z/OS DFSMSdfp Advanced Services


Using Password Protected Data Sets

SC23-6861-01

This information covers password protection for data sets. The use of password protection is not recommended, but is provided for compatibility with other IBM® operating systems. You should use RACF® protection (using SAF) instead.

The password protection described does not apply to data sets and catalogs managed by the Storage Management Subsystem (SMS) or to VSAM data sets. SMS ignores passwords. In addition, the PROTECT macro and SVC do not support a volume on a unit defined as dynamic.

If a SAF (system authorization facility)-compliant security product is active and provides protection for the data set, then the system bypasses password protection for that data set. Additionally, the system always bypasses password protection for VSAM and for SMS-managed data sets. The system provides SMS-managed data set and catalog protection through the SAF interface. For more SAF information, see "System Authorization Facility" in z/OS MVS Programming: Assembler Services Guide, and z/OS MVS Programming: Assembler Services Reference ABE-HSP.

For information about VSAM data set protection, see z/OS DFSMS Using Data Sets and z/OS DFSMS Access Method Services Commands.

The following are some reasons to use SAF instead of password protection:
  • If you give a password to someone, you have no control over to whom they choose to give it.
  • Data sets tend to have different passwords, which forces you to write them down. This is less secure than memorizing one SAF password.
  • Batch job access or interactive non-TSO access requires that a system operator supply a password. Your communication to the operator is likely to be insecure. That operator might not be present when your job runs. The operator might have to give each data set's password to other operators.
  • The program is halted while each password is supplied. This is contrary to the increased automation of modern systems.
  • There is no way to know who has used a particular password.
  • It is human nature not to change passwords, especially if there are many. As time passes, there is a greater danger of them being exposed.
  • If more than a small number of data sets have passwords, then the time for the system to find the PASSWORD data set entry increases greatly. With RACF, the increase is much less. With a RACF generic profile there is no increase in search time when a new data set uses the same profile.
  • With DASD shared between systems, the password definitions on each system are independent. They can get out of synchronization.
  • The PASSWORD data set entry contains the data set name but not the volume serial number. If you create a data set before defining a password, you could find that someone has already defined a password for that data set name. Your data set will require the existing password just to scratch or rename it.
  • Password protection is not supported on system-managed volumes or on dynamic devices.

To use the data set protection feature of the operating system, create and maintain a PASSWORD data set consisting of records that associate the names of the protected data sets with the passwords assigned to each data set. You can maintain the PASSWORD data set in any of the following ways:
  • Writing your own routines
  • Using the PROTECT macro instruction
  • Using the utility control statements of the IEHPROGM utility program
  • If you have TSO, using the TSO PROTECT command.

This information discusses only the first two methods. The last two methods are discussed in the publications shown in the following list.

Before using this information, you should be familiar with the contents of the following publications:





Copyright IBM Corporation 1990, 2014