Recommendations for using RACF tape profile processing
z/OS DFSMSrmm Implementation and Customization Guide, SC23-6874-00

When you do not use the DEVSUPxx TAPEAUTHxxx options to control tape data set security, the following steps are recommended. For optimal security, make both TAPEVOL and TAPEDSN active, together with either TPRACF(P) or TPRACF(A), to:
Note:
When both TAPEDSN and TAPEVOL are active, RACF can create two different
types of TVTOC profiles:
Although we discourage this, it is possible to have no tape protection, or to use only TAPEVOL profiles. If you have no tape security, you cannot control the creation and use of data on tape. If you use only TAPEVOL profiles to protect tape volumes, you must maintain the access lists in the TAPEVOL profiles to allow access to data. Consider using either DEVSUPxx TAPEAUTHDSN or TAPEDSN so that access to tape data is covered by your normal, existing generic data set profiles. There is a potential security exposure with scratch volumes that have no RACF profile, but with DFSMSrmm active in protect mode you can prevent reading of scratch tapes.

You can use either DEVSUPxx TAPEAUTHDSN or TAPEDSN on its own to provide data set level security. RACF cannot, however, guarantee full data set name integrity, because only the last 17 characters of the data set name are recorded in the tape label. Run DFSMSrmm in protect mode to ensure that full 44-character data set names are validated.

With TAPEDSN only, you lack control of access to tape volumes at the volume level. If you do not use protect mode, your system security could be circumvented and tape data could be accessed. You can prevent volume usage on individual systems by using the DFSMSrmm REJECT command in the EDGRMMxx parmlib member. You can reject volumes that are defined to DFSMSrmm based on your chosen pool prefix using the REJECT command in parmlib. See Implementing PRTITION and OPENRULE parmlib commands for additional information on the PRTITION and OPENRULE commands.
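As an added illustration, not part of this IBM guide, the following EDGRMMxx parmlib fragment contrasts the weak settings described above with the recommended ones. The volume prefix is a constructed placeholder, and activating the RACF TAPEVOL class and the TAPEDSN option is done separately with the RACF SETROPTS command, not in this member.

```text
/* Added example of an EDGRMMxx parmlib fragment; not from the guide.    */
/* Volume prefix XX is a constructed placeholder.                        */

/* Weak: warning mode and TPRACF(N). Full 44-character data set names    */
/* are not enforced, RACF tape profiles are not maintained by DFSMSrmm,  */
/* and scratch volumes without a RACF profile can be read.               */
/* OPTION OPMODE(W) TPRACF(N)                                            */

/* Recommended: protect mode so that full data set names are validated   */
/* and scratch tapes cannot be read, plus automatic RACF TAPEVOL profile */
/* maintenance. TPRACF(P) is the alternative when you prefer predefined  */
/* profiles. Pair this with SETROPTS CLASSACT(TAPEVOL) TAPEDSN in RACF.   */
OPTION OPMODE(P) TPRACF(A)

/* Prevent any use, on this system, of volumes in the pool whose         */
/* prefix belongs to another system, as a volume-level control.          */
REJECT ANYUSE(XX*)
```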
Copyright IBM Corporation 1990, 2014