To use Resource Access Control Facility (RACF) for tape volumes or data sets, the BLP JCL option must be disallowed completely, or restricted to authorized users.

A system programmer can specify that RACF is to control which users can use the BLP option. This is done by activating the TAPEVOL class and defining profile ICHBLP in the FACILITY class. For further information see z/OS Security Server RACF Security Administrator's Guide.

For more information on additional controls over some BLP usage, see the z/OS DFSMSrmm Implementation and Customization Guide.