RACF authority needed to perform DFSMShsm functions
DFSMShsm bypasses any security checking during automatic volume space management, automatic secondary space management, and availability management.
Undirected automatic recall is caused by reference from JCL, or under TSO, to a cataloged data set that is, in fact, migrated. In such a reference, the target volume is not specified. Once recall has occurred, standard RACF® protection applies through OPEN. Table 1 shows the authority needed by TSO users to issue DFSMShsm commands.
DFSMShsm Function | RACF Resource Access Authority Required |
---|---|
Migrate a data set | UPDATE |
Recall a data set | EXECUTE |
Delete a migrated data set | ALTER |
Back up a data set | UPDATE |
Recover a backup version without specifying NEWNAME | ALTER |
Recover a backup version and specify NEWNAME | READ to original data set; ALTER on the NEWNAME |
Delete a backup version | ALTER |
Change backup characteristics | ALTER |
Aggregate backup | READ |
- HBDELETE: If the backed up data set does not exist and the data
set was protected by a discrete profile, DFSMSdfp asked RACF to delete the profile when
the data set was deleted. DFSMShsm knows that the backed up data set
was RACF-indicated. DFSMShsm fails the request on this command if
there is no backup profile or generic profile honoring access to the
data set name, or if the requester does not have ALTER authority on
either the generic profile or the backup profile.
If the backed up data set does not exist and if the data set was not RACF-indicated but was protected by a generic profile, DFSMShsm fails the request only if a generic profile that matches the original data set name does exist and the user does not have ALTER authority on that profile.
- HALTERDS: A user might set up backup characteristics for a data set that does not exist yet. As in the preceding item, DFSMShsm fails the request only if a generic profile that matches the original data set name exists and the requester does not have ALTER authority on that profile. If the data set exists, DFSMShsm fails the request if no generic profile, discrete profile, or backup profile exists honoring access to the data set name or if the requester does not have ALTER authority on the generic, the discrete, or the backup profile.