Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
RACF authorization of bypass label processing (BLP) z/OS Security Server RACF Security Administrator's Guide SA23-2289-00 |
|
Your installation can specify JES initialization parameters to allow bypass label processing (BLP). For details, see z/OS JES2 Initialization and Tuning Reference and z/OS JES3 Initialization and Tuning Reference. Other factors, such as the use of a tape management system or certain other system parameters, also affect tape bypass label processing. If your installation uses a tape management system, see its product documentation. Also, see z/OS MVS Initialization and Tuning Reference for information about the TAPEAUTHDSN parameter in the DEVSUPxx member of SYS1.PARMLIB. If your system does not support BLP processing, the system converts all BLP requests to requests for nonlabeled tapes. If a labeled tape is mounted to satisfy this specification, RACF® performs authorization checking and, if the user has sufficient authority, the label is destroyed. For more information, see Tape data set and tape volume protection for nonlabeled (NL) tapes. If your system supports BLP processing, RACF provides installations with the ability
to control the use of the BLP option on JCL DD statements. To control
who can use BLP, perform the following steps:
RACF checks the user's authority to the ICHBLP resource when the user attempts to access a tape with an IBM® standard or ANSI label (even if BLP is specified on the LABEL operand of the DD statement for the tape volume). RACF performs BLP authorization checking only if the TAPEVOL class is active. If TAPEVOL is not active, data management does not call RACF to perform BLP or tape access checking. If RACF finds an ICHBLP profile, RACF verifies that the user has sufficient authority to use bypass label processing. If the user does not have sufficient authority, RACF fails the request. If RACF does not find an ICHBLP profile or if the user has sufficient authority to use bypass label processing, RACF performs authorization checking on the volume. If the user has sufficient authority to the volume, RACF grants the request. Otherwise, RACF fails the request. Note: RACF performs authorization
checking on a volume based on the volume serial number specified on
the JCL statement. Proper authorization checking, therefore, depends
on the operator mounting the correct volume.
|
Copyright IBM Corporation 1990, 2014
|