Protecting data

Data on IBM standard volumes can be protected by either RACF or data set password protection. In an IBM system-managed tape library, data set password protection is not supported.

IBM recommends RACF instead of data set password protection. For more information, see z/OS DFSMSdfp Advanced Services.

Note: All checking for authorization will be bypassed if security processing is suppressed. This can occur, for example, when the program properties table entry for the job step program is marked to suppress security checking. Only the system programmer can update the program properties table. For information about the program properties table, see z/OS MVS Initialization and Tuning Reference.

RACF allows you to control access to either the tape volumes or the individual data sets on the tape. RACF protection at the volume level overrides RACF protection at the data set level. See z/OS Security Server RACF Security Administrator's Guide for information on how to activate these levels of RACF protection, and how they interact with each other and with your own tape management system, if applicable.

DFSMSrmm supports RACF protection, but not password protection. For more information about DFSMSrmm and RACF, see z/OS DFSMSrmm Implementation and Customization Guide.

The following principles apply to RACF protection at the volume level:
  • ALTER access authority is required to create or destroy the tape volume label.
  • READ access authority is required to open the volume for input (open options INPUT or RDBACK). Note that if your program uses the INOUT option of OPEN and the DD statement has LABEL=(,,,IN), the system treats it as the INPUT option.
  • UPDATE access authority is required to open the volume for output (open options OUTPUT, EXTEND, INOUT, OUTIN, or OUTINX).

If the tape volume is defined to RACF, the user has UPDATE access authority, and PROTECT=YES has not been specified in the JCL, the user can open the volume to read or write.

If the tape volume is defined to RACF and the user has UPDATE authority, and PROTECT=YES has been specified in the JCL, and the tape is not a RACF scratch volume, the request fails.

If the tape volume is defined to RACF and the user has READ but not UPDATE access authority, or if the user has UPDATE access but PROTECT=YES has been specified in the JCL and the volume is a RACF scratch tape volume, the system does not grant the user access to read until it has ensured that the user will not be able to write on the tape. The user cannot access the volume until one of the following conditions is met:

  1. Hardware Protection. If the write-enable ring has been removed from the tape reel or the write-protect tab has been set to disable writing on the tape cartridge, the tape volume cannot be written on by any user, so the system safely permits the user to access the tape to read. This hardware protection cannot be circumvented by software.
  2. Logical write-protection. If the write-protect tab on an IBM magnetic tape cartridge is set to enable writing, the system issues a hardware command to prevent writing on that cartridge. If the command succeeds, the system safely allows the user to access the tape to read. An unauthorized program cannot bypass this combination of hardware and software protection.
  3. IEC.TAPERING. Your installation may choose to depend on a tape management system to prevent overwriting unexpired data on tapes. Typically, a tape management system only allows volumes with no unexpired data to be opened for output. DFSMSrmm provides facilities to prevent accidental overwriting of non-scratch volumes. The IEC.TAPERING support facilitates the operation of tape management systems because it allows all volumes to remain write-enabled (by the ring in the volume or the switch on the cartridge), eliminating the need for further operator intervention.

    If the write ring or cartridge tab is set to enable writing, the system checks whether the user has READ authority to the IEC.TAPERING profile in the RACF FACILITY class. If the user does have this authority, the system grants the user access.

    Attention: If you use the IEC.TAPERING support to allow users to read from tapes that are enabled for writing (when the users are only authorized to read), the system software cannot prevent knowledgeable users from also writing on any files on the tapes.
  4. Operator Intervention. If none of the preceding conditions are met, the system requires the operator to intervene and prevent writing on the volume. The system demounts the tape and issues a message asking the operator to remove the write-enable ring from the tape reel or change the switch on the tape cartridge. After the operator remounts the tape, the system continues to protect the volume from unauthorized writing by repeating the preceding checks, beginning with the check for hardware protection, until one of the conditions is met.

If the tape volume is not defined to RACF, access is granted and processing continues. For an overview of RACF protection for tape volumes, see z/OS Security Server RACF Security Administrator's Guide. For information on how DFSMSrmm can help you manage RACF security for your tape volumes, see z/OS DFSMSrmm Implementation and Customization Guide.
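The volume-level rules above can be traced as one decision function. This is an added example, not IBM code: a simplified Python model of the checks in the order this page states them. `TapeOpen`, `decide`, the field names and the outcome strings are hypothetical names chosen for the illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Access(IntEnum):          # levels named on this page, in RACF order
    NONE = 0
    READ = 1
    UPDATE = 2
    ALTER = 3

INPUT_OPTS = {"INPUT", "RDBACK"}
OUTPUT_OPTS = {"OUTPUT", "EXTEND", "INOUT", "OUTIN", "OUTINX"}

@dataclass
class TapeOpen:                  # hypothetical request record for the model
    racf_defined: bool
    access: Access
    open_option: str
    label_in: bool = False       # DD statement has LABEL=(,,,IN)
    protect_yes: bool = False    # PROTECT=YES in the JCL
    racf_scratch: bool = False   # volume is a RACF scratch volume
    hw_protected: bool = False   # ring removed or write-protect tab set
    logical_ok: bool = False     # logical write-protect command succeeded
    tapering_read: bool = False  # READ to IEC.TAPERING in class FACILITY

def decide(req: TapeOpen) -> tuple[str, str]:
    """Return (outcome, reason) following the rules in the order stated above."""
    if not req.racf_defined:
        return "GRANT", "volume not defined to RACF"
    opt = req.open_option
    if opt == "INOUT" and req.label_in:
        opt = "INPUT"            # INOUT with LABEL=(,,,IN) is treated as INPUT
    if opt not in INPUT_OPTS | OUTPUT_OPTS:
        raise ValueError(f"unknown open option: {opt}")
    needed = Access.READ if opt in INPUT_OPTS else Access.UPDATE
    if req.access < needed:
        return "DENY", f"{needed.name} authority required for {opt}"
    if req.access >= Access.UPDATE:
        if not req.protect_yes:
            return "GRANT", "UPDATE held: volume may be read or written"
        if not req.racf_scratch:
            return "FAIL", "PROTECT=YES on a volume that is not RACF scratch"
    # READ only, or UPDATE with PROTECT=YES on a RACF scratch volume:
    # access waits until writing is prevented, checked in this order.
    if req.hw_protected:
        return "GRANT_READ", "hardware write protection"
    if req.logical_ok:
        return "GRANT_READ", "logical write-protection"
    if req.tapering_read:
        return "GRANT_READ_WRITABLE", "IEC.TAPERING: tape stays write-enabled"
    return "OPERATOR", "demount; operator disables writing, checks repeat"
```

The `GRANT_READ_WRITABLE` outcome is the case the Attention note describes, so the list of users with READ authority to IEC.TAPERING is worth reviewing alongside the tape volume profiles.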

Data set password protection is described in z/OS DFSMSdfp Advanced Services.