z/OS Security Server RACF Security Administrator's Guide


Defining tape volumes without a TVTOC

SA23-2289-00

You can also define tape volumes without using the TVTOC operand. When you define a tape volume in this manner, RACF® does not maintain a TVTOC to control access to data sets on the volume. Instead, RACF controls access to data sets on the tape volume using only the access list in the volume's profile. Users with at least READ authority to the volume can read any data on the tape. Users with at least UPDATE authority to the volume can write data on the tape.

The following sequence of commands shows how to define a tape volume without a TVTOC and how to control access to the data sets on that volume.
  1. To define and protect a tape volume, issue the RDEFINE command with the appropriate operands and assign a UACC of NONE to the volume.
    RDEFINE TAPEVOL profile-name UACC(NONE)
    For example, to define a tape volume labeled 123456 and assign it a UACC of NONE, issue the following command.
    RDEFINE TAPEVOL 123456 UACC(NONE)

    The RDEFINE command adds a profile for the tape volume to the RACF database.

  2. To allow a user access to the volume for the purpose of creating data sets, issue the PERMIT command with the appropriate operands and give the user UPDATE access authority. For tape volume 123456, enter the command as follows.
    PERMIT 123456 CLASS(TAPEVOL) ID(userid or groupname) ACCESS(UPDATE)

    UPDATE access authority allows a user to read and write data sets to the tape volume. You should not assign ALTER access authority to a general user because ALTER allows a user to overwrite the tape label.

  3. If other users want to access the data on the tape volume, issue the PERMIT command with the appropriate operands and access authority. For example, to give another user READ access authority to tape volume 123456, issue the following command.
    PERMIT 123456 CLASS(TAPEVOL) ID(userid or groupname) ACCESS(READ)

    Note that a user must have sufficient authority to issue the PERMIT command. Because you gave the user who requested the tape volume UPDATE access authority, that user does not have sufficient authority to allow other users to access the tape volume.

  4. When a user has finished working with the tape volume, issue the PERMIT command and specify the RESET(ALL) operand. RESET(ALL) deletes the entire current standard and conditional access lists from the tape volume's profile. For tape volume 123456, enter the command as follows.
    PERMIT 123456 CLASS(TAPEVOL) RESET(ALL)

    If you delete only the access lists from a tape volume profile, you retain RACF protection for data on the volume. (In this case, no users can access the data.) If you delete the tape volume profile itself, you have no RACF protection for data on the volume. (Any user can access the data.)
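
The following Python sketch is an added example, not IBM's code. It models the access rules stated in steps 1 to 4 and flags the risky states described above: a UACC other than NONE, ALTER held by a general user, and a volume with no profile. The dictionary layout, function names, user IDs, and volumes 222222 and 333333 are constructed for illustration; conditional access lists and administrator attributes are not modeled.

```python
# Simplified model (assumption) of the access rules this page states for a
# TAPEVOL profile defined without a TVTOC. All names here are hypothetical.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]
NEEDED = {"read": "READ", "write": "UPDATE", "relabel": "ALTER"}

def rank(level):
    return LEVELS.index(level)

def effective_access(profile, userid, groups=()):
    """Userid entry wins; otherwise the highest group entry; otherwise UACC."""
    acl = profile["acl"]
    if userid in acl:
        return acl[userid]
    group_levels = [acl[g] for g in groups if g in acl]
    if group_levels:
        return max(group_levels, key=rank)
    return profile["uacc"]

def may(profiles, volser, userid, action, groups=()):
    """True if the action is allowed. No profile means no RACF protection."""
    profile = profiles.get(volser)
    if profile is None:
        return True
    return rank(effective_access(profile, userid, groups)) >= rank(NEEDED[action])

def reset_all(profile):
    """Model PERMIT ... RESET(ALL): access lists are emptied, the profile stays."""
    profile["acl"].clear()

def audit(profiles, volsers, admins=()):
    """Return (volser, finding) pairs for the risky states the page describes."""
    findings = []
    for vol in volsers:
        profile = profiles.get(vol)
        if profile is None:
            findings.append((vol, "no profile: any user can access the data"))
            continue
        if profile["uacc"] != "NONE":
            findings.append((vol, "UACC is %s, expected NONE" % profile["uacc"]))
        for ident, level in sorted(profile["acl"].items()):
            if level == "ALTER" and ident not in admins:
                findings.append((vol, "%s has ALTER and can overwrite the label" % ident))
    return findings

# Constructed sample state: 123456 follows steps 1 to 3; 222222 is misconfigured;
# 333333 has no profile at all.
PROFILES = {
    "123456": {"uacc": "NONE", "acl": {"USERA": "UPDATE", "USERB": "READ"}},
    "222222": {"uacc": "READ", "acl": {"USERC": "ALTER"}},
}
```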





Copyright IBM Corporation 1990, 2014