Using the ADDSD command for a tape data set results in two discrete
profiles: an automatic tape volume profile that contains a tape volume
table of contents (TVTOC) and a tape data set profile. This means
that RACF® provides:
- Checking of the RACF security
retention period (the number of days that must elapse before the data
set can be deleted or overwritten).
- Verification for the full 44-character data set names.
- Protection for multiple data sets on a volume if all of the data
sets have the same access requirements.
- Multivolume data set protection.
- RACF protection for the
volume.
- Automatic deletion of the data set and tape volume profiles when
the data set or tape volume is overwritten and discrete protection
for the data set has expired.
Normally, you use the SET operand
(which is the default) on the ADDSD command. If the tape volume and
data set profiles get out of synchronization (that is, if the tape
volume profile refers to a data set profile that does not exist or
vice versa), use either the NOSET or SETONLY operand. Use NOSET if
you have a data set profile but no tape volume profile. Use SETONLY
if you have a tape volume profile but no data set profile.
- Having ADSP or specifying PROTECT=YES on the JCL DD statement
also results in two discrete profiles, just as the ADDSD command does.
- Data management calls RACF in
the DATASET class.
For tapes being opened for input, data management issues a RACROUTE
REQUEST=AUTH, CLASS=DATASET, DSTYPE=T macro. For tapes being opened
for output, data management issues a RACROUTE REQUEST=DEFINE, CLASS=DATASET,
DSTYPE=T macro.
RACF authorizes access to
protected tape data sets through RACF authorization
checking. RACF bypasses any
tape data set password protection. If the tape data set is not RACF-protected
or the tape protection option is not active, data management authorizes
access to tape data sets by password protection.
The following notes apply to ICH408I messages when you use generic
TAPEVOL profiles:
- The WARNING option does not provide the expected ICH408I warning
messages when added to a generic TAPEVOL profile.
- The ICH408I message that is issued when access to a tape data
set is denied includes incorrect information when the data set is
protected by both a DATASET profile and a generic TAPEVOL profile
(without the WARNING option). When the data set is protected by only
a TAPEVOL profile and access is denied, the ICH408I message correctly
indicates the ACCESS ALLOWED level based on the TAPEVOL
profile. However, when the data set is protected by both profiles
and the DATASET profile would allow access, access is denied but the
ICH408I message incorrectly indicates the ACCESS ALLOWED level
based on the DATASET profile instead of the TAPEVOL profile.