Security considerations for availability management
DFSMShsm does not check data set security during automatic backup and dump. DFSMShsm also bypasses security checking when it processes operator commands entered at the system console or commands issued by a DFSMShsm-authorized user.
DFSMShsm checks security for data sets when a user who is not DFSMShsm-authorized issues an HBACKDS, HBDELETE, HALTERDS, or HRECOVER command. Security checking is not done when DFSMShsm-authorized users issue the user commands. If users are not authorized to manipulate data, DFSMShsm does not permit them to back up data sets, delete backup versions, change the conditions for backup versions, or recover data sets. Table 1 shows the RACF® authority required to perform each availability management function.
| DFSMShsm Function | RACF Resource Access Authority Required |
|---|---|
| Back up a data set | Update |
| Recover a backup version without specifying the NEWNAME parameter | Alter If profile recovery is required, authority is needed to create a discrete RACF profile for the recovered data set. |
| Recover a backup version and specify the NEWNAME parameter | Read authority to the data set being recovered. Alter authority to the newly named data set if one exists. If profile recovery is required, authority is needed to create a discrete RACF profile for the recovered data set. |
| Changing backup parameters | Alter |
| Deleting backup versions | Alter |