z/OS DFSMShsm Implementation and Customization Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Defining the DFSMShsm security environment for DFSMShsm-owned data sets

z/OS DFSMShsm Implementation and Customization Guide
SC23-6869-01

The SETSYS commands control the relationship of DFSMShsm to RACF® and control the way DFSMShsm prevents unauthorized access to DFSMShsm-owned data sets. You can use the following SETSYS commands to define your security environment:
  • How DFSMShsm determines the user ID when RACF is not installed and active.
  • Whether to indicate that migration copies and backup versions of data sets are RACF protected.
  • How DFSMShsm protects scratched data sets.

Figure 1 is an example of a typical DFSMShsm security environment.

Figure 1. Sample SETSYS Commands to Define the Security Environment for DFSMShsm
 
/***********************************************************************/
/* SAMPLE SETSYS COMMANDS THAT DEFINE THE DFSMSHSM SECURITY ENVIRONMENT*/
/***********************************************************************/
/*
SETSYS NOACCEPTPSCBUSERID
SETSYS NOERASEONSCRATCH
SETSYS NORACFIND
/*

DFSMShsm maintains the security of those data sets that are RACF protected.

DFSMShsm does not check data set security for:
  • Automatic volume space management
  • Automatic dump
  • Automatic backup
  • Automatic recall
  • Operator commands entered at the system console
  • Commands issued by a DFSMShsm-authorized user

DFSMShsm checks security for data sets when a user who is not DFSMShsm-authorized issues a nonauthorized user command (HALTERDS, HBDELETE, HMIGRATE, HDELETE, HBACKDS, HRECALL, or HRECOVER). Security checking is not done when DFSMShsm-authorized users issue the DFSMShsm user commands. If users are not authorized to manipulate data, DFSMShsm does not permit them to alter the backup parameters of a data set, delete backup versions, migrate data, delete migrated data, make backup versions of data, recall data sets, or recover data sets.

Authorization checking is done for the HCANCEL and CANCEL commands. However the checking does not include security checking the user’s authority to access a data set. Whether a user has comprehensive or restricted command authority controls whether RACF authority checking is performed for each data set processed by the ABACKUP command. Refer to z/OS DFSMShsm Storage Administration for more information about authorization checking during aggregate backup.

Parent topic: Specifying commands that define your DFSMShsm environment

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014