Recommendations for tape security
For optimum tape security, exploiting the capabilities of DFSMSrmm,
DFSMSdfp, and RACF, it is recommended that you use of these:
- In DEVSUPxx:
- TAPEAUTHDSN=YES
- TAPEAUTHF1=YES
- TAPEAUTHRC4=FAIL
- TAPEAUTHRC8=FAIL
- In EDGRMMxx:
- OPTION TPRACF(N)
- In RACF:
- SETROPTS NOTAPEDSN NOCLASSACT(TAPEVOL)
The combination of DFSMSrmm, DFSMSdfp, and RACF ensures:
- Full 44 character data set name validation.
- Validation that the correct volume is mounted.
- Control the overwriting of existing tape data sets.
- Management of tape data set retention.
- Control over the creation and destruction of tape volume labels.
- No limitations caused by RACF TAPEVOL profile sizes and TVTOC limitations.
- All tape data sets on a volume have a common authorization.
- Use of generic DATASET profiles, enabling common authorization with DASD data sets.
- Authorization for all tape data sets regardless of the tape label type.
- Authorization for the use of bypass label processing (BLP).
- Exploitation of RACF 'erase on scratch' support.
- Use of DFSMSrmm FACILITY class profiles for data sets unprotected by RACF. Your authorization to use a volume outside of DFSMSrmm control with 'ignore' processing also enables authorization to the data sets on that volume.