z/OS DFSMShsm Implementation and Customization Guide


Protecting DFSMShsm storage administrator commands with RACF FACILITY class profiles

SC23-6869-01

Security administrators are now responsible for authorizing users and storage administrators to use DFSMShsm commands. Each storage administrator command can be protected through the following RACF® FACILITY class profile:
  • STGADMIN.ARC.command
  • STGADMIN.ARC.command.parameter

Storage administrators must have READ access authority to the profile in order to use the command, or the command with that parameter. A security administrator can create the following fully qualified, specific profiles (Table 1) to authorize or deny the use of DFSMShsm storage administrator commands.

Table 1. RACF FACILITY Class Profiles for DFSMShsm Storage Administrator Commands
Command name   RACF FACILITY class resource name
ABACKUP        STGADMIN.ARC.ABACKUP
               STGADMIN.ARC.ABACKUP.agname
ARECOVER       STGADMIN.ARC.ARECOVER
               STGADMIN.ARC.ARECOVER.agname
               STGADMIN.ARC.ARECOVER.agname.REPLACE
ADDVOL         STGADMIN.ARC.ADDVOL
ALTERDS        STGADMIN.ARC.ALTERDS
ALTERPRI       STGADMIN.ARC.ALTERPRI
AUDIT          STGADMIN.ARC.AUDIT
AUTH           STGADMIN.ARC.AUTH
BACKDS         STGADMIN.ARC.BACKDS
               STGADMIN.ARC.BACKDS.NEWNAME
               STGADMIN.ARC.BACKDS.RETAINDAYS
BACKVOL        STGADMIN.ARC.BACKVOL
BDELETE        STGADMIN.ARC.BDELETE
CANCEL         STGADMIN.ARC.CANCEL
DEFINE         STGADMIN.ARC.DEFINE
DELETE         STGADMIN.ARC.DELETE
DELVOL         STGADMIN.ARC.DELVOL
DISPLAY        STGADMIN.ARC.DISPLAY
EXPIREBV       STGADMIN.ARC.EXPIREBV
FIXCDS         STGADMIN.ARC.FIXCDS
FREEVOL        STGADMIN.ARC.FREEVOL
FRBACKUP       STGADMIN.ARC.FB.cpname
FRDELETE       STGADMIN.ARC.FD.cpname
FRRECOV        STGADMIN.ARC.FR.cpname
               STGADMIN.ARC.FR.NEWNAME
HOLD           STGADMIN.ARC.HOLD
LIST           STGADMIN.ARC.LIST (see Note 2)
               Exception: STGADMIN.ARC.LC.cpname, when the COPYPOOL(cpname) keyword is specified.
LOG            STGADMIN.ARC.LOG
MIGRATE        STGADMIN.ARC.MIGRATE
PATCH          STGADMIN.ARC.PATCH
QUERY          STGADMIN.ARC.QUERY
RECALL         STGADMIN.ARC.RECALL
RECOVER        STGADMIN.ARC.RECOVER
               STGADMIN.ARC.RECOVER.NEWNAME
RECYCLE        STGADMIN.ARC.RECYCLE
RELEASE        STGADMIN.ARC.RELEASE
REPORT         STGADMIN.ARC.REPORT
SETMIG         STGADMIN.ARC.SETMIG
SETSYS         STGADMIN.ARC.SETSYS
STOP           STGADMIN.ARC.STOP
SWAPLOG        STGADMIN.ARC.SWAPLOG
TAPECOPY       STGADMIN.ARC.TAPECOPY
TAPEREPL       STGADMIN.ARC.TAPEREPL
TRAP           STGADMIN.ARC.TRAP
UPDATEC        STGADMIN.ARC.UPDATEC
Note:
  1. If a storage administrator has access to the AUTH command, their use of it creates, alters, or deletes MCU records. DFSMShsm does not use these MCU records for authorization checking while the FACILITY class is active.
  2. The FACILITY class resource name used to protect the LIST COPYPOOL command depends on whether a specific copy pool name is specified in the command. When a copy pool name is not specified, LIST COPYPOOL is protected by the STGADMIN.ARC.LIST resource. When a specific copy pool name is specified, LIST COPYPOOL(cpname) is protected by the resource STGADMIN.ARC.LC.cpname.
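
The following RACF commands are an added example, not part of the IBM guide: they show one way to define a few of the Table 1 profiles with no default access and grant READ per command, per parameter, and per copy pool. The group names HSMADMIN and HSMSYSP and the copy pool name CP1 are assumptions made for illustration.

```tso
/* Added example. HSMADMIN, HSMSYSP and copy pool CP1 are hypothetical. */

/* Activate the FACILITY class if it is not already active.             */
SETROPTS CLASSACT(FACILITY)

/* Command-level profiles from Table 1, defined with no default access. */
RDEFINE FACILITY STGADMIN.ARC.QUERY   UACC(NONE)
RDEFINE FACILITY STGADMIN.ARC.LIST    UACC(NONE)
RDEFINE FACILITY STGADMIN.ARC.RECOVER UACC(NONE)
RDEFINE FACILITY STGADMIN.ARC.PATCH   UACC(NONE)

/* Command-and-parameter profile from Table 1 (RECOVER with NEWNAME).   */
RDEFINE FACILITY STGADMIN.ARC.RECOVER.NEWNAME UACC(NONE)

/* Note 2: LIST COPYPOOL(CP1) is protected by STGADMIN.ARC.LC.CP1,      */
/* while LIST COPYPOOL with no name is protected by STGADMIN.ARC.LIST.  */
RDEFINE FACILITY STGADMIN.ARC.LC.CP1 UACC(NONE)

/* READ is the access authority the guide requires for each profile.    */
PERMIT STGADMIN.ARC.QUERY   CLASS(FACILITY) ID(HSMADMIN) ACCESS(READ)
PERMIT STGADMIN.ARC.LIST    CLASS(FACILITY) ID(HSMADMIN) ACCESS(READ)
PERMIT STGADMIN.ARC.LC.CP1  CLASS(FACILITY) ID(HSMADMIN) ACCESS(READ)
PERMIT STGADMIN.ARC.RECOVER CLASS(FACILITY) ID(HSMADMIN) ACCESS(READ)

/* Per-command granularity: a separate, smaller group for PATCH and     */
/* for RECOVER with NEWNAME.                                            */
PERMIT STGADMIN.ARC.PATCH           CLASS(FACILITY) ID(HSMSYSP) ACCESS(READ)
PERMIT STGADMIN.ARC.RECOVER.NEWNAME CLASS(FACILITY) ID(HSMSYSP) ACCESS(READ)

/* Refresh the in-storage profiles if the FACILITY class is RACLISTed.  */
SETROPTS RACLIST(FACILITY) REFRESH

/* Review: list the defined STGADMIN.ARC profiles, then show the access */
/* list of one of them.                                                 */
SEARCH CLASS(FACILITY) MASK(STGADMIN.ARC)
RLIST FACILITY STGADMIN.ARC.PATCH AUTHUSER
```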





Copyright IBM Corporation 1990, 2014