Selective device access control

This topic provides information about use of selective device access control in a TS7700 Grid configuration.

Selective device access control (SDAC) allows exclusive access to one or more VOLSER ranges by only certain logical control units or subsystem IDs within a composite library for host-initiated mounts, ejects, and changes to attributes or categories.

You can use SDAC to configure hard partitions at the LIBPORT-ID level for independent host logical partitions or system complexes. Hard partitioning prevents a host logical partition or system complex with an independent tape management configuration from inadvertently modifying or removing data owned by another host. It also prevents applications and users on one system from accessing active data on volumes owned by another system.

SDAC is enabled by using FC 5271, Selective device access control. For more information about this feature, see the topic Feature details in the Related information section. Each instance of this feature enables definition of eight SDAC groups, excluding the default group. This feature license key must be installed on all clusters in the grid before SDAC is enabled.
Important: If a cluster is to be joined to a grid that has SDAC enabled, the feature key must be installed on the joining cluster before the join is attempted. Otherwise, SDAC can be disabled on the grid when the join occurs.

You can specify one or more LIBPORT-IDs per SDAC group. Each access group is given a name and assigned mutually exclusive VOLSER ranges. Use the Library port access groups panel on the TS7700 Management Interface to create and configure library port access groups for use with SDAC. Access control is imposed as soon as a VOLSER range is defined. As a result, selective device protection applies retroactively to pre-existing data. For more information, see the topic Library port access groups in the Related information section.

When using library port access groups on a system where both FC 5271 (SDAC) and FC 5275 (add virtual devices) are in use, you must define separate SDA groups for each and modify their defaults accordingly.

Host controls

An integral part of the function is the control of the input-output definition file (IODF) configuration on the host, which determines which devices can be used by the various host partitions. The host IODF configuration activity needs to be access controlled (that is, through the Resource Access Control Facility [RACF]) to ensure that devices adhere to the hard partitioning definition. Restricted access to the Management Interface (MI) panels that define the access groups and assign them to the VOLSER ranges is also required to ensure security.

For a host services and storage service provider, it is assumed that the provider owns the hosts and the storage so that the configuration can be controlled by the above protection.

Depending on the model and installed features, there is a minimum of 16 and a maximum of 31 logical control units in each cluster, giving a maximum of 496 devices per cluster. Library port IDs from each cluster in a Grid should be included in an access group for high availability access and for disaster recovery testing. You are allowed to define 50 VOLSER ranges. Each VOLSER range needs to be a unique set of volumes, which means there can be no overlap between ranges. Newly inserted volumes that are not covered by an existing VOLSER range are covered by the default access group until a valid VOLSER range is defined for them. The VOLSER ranges and access group panel is provided only if the feature is installed on all clusters within the Grid.

The access control is imposed as soon as an access group is assigned to a VOLSER range. As a result, selective device access control protection applies retroactively to all pre-existing data.

Expected configuration and use scenarios

The main goal of the configuration phase is to set up independent sysplexes that are hard partitioned for devices, volumes and scratch categories. Sharing any of these three items across sysplexes is not supported.
  • The customers that use this function have 2 to 8 sysplexes installed, all running independent instances of tape management software. This means that they do not share common TCDB databases.
  • Each sysplex defines its own set of ranges of virtual volumes and associates each range with the corresponding sysplex group name. Therefore, any one volume should only be defined within one of the up to 8 sysplexes.
  • Each sysplex defines its own scratch category that must be unique to its sysplex.
  • Each sysplex has exclusive access to one or more LIBPORT-IDs within the TS7700. Each sysplex should only configure the LIBPORT-IDs that it anticipates using and therefore, only the devices associated with these LIBPORT-IDs are varied on.
  • An access group for each sysplex should be defined. Each access group definition then has only the LIBPORT-IDs defined within it that correspond to the LIBPORT-IDs configured for that sysplex. Overlap between sysplexes and therefore storage group name LIBPORT-ID definitions is not expected, except when sysplex volume sharing is necessary.
  • Access group names should be created with LIBPORT-IDs along with the SDAC volser ranges at the TS7700.
  • As volumes are inserted into the TS7700, only the sysplex that has a corresponding volume range definition processes the volumes and moves them into its independent scratch category.

After configuration is complete, the following items are examples of usage requirements.
  • Any attempt of one sysplex to access private volumes of another sysplex or attempt to manipulate their properties should fail.
  • Any attempt of one sysplex to issue a scratch mount to a category that does not contain volumes that can be accessed by the device should fail. Thus, independent scratch categories are required.
  • Any accidental or malicious manual volume configuration in one sysplex that overlaps another sysplex should not cause any harm. It is not possible to:
    • Manipulate the other sysplex's private volumes or scratch volumes
    • Return to scratch the other sysplex's private volumes
    • Eject another sysplex's volumes
    • Move another sysplex's volumes into any scratch category and then proceed to eject the volumes
  • If a sysplex wants to surrender a volume range to another sysplex, perform the following:
    • Undefine them at sysplex A
    • Define them at sysplex B
    • Change the access group on the SDAC volser range to allow sysplex B devices to access the volumes
    • Or, define a common or shared group name
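
The VOLSER range rules under Host controls (50 ranges, no overlap, uncovered volumes falling to the default access group) and the cross-sysplex usage requirements above can be checked against a planned configuration before it is entered in the Management Interface. The following Python model is an added example, not IBM code or a TS7700 interface; the group names, LIBPORT-ID values, VOLSER ranges, and the plain string ordering of VOLSERs are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_RANGES = 50  # number of VOLSER ranges this topic says can be defined

@dataclass(frozen=True)
class VolserRange:
    start: str   # first VOLSER in the range (6 characters)
    end: str     # last VOLSER in the range, inclusive
    group: str   # access group assigned to the range

def validate(ranges, groups):
    """Return a list of problems found in a planned SDAC configuration."""
    problems = []
    if len(ranges) > MAX_RANGES:
        problems.append(f"{len(ranges)} ranges defined, limit is {MAX_RANGES}")
    for r in ranges:
        if len(r.start) != 6 or len(r.end) != 6 or r.start > r.end:
            problems.append(f"malformed range {r.start}-{r.end}")
        if not groups.get(r.group):
            problems.append(f"range {r.start}-{r.end}: group {r.group!r} has no LIBPORT-IDs")
    # Ranges must be mutually exclusive: after sorting by start, any overlap
    # shows up between at least one pair of neighbours.
    ordered = sorted(ranges, key=lambda r: r.start)
    for a, b in zip(ordered, ordered[1:]):
        if b.start <= a.end:
            problems.append(f"overlap: {a.start}-{a.end} and {b.start}-{b.end}")
    return problems

def may_access(libport_id, volser, ranges, groups, default_group="DEFAULT"):
    """Model the access decision for a host-initiated mount, eject or change."""
    for r in ranges:
        if r.start <= volser <= r.end:
            return libport_id in groups.get(r.group, set())
    # Volumes outside every defined range are covered by the default group.
    return libport_id in groups.get(default_group, set())

# Constructed sample: two sysplexes, each with its own LIBPORT-IDs and range.
GROUPS = {
    "DEFAULT": {"01", "41", "02", "42"},
    "PLEXA": {"01", "41"},
    "PLEXB": {"02", "42"},
}
RANGES = [
    VolserRange("A00000", "A99999", "PLEXA"),
    VolserRange("B00000", "B99999", "PLEXB"),
]
```

In this model, surrendering a range from one sysplex to another corresponds to changing the `group` on the matching `VolserRange` entry.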