z/OS DFSMSrmm Implementation and Customization Guide


Protecting DFSMSrmm resources with RACF profiles

SC23-6874-00

The DFSMSrmm resources you protect with RACF profiles in the FACILITY class each have an entity name prefixed with STGADMIN.EDG. Table 1 lists the DFSMSrmm resources.

For optimal security, define RACF profiles to control access to DFSMSrmm functions that are protected by the DFSMSrmm resource. If there is a RACF profile, specific or generic, that matches a DFSMSrmm resource, the resource is treated as if it has been defined. DFSMSrmm provides control for some resources, as described in Setting the level of access for the DFSMSrmm resources, even when you do not protect DFSMSrmm resources with RACF or another equivalent security product.

The TSO commands and utilities are authorized by DFSMSrmm on the system on which you run them.

Table 1. Resources you protect with RACF profiles
Define the Profile | To Control the
STGADMIN.EDG.ACTIONS.action (1) Setting of the release action.
STGADMIN.EDG.AV.status.volser (2) Adding of volumes.
STGADMIN.EDG.CD.COPYFROM.dsname (4) Use of CHANGEDATASET COPYFROM subcommand to copy the data set attributes from one data set dsname to another data set.
STGADMIN.EDG.CD.VX (4) Overriding of DFSMSrmm VRSEL processing for a data set.
STGADMIN.EDG.CMOVE.location.destination Confirmation of moves and ejects.
STGADMIN.EDG.CRLSE.action (1) Confirmation of the release action.
STGADMIN.EDG.CV.[HOLD|NOHOLD].volser (3) Setting and resetting the volume HOLD attribute.
STGADMIN.EDG.CV.RM (3) Use of the RMM CHANGEVOLUME RETENTIONMETHOD subcommand to update the retention method for a volume.

Use of the RMM CHANGEVOLUME RETAINBY subcommand to update the retain by attribute of a volume managed by the EXPDT retention method.

STGADMIN.EDG.DV.SCRATCH.volser Deleting of scratch volumes.
STGADMIN.EDG.FORCE Changing of information recorded by DFSMSrmm during O/C/EOV processing.

Adding or deleting data sets on volumes, or use of the DELETEVOLUME command.

STGADMIN.EDG.EDGUPDT.UPDATE Use of the EDGUPDT utility UPDATE function.
STGADMIN.EDG.HOUSEKEEP Use of DFSMSrmm inventory management functions.
STGADMIN.EDG.HOUSEKEEP.RPTEXT Use of DFSMSrmm inventory management extract function.
STGADMIN.EDG.IGNORE.TAPE.volser Use of volume serial numbers that are not defined to DFSMSrmm and use of duplicate volume serial numbers to allow a volume to be ignored. If you are authorized to ignore use of a tape volume, DFSMSrmm also overrides the SAF authorization for you to access data on the tape when the data is not defined to RACF and when the user is not authorized to the data.

Recommendation: Do not assign an access level to the STGADMIN.EDG.IGNORE.TAPE.volser resource to any specific user group. When a tape volume that must be ignored by DFSMSrmm is identified, grant the user or user group the needed access level. Once the volume is no longer needed, delete the resource.

STGADMIN.EDG.IGNORE.TAPE.RMM.volser Use of duplicate volume serial numbers and to allow a volume to be ignored. If you are authorized to ignore use of a tape volume, DFSMSrmm also overrides the SAF authorization for you to access data on the tape when the data is not defined to RACF and when the user is not authorized to the data.

Recommendation: Specify UACC(NONE) to the STGADMIN.EDG.IGNORE.TAPE.RMM.volser resource. Grant a user or user group the needed access level only when access is needed. When the volume is no longer needed, delete the resource.

STGADMIN.EDG.IGNORE.TAPE.NORMM.volser Use of volume serial numbers that are not defined to DFSMSrmm to allow a volume to be ignored. If you are authorized to ignore use of a tape volume, DFSMSrmm also overrides the SAF authorization for you to access data on the tape when the data is not defined to RACF and when the user is not authorized to the data.

Recommendation: Specify UACC(NONE) to the STGADMIN.EDG.IGNORE.TAPE.NORMM.volser resource. Grant the needed access level to a user or user group only when access is needed. When the volume is no longer needed, delete the resource.

STGADMIN.EDG.INIT Setting of the INIT action.
STGADMIN.EDG.LABEL.volser Creation of standard tape labels. The variable volser can be specified as a specific volume serial number or a generic volume serial number. For example, A12345 is a specific volume serial number and AB* is a generic volume serial number. If you use generic profiles, you can use these functions for a subset of your volumes. If the volume serial numbers and rack numbers match, you can control relabeling at the pool level. For example, you could have a pool using rack number prefix AB*.

If you want to create an AL tape and your installation has an SL scratch pool, you need ALTER access to STGADMIN.EDG.LABEL.volser. The volser can be specified as the pool prefix of the scratch pool.

If you want to switch to an AL tape from either an SL or NL tape that has already been assigned to you, UPDATE access to STGADMIN.EDG.LABEL.volser is required.

STGADMIN.EDG.LIST List and search DFSMSrmm resources.
STGADMIN.EDG.LISTCONTROL Use of the RMM LISTCONTROL subcommand to display DFSMSrmm control data set control record information and EDGRMMxx parmlib settings.
STGADMIN.EDG.MASTER Access to information in the DFSMSrmm control data set. Assign the control data set a universal access of NONE so that DFSMSrmm grants access to various functions through STGADMIN.EDG.MASTER.
STGADMIN.EDG.MOVES.location.destination Initiation of moves and ejects.
STGADMIN.EDG.NOLABEL.volser Creation of tapes without labels.
STGADMIN.EDG.OPERATOR Use of the initialize, erase, and scan functions.
STGADMIN.EDG.OWNER.userid Access to owned resources. DFSMSrmm checks this entity only if the command issuer is not the owner of the resource and does not have CONTROL access to STGADMIN.EDG.MASTER. Use of the RMM CHANGEVOLUME subcommand to update information based on the owner.

Using STGADMIN.EDG.OWNER.userid, individual owners can permit other users to access owned volumes. An owner can be a group or department as well as an individual. Define owner resources only for those owners who will allow their volumes to be managed by another user.

STGADMIN.EDG.RELEASE Use of the RMM DELETEVOLUME RELEASE subcommand to process any release actions specified for a volume.
STGADMIN.EDG.RESET.SSI Use of the RESET facility for removing DFSMSrmm from the system. You can use the facility without defining this resource when you have no security product installed.
STGADMIN.EDG.VRS Use of the RMM LISTVRS and SEARCHVRS subcommands to obtain information about vital record specifications. Use of the RMM ADDVRS and DELETEVRS subcommands to define or remove vital record specifications.
STGADMIN.EDG.INERS.WRONGLABEL Processing for volumes mounted with the wrong label.
Note:
  1. Action can be either SCRATCH, RETURN, REPLACE, NOTIFY, ERASE, or INIT.
  2. Status can be either SCRATCH, USER, MASTER, or VOLCAT.
  3. If you use a generic profile, the minimum non-generic profile name checked for by DFSMSrmm is ‘STGADMIN.EDG.CV.’
  4. If you use a generic profile, the minimum non-generic profile name checked for by DFSMSrmm is ‘STGADMIN.EDG.CD.’
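The following REXX procedure is an added example, not code from the IBM publication; it issues the RACF commands that put the table's recommendations into practice: generic UACC(NONE) profiles over the IGNORE.TAPE resources with no standing permits, an owner profile for a volume-owning group, a MASTER profile for storage administrators, and a grant/revoke pair for the temporary, per-volume ignore access the recommendations describe, plus an audit routine that finds discrete ignore profiles that were never deleted. The group names STGADMIN and TAPEOWN, the user JSMITH, the volser A12345 and the access levels granted (READ, UPDATE, CONTROL) are assumptions; the page itself does not state which access level each function requires, so use the level your DFSMSrmm documentation gives. It assumes the FACILITY class is active, generic profiles are enabled for it, and it is RACLISTed.

```rexx
/* REXX: added example (not from the IBM page). Assumptions: STGADMIN    */
/* is the storage-administration group, TAPEOWN a volume-owning group,   */
/* JSMITH a requester, A12345 a constructed volser, and the FACILITY     */
/* class is active, generic-enabled and RACLISTed. Access levels used    */
/* here are assumed; check the level your DFSMSrmm documentation needs.  */
ADDRESS TSO

/* 1. Generic backstop profiles for the ignore functions, UACC(NONE) and */
/*    no standing PERMITs. A matching profile, even a generic one, makes */
/*    DFSMSrmm treat the resource as defined, so nobody can bypass tape  */
/*    checking by default.                                               */
CALL Racf "RDEFINE FACILITY STGADMIN.EDG.IGNORE.TAPE.RMM.* UACC(NONE)"
CALL Racf "RDEFINE FACILITY STGADMIN.EDG.IGNORE.TAPE.NORMM.* UACC(NONE)"

/* 2. MASTER profile: storage administrators get CONTROL, which the table */
/*    notes also lets them manage volumes they do not own.               */
CALL Racf "RDEFINE FACILITY STGADMIN.EDG.MASTER UACC(NONE)"
CALL Racf "PERMIT STGADMIN.EDG.MASTER CLASS(FACILITY) ID(STGADMIN)",
          "ACCESS(CONTROL)"

/* 3. Owner profile: members of TAPEOWN manage volumes owned by TAPEOWN  */
/*    without needing CONTROL on STGADMIN.EDG.MASTER (UPDATE assumed).   */
CALL Racf "RDEFINE FACILITY STGADMIN.EDG.OWNER.TAPEOWN UACC(NONE)"
CALL Racf "PERMIT STGADMIN.EDG.OWNER.TAPEOWN CLASS(FACILITY) ID(TAPEOWN)",
          "ACCESS(UPDATE)"
CALL Racf "SETROPTS RACLIST(FACILITY) REFRESH"

/* 4. Temporary ignore access for one volume: discrete profile, grant,  */
/*    use, then delete, as the recommendations describe.                 */
volser = 'A12345'                       /* constructed example volser    */
CALL GrantIgnore volser, 'JSMITH'
/* ... the requester processes the volume here ...                       */
CALL RevokeIgnore volser

/* 5. Audit: any discrete profile still under IGNORE.TAPE is a temporary */
/*    grant that was never cleaned up.                                   */
CALL ListIgnoreProfiles
EXIT 0

/* Issue one RACF command and report a non-zero return code.             */
Racf: PROCEDURE
  PARSE ARG cmd
  cmd                                   /* the string is the TSO command */
  IF rc <> 0 THEN SAY 'rc='rc 'from:' cmd
  RETURN rc

GrantIgnore: PROCEDURE
  PARSE ARG vol, who
  prof = 'STGADMIN.EDG.IGNORE.TAPE.RMM.'vol
  CALL Racf "RDEFINE FACILITY" prof "UACC(NONE)"
  /* READ is assumed here; grant only the level the function requires.   */
  CALL Racf "PERMIT" prof "CLASS(FACILITY) ID("who") ACCESS(READ)"
  CALL Racf "SETROPTS RACLIST(FACILITY) REFRESH"
  RETURN

RevokeIgnore: PROCEDURE
  PARSE ARG vol
  /* Deleting the discrete profile removes the permit with it.           */
  CALL Racf "RDELETE FACILITY STGADMIN.EDG.IGNORE.TAPE.RMM."vol
  CALL Racf "SETROPTS RACLIST(FACILITY) REFRESH"
  RETURN

ListIgnoreProfiles: PROCEDURE
  x = OUTTRAP('line.')                  /* capture SEARCH output         */
  "SEARCH CLASS(FACILITY) FILTER(STGADMIN.EDG.IGNORE.TAPE.**)"
  x = OUTTRAP('OFF')
  DO i = 1 TO line.0
    /* Generic profiles contain '*'; anything else is a discrete leftover */
    IF LEFT(line.i, 12) = 'STGADMIN.EDG' & POS('*', line.i) = 0 THEN
      SAY 'Discrete ignore profile still defined:' line.i
  END
  RETURN
```

Run it from TSO with a user ID that has the RACF authority to define FACILITY profiles. Step 5 is the check worth scheduling on its own: the recommendation's safety depends on the discrete profile being deleted after use, and a SEARCH over STGADMIN.EDG.IGNORE.TAPE.** is the quickest way to see whether that actually happened.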

Copyright IBM Corporation 1990, 2014