Using an External Security Manager to control Tape Manager resources

If you use an External Security Manager (ESM) that supports the RACROUTE macro and the FACILITY class, you can configure Tape Manager to use the ESM as its authorization mechanism instead of its own internal authorization mechanisms. A number of the facilities managed by Tape Manager can alternatively be managed by an ESM, as described in the discussion of the profiles that follows.

Overview of setup using IBM Resource Access Control Facility (RACF)

The TxTMM ID must have authority to issue checks for access to a resource on behalf of another user (a third-party authorization check). An example of how to do this for IBM® Resource Access Control Facility (RACF®) is provided; however, refer to the latest documentation for your particular release of ESM for details.

To use RACF as the authorization mechanism, perform the following steps:

  1. Authorize communication with the RACF/VM server through IUCV.
  2. Authorize third-party authorization checks.
  3. Identify the RACF/VM server to which RACROUTE will be sent.
  4. Specify site appropriate settings in the External_Security configuration statement.
  5. Ensure that RACF profiles and permissions are in place for the External_Security configuration settings.

Each of these steps is described below.

Authorize communication with RACF/VM

The TxTMM service machine communicates with RACF through IUCV. There are two options for authorizing this communication. You should consider which option is appropriate for your system's security administration policies.

The more general option is to have the RACF/VM server (usually called RACFVM) include an IUCV ALLOW statement in its directory entry. This will permit any user in the system to establish communication with the RACF server.

The more restricted option is to have Tape Manager include an IUCV statement for the RACF/VM server (for example, IUCV RACFVM PRIORITY MSGLIMIT 255) in its directory entry. This approach permits only the users with an IUCV RACFVM statement in their directory entry to establish communication with the RACF server.

Authorize third-party checks

Authority to issue third-party authorization checks is controlled by the ICHCONN profile in the FACILITY class in RACF/VM. You must create this profile if it does not exist and give the Tape Manager server (TxTMM) UPDATE access to it. Grant this access only to the Tape Manager server: any user ID with UPDATE access to ICHCONN can ask RACF to evaluate access on behalf of other users.
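The following REXX exec shows the ICHCONN step as it would be issued from CMS with the RAC command. It is an added example, not code from the Tape Manager product or its documentation. It assumes that the Tape Manager server user ID is TMTMM (substitute your TxTMM ID) and that the user running it has the RACF SPECIAL authority needed for RDEFINE, PERMIT and SETROPTS.

```rexx
/* Added example: allow the Tape Manager server to issue            */
/* third-party authorization checks through the ICHCONN profile.    */
/* Not product code. Assumption: the server user ID is TMTMM.       */
address cms
tmm = 'TMTMM'                   /* your TxTMM service machine ID    */

/* Create ICHCONN in FACILITY only if it does not exist yet.        */
/* UACC(NONE): nobody gets access unless explicitly permitted.      */
'RAC RLIST FACILITY ICHCONN'
if rc <> 0 then do
  'RAC RDEFINE FACILITY ICHCONN UACC(NONE)'
  if rc <> 0 then exit rc
end

/* UPDATE is the level Tape Manager needs; grant it to TMTMM only.  */
'RAC PERMIT ICHCONN CLASS(FACILITY) ID('tmm') ACCESS(UPDATE)'
if rc <> 0 then exit rc

/* The FACILITY class must be active for the check to be made.      */
'RAC SETROPTS CLASSACT(FACILITY)'

/* Verify: the access list should show TMTMM with UPDATE and no     */
/* other IDs that do not need third-party checking.                 */
'RAC RLIST FACILITY ICHCONN AUTHUSER'
exit rc
```

Review the AUTHUSER output after running it: an ICHCONN access list that has grown to include general users or groups is a sign that third-party checking has been opened more widely than intended.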

Identify the RACF/VM server

The RACROUTE interface must be able to identify the RACF/VM server. This is done with the RACF SERVMACH file, which is normally loaded to the CMS Y-disk during RACF installation. If you want to use a different RACF server, or your installation has removed the RACF SERVMACH file from general access, you should provide a tailored RACF SERVMACH file to the Tape Manager service machine TxTMM.

Specify the security settings in the External_Security configuration file statement

Update the Tape Manager configuration file SYS CONFIG to specify External_Security_Manager YES to enable profile checking.

Privileged_User_Authority
When set to YES, this setting activates ESM checking for both the system administrator profile and the operations profile.
Command_Authority
When set to YES, this setting activates ESM checking for the command profile.
Private_Pool_Authority
When set to YES, this setting activates ESM checking for the pool administrator profile, the pool volume profile and the pool free tape profile.
System_Authority
When set to YES, this setting activates ESM checking for the system free pool profile, the system pool definition profile and the system high-level qualifier profile.

The profiles are described in the discussion that follows. Refer to the Tape Manager configuration documentation in this guide for additional information on the External_Security statement.

Two runtime options (ESM and NOESM) are supported to override the External_Security_Manager setting at start up, without the need to modify the configuration file. An example of a command to autolog the TMM machine and force the ESM setting to NO would be:

CP XAUTOLOG TMTMM # NOESM

This command will pass the NOESM runtime option to the TMM machine at start up, as long as the site allows the logon parameter to be passed to the program. If the command is entered from a terminal, note that the pound sign is by default the CP line-end character (CP TERM LINEND), so it must be preceded by the CP escape character (by default a double quote, CP TERM ESCAPE) for it to reach the program as a parameter, for example CP XAUTOLOG TMTMM "# NOESM. Check the CP TERM settings in effect for the issuing user.

Using the NOESM option can be a convenient way to start Tape Manager when it normally runs with an ESM but the ESM is not available for some reason. Remember that only administrators that are defined in the Admins statement in the Tape Manager configuration file will have administrator privileges when running with the NOESM option, and that the ESM-only command profile checks are not performed at all in this mode.

The settings available in the External_Security configuration statement can also be modified dynamically by a system administrator using the CNFGSET ESM command. Dynamic changes are not written to the configuration file, so the settings in the Tape Manager configuration file take effect again when Tape Manager is restarted. Refer to the POOLACC and CMDAUTH commands in the IBM Tape Manager for z/VM® User Guide for more information about the native security facilities provided by Tape Manager.

Define Tape Manager FACILITY class profiles and grant permissions

If an extended profile qualifier has been set in the External_Security configuration statement, the extended form of the profile names that follow should be used and the value of the extended qualifier should be substituted for "qual". The use of these profiles is enabled only if External_Security_Manager YES is specified in the External_Security configuration statement.

The profiles must be defined in the FACILITY class and that class must be active in the External Security Manager. A brief explanation is provided in the profile descriptions when the protection offered by the external security profiles differs substantially from the protection offered by the security provided in Tape Manager.

Using the administrator profile to authorize system administrators

This section applies to the following authorities:

EUM.AUTH.ADMN  or  EUM.qual.AUTH.ADMN

The system administrator profile is used to check for administrator authority when Privileged_User_Authority YES is specified in the External_Security configuration statement. Otherwise, Tape Manager will check for that authority based on the security settings provided by Tape Manager. The profile is valid when using the Tape Manager catalog or when using a z/OS® DFSMS Removable Media Manager catalog (RMM catalog).

An access authority of READ to the profile will provide administrator authority to an individual or group when profile checking is active. Consider creating a user group for those users that require system administrator authority and providing that group READ access to the profile. Administrators have broad authority and are not subject to the standard operational security checks, with the exception that an administrator may not mount a tape in a private pool without an appropriate permission for the pool.

Note: It is strongly recommended that an appropriate group of system administrator and operations IDs be defined using the Admins and Operations statements in the Tape Manager configuration file. This provides sufficient operational authority in the event that it is necessary to operate Tape Manager when the ESM is not available. Additional permissions can be granted by system administrators using the CMDAUTH command when the ESM is not active.

Using the operations profile to authorize operations users

This section applies to the following authorities:

EUM.AUTH.OPER  or  EUM.qual.AUTH.OPER

The operations profile is used to check for operations authority when Privileged_User_Authority YES is specified in the External_Security configuration statement. Otherwise, Tape Manager will check for that authority based on the security settings provided by Tape Manager. The profile is valid in Tape Manager catalog and RMM catalog operations.

An access of READ to the profile will provide operations authority to an individual or group when profile checking is active. Consider creating a user group for those users that require operations authority and providing that group READ access to the profile.

Operators are permitted to issue commands that are necessary to monitor and operate the system on a normal basis. These commands include the ability to manage Tape Manager devices and automated tape libraries, manage tape mount requests, query volume information, quiesce the system (allowing only administrator commands), and manage communications between Tape Manager nodes in a Shared Catalog environment.

Using the command profile to authorize the use of commands

This section applies to the following authorities:

EUM.CMND.command  or  EUM.qual.CMND.command

The command profile is used to check for the authority of a user, other than a system administrator, to issue a specific command when Command_Authority YES is specified in the External_Security configuration statement. The profile is valid in Tape Manager catalog and RMM catalog operations.

Note: There is no similar check for the authority to issue a specific command with the security provided by Tape Manager. ESM support is required.

An access permission of READ provides a user the authority to issue the command while a permission of NONE means that a user cannot use the command. The authority to use a command is not necessarily sufficient authority for the command to execute successfully – that authority only ensures that the command will not be rejected based on the command name.

For example, if a command requires administrator authority, the issuer must also be a system administrator for the command to complete successfully. Consider using a generic form of this profile (such as EUM.CMND.* or EUM.qual.CMND.*), with a universal access of READ, to provide the same default ability for any user to issue any command as when an ESM is not used to protect the commands. Individual commands can then be restricted with a more specific profile, which the ESM selects in preference to the generic one.
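The administrator, operations and command profiles described above can be set up with the RAC command from CMS, as in this added example. It is not code from the Tape Manager product or its documentation. It assumes RACF groups named TMADMIN and TMOPER, user IDs ALICE and OPER1, an optional extended qualifier held in the variable qual, and that the issuing user has the RACF authority to create groups and profiles; the restriction of the TAPEMOD command to operators is illustrative only.

```rexx
/* Added example: administrator, operations and command profiles.   */
/* Not product code. Assumptions: groups TMADMIN and TMOPER, user   */
/* IDs ALICE and OPER1, and an optional extended qualifier 'qual'.  */
address cms
qual = ''                       /* e.g. 'PROD' gives EUM.PROD.xxx   */
if qual = '' then prefix = 'EUM.'
else prefix = 'EUM.'qual'.'

/* Generic (wildcard) FACILITY profiles need generic processing.    */
'RAC SETROPTS CLASSACT(FACILITY) GENERIC(FACILITY)'

/* One group per privileged role; connect the people to the groups. */
'RAC ADDGROUP TMADMIN SUPGROUP(SYS1)'
'RAC ADDGROUP TMOPER  SUPGROUP(SYS1)'
'RAC CONNECT ALICE GROUP(TMADMIN)'
'RAC CONNECT OPER1 GROUP(TMOPER)'

/* READ on the profile confers the authority; UACC(NONE) means      */
/* everyone else fails the check.                                   */
'RAC RDEFINE FACILITY' prefix'AUTH.ADMN UACC(NONE)'
'RAC PERMIT' prefix'AUTH.ADMN CLASS(FACILITY) ID(TMADMIN) ACCESS(READ)'
'RAC RDEFINE FACILITY' prefix'AUTH.OPER UACC(NONE)'
'RAC PERMIT' prefix'AUTH.OPER CLASS(FACILITY) ID(TMOPER) ACCESS(READ)'

/* Command profiles (Command_Authority YES). The generic CMND.*     */
/* with UACC(READ) keeps the non-ESM default: any user may issue   */
/* any command. A more specific profile overrides it for one       */
/* command; here TAPEMOD is limited to operators.                   */
'RAC RDEFINE FACILITY' prefix'CMND.* UACC(READ)'
'RAC RDEFINE FACILITY' prefix'CMND.TAPEMOD UACC(NONE)'
'RAC PERMIT' prefix'CMND.TAPEMOD CLASS(FACILITY) ID(TMOPER) ACCESS(READ)'

/* Verify the access lists.                                         */
'RAC RLIST FACILITY' prefix'AUTH.ADMN AUTHUSER'
'RAC RLIST FACILITY' prefix'CMND.TAPEMOD AUTHUSER'
exit rc
```

Keep the membership of TMADMIN in step with the Admins statement in the Tape Manager configuration file, so that the same people hold administrator authority whether Tape Manager is running with the ESM or with NOESM.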

Using the pool administrator profile to authorize a private pool administrator

This section applies to the following authorities:

EUM.POOLADMN.pool_owner.pool_name  or  EUM.qual.POOLADMN.pool_owner.pool_name

The pool administrator profile is used to check for pool administrator authority for a private pool (pool_owner pool_name) when Private_Pool_Authority YES is specified in the External_Security configuration statement. The profile is valid only in Tape Manager catalog operations. By default, only system administrators (defined on the Admins statement in the Tape Manager configuration file) can modify the settings of a private tape pool.

Providing a user that is not an administrator an access of READ to the profile will permit the user to manage the settings of a specific private tape pool. To allow the user to manage multiple pools with the same owner, consider using a generic profile (such as EUM.POOLADMN.pool_owner.* or EUM.qual.POOLADMN.pool_owner.*).

The external security pool administrator authority differs from the same authority with Tape Manager. When the security provided by Tape Manager is used, a pool administrator has full authority to the volumes in the pool. With external security, however, the pool administrator authority is restricted to modifying the pool settings; authority to mount volumes in the pool must be granted separately through the POOLVOLS profile.

Using the pool volume profile to control access to private pool volumes

This section applies to the following authorities:

EUM.POOLVOLS.pool_owner.pool_name  or  EUM.qual.POOLVOLS.pool_owner.pool_name

The pool volume profile is used to protect tape volumes that are in a private pool (pool_owner pool_name) when Private_Pool_Authority YES is specified in the External_Security configuration statement. The profile is valid only in Tape Manager catalog operations.

The three access permissions that can be used with this profile are ALTER, UPDATE and READ. These permissions correspond to the TAPE, WRITE and READ authorities that are used with the security provided by Tape Manager.
  • Providing TAPE access to a private pool (with ALTER) allows the user to modify volume attributes for volumes in the pool (using the TAPEMOD command), and to mount volumes in the pool with either read or write access.
  • Providing WRITE access to the pool (with UPDATE) allows the user to mount volumes in the pool with either read or write access.
  • Providing READ access to the pool (with READ) allows the user to mount volumes in the pool with READ access.
To manage multiple pools with the same owner, consider using a generic profile (such as EUM.POOLVOLS.pool_owner.* or EUM.qual.POOLVOLS.pool_owner.*). If this profile is not defined (or the FACILITY class is inactive for some reason), the user ID that corresponds to the pool owner will have TAPE access to the pool by default.

Using the pool free tape profile to allow a private pool to be used as a scratch pool for another private pool

This section applies to the following authorities:

EUM.POOLFREE.pool_owner.pool_name  or  EUM.qual.POOLFREE.pool_owner.pool_name

The pool free tape profile is used to check for the authority to use a private tape pool (pool_owner pool_name) as a free pool for another private pool when Private_Pool_Authority YES is specified in the External_Security configuration statement. The profile is valid only in Tape Manager catalog operations.

A private tape pool can contain scratch volumes or the pool can draw scratch volumes from another private pool or the system free pool. The authority to this profile is checked when a pool is being defined that uses a private free pool or when an existing pool is being modified to use a private free pool.

The security provided by Tape Manager requires the owner of the pool being defined or modified to have free-tape authority for the free pool. With external security, the user that issues the command to define or modify the pool must have READ access to this profile, regardless of the pool owner of the pool to be defined or modified.

To manage multiple pools with the same owner, consider using a generic profile (such as EUM.POOLFREE.pool_owner.* or EUM.qual.POOLFREE.pool_owner.*). If this profile is not defined (or the FACILITY class is inactive for some reason), the user ID that corresponds to the pool owner will have the authority to use the pool as a free pool by default.

Using the system free pool profile to allow the system tape pool to be used as a free pool for a private pool

This section applies to the following authorities:

EUM.SYS.SCRATCH  or  EUM.qual.SYS.SCRATCH

The system free pool profile is used to check for the authority to use the system free pool as the free pool for a private pool when System_Authority YES is specified in the External_Security configuration statement. The profile is valid only in Tape Manager catalog operations.

A private tape pool can contain scratch volumes or the pool can draw scratch volumes from another private pool or the system free pool. The authority to this profile is checked when a pool is being defined that uses the system free pool or when an existing pool is being modified to use the system free pool.

The security provided by Tape Manager requires the owner of the pool being defined or modified to have authority to use the system free pool. With external security, the user that issues the command to define or modify the private tape pool must have READ access to this profile, regardless of the pool owner of the pool to be defined or modified.

Unlike the pool free tape profile, this profile has no pool_owner or pool_name qualifiers: a single profile (EUM.SYS.SCRATCH or EUM.qual.SYS.SCRATCH) covers the system free pool, so there is no generic form to define.

Using the system pool definition profile to permit the definition of a private tape pool by the pool owner

This section applies to the following authorities:

EUM.SYS.POOLDEF  or  EUM.qual.SYS.POOLDEF

The system pool definition profile is used to check for the authority to define a private tape pool when System_Authority YES is specified in the External_Security configuration statement. The profile is valid only in Tape Manager catalog operations.

The profile is checked for READ access when a user ID that is not a system administrator attempts to define a private tape pool. A user with READ access to this profile can only define private tape pools for which the user is a pool owner. When this permission is granted, consider granting the user pool administration authority for pools owned by that user to provide the authority to modify the settings of any pools the user defines.

Using the system high-level qualifier profile to manage data set names

This section applies to the following authorities:

EUM.SYS.HLQ.hlq  or  EUM.qual.SYS.HLQ.hlq

The system high-level qualifier (HLQ) profile is used to check for the authority to create a data set with the high-level qualifier when System_Authority YES is specified in the External_Security configuration statement. The profile is valid only in Tape Manager catalog operations.

If a profile is not defined, the user ID that corresponds to "hlq" is allowed to use that high-level qualifier by default. Providing UPDATE access to the profile is equivalent to providing DEFINE authority to the HLQ with the security provided by Tape Manager.
  • A user ID that requests a tape mount that will create a data set with high-level qualifier "hlq" requires UPDATE access to the profile.
  • A user ID that is not a system administrator and uses the TAPEDSN command to create a data set that begins with the high-level qualifier "hlq" requires UPDATE access to the profile.
  • A user ID that is not a system administrator and uses the TAPEDSN command to rename a data set to a data set name that begins with the high-level qualifier "hlq" requires UPDATE access to the profile.
  • A user ID that is not a system administrator and uses the TAPEDSN command to query data sets that have a high-level qualifier of "hlq" requires READ access to the profile.
The security provided by Tape Manager for the same functions requires DEFINE authority in all cases, including TAPEDSN QRY.
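The private pool profiles (POOLADMN, POOLVOLS, POOLFREE) and the system profiles (SYS.POOLDEF, SYS.SCRATCH, SYS.HLQ.hlq) described above are set up for one pool owner in this added example. It is not code from the Tape Manager product or its documentation. It assumes a pool owner user ID PAYROLL that owns pool TAPES1 and also creates data sets under the high-level qualifier PAYROLL, a pool administrator PAYADMIN, a group PAYUSERS that writes tapes in the pool, a reporting user AUDIT1, no extended qualifier, and RACF SPECIAL authority for the user running it.

```rexx
/* Added example: private pool and system-level profiles for one    */
/* pool owner. Not product code. Assumptions: owner PAYROLL, pool   */
/* TAPES1, pool administrator PAYADMIN, group PAYUSERS, user AUDIT1.*/
address cms
prefix = 'EUM.'                 /* no extended qualifier in use     */
owner  = 'PAYROLL'
pool   = 'TAPES1'
'RAC SETROPTS CLASSACT(FACILITY) GENERIC(FACILITY)'

/* Pool administrator: READ on the generic lets PAYADMIN (and the   */
/* owner) change settings of every PAYROLL pool. Unlike native TMM  */
/* security this grants no access to the volumes themselves.        */
padm = prefix'POOLADMN.'owner'.*'
'RAC RDEFINE FACILITY' padm 'UACC(NONE)'
'RAC PERMIT' padm 'CLASS(FACILITY) ID('owner' PAYADMIN) ACCESS(READ)'

/* Pool volumes: ALTER = TAPE, UPDATE = WRITE, READ = READ.         */
/* The owner only gets TAPE by default while no profile exists, so  */
/* once the profile is defined the owner must be permitted too.     */
vols = prefix'POOLVOLS.'owner'.'pool
'RAC RDEFINE FACILITY' vols 'UACC(NONE)'
'RAC PERMIT' vols 'CLASS(FACILITY) ID('owner') ACCESS(ALTER)'     /* TAPE  */
'RAC PERMIT' vols 'CLASS(FACILITY) ID(PAYUSERS) ACCESS(UPDATE)'   /* WRITE */
'RAC PERMIT' vols 'CLASS(FACILITY) ID(AUDIT1) ACCESS(READ)'       /* READ  */

/* Using a PAYROLL pool as the free pool of another pool: the check */
/* is on the user issuing the define/modify command, not the owner. */
pfree = prefix'POOLFREE.'owner'.*'
'RAC RDEFINE FACILITY' pfree 'UACC(NONE)'
'RAC PERMIT' pfree 'CLASS(FACILITY) ID('owner' PAYADMIN) ACCESS(READ)'

/* System_Authority YES: PAYROLL may define pools it owns and may   */
/* draw scratch volumes for them from the system free pool.         */
'RAC RDEFINE FACILITY' prefix'SYS.POOLDEF UACC(NONE)'
'RAC PERMIT' prefix'SYS.POOLDEF CLASS(FACILITY) ID('owner') ACCESS(READ)'
'RAC RDEFINE FACILITY' prefix'SYS.SCRATCH UACC(NONE)'
'RAC PERMIT' prefix'SYS.SCRATCH CLASS(FACILITY) ID('owner') ACCESS(READ)'

/* High-level qualifier PAYROLL: UPDATE to create or rename data    */
/* sets (including mounts that create one); READ suffices for       */
/* TAPEDSN QRY, which native TMM security would not distinguish.    */
hlq = prefix'SYS.HLQ.'owner
'RAC RDEFINE FACILITY' hlq 'UACC(NONE)'
'RAC PERMIT' hlq 'CLASS(FACILITY) ID('owner' PAYUSERS) ACCESS(UPDATE)'
'RAC PERMIT' hlq 'CLASS(FACILITY) ID(AUDIT1) ACCESS(READ)'

/* Verify the volume and HLQ access lists.                          */
'RAC RLIST FACILITY' vols 'AUTHUSER'
'RAC RLIST FACILITY' hlq 'AUTHUSER'
exit rc
```

The point to check after running it is the POOLVOLS and SYS.HLQ access lists: defining either profile replaces the owner-gets-everything default with exactly the IDs permitted, so an owner left off the list loses the TAPE access and the ability to create data sets under the qualifier that it had before the profile existed.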