External_Security
Use the External_Security statement only if you plan to use an External Security Manager (ESM) to control access to Tape Manager resources.
Important:
For a detailed description of the ESM profiles that are used to manage the resources that can be controlled with the External_Security statement, refer to Using an External Security Manager to control Tape Manager resources.
Refer to the IBM Tape Manager for z/VM User’s Guide and Reference (SC18-9349) for more information on the CNFGSET command and for more information on Tape Manager’s native security features in the CMDAUTH and POOLACC commands.
The parameters for this statement are:
- External_Security_Manager
- Indicate YES if an ESM will be used to control access for Privileged_User_Authority, Command_Authority, Private_Pool_Authority or System_Authority, which are described below; otherwise, specify NO or do not use the External_Security statement.
- Privileged_User_Authority
- Specify YES if an ESM will be used to control checking for the system administrator profile and the operations profile.
- Command_Authority
- Specify YES if an ESM will be used to control the use of Tape Manager commands; otherwise, specify NO. Tape Manager native security classifies command issuers as administrative users, operations users or general users, whereas an ESM can control the use of any Tape Manager command by specific users.
- Private_Pool_Authority
- Indicate YES if an ESM will be used to control checking for pool administrator authority (using POOLADMIN profile), provide access to tape volumes in a private pool (using POOLVOLS profile), and check authority to use a private tape pool as a free pool for another private pool (using POOLFREE profile).
- System_Authority
- Choose YES if an ESM will be used to control checking for the system free-pool profile, the system pool-definition profile and the system high-level qualifier profile.
- ESM_Unavailable
- This setting controls processing when the ESM is unavailable. Valid values are listed below.
- Use FALLBACK to fall back to the Tape Manager native security.
- Use SUSPEND to accept only the commands from the system administrators or operations users specified in the Tape Manager configuration file. The native Tape Manager security will be in effect for those users.
- Use QUIT to terminate Tape Manager when the ESM is unavailable.
- Extended_Profile_Qualifier
- The setting determines what, if any, extension will be inserted into the second qualifier position of the standard Tape Manager ESM security profiles when authorization checking is performed.
- Select NONE if you do not want an additional qualifier inserted.
- Choose TMMID if you want the user name of the TMM ID inserted into the second qualifier position.
- Select SYSID if you want the system name inserted into the second qualifier.
- Specify any other valid profile qualifier if you want that qualifier inserted into the second qualifier position.
Example
External_Security, /* External Security Settings */
External_Security_Manager YES, /* Use External Security Mgr */
Privileged_User_Authority YES, /* Use ESM for admn & oper auth */
Command_Authority YES, /* Use ESM for command auth */
Private_Pool_Authority YES, /* Use ESM for private pools */
System_Authority YES, /* Use ESM for system auth */
ESM_Unavailable QUIT, /* Quit if ESM unavailable */
Extended_Profile_Qualifier NONE /* No extended profile qualifier */
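
The following Python check is an added example, not IBM code. It parses an External_Security statement in the syntax shown in the Example above and reports which authority areas are left to Tape Manager native security and whether an ESM outage hands decisions back to native security. The review criteria, the function names and the exact-case keyword matching are assumptions of this example.

```python
import re

# Names and values as listed on this page; exact-case matching is this example's assumption.
YES_NO = ("External_Security_Manager", "Privileged_User_Authority",
          "Command_Authority", "Private_Pool_Authority", "System_Authority")
OTHER = ("ESM_Unavailable", "Extended_Profile_Qualifier")
OUTAGE_MODES = ("FALLBACK", "SUSPEND", "QUIT")

def parse_statement(text):
    """Return {parameter: value} for one External_Security statement."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # drop /* ... */ comments
    parts = [p.split() for p in text.split(",") if p.strip()]
    if not parts or parts[0] != ["External_Security"]:
        raise ValueError("not an External_Security statement")
    params = {}
    for key, value in parts[1:]:  # ValueError unless the item is 'keyword value'
        params[key] = value.upper()
    return params

def audit(params):
    """Return review notes; the criteria are this example's, not IBM's."""
    notes = [f"{k}: not a parameter listed for this statement"
             for k in params if k not in YES_NO + OTHER]
    for key in YES_NO:
        if params.get(key) not in ("YES", "NO"):
            notes.append(f"{key}: expected YES or NO, found {params.get(key)}")
    if params.get("External_Security_Manager") == "YES":
        for key in YES_NO[1:]:
            if params.get(key) == "NO":
                notes.append(f"{key}: NO, so the ESM does not control this area")
        mode = params.get("ESM_Unavailable")
        if mode not in OUTAGE_MODES:
            notes.append(f"ESM_Unavailable: expected one of {OUTAGE_MODES}, found {mode}")
        elif mode == "FALLBACK":
            notes.append("ESM_Unavailable: FALLBACK, native security decides during an ESM outage")
    return notes

# Constructed sample: the page's example with two values changed.
SAMPLE = """External_Security, /* External Security Settings */
External_Security_Manager YES, /* Use External Security Mgr */
Privileged_User_Authority YES,
Command_Authority NO, /* native command classes apply */
Private_Pool_Authority YES,
System_Authority YES,
ESM_Unavailable FALLBACK,
Extended_Profile_Qualifier NONE"""
if __name__ == "__main__":
    for note in audit(parse_statement(SAMPLE)):
        print(note)
```

Run against the statement in the Example above, `audit` returns no notes, because every area is delegated to the ESM and ESM_Unavailable is QUIT.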