z/OS DFSMS Using Magnetic Tapes


Protecting data

z/OS DFSMS Using Magnetic Tapes
SC23-6858-00

The accessibility fields in the VOL1 and HDR1 labels indicate whether a volume and data set are protected against unauthorized use. Version 3 or Version 4 volumes can be protected by means of one of the following:
  • RACF.
  • IBM-supplied Version 3 or Version 4 installation exits described in ISO/ANSI installation exits. These exits can be replaced by installation-written exit routines.
  • Data set password protection.
    Note: In an IBM system-managed library, data set password protection is not supported.
  • A combination of the installation exits and password protection.

Version 1 input volumes are protected by either RACF or data set password protection.

Note: All checking for authorization is bypassed if security processing is suppressed. This can occur, for example, when the program properties table entry for the job step program is marked to suppress security checking. Only the system programmer can update the program properties table. For information about the program properties table, see z/OS MVS Initialization and Tuning Reference.
RACF allows you to establish access requirements for both tape data sets and tape volumes. To protect data on tape, you can do either or both of the following:
  • Control access to the tape volumes.
  • Control access to individual tape data sets on the tape volumes.

RACF protection at the volume level overrides RACF protection at the data set level. For more information on how to activate these levels of RACF protection and how they interact with each other and with your own tape management system, see the z/OS Security Server RACF Security Administrator's Guide. DFSMSrmm supports RACF protection, but not password protection. For information about DFSMSrmm and RACF, see z/OS DFSMSrmm Implementation and Customization Guide.

The following principles apply to RACF protection at the volume level:
  • ALTER access authority is required to create or destroy the VOL1 label.
  • READ access authority is required to open the volume for input (open options INPUT or RDBACK). Note that if your program uses the INOUT option of OPEN and the DD statement has LABEL=(,,,IN), the system treats it as the INPUT option.
  • UPDATE access authority is required to open the volume for output (open options OUTPUT, EXTEND, INOUT, OUTIN, or OUTINX).

The user can open the volume to read or write if the tape volume is defined to RACF, the user has UPDATE access authority, and PROTECT=YES has not been specified in the JCL.

The request fails if the tape volume is defined to RACF, the user has UPDATE authority, PROTECT=YES has been specified in the JCL, and the tape is not a RACF scratch volume.

If the tape volume is defined to RACF and the user has READ but not UPDATE access authority, or if the user has UPDATE access but PROTECT=YES has been specified in the JCL and the volume is a RACF scratch tape volume, the system does not grant read access until it has ensured that the user cannot write on the tape. The user cannot access the volume until one of the following conditions is met:
  • Hardware Protection. If the write-enable ring has been removed from the tape reel or the write-protect tab has been set to disable writing on the tape cartridge, the tape volume cannot be written on. The system safely permits the user to access the tape to read. This hardware protection cannot be circumvented by software.
  • Logical write-protection. If the write-protect tab on an IBM magnetic tape cartridge is set to enable writing, the system issues a hardware command to prevent writing on that cartridge. If the command succeeds, the system safely allows the user to access the tape to read. An unauthorized program cannot bypass this combination of hardware and software protection.
  • IEC.TAPERING. Your installation may choose to depend on a tape management system to prevent accidentally overwriting tapes with unexpired data. Typically, a tape management system only allows volumes with no unexpired data to be opened for output. DFSMSrmm provides facilities to prevent accidental overwriting of non-scratch tape volumes. The IEC.TAPERING support facilitates the operation of tape management systems because it allows all volumes to remain write-enabled (by the ring in the volume or the switch on the cartridge). This eliminates the need for operator intervention.

    If the write ring or the cartridge tab is set to enable writing, the system checks if the user is authorized for read to the IEC.TAPERING profile in the RACF FACILITY class. If the user does have this authority, the system grants the user access.

    Attention: If you use the IEC.TAPERING support to let users who are authorized only to read access tapes that remain enabled for writing, the system software cannot prevent a knowledgeable user from writing on any file on those tapes. Only the tape management system stands between such a user and an overwrite.
  • Operator Intervention. If none of the preceding conditions are met, the system requires the operator to intervene and prevent writing on the volume. The system demounts the tape and issues a message asking the operator to remove the write-enable ring from the tape reel or change the switch on the tape cartridge. After the operator remounts the tape, the system continues to protect the volume from unauthorized writing by repeating the preceding checks, beginning with the check for hardware protection. This check continues until one of the previously mentioned conditions is met.

If the tape volume is not defined to RACF, access is granted and processing continues. For an overview of RACF protection for tape volumes, see z/OS Security Server RACF Security Administrator's Guide. For information on how DFSMSrmm can help you manage RACF security for your tape volumes, see z/OS DFSMSrmm Implementation and Customization Guide.
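The following batch job is an added example, not part of this manual or of any IBM-supplied sample. It puts the volume-level principles listed above into practice (one TAPEVOL profile with READ and UPDATE granted to separate groups, and nobody holding ALTER) and shows how the IEC.TAPERING FACILITY profile described in the preceding list is defined so that the Attention note applies only to the identities you deliberately permit. The volume serial TAP001, data set name PROD.BACKUP.D2014, groups TAPERD and TAPEWR, user PRODBAT and the program APPREAD (assumed to open its TAPEIN DD with the INOUT option) are assumptions chosen for the example; the job also assumes the FACILITY class is already active and RACLISTed.

```jcl
//RACFTAPE JOB (ACCT),'TAPE VOLUME PROTECTION',CLASS=A,MSGCLASS=X
//*
//* Added example (not from this manual). Step RACFDEF defines RACF
//* protection for one tape volume and the IEC.TAPERING profile.
//* Step READTAPE then opens the volume so that only READ access to
//* the TAPEVOL profile is needed.
//* Assumed names: volser TAP001, groups TAPERD and TAPEWR, user
//* PRODBAT, program APPREAD, data set PROD.BACKUP.D2014.
//*
//RACFDEF  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Volume-level protection requires the TAPEVOL class to be active */
  SETROPTS CLASSACT(TAPEVOL)
  /* Profile for the volume: no access unless explicitly permitted   */
  RDEFINE TAPEVOL TAP001 UACC(NONE)
  /* READ covers OPEN for INPUT or RDBACK, and INOUT when the DD     */
  /* statement carries LABEL=(,,,IN)                                 */
  PERMIT TAP001 CLASS(TAPEVOL) ID(TAPERD) ACCESS(READ)
  /* UPDATE covers OPEN for OUTPUT, EXTEND, INOUT, OUTIN and OUTINX  */
  PERMIT TAP001 CLASS(TAPEVOL) ID(TAPEWR) ACCESS(UPDATE)
  /* ALTER (create or destroy the VOL1 label) is granted to no one.  */
  /* IEC.TAPERING: UACC(NONE) keeps the default behaviour, so a      */
  /* READ-only user gets access to a write-enabled volume only after */
  /* hardware, logical or operator write protection is in place.     */
  /* READ on this profile is granted only to PRODBAT, which runs     */
  /* under a tape management system that prevents overwrites.        */
  RDEFINE FACILITY IEC.TAPERING UACC(NONE)
  PERMIT IEC.TAPERING CLASS(FACILITY) ID(PRODBAT) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
/*
//*
//* APPREAD (assumed) opens TAPEIN with INOUT. Because the DD has
//* LABEL=(,,,IN), OPEN treats it as INPUT and READ authority to
//* TAP001 is sufficient; without IN, UPDATE would be required.
//READTAPE EXEC PGM=APPREAD
//SYSPRINT DD SYSOUT=*
//TAPEIN   DD DSN=PROD.BACKUP.D2014,UNIT=3490,VOL=SER=TAP001,
//            DISP=OLD,LABEL=(1,SL,,IN)
```

Submit the job from an ID that holds the RACF SPECIAL attribute or sufficient authority over the TAPEVOL and FACILITY classes. The comment lines inside SYSTSIN are indented on purpose: a line beginning with /* in column 1 is the JCL delimiter and would end the in-stream data. Data-set-level protection (SETROPTS TAPEDSN and DATASET profiles) is a separate layer that this job does not set up; see the z/OS Security Server RACF Security Administrator's Guide for how the two levels interact.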

For more information on data set password protection, see z/OS DFSMSdfp Advanced Services.





Copyright IBM Corporation 1990, 2014