You should be familiar with the Protecting Data on Tape section in Chapter 6, Protecting Data Sets on DASD and Tape of z/OS Security Server RACF Security Administrator's Guide, when implementing a RACF® solution.

RACF can protect tapes using TAPEVOL profiles, or DATASET profiles, or both. You can direct DFSMShsm to add TAPEVOL protection to tapes it selects for output, and remove that protection automatically when it releases the tapes to the scratch pool. DFSMShsm cannot remove protection if the entire scratch pool is protected by RACF, in which case users cannot allocate or read the tapes directly. As tapes become empty, RACF TAPEVOL protection is removed and the tapes can be reused immediately; whereas tapes with expiration-date and password protection might need to be reinitialized (as determined by your tape management procedures) before a global scratch pool can reuse them. DFSMShsm can protect tape volumes with RACF by adding them to a RACF tape-volume set (HSMHSM, HSMABR or DFHSMx). All tapes in DFSMShsm's RACF tape-volume set share the same access list and auditing controls.

You should use RACF profiles to protect all HSM tapes. You can use RACF TAPEVOL profiles with the SETSYS TAPESECURITY(RACF|RACFINCLUDE) option, or use RACF DATASET profiles. RACF DATASET profiles may be used in conjunction with any of the other tape security options.