External_Security

Use the External_Security statement only if you plan to use an External Security Manager (ESM) to control access to Tape Manager resources.

Important:

For a detailed description of the ESM profiles that are used to manage the resources that can be controlled with the External_Security statement, refer to Using an External Security Manager to control Tape Manager resources.

Refer to the IBM Tape Manager for z/VM User’s Guide and Reference (SC18-9349) for more information on the CNFGSET command and for more information on Tape Manager’s native security features in the CMDAUTH and POOLACC commands.

The parameters for this statement are:

External_Security_Manager
Indicate YES if an ESM will be used to control access for Privileged_User_Authority, Command_Authority, Private_Pool_Authority or System_Authority, which are described below; otherwise, specify NO or do not use the External_Security statement.
If NO is specified, the CNFGSET command can be used to activate ESM checking dynamically once Tape Manager is started. In this case, the subsequent settings in this statement will be used unless those settings are overridden when the CNFGSET command is issued.
Privileged_User_Authority
Specify YES if an ESM will be used to control checking for the system administrator profile and the operations profile.
Specify NO if the Tape Manager native security will be used to control privileged users.
Command_Authority
Type YES if an ESM will be used to control the use of Tape Manager commands; otherwise, specify NO. The Tape Manager native security classifies command issuers as either administrative users, operations users or general users, while the use of an ESM can control the use of any Tape Manager command by specific users.
Private_Pool_Authority
Indicate YES if an ESM will be used to check pool administrator authority (using the POOLADMIN profile), to provide access to tape volumes in a private pool (using the POOLVOLS profile), and to check authority to use a private tape pool as a free pool for another private pool (using the POOLFREE profile).
Select NO if access to private tape pool resources will be controlled with the Tape Manager native security.
Note: This setting is ignored on a request node in a Shared Catalog configuration.
System_Authority
Choose YES if an ESM will be used to control checking for the system free-pool profile, the system pool-definition profile and the system high-level qualifier profile.
Specify NO to control the resources associated with these profiles using the Tape Manager native security.
Note: This setting is ignored on a request node in a Shared Catalog configuration.
ESM_Unavailable
This setting controls processing when the ESM is unavailable. Valid values are listed below.
  • Use FALLBACK to fall back to the Tape Manager native security.
  • Use SUSPEND to accept only the commands from the system administrators or operations users specified in the Tape Manager configuration file. The native Tape Manager security will be in effect for those users.
  • Use QUIT to terminate Tape Manager when the ESM is unavailable.
Extended_Profile_Qualifier
This setting determines what, if any, extension will be inserted into the second qualifier position of the standard Tape Manager ESM security profiles when authorization checking is performed.
  • Select NONE if you do not want an additional qualifier inserted.
  • Choose TMMID if you want the user name of the TMM ID inserted into the second qualifier position.
  • Select SYSID if you want the system name inserted into the second qualifier position.
  • Specify any other valid profile qualifier if you want that qualifier inserted into the second qualifier position.

Example

External_Security,                   /* External Security Settings     */ 
  External_Security_Manager YES,     /* Use External Security Mgr      */ 
  Privileged_User_Authority YES,     /* Use ESM for admn & oper auth   */ 
  Command_Authority YES,             /* Use ESM for command auth       */ 
  Private_Pool_Authority YES,        /* Use ESM for private pools      */ 
  System_Authority YES,              /* Use ESM for system auth        */ 
  ESM_Unavailable QUIT,              /* Quit if ESM unavailable        */ 
  Extended_Profile_Qualifier NONE    /* No extended profile qualifier  */
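
The following is an added example, not part of the product documentation: a small Python review check that parses an External_Security statement and reports the settings under which a resource class, or an ESM outage, is handled by the Tape Manager native security instead of the ESM. The statement syntax is inferred only from the example above, and the function names and sample statement are constructed for illustration.

```python
import re

AUTHORITIES = ["Privileged_User_Authority", "Command_Authority",
               "Private_Pool_Authority", "System_Authority"]
# Values listed on this page for each parameter.
ALLOWED = {name: {"YES", "NO"} for name in ["External_Security_Manager"] + AUTHORITIES}
ALLOWED["ESM_Unavailable"] = {"FALLBACK", "SUSPEND", "QUIT"}
ALLOWED["Extended_Profile_Qualifier"] = None  # any valid qualifier; not value-checked

def parse_external_security(text):
    """Parse one External_Security statement into {parameter: value}."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # drop /* ... */ comments
    items = [i.split() for i in text.split(",") if i.strip()]
    if not items or items[0] != ["External_Security"]:
        raise ValueError("not an External_Security statement")
    params = {}
    for item in items[1:]:
        if len(item) != 2 or item[0] not in ALLOWED:
            raise ValueError(f"unrecognized parameter: {' '.join(item)}")
        params[item[0]] = item[1]
    return params

def audit(params):
    """Return review findings for a parsed statement (empty list = none)."""
    findings = []
    for name, value in params.items():
        if ALLOWED[name] is not None and value not in ALLOWED[name]:
            findings.append(f"{name}: invalid value {value}")
    if params.get("External_Security_Manager") != "YES":
        findings.append("External_Security_Manager: not YES, ESM checking "
                        "is not enabled by this statement")
        return findings
    for name in AUTHORITIES:
        if params.get(name) != "YES":
            findings.append(f"{name}: not set to YES")
    if params.get("ESM_Unavailable") == "FALLBACK":
        findings.append("ESM_Unavailable: FALLBACK reverts to native "
                        "security while the ESM is unavailable")
    return findings

# Constructed sample statement (not taken from a real system)
SAMPLE = """External_Security,        /* constructed sample */
  External_Security_Manager YES, Privileged_User_Authority YES,
  Command_Authority NO, Private_Pool_Authority YES, System_Authority YES,
  ESM_Unavailable FALLBACK, Extended_Profile_Qualifier SYSID"""

if __name__ == "__main__":
    for finding in audit(parse_external_security(SAMPLE)):
        print(finding)
```

On a request node in a Shared Catalog configuration, findings for Private_Pool_Authority and System_Authority do not apply, because those settings are ignored there.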