BRMS media security

BRMS monitors and protects media operations in the following ways:

BRMS provides media protection against overwriting by checking the media inventory before BRMS uses a tape. This ensures that the volume is available for use in the media scratch pool. If the volume is unavailable, BRMS rejects it, and tries to select another volume.
Media output to each function requires that the media be of the correct class. If it is not, BRMS rejects it, logs the attempted use, and tries to select another volume.

At the Secure media parameter on the media policy, you can specify whether to apply volume security to volumes in a selected media class.

Note: Only users with *ALLOBJ or *SAVSYS authority can read a secured volume. BRMS logs any unauthorized attempts, and denies read access. To use the secure option, you also need *ALLOBJ or *SAVSYS authority. You can secure media by changing the value in the Secure Media field on the media policy that you want to use for this backup to *YES.

To prevent the accidental initialization of media, set the INZMEDBRM command to CHECK(*YES). This way, BRMS will not initialize media that contains active files. You cannot use the IBM® i INZTAP command to initialize BRMS media unless you have the appropriate user authority.

You can use the Remove Media Volumes from BRM (RMVMEDBRM) command to secure the process of removing media and media information. You can also use the Remove Media Info from BRM (RMVMEDIBRM) command. BRMS processes commands that contain the 4=Remove option (for media or media information) through the RMVMEDBRM and RMVMEDIBRM commands. For example, BRMS uses the RMVMEDBRM command to process remove requests from the Work with Media (WRKMEDBRM) command. You can process any command that allows the removal of media information, such as WRKMEDIBRM, WRKSPLFBRM, WRKOBJBRM, WRKLIBBRM, through the RMVMEDIBRM command.