z/OS DFSMSrmm Implementation and Customization Guide


Recommendations for using RACF tape profile processing

SC23-6874-00

When you do not use the DEVSUPxx TAPEAUTHxxx options to control tape data set security, the following steps are recommended. For optimal security, make TAPEVOL and TAPEDSN active with either TPRACF(P) or TPRACF(A) to:
  • Obtain full protection at the volume and the data set level
  • Avoid the need to predefine volumes to individual users
  • Avoid the need to use ADSP or PROTECT=YES, which eliminates nonstandard exit code
  • Use generic tape data set profiles
Note:
  1. The maximum number of entries for data sets that a TVTOC can contain is 500.
    Attention:
    Processing that creates large numbers of TVTOC entries and large access lists, for example, could result in an attempt to exceed the maximum profile size.
  2. The maximum number of volumes that any data set on the tape with an entry in the TVTOC can span is 42.
  3. The maximum number of volumes that any data set on tape without a TVTOC can span is limited only by the maximum profile size.
When both TAPEDSN and TAPEVOL are active, RACF can create two different types of TVTOC profiles:
  • An automatic TVTOC tape volume profile.
  • A nonautomatic TVTOC tape volume profile.
The NOSET option on the DELDSD command can be used to remove a discrete tape data set profile without deleting the tape volume profile. For more information, see z/OS Security Server RACF Command Language Reference.

Although we discourage this, it is possible to have no tape protection, or to use only TAPEVOL profiles. If you have no tape security, you cannot control the creation and use of data on tape. If you use only TAPEVOL profiles to protect tape volumes, you must maintain the access lists in the TAPEVOL profiles to allow access to data. Consider the use of either DEVSUPxx TAPEAUTHDSN or TAPEDSN so that access to tape data is covered by your normal, existing, generic data set profiles.

There is a potential security exposure with scratch volumes that have no RACF profile, but with DFSMSrmm active in protect mode, you can prevent reading of scratch tapes.

You can use either DEVSUPxx TAPEAUTHDSN or TAPEDSN on its own to provide data set level security. RACF cannot, however, guarantee full data set name integrity, because only the last 17 characters of the data set name are recorded in the tape label. Run DFSMSrmm in protect mode to ensure that full 44-character data set names are validated. With TAPEDSN only, you have no control of access to tape volumes at the volume level. If you do not use protect mode, your system security could be circumvented and tape data could be accessed.

You can prevent volume usage on individual systems by using the DFSMSrmm REJECT command in the EDGRMMxx parmlib member. You can reject volumes that are defined to DFSMSrmm based on your chosen pool prefix using the REJECT command in parmlib. See Implementing PRTITION and OPENRULE parmlib commands for additional information on the PRTITION and OPENRULE commands.
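The settings named in the recommendation list, in the protect-mode paragraph and in the REJECT paragraph above live in three different places: RACF SETROPTS, the EDGRMMxx parmlib member and the DEVSUPxx parmlib member. The fragments below are added here as an illustration and are not taken from this guide or from an IBM sample; they place the weak configuration the text discourages beside the recommended one. The volume prefix B*, the high-level qualifier PROD and the group TAPEOPS are assumed values, and PRTITION and OPENRULE are only referred to in comments because their operands are described in the topic this page cites, not here.

```text
/* ---- Weak: no tape protection (the text above discourages this) ---- */
/* RACF: TAPEVOL class inactive and TAPEDSN off, so tape data is not    */
/* covered by any profile                                               */
  SETROPTS NOCLASSACT(TAPEVOL) NOTAPEDSN
/* EDGRMMxx: record mode, no RACF TVTOC support                         */
  OPTION OPMODE(R) TPRACF(N)

/* ---- Recommended: volume-level and data-set-level protection ------- */
/* RACF: activate TAPEVOL, turn on TAPEDSN, allow generic DATASET       */
/* profiles so existing data set profiles also cover tape data sets     */
  SETROPTS CLASSACT(TAPEVOL) TAPEDSN GENERIC(DATASET)
/* Generic data set profile (PROD and TAPEOPS are assumed names)        */
  ADDSD  'PROD.**' UACC(NONE)
  PERMIT 'PROD.**' ID(TAPEOPS) ACCESS(READ)
/* EDGRMMxx: protect mode validates the full 44-character data set      */
/* name; TPRACF(P) predefines TAPEVOL profiles, TPRACF(A) creates them  */
/* automatically (either is acceptable per the recommendation above)    */
  OPTION OPMODE(P) TPRACF(P)
/* EDGRMMxx: keep another pool's volumes (assumed prefix B*) off this   */
/* system; PRTITION and OPENRULE are the newer statements for this      */
  REJECT ANYUSE(B*)

/* ---- Alternative: data-set-level checking from DEVSUPxx ------------ */
/* Have OPEN check a DATASET profile for each tape data set instead of  */
/* (or in addition to) the RACF TAPEDSN option; protect mode is still   */
/* needed for full-name validation                                      */
  TAPEAUTHDSN=YES
```

The two halves differ only in the toggles the page discusses: which RACF classes and options are active, which OPMODE and TPRACF values DFSMSrmm runs with, and whether a REJECT statement fences off volumes that belong to another system. Everything else about the installation (pools, retention, catalogs) is unaffected by these lines.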





Copyright IBM Corporation 1990, 2014