Using an External Security Manager to control Tape Manager resources
If you use an External Security Manager (ESM) that supports the RACROUTE macro and the FACILITY class, you can configure Tape Manager to use the ESM as its authorization mechanism instead of its own internal authorization mechanisms. A number of the facilities managed by Tape Manager can alternatively be managed by an ESM, as described in the discussion of the profiles that follows.
Overview of setup using IBM Resource Access Control Facility (RACF)
The TxTMM ID must have authority to issue checks for access to a resource on behalf of another user. An example of how to do this for IBM® Resource Access Control Facility (RACF®) is provided; however, refer to the latest documentation for your particular release of ESM for details.
To use RACF as the authorization mechanism, perform the following steps:
- Authorize communication with the RACF/VM server through IUCV.
- Authorize third-party authorization checks.
- Identify the RACF/VM server to which RACROUTE will be sent.
- Specify site-appropriate settings in the External_Security configuration statement.
- Ensure that RACF profiles and permissions are in place for the External Security configuration settings.
Each of these steps is described below.
Authorize communication with RACF/VM
The TxTMM service machine communicates with RACF through IUCV. There are two options for authorizing this communication. You should consider which option is appropriate for your system's security administration policies.
The more general option is to have the RACF/VM server (usually called RACFVM) include an IUCV ALLOW statement in its directory entry. This will permit any user in the system to establish communication with the RACF server.
The more restricted option is to have Tape Manager include an IUCV statement for the RACF/VM server (for example, IUCV RACFVM PRIORITY MSGLIMIT 255) in its directory entry. This approach permits only the users with an IUCV RACFVM statement in their directory entry to establish communication with the RACF server.
Authorize third-party checks
Authority to issue third-party authorization checks is controlled by the ICHCONN profile in the FACILITY class in RACF/VM. You must create this profile if it does not exist and give the Tape Manager server (TxTMM) UPDATE access to it.
Identify the RACF/VM server
The RACROUTE interface must be able to identify the RACF/VM server. This is done with the RACF SERVMACH file, which is normally loaded to the CMS Y-disk during RACF installation. If you want to use a different RACF server, or your installation has removed the RACF SERVMACH file from general access, you should provide a tailored RACF SERVMACH file to the Tape Manager service machine TxTMM.
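The RACF-side prerequisites above (an active FACILITY class and UPDATE access to ICHCONN for the Tape Manager server), collected into a CMS REXX exec. This is an added example, not part of the original page or of the product: it issues standard RACF commands through the RAC command, assumes the Tape Manager server user ID is TMTMM (the ID used in the autolog example later on this page), and assumes the ICHCONN profile does not exist yet. The IUCV directory statement is a CP user directory change and is not covered here. Adjust the names and check the RACF documentation for your release.

```rexx
/* TMICHCON EXEC - constructed example: RACF/VM setup that allows the   */
/* Tape Manager server to issue third-party RACROUTE checks.            */
/* Assumptions (not from the product documentation): the Tape Manager   */
/* server user ID is TMTMM and RACF commands are issued through RAC.    */
address command
tmserver = 'TMTMM'

/* The FACILITY class must be active for ICHCONN and the EUM profiles. */
'RAC SETROPTS CLASSACT(FACILITY)'
if rc <> 0 then exit rc

/* Define ICHCONN with no default access, so only explicitly permitted  */
/* user IDs may request authorization checks on behalf of other users.  */
'RAC RDEFINE FACILITY ICHCONN UACC(NONE)'
if rc <> 0 then say 'ICHCONN not defined, rc=' rc '(it may already exist)'

/* UPDATE access to ICHCONN is what allows third-party checks. */
'RAC PERMIT ICHCONN CLASS(FACILITY) ID('tmserver') ACCESS(UPDATE)'
if rc <> 0 then exit rc

/* Verify: list the profile together with every ID on its access list. */
'RAC RLIST FACILITY ICHCONN AUTHUSER'
exit rc
```

The RLIST output at the end is the check worth keeping: the access list for ICHCONN should contain only the Tape Manager server and whatever other servers your installation has deliberately allowed to perform third-party checks.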
Specify the security settings in the External_Security configuration file statement
Update the Tape Manager configuration file SYS CONFIG to specify External_Security_Manager YES to enable profile checking.
- Privileged_User_Authority: When set to YES, this setting activates ESM checking for both the system administrator profile and the operations profile.
- Private_Pool_Authority: When set to YES, this setting activates ESM checking for the pool administrator profile, the pool volume profile and the pool free tape profile.
- System_Authority: When set to YES, this setting activates ESM checking for the system free pool profile, the system pool definition profile and the system high-level qualifier profile.
The profiles are described in the discussion that follows. Refer to the Tape Manager configuration documentation in this guide for additional information on the External_Security statement.
Two runtime options (ESM and NOESM) are supported to override the External_Security_Manager setting at start up, without the need to modify the configuration file. An example of a command to autolog the TMM machine and force the ESM setting to NO would be:
CP XAUTOLOG TMTMM # NOESM
This command will pass the NOESM runtime option to the TMM machine at start up, as long as the site allows the log on parameter to be passed to the program. If the command is entered from the command line, it may be necessary to use an escape character (typically a double quote) to pass the pound sign as a parameter, depending on the CP TERM settings.
Using the NOESM option can be a convenient way to start Tape Manager in a situation where Tape Manager typically runs with an ESM, but the ESM is not available for some reason. Remember that only administrators that are defined in the Admins statement in the Tape Manager configuration file will have administrator privileges when running with the NOESM option.
The settings available in the External_Security configuration statement can also be modified dynamically by a system administrator using the CNFGSET ESM command, but the configuration settings in the Tape Manager configuration file will take effect when Tape Manager is restarted. Refer to the POOLACC and CMDAUTH commands in the IBM Tape Manager for z/VM® User Guide for more information about the native security facilities provided by Tape Manager.
Define Tape Manager FACILITY class profiles and grant permissions
If an extended profile qualifier has been set in the External_Security configuration statement, the extended form of the profile names that follow should be used and the value of the extended qualifier should be substituted for "qual". The use of these profiles is enabled only if External_Security_Manager YES is specified in the External_Security configuration statement.
The profiles must be defined in the FACILITY class and that class must be active in the External Security Manager. A brief explanation is provided in the profile descriptions when the protection offered by the external security profiles differs substantially from the protection offered by the security provided in Tape Manager.
Using the administrator profile to authorize system administrators
This section applies to the following authorities:
EUM.AUTH.ADMN or EUM.qual.AUTH.ADMN
The system administrator profile is used to check for administrator authority when Privileged_User_Authority YES is specified in the External_Security configuration statement. Otherwise, Tape Manager will check for that authority based on the security settings provided by Tape Manager. The profile is valid when using the Tape Manager catalog or when using a z/OS® DFSMS Removable Media Manager catalog (RMM catalog).
An access authority of READ to the profile will provide administrator authority to an individual or group when profile checking is active. Consider creating a user group for those users that require system administrator authority and providing that group READ access to the profile. Administrators have broad authority and are not subject to the standard operational security checks, with the exception that an administrator may not mount a tape in a private pool without an appropriate permission for the pool.
Admins and Operations statements in the Tape Manager configuration file. This provides sufficient operational authority in the event that it is necessary to operate Tape Manager when the ESM is not available. Additional permissions can be granted by system administrators using the CMDAUTH command when the ESM is not active.
Using the operations profile to authorize operations users
This section applies to the following authorities:
EUM.AUTH.OPER or EUM.qual.AUTH.OPER
The operations profile is used to check for operations authority when Privileged_User_Authority YES is specified in the External_Security configuration statement. Otherwise, Tape Manager will check for that authority based on the security settings provided by Tape Manager. The profile is valid in Tape Manager catalog and RMM catalog operations.
An access of READ to the profile will provide operations authority to an individual or group when profile checking is active. Consider creating a user group for those users that require operations authority and providing that group READ access to the profile.
Operators are permitted to issue commands that are necessary to monitor and operate the system on a normal basis. These commands include the ability to manage Tape Manager devices and automated tape libraries, manage tape mount requests, query volume information, quiesce the system (allowing only administrator commands), and manage communications between Tape Manager nodes in a Shared Catalog environment.
Using the command profile to authorize the use of commands
This section applies to the following authorities:
EUM.CMND.command or EUM.qual.CMND.command
The command profile is used to check for the authority of a user, other than a system administrator, to issue a specific command when Command_Authority YES is specified in the External_Security configuration statement. The profile is valid in Tape Manager catalog and RMM catalog operations.
An access permission of READ provides a user the authority to issue the command while a permission of NONE means that a user cannot use the command. The authority to use a command is not necessarily sufficient authority for the command to execute successfully – that authority only ensures that the command will not be rejected based on the command name.
For example, if a command requires administrator authority, the issuer must also be a system administrator for the command to complete successfully. Consider using a generic form of this profile (such as EUM.CMND.* or EUM.qual.CMND.*), with a universal access of READ, to provide the same default ability for any user to issue any command as when an ESM is not used to protect the commands.
Using the pool administrator profile to authorize a private pool administrator
This section applies to the following authorities:
EUM.POOLADMN.pool_owner.pool_name or EUM.qual.POOLADMN.pool_owner.pool_name
The pool administrator profile is used to check for pool administrator authority for a private pool (pool_owner pool_name) when Private_Pool_Authority YES is specified in the External_Security configuration statement. The profile is valid only in Tape Manager catalog operations. By default, only system administrators (defined on the Admins statement in the Tape Manager configuration file) can modify the settings of a private tape pool.
Providing a user that is not an administrator an access of READ to the profile will permit the user to manage the settings of a specific private tape pool. To allow the user to manage multiple pools with the same owner, consider using a generic profile (such as EUM.POOLADMN.pool_owner.* or EUM.qual.POOLADMN.pool_owner.*).
The external security pool administrator authority is different from the same authority within Tape Manager. When the security provided by Tape Manager is used, a pool administrator has full authority to the volumes in the pool. With external security, however, the pool administrator authority is restricted to modifying the pool settings; additional authority to the volumes must be provided via the POOLVOLS profile to grant the authority to mount volumes in the pool.
Using the pool volume profile to control access to private pool volumes
This section applies to the following authorities:
EUM.POOLVOLS.pool_owner.pool_name or EUM.qual.POOLVOLS.pool_owner.pool_name
The pool volume profile is used to protect tape volumes that are in a private pool (pool_owner pool_name) when Private_Pool_Authority YES is specified in the External_Security configuration statement. The profile is valid only in Tape Manager catalog operations.
- Providing TAPE access to a private pool (with ALTER) allows the user to modify volume attributes for volumes in the pool (using the TAPEMOD command), and to mount volumes in the pool with either read or write access.
- Providing WRITE access to the pool (with UPDATE) allows the user to mount volumes in the pool with either read or write access.
- Providing READ access to the pool (with READ) allows the user to mount volumes in the pool with READ access.
To allow the user access to multiple pools with the same owner, consider using a generic profile (such as EUM.POOLVOLS.pool_owner.* or EUM.qual.POOLVOLS.pool_owner.*).
If this profile is not defined (or the facility class is inactive for some reason), the user ID that corresponds to the pool owner will have TAPE access to the pool by default.
Using the pool free tape profile to allow a private pool to be used as a scratch pool for another private pool
This section applies to the following authorities:
EUM.POOLFREE.pool_owner.pool_name or EUM.qual.POOLFREE.pool_owner.pool_name
The pool free tape profile is used to check for the authority to use a private tape pool (pool_owner pool_name) as a free pool for another private pool when Private_Pool_Authority YES is specified in the External_Security configuration statement. The profile is valid only in Tape Manager catalog operations.
A private tape pool can contain scratch volumes or the pool can draw scratch volumes from another private pool or the system free pool. The authority to this profile is checked when a pool is being defined that uses a private free pool or when an existing pool is being modified to use a private free pool.
The security provided by Tape Manager requires the owner of the pool being defined or modified to have free-tape authority for the free pool. With external security, the user that issues the command to define or modify the pool must have READ access to this profile, regardless of the pool owner of the pool to be defined or modified.
To manage multiple pools with the same owner, consider using a generic profile (such as EUM.POOLFREE.pool_owner.* or EUM.qual.POOLFREE.pool_owner.*).
If this profile is not defined (or the facility class is inactive for some reason), the user ID that corresponds to the pool owner will have the authority to use the pool as a free pool by default.
Using the system free pool profile to allow the system tape pool to be used as a free pool for a private pool
This section applies to the following authorities:
EUM.SYS.SCRATCH or EUM.qual.SYS.SCRATCH
The system free pool profile is used to check for the authority to use the system free pool as the free pool for a private pool when System_Authority YES is specified in the External_Security configuration statement. The profile is valid only in Tape Manager catalog operations.
A private tape pool can contain scratch volumes or the pool can draw scratch volumes from another private pool or the system free pool. The authority to this profile is checked when a pool is being defined that uses the system free pool or when an existing pool is being modified to use the system free pool.
The security provided by Tape Manager requires the owner of the pool being defined or modified to have authority to use the system free pool. With external security, the user that issues the command to define or modify the private tape pool must have READ access to this profile, regardless of the pool owner of the pool to be defined or modified.
To manage multiple pools with the same owner, consider using a generic profile (such as EUM.POOLFREE.pool_owner.* or EUM.qual.POOLFREE.pool_owner.*).
If this profile is not defined (or the facility class is inactive for some reason), the user ID that corresponds to the pool owner will have the authority to use the pool as a free pool by default.
Using the system pool definition profile to permit the definition of a private tape pool by the pool owner
This section applies to the following authorities:
EUM.SYS.POOLDEF or EUM.qual.SYS.POOLDEF
The system pool definition profile is used to check for the authority to define a private tape pool when System_Authority YES is specified in the External_Security configuration statement. The profile is valid only in Tape Manager catalog operations.
The profile is checked for READ access when a user ID that is not a system administrator attempts to define a private tape pool. A user with READ access to this profile can only define private tape pools for which the user is a pool owner. When this permission is granted, consider granting the user pool administration authority for pools owned by that user to provide the authority to modify the settings of any pools the user defines.
Using the system high-level qualifier profile to manage data set names
This section applies to the following authorities:
EUM.SYS.HLQ.hlq or EUM.qual.SYS.HLQ.hlq
The system high-level qualifier (HLQ) profile is used to check for the authority to create a data set with the high-level qualifier when System_Authority YES is specified in the External_Security configuration statement. The profile is valid only in Tape Manager catalog operations.
- A user ID that requests a tape mount that will create a data set with high-level qualifier "hlq" requires UPDATE access to the profile.
- A user ID that is not a system administrator and uses the TAPEDSN command to create a data set that begins with the high-level qualifier "hlq" requires UPDATE access to the profile.
- A user ID that is not a system administrator and uses the TAPEDSN command to rename a data set to a data set name that begins with the high-level qualifier "hlq" requires UPDATE access to the profile.
- A user ID that is not a system administrator and uses the TAPEDSN command to query data sets that have a high-level qualifier of "hlq" requires READ access to the profile.
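The profile definitions and permissions described in the preceding sections, collected into one CMS REXX exec. This is an added example, not part of the original page or of the product: it issues standard RACF commands through the RAC command and assumes that no extended profile qualifier is configured (so the short profile names are used), that the FACILITY class is already active, and that the groups TMADMIN and TMOPER, the pool owner PAYROLL with private pool PAYTAPES, the user IDs PAYBATCH and PAYAUDIT, and the high-level qualifier PAYROLL are placeholders to be replaced with your own names.

```rexx
/* TMPROFS EXEC - constructed example: define the Tape Manager FACILITY */
/* class profiles and grant the access levels the documentation calls    */
/* for. Assumptions (not from the product documentation): no extended    */
/* qualifier; groups TMADMIN/TMOPER hold administrators and operators;   */
/* user PAYROLL owns private pool PAYTAPES; PAYBATCH writes tapes in the  */
/* pool; PAYAUDIT only reads them and queries data sets under HLQ PAYROLL.*/
address command

/* Generic profiles such as EUM.CMND.* need generic processing for FACILITY. */
'RAC SETROPTS GENERIC(FACILITY)'

/* Groups make later additions and removals a CONNECT/REMOVE, not a PERMIT. */
'RAC ADDGROUP TMADMIN'
'RAC ADDGROUP TMOPER'

/* System administrator and operations profiles: READ grants the authority. */
'RAC RDEFINE FACILITY EUM.AUTH.ADMN UACC(NONE)'
'RAC PERMIT EUM.AUTH.ADMN CLASS(FACILITY) ID(TMADMIN) ACCESS(READ)'
'RAC RDEFINE FACILITY EUM.AUTH.OPER UACC(NONE)'
'RAC PERMIT EUM.AUTH.OPER CLASS(FACILITY) ID(TMOPER) ACCESS(READ)'

/* Command profile: a generic profile with UACC(READ) keeps the default   */
/* that any user may issue any command; each command's own authority      */
/* checks (for example, administrator authority) still apply.             */
'RAC RDEFINE FACILITY EUM.CMND.* UACC(READ)'

/* Private pool PAYTAPES owned by PAYROLL: POOLADMN lets the owner change  */
/* pool settings; POOLVOLS decides who may mount or modify its volumes.   */
'RAC RDEFINE FACILITY EUM.POOLADMN.PAYROLL.PAYTAPES UACC(NONE)'
'RAC PERMIT EUM.POOLADMN.PAYROLL.PAYTAPES CLASS(FACILITY) ID(PAYROLL) ACCESS(READ)'
'RAC RDEFINE FACILITY EUM.POOLVOLS.PAYROLL.* UACC(NONE)'
/* ALTER = TAPE access (TAPEMOD plus read/write mounts) */
'RAC PERMIT EUM.POOLVOLS.PAYROLL.* CLASS(FACILITY) ID(PAYROLL) ACCESS(ALTER)'
/* UPDATE = WRITE access (read/write mounts only) */
'RAC PERMIT EUM.POOLVOLS.PAYROLL.* CLASS(FACILITY) ID(PAYBATCH) ACCESS(UPDATE)'
/* READ = read-only mounts */
'RAC PERMIT EUM.POOLVOLS.PAYROLL.* CLASS(FACILITY) ID(PAYAUDIT) ACCESS(READ)'

/* System-level profiles: defining private pools, drawing scratch volumes */
/* from the system free pool, and creating data sets under an HLQ.        */
'RAC RDEFINE FACILITY EUM.SYS.POOLDEF UACC(NONE)'
'RAC PERMIT EUM.SYS.POOLDEF CLASS(FACILITY) ID(PAYROLL) ACCESS(READ)'
'RAC RDEFINE FACILITY EUM.SYS.SCRATCH UACC(NONE)'
'RAC PERMIT EUM.SYS.SCRATCH CLASS(FACILITY) ID(PAYROLL) ACCESS(READ)'
'RAC RDEFINE FACILITY EUM.SYS.HLQ.PAYROLL UACC(NONE)'
/* UPDATE: mounts that create, and TAPEDSN create/rename, under the HLQ */
'RAC PERMIT EUM.SYS.HLQ.PAYROLL CLASS(FACILITY) ID(PAYROLL) ACCESS(UPDATE)'
/* READ: TAPEDSN query of data sets under the HLQ only */
'RAC PERMIT EUM.SYS.HLQ.PAYROLL CLASS(FACILITY) ID(PAYAUDIT) ACCESS(READ)'

/* Refresh in-storage generic profiles and review everything defined. */
'RAC SETROPTS GENERIC(FACILITY) REFRESH'
'RAC SEARCH CLASS(FACILITY) MASK(EUM.)'
exit rc
```

Every profile is defined with UACC(NONE) except EUM.CMND.*, which mirrors the page's advice to keep the no-ESM default for command names while leaving the real gate on EUM.AUTH.ADMN, EUM.AUTH.OPER and the pool profiles. Because an undefined POOLVOLS or POOLFREE profile silently falls back to giving the pool owner access, the closing SEARCH is the quick way to confirm that a profile you believe protects a pool actually exists.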