z/OS Security Server RACF Security Administrator's Guide


DASD volume authority

SA23-2289-00

By defining profiles in the DASDVOL class, you can define DASD volumes to RACF® and authorize users to perform maintenance operations (such as dump, restore, scratch, and rename) without having access to the data set profiles protecting the data sets. (If a user does not have the necessary DASDVOL authority, he or she must have the necessary authority in the DATASET class to each of the data sets on the volume.)

The access authority that you give to a user depends on the product that the user is using:
  • If the user is using DFSMSdss, the access authority required depends on the specific action that the user is requesting (for example, DUMP with DELETE or DUMP without DELETE). For a complete description of the access authorities required, see z/OS DFSMSdss Storage Administration.
  • If the user is using the DADSM scratch function, ALTER access authority allows the user to scratch data sets on the volume.
    Note: If a data set protected by a discrete profile is scratched, the discrete profile is deleted, or, in the case of a multivolume data set, the volume serial number is removed from the data set profile.
  • If the user is using the Device Support Facilities (ICKDSF) program, ALTER allows the user to rename DASD volumes.
  • Other products can also check for authorization in the DASDVOL class.

    Exception: DASDVOL authority does not allow users to perform DFSMSdss logical operations on SMS-managed data sets. To allow logical operations, you can either give the user the OPERATIONS (or group-OPERATIONS) attribute or, if you have the necessary software, define the user as an authorized storage administrator. For more information on the latter alternative, see DFSMSdss storage administration.

As an alternative to assigning the OPERATIONS or group-OPERATIONS attribute, DASDVOL authority allows you to authorize operations personnel to access only those volumes that they must maintain. Using DASDVOL authority is also more efficient for functions such as volume dumping, because only one authorization check for the volume needs to be issued, instead of individual requests for each data set on the volume. For a description of the OPERATIONS attribute, see The OPERATIONS attribute.

If the volume serials do not readily allow the use of * or % as generic characters in DASDVOL profile names, consider creating profiles in the GDASDVOL class. See Creating resource group profiles.
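The scoping described above, as an added example that is not part of the IBM guide: RACF TSO commands that replace a system-wide OPERATIONS attribute with ALTER access to one set of volumes. The user ID OPSUSR1, group OPSGRP1, owner STGADMIN, and the assumption that the volumes to maintain share the serial prefix PRD are all hypothetical.

```tso
 /* Before: OPSUSR1 holds OPERATIONS, which is not limited to   */
 /* the volumes this user maintains.                            */
 LISTUSER OPSUSR1

 /* Allow generic profile names in the DASDVOL class, so that   */
 /* one profile can cover every volume serial starting PRD.     */
 SETROPTS GENERIC(DASDVOL)

 /* Define the volumes to RACF. UACC(NONE) leaves access to the */
 /* access list only; AUDIT logs every use of the profile.      */
 RDEFINE DASDVOL PRD* UACC(NONE) OWNER(STGADMIN) AUDIT(ALL(READ))

 /* ALTER is the level the guide gives for DADSM scratch and    */
 /* ICKDSF rename. DFSMSdss actions may need a different level; */
 /* check the DFSMSdss documentation before granting.           */
 PERMIT PRD* CLASS(DASDVOL) ID(OPSGRP1) ACCESS(ALTER)

 /* Activate the class and refresh the generic profiles.        */
 SETROPTS CLASSACT(DASDVOL)
 SETROPTS GENERIC(DASDVOL) REFRESH

 /* After: remove the broad attribute and confirm who is on the */
 /* access list for the volume profile.                         */
 ALTUSER OPSUSR1 NOOPERATIONS
 RLIST DASDVOL PRD* AUTHUSER
```

Per the exception noted earlier, this profile does not cover DFSMSdss logical operations on SMS-managed data sets, so confirm those are not part of the user's duties before removing OPERATIONS.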





Copyright IBM Corporation 1990, 2014