z/OS DFSMSrmm Implementation and Customization Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Recommendations for tape security

z/OS DFSMSrmm Implementation and Customization Guide
SC23-6874-00

For optimum tape security, exploiting the capabilities of DFSMSrmm, DFSMSdfp, and RACF, it is recommended that you use of these:
  • In DEVSUPxx:
    • TAPEAUTHDSN=YES
    • TAPEAUTHF1=YES
    • TAPEAUTHRC4=FAIL
    • TAPEAUTHRC8=FAIL
  • In EDGRMMxx:
    • OPTION TPRACF(N)
  • In RACF:
    • SETROPTS NOTAPEDSN NOCLASSACT(TAPEVOL)
The combination of DFSMSrmm, DFSMSdfp, and RACF ensures:
  • Full 44 character data set name validation.
  • Validation that the correct volume is mounted.
  • Control the overwriting of existing tape data sets.
  • Management of tape data set retention.
  • Control over the creation and destruction of tape volume labels.
  • No limitations caused by RACF TAPEVOL profile sizes and TVTOC limitations.
  • All tape data sets on a volume have a common authorization.
  • Use of generic DATASET profiles, enabling common authorization with DASD data sets.
  • Authorization for all tape data sets regardless of the tape label type.
  • Authorization for the use of bypass label processing (BLP).
  • Exploitation of RACF 'erase on scratch' support.
  • Use of DFSMSrmm FACILITY class profiles for data sets unprotected by RACF. Your authorization to use a volume outside of DFSMSrmm control with 'ignore' processing also enables authorization to the data sets on that volume.
To aid migration to this recommended environment, DFSMSrmm provides the TPRACF(CLEANUP) option, and DEVSUPxx provides TAPEAUTHRC8(WARN) and TAPEAUTHRC4(ALLOW).
Parent topic: Controlling RACF tape profile processing

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014