Admins

Use the Admins statement to define the System Administrator(s). The scope of administrator privileges is discussed following the example below.

Specify the administrator IDs after the Admins keyword, being sure to leave at least one space between each ID. In the example, the System Administrators for this system are ADMINID1 and ADMINID2.

Example:

Admins ADMNID1 ADMNID2   /*Authorized users   */  

Scope of a system administrator ID

The scope of a Tape Manager system administrator ID depends on the following:

  • when Tape Manager native security is used to control administrative command authority.
  • when an External Security Manager (ESM) is used to manage that authority.

The information that follows describes how the authorities vary for a system administrator based on which type of security, native or external, is being used with Tape Manager.

Definition and Scope of System Administrator IDs with Tape Manager Native Security

An administrator ID can be defined by one of the following methods:

  • The ADMINS statement in the Tape Manager configuration file.
  • The CMDAUTH command issued by an existing system administrator.

The scope of the administrative authority in each of the above cases is identical but only system administrator IDs defined in the Tape Manager configuration file will be retained when Tape Manager is restarted. System administrators have the authority to perform a number of functions that are not permitted for the general user:

  • Define tape pools to the system and delete them from the system (Tape Manager catalog only).
  • Grant access to any private tape pool and remove that access (Tape Manager catalog only).
  • Add volumes to the system and delete them from the system (Tape Manager catalog only).
  • Request volume-specific mounts of tape volumes that reside in the system pool (Tape Manager catalog only).
  • Query and modify the attributes of any private tape pool and volumes owned by that pool (Tape Manager catalog only).
  • Issue administrator commands, such as CMDAUTH, STATUS, and QUIT, and modify configuration settings with commands, such as CNFGSET and NODECMD.
  • Dedicate tape devices to Tape Manager using the TAPEDEV command.
  • Issue SMSG STATUS commands to the DMM and LMM machines.

In general, when the behavior of a command is different for a general user and an administrative user, the difference will be described in the documentation for that command.

For additional information on Tape Manager native security, refer to the CMDAUTH and POOLACC commands in the IBM Tape Manager for z/VM User's Guide and Reference (SC18-9349).

Definition and Scope of System Administrator IDs when an External Security Manager (ESM) Controls Administrative IDs

System administrators are managed by an ESM whenever Privileged_User_Authority YES is specified in the External_Security configuration statement in the Tape Manager configuration file (SYS CONFIG), or when the CNFGSET ESM command has been issued with PRIV YES specified when ESM checking is active.

Note: Only the ESM settings specified in the configuration statement are retained when Tape Manager is restarted.

System administrators have the authority to perform a number of functions that are not permitted for the general user:

  • Define tape pools to the system and delete them from the system (Tape Manager catalog only).
  • Grant access to any private tape pool and remove that access (Tape Manager catalog only).
  • Add volumes to the system and delete them from the system (Tape Manager catalog only).
  • Request volume-specific mounts of tape volumes that reside in the system pool (Tape Manager catalog only).
  • Query and modify the attributes of any private tape pool and volumes owned by that pool (Tape Manager catalog only).
  • Issue administrator commands, such as CMDAUTH, STATUS, and QUIT, and modify configuration settings with commands, such as CNFGSET and NODECMD.
    Note: The CMDAUTH command cannot be used to manage resources that are controlled by the External Security Manager when external security is active for Tape Manager. For example, when external security is controlling Tape Manager administrative IDs, the CMDAUTH command cannot be used to define additional administrative IDs.
  • Dedicate tape devices to Tape Manager using the TAPEDEV command when the command is not restricted by the External Security Manager.

Only user IDs specified in the ADMINS configuration statement can issue SMSG STATUS commands to the DMM and LMM, and that authority is the only special authority granted by the ADMINS configuration statement. That is, a user in the ADMINS statement does not have any additional administrative authority unless the ID has also been granted administrator authority within the ESM.

In the event that an instance of Tape Manager that normally relies on an ESM for administrative checking is forced to run without the ESM available, only users in the ADMINS configuration statement will have the authority to grant Tape Manager native security permissions. It is for that reason that at least one user ID must be specified in the ADMINS configuration statement.

For additional information on how to use external security with Tape Manager, refer to Using an External Security Manager to control Tape Manager resources.