z/OS Security Server RACF Security Administrator's Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Tape data set and tape volume protection (TAPEDSN active and TAPEVOL active)

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

Using the ADDSD command for a tape data set results in two discrete profiles: an automatic tape volume profile that contains a tape volume table of contents (TVTOC) and a tape data set profile. This means that RACF® provides:
  • Checking of the RACF security retention period (the number of days that must elapse before the data set can be deleted or overwritten).
  • Verification for the full 44-character data set names.
  • Protection for multiple data sets on a volume if all of the data sets have the same access requirements.
  • Multivolume data set protection.
  • RACF protection for the volume.
  • Automatic deletion of the data set and tape volume profiles when the data set or tape volume is overwritten and discrete protection for the data set has expired.

    Normally, you use the SET operand (which is the default) on the ADDSD command. If the tape volume and data set profiles get out of synchronization (that is, if the tape volume profile refers to a data set profile that does not exist or vice versa), use either the NOSET or SETONLY operand. Use NOSET if you have a data set profile but no tape volume profile. Use SETONLY if you have a tape volume profile but no data set profile.

  • Having ADSP or specifying PROTECT=YES on the JCL DD statement also results in two discrete profiles, just as the ADDSD command does.
  • Data management calls RACF in the DATASET class.

For tapes being opened for input, data management issues a RACROUTE REQUEST=AUTH, CLASS=DATASET, DSTYPE=T macro. For tapes being opened for output, data management issues a RACROUTE REQUEST=DEFINE, CLASS=DATASET, DSTYPE=T macro.

RACF authorizes access to protected tape data sets through RACF authorization checking. RACF bypasses any tape data set password protection. If the tape data set is not RACF-protected or the tape protection option is not active, data management authorizes access to tape data sets by password protection.

The following notes apply to ICH408I messages when you use generic TAPEVOL profiles:
  • The WARNING option does not provide the expected ICH408I warning messages when added to a generic TAPEVOL profile.
  • The ICH408I message that is issued when access to a tape data set is denied includes incorrect information when the data set is protected by both a DATASET profile and a generic TAPEVOL profile (without the WARNING option). When the data set is protected by only a TAPEVOL profile and access is denied, the ICH408I message correctly indicates the ACCESS ALLOWED level based on the TAPEVOL profile. However, when the data set is protected by both profiles and the DATASET profile would allow access, access is denied but the ICH408I message incorrectly indicates the ACCESS ALLOWED level based on the DATASET profile instead of the TAPEVOL profile.
Parent topic: Choosing which tape-related options to use

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014