DFSMS restrictions

To ensure that security is not compromised in a multilevel-secure system:
  • Do not use the Object Access Method (OAM) for access to OAM objects. OAM is a component of DFSMSdfp. OAM object support for content management-type applications does not support multilevel security.
  • DFSMSdss does not support the name-hiding function. If you plan to activate the name-hiding function, protect DFSMSdss functions from all users except those required to do storage management functions. You can use RACF® program control to do this. For information on program control, see z/OS Security Server RACF Security Administrator's Guide. In addition, you can protect certain DFSMSdss keywords by defining FACILITY class resource profiles and restricting access to those profiles. For information on using RACF FACILITY class profiles to protect DFSMSdss, see z/OS DFSMSdfp Storage Administration.
  • DFSMShsm does not support the name-hiding function. If you plan to activate the name-hiding function, you should protect the DFSMShsm commands LIST and QUERY from all users except those required to do storage management functions. You can use profiles in the FACILITY class to protect these commands. For example, to prevent any user other than USER5 from issuing the LIST command:
    RDEFINE FACILITY STGADMIN.ARC.LIST UACC(NONE)
    PERMIT STGADMIN.ARC.LIST CLASS(FACILITY) ID(USER5) ACCESS(READ)
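
The restriction above names both LIST and QUERY, so the following REXX exec (an added example, not IBM-supplied code) applies the same protection to both commands and then lists the resulting access lists for review. It assumes that the QUERY profile follows the same STGADMIN.ARC.command naming as the LIST profile, that USER5 is the storage administrator from the example above, and that the FACILITY class is active and RACLISTed.

```rexx
/* REXX - added example, not IBM-supplied code.                      */
/* Assumptions: USER5 is the storage administrator (from the page's  */
/* example); the FACILITY class is active and RACLISTed; the issuer  */
/* has authority to define FACILITY profiles and refresh the class.  */
profiles = "STGADMIN.ARC.LIST STGADMIN.ARC.QUERY"
admin    = "USER5"
maxrc    = 0

/* Define each profile with no default access, then permit the admin */
do i = 1 to words(profiles)
  p = word(profiles, i)
  call run "RDEFINE FACILITY" p "UACC(NONE)"
  call run "PERMIT" p "CLASS(FACILITY) ID("admin") ACCESS(READ)"
end

/* Refresh the in-storage FACILITY profiles so the changes take effect */
call run "SETROPTS RACLIST(FACILITY) REFRESH"

/* Display each access list so it can be checked against the intent */
do i = 1 to words(profiles)
  call run "RLIST FACILITY" word(profiles, i) "AUTHUSER"
end
exit maxrc

/* Issue one TSO command, echo it, and remember the highest return code */
run: procedure expose maxrc
  parse arg cmd
  say cmd
  address TSO cmd
  if rc <> 0 then say "  RC="rc
  if rc > maxrc then maxrc = rc
  return
```

In the RLIST output, check that the access list contains only the intended storage administrators. RACF places the user ID that issued RDEFINE on the access list with ALTER authority unless SETROPTS NOADDCREATOR is in effect.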