DFSMSrmm does not provide any security functions itself but relies on installed security products to process requests. For example, DFSMSrmm relies on the installed security product to confirm that a user is authorized to perform a particular function using an RMM TSO subcommand.

DFSMSrmm uses the z/OS SAF interface to perform authorization checks and other security processing, as described in SAF calls for authorization checking. DFSMSrmm issues RACROUTE requests that RACF, or a functionally equivalent security product, can process.

Protecting DFSMSrmm resources with RACF profiles describes security profile names and class name. If you have not installed a security product, you could write a SAF router exit to handle the calls that DFSMSrmm makes to the interface.

DFSMSrmm also uses the SAF interface to create, update, and delete tape-related security profiles and access lists as described in SAF and RACF calls for creating, updating and deleting security profiles. When you update the volume access list in the control data set, DFSMSrmm uses the RACF ICHEINTY macro to delete the entire access list and allows you to use the SAF interface to add the required access list. If your system does not support this function, do not use or update the DFSMSrmm volume access lists contained in the control data set.