. |
| | CONTROL | You are allowed to use the RMM LISTCONTROL subcommand. |
| STGADMIN.EDG.MASTER | Entity not defined | Same as CONTROL access. |
| | READ | These functions can be performed: list all control data set information except vital record specifications and control information; search for all control data set information except vital record specifications; update your own owner ID details; request a scratch volume for yourself; release an owned volume when the STGADMIN.EDG.RELEASE resource is not protected. |
| | UPDATE | Same as READ access, plus: Some non-restricted fields can be updated for owned volumes and data sets based on user ID. See z/OS DFSMSrmm Managing and Using Removable Media, RMM CHANGEVOLUME subcommand information, for a list of the non-restricted fields. See Using RACF options for authorizing RMM TSO subcommands for information about changing information using DFSMSrmm command authorization by data set name. |
| | CONTROL | Same as UPDATE access, plus: You can define, change, and delete any control data set entries except vital record specifications; list control information when the STGADMIN.EDG.LISTCONTROL resource is not protected. |
| STGADMIN.EDG.MOVES.location.destination | Entity not defined | Based on STGADMIN.EDG.MASTER access. |
| | UPDATE | You are allowed to initiate the move with the TSO DFSMSrmm subcommand CHANGEVOLUME with either option LOC(destination) (note 4) or LOANLOC(destination) (notes 2, 4), as well as to initiate the eject of a volume to a previously specified destination with option EJECT (notes 4, 7). |
| STGADMIN.EDG.NOLABEL.volser | Entity not defined | A volume must be in user status to switch to NL at OPEN time. |
| | UPDATE | You are allowed to destroy labels on a non-scratch volume for a no label output request. |
| | ALTER | You are allowed to destroy labels on a scratch volume during a nonspecific volume request for no labels. |
| STGADMIN.EDG.OPERATOR | Entity not defined | Same as UPDATE access. |
| | NONE | No authority is granted to use EDGINERS to initialize, scan, and erase volumes. |
| | READ | EDGINERS can be used to scan volumes. |
| | UPDATE | Same as READ access, plus EDGINERS can be used to initialize and erase volumes. |
| STGADMIN.EDG.OWNER.userid | Entity not defined | No authority is granted to update volume information except based on STGADMIN.EDG.MASTER access. |
| | NONE | Based on STGADMIN.EDG.MASTER access. |
| | UPDATE | Some non-restricted fields for volumes and data sets owned by userid can be updated. Also a volume owned by userid can be released. See z/OS DFSMSrmm Managing and Using Removable Media, RMM CHANGEVOLUME subcommand information, for a list of the non-restricted fields. See Using RACF options for authorizing RMM TSO subcommands for information about changing information using DFSMSrmm command authorization by data set name. |
| STGADMIN.EDG.RELEASE | Entity not defined | Based on STGADMIN.EDG.MASTER access. |
| | READ | You are allowed to use the RMM DELETEVOLUME RELEASE subcommand to release an owned volume. |
| STGADMIN.EDG.RESET.SSI | Entity not defined | You cannot use the EDGRESET utility to remove DFSMSrmm from the system. If you have no security product installed, you can use EDGRESET to remove DFSMSrmm from the system. |
| | ALTER | You are allowed to withdraw DFSMSrmm from the system during error recovery or when a problem occurs during implementation. |
| STGADMIN.EDG.VRS | Entity not defined | Same as CONTROL access. |
| | READ | You are allowed to list and search for all vital record specifications. |
| | CONTROL | Same as READ access, plus: You can define and delete vital record specifications. |
| STGADMIN.EDG.INERS.WRONGLABEL | Entity not defined | Use of the EDGINERS EXEC statement PARM IGNORE and RMMPROMPT parameters is denied. |
| | UPDATE | You are allowed to use the EDGINERS EXEC statement PARM RMMPROMPT parameter. |
| | CONTROL | You are allowed to use the EDGINERS EXEC statement PARM IGNORE parameter. |

Note:
  1. Action can be either SCRATCH, RETURN, REPLACE, NOTIFY, ERASE, or INIT.
  2. To set a loan, the entity STGADMIN.EDG.MOVES.current location.loan location is used.
  3. To confirm a global move with the TSO DFSMSrmm subcommand CV CMOVE (ALL,ALL), the RACF entity STGADMIN.EDG.CMOVE.ALL.ALL is checked.
  4. When the destination is not set or blank, for example, when you issue the CHANGEVOLUME command with either the operand LOCATION or LOANLOC with a blank location, or when you eject a volume that has no destination set, the entity STGADMIN.EDG.MOVES.locationA.locationA is used. locationA is the current location of the volume.
  5. To grant access to a list of actions, for example, when you issue the CHANGEVOLUME subcommand CV CRLSE(INIT,NOTIFY,ERASE), every single action resource is checked, and access is granted only if all single actions are granted.
  6. Status can be either SCRATCH, USER, MASTER, or VOLCAT.
  7. For an EJECT, the same entity is checked that is used to check if the user is allowed to start the move.
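
For an access review, the checking sequence and the "Entity not defined" rows of Table 1 can be modelled together. The following Python is an added example, not IBM code: it covers steps 1 and 2 of the sequence only, matches resource names exactly (generic profiles and universal access are not modelled), and the user IDs and permits in SAMPLE are constructed.

```python
from enum import IntEnum

# RACF access levels, lowest to highest.
Access = IntEnum("Access", "NONE READ UPDATE CONTROL ALTER", start=0)

MASTER = "STGADMIN.EDG.MASTER"

# Table 1 rows whose "Entity not defined" cell grants access to every user.
OPEN_WHEN_UNDEFINED = {
    MASTER: Access.CONTROL,
    "STGADMIN.EDG.VRS": Access.CONTROL,
    "STGADMIN.EDG.OPERATOR": Access.UPDATE,
    "STGADMIN.EDG.EDGUPDT.UPDATE": Access.UPDATE,
    "STGADMIN.EDG.HOUSEKEEP": Access.READ,
    "STGADMIN.EDG.HOUSEKEEP.RPTEXT": Access.READ,
}

def fail_open(profiles):
    """Undefined resources whose default lets any user in, with the level granted."""
    return {r: a.name for r, a in OPEN_WHEN_UNDEFINED.items() if r not in profiles}

def check_subcommand(user, profiles, operand_checks):
    """Steps 1 and 2 of the checking sequence (a model, exact-name matching).

    profiles: {resource: {user: Access}}; a missing key means not protected.
    operand_checks: [(resource, required Access)] for the operands specified.
    """
    # Step 1: CONTROL to MASTER, or MASTER left undefined, ends the checking.
    if MASTER in profiles:
        master = profiles[MASTER].get(user, Access.NONE)
    else:
        master = OPEN_WHEN_UNDEFINED[MASTER]
    if master >= Access.CONTROL:
        return "AUTHORIZED"
    # Step 2: every operand resource must pass (note 5 for action lists).
    for resource, required in operand_checks:
        if resource in profiles and profiles[resource].get(user, Access.NONE) < required:
            return "FAILED"      # protected, and the user is not authorized
    return "CONTINUE"            # step 3: ownership, RELEASE and FORCE checks

# Constructed sample data: user IDs and permits are illustrative only.
SAMPLE = {
    MASTER: {"SYSADM1": Access.CONTROL, "TAPELIB": Access.READ},
    "STGADMIN.EDG.CRLSE.INIT": {"TAPELIB": Access.UPDATE},
    "STGADMIN.EDG.CRLSE.NOTIFY": {"TAPELIB": Access.UPDATE},
    "STGADMIN.EDG.CRLSE.ERASE": {},      # protected, nobody permitted
}
# Resources checked for CV CRLSE(INIT,NOTIFY,ERASE), as described in note 5.
CRLSE = [(f"STGADMIN.EDG.CRLSE.{a}", Access.UPDATE) for a in ("INIT", "NOTIFY", "ERASE")]
```

With this sample, TAPELIB fails the three-action confirmation because one action resource is protected without a permit, and `fail_open(SAMPLE)` lists the five resources that still grant their default access because no profile exists for them.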





Copyright IBM Corporation 1990, 2014