z/OS Security Server RACF Security Administrator's Guide


Defining tape volumes with a TVTOC

SA23-2289-00

To provide protection for tape data sets, you (or an assigned administrator) can predefine individual tape volumes to RACF® using the RDEFINE command with the TAPEVOL class and TVTOC operand. Tape volumes defined with the RDEFINE command and TVTOC operand are called scratch pool volumes.

When RACF processes the RDEFINE command with the TVTOC operand, it places the user ID of the command issuer in the access list of the volume with ALTER authority. A scratch pool volume can be used by any RACF-defined user for output (for writing). When the first user writes a data set to a scratch pool volume, RACF places the user ID of that user in the access list of the volume with ALTER authority. After RACF creates the volume's access list, only the command issuer, the first user of the volume, and any users added to the access list with UPDATE authority can write additional data sets to the volume.

For example, to define a tape volume labeled TX0050 with the attribute that it can hold a TVTOC and assign it a UACC of NONE, enter:
RDEFINE TAPEVOL TX0050 TVTOC UACC(NONE)

After you define a tape volume with a TVTOC, you can use generic profiles to protect data sets that reside on that volume. To define a generic profile for data sets, use the ADDSD command and specify the profile name.

The following example shows how to define the generic profile USER03.*.
ADDSD 'USER03.*'

Note:
  1. The user ID of the issuer of RDEFINE is placed automatically on the access list with ALTER only if SETROPTS ADDCREATOR is in effect.
  2. The TAPEVOL class must be active for the RDEFINE command to succeed. For more information, see Activating tape volume protection (TAPEVOL option).
  3. The TVTOC operand applies only to discrete tape volume profiles.
  4. When you issue the RDEFINE command with the TVTOC operand, you create a nonautomatic tape volume profile. For more information, see Tape volume profiles that contain a TVTOC.
  5. When you issue the ADDSD command, you can predefine a generic data set profile, or define a generic profile after the data set and TVTOC entry have been created. You can also use existing generic profiles that were created to protect DASD data sets. If you are using generic data set profiles for tape data sets, you should specify a retention period in those profiles because the SETROPTS retention period is not used.
  6. The access authorities that apply to tape volume profiles are as follows:
    NONE
        Allows no access to data on the tape volume.
    READ
        Allows users to read from the tape volume.
    UPDATE
        Allows users to read from the tape volume, and to write additional data sets to the volume.
    CONTROL
        Is equivalent to UPDATE.
    ALTER
        Allows users to read from the tape volume, to write additional data sets to the volume, and to create or destroy tape volume labels through OPEN or end-of-volume operations. For discrete tape volume profiles, allows users to change the profile, including the access list.
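
The following command sequence is an added example, not part of the IBM text. It ties the steps and notes above together: check the prerequisites, define the volume, authorize an additional writer, and verify the result. The user ID USER03 on the PERMIT command and the 30-day retention period are assumed values.

```tso
/* 1. Check prerequisites (notes 1 and 2). The output shows whether  */
/*    TAPEVOL is an active class and whether ADDCREATOR or           */
/*    NOADDCREATOR is in effect.                                     */
SETROPTS LIST

/* 2. Activate the TAPEVOL class only if step 1 shows it inactive.   */
/*    See "Activating tape volume protection (TAPEVOL option)"       */
/*    before changing this on a production system.                   */
SETROPTS CLASSACT(TAPEVOL)

/* 3. Define the scratch pool volume as a discrete profile that can  */
/*    hold a TVTOC, with no default access (command from the text).  */
RDEFINE TAPEVOL TX0050 TVTOC UACC(NONE)

/* 4. Let an additional user write data sets to the volume.          */
/*    USER03 is an assumed user ID. UPDATE is the lowest authority   */
/*    that allows writing (note 6).                                  */
PERMIT TX0050 CLASS(TAPEVOL) ID(USER03) ACCESS(UPDATE)

/* 5. Define the generic data set profile with an explicit retention */
/*    period, because the SETROPTS retention period is not used for  */
/*    generic profiles (note 5). 30 days is an assumed value.        */
ADDSD 'USER03.*' RETPD(30)

/* 6. Verify. AUTHUSER lists the access list: under NOADDCREATOR the */
/*    issuer of RDEFINE is not on it (note 1), so confirm who holds  */
/*    ALTER. TVTOC lists the data sets recorded for the volume.      */
RLIST TAPEVOL TX0050 AUTHUSER TVTOC
LISTDSD DATASET('USER03.*') ALL
```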





Copyright IBM Corporation 1990, 2014