Authorization

Tape Manager Admins, Operations IDs, and the DSE ID can do any of the following:
  • Query any volume.
  • Specify SYS for the pool owner.
  • Specify the PERSIST parameter.
General User IDs have these rules for issuing the TAPEQRY command:
  • Can query only volumes for which the requestor has at least READ authority.
  • Cannot specify SYS for the pool owner.
  • Cannot specify the PERSIST parameter.

The TAPEQRY command requires at least READ authority for any volumes requested. You must have Tape Manager Admins, Operations, or DSE ID authority to use the SYS operand or the PERSIST parameter.

For TAPEQRY VOL requests, a request to query the volume will be granted if the use-status of the volume is FREE and the requestor has at least READ access to the pool that previously owned the volume. The request is granted regardless of the access allowed to the pool in which the volume currently resides.
Note: The pool that previously owned the volume can be displayed using the LONG form of TAPEQRY. In that case, the pool is identified by the previous pool owner and previous pool name.

When pool access is controlled by an External Security Manager, the owner of a pool is authorized for the pool if a security profile for the pool is not defined or the facility class is not active.

When an External Security Manager (ESM) is active, the authorization requirements may be controlled by ESM profiles:

  • When Pool_Authority is YES, pool administrator authority requires READ access to the pool administrator profile for the pool being queried. Pool administrator authority for a private pool is sufficient to query volumes in the private pool, but access to the pool volume profile can suffice as well.
  • When Pool_Authority is YES, READ authority for the private pool requires at least READ access to the pool volume profile of the private pool. If the pool volume profile is not defined, the user ID that corresponds to the pool owner has TAPE authority by default.
  • When Privileged_User_Authority is YES, Tape Manager Operations authority requires READ access to the operator profile.
  • When Privileged_User_Authority is YES, Tape Manager Admins authority requires READ access to the administrator profile.

For more details, refer to the IBM Tape Manager for z/VM Installation and Administration Guide (SC18-9344).