Controlling access to z/OS FBA devices

Access from z/OS systems to z/OS FBA devices may be controlled using a standard device security profile if desired. See the Security Server Administrator’s Guide for more details. The following example uses RACF to control access to z/OS FBA device 2000:

RDEFINE DEVICES (*.UR.FBA.2000) UACC(NONE)

Remember that the device's class must be RACLISTed and refreshed for this checking to be in effect. Once this resource is defined, the PERMIT command can be used to grant access to users.
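
The full sequence described above (define, permit, RACLIST refresh, verify), run as a batch TSO job. This is an added example, not part of the original documentation. It writes the RACF class by its full name, DEVICES. The job card values, the user ID FBAUSER, the READ access level and the GENERIC(DEVICES) setting (assumed necessary because the profile name begins with a generic character) are assumptions to adapt to your installation.

```jcl
//FBAPROT  JOB (ACCT),'PROTECT FBA 2000',CLASS=A,MSGCLASS=X
//* Added example. Job card values and user ID FBAUSER are
//* placeholders; ACCESS(READ) is an assumed access level.
//*
//* Commands in SYSTSIN, in order:
//*  1. Activate the DEVICES class, enable generic profile
//*     checking for it, and RACLIST it.
//*  2. Define the profile for FBA device 2000 with UACC(NONE)
//*     so that nobody has access by default.
//*  3. Grant one user access with PERMIT.
//*  4. Refresh the RACLISTed profiles so the new profile and
//*     its access list take effect.
//*  5. List the profile and its access list to verify.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(DEVICES) GENERIC(DEVICES) RACLIST(DEVICES)
  RDEFINE DEVICES (*.UR.FBA.2000) UACC(NONE)
  PERMIT *.UR.FBA.2000 CLASS(DEVICES) ID(FBAUSER) ACCESS(READ)
  SETROPTS RACLIST(DEVICES) REFRESH
  RLIST DEVICES *.UR.FBA.2000 AUTHUSER
/*
```

The RLIST output in SYSTSPRT should show a universal access of NONE and FBAUSER as the only entry in the access list.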

Access to LPARs may also be controlled using device candidate lists in HCD. For more information, see z/OS HCD User's Guide.

Access to z/OS FBA devices from distributed systems may also be controlled. Storage network administrators can use fabric zoning to control what systems can access the devices. Storage administrators can also use LUN masking.

When z/OS FBA devices are to be used by both z/OS and distributed systems, the software product using the devices can provide security controls dynamically using the SCSI Persistent Reserve command. Using Persistent Reserve, the software product’s distributed client can isolate access to the disk from other distributed systems without affecting z/OS’s access to the device.

The combination of using Persistent Reserve, along with security product controls from z/OS, can create a secure environment for storing data on z/OS FBA devices.