Thanks to all for your experiences and insight.
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Robert S. Hansel (RSH)
Sent: Monday, February 21, 2011 5:16 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: RACF Resource Classes

Tom,

CA-1's FORRES and FORNORES and the equivalent STGADMIN.EDG profiles for RMM govern the use of DD statement parameter EXPDT=98000. Use of BLP is controlled by FACILITY class resource ICHBLP with RMM and CA@APE class resources BLPRES and BLPNORES with CA-1.

Dennis,

Very few installations fully implement the TAPEVOL class. By fully implement, I mean define a TAPEVOL profile for every tape with a TVTOC (Tape Volume Table of Contents) that lists every dataset on the tape by its full 44-character dsname so that RACF verifies the user is properly specifying the dsname when accessing a dataset on the tape. Most installations rely on their tape management system to verify the proper dsname is used. While the RACF TVTOC dsname validation check is somewhat more secure than the one done by the tape management system, few installations are willing to incur the overhead of maintaining and processing TAPEVOL profiles for this added level of protection.

On the other hand, many installations do activate the TAPEVOL class just to enable use of FACILITY class profile ICHBLP. They don't bother to create TAPEVOL profiles. Others activate TAPEVOL in conjunction with using HSM's SETSYS TAPESECURITY(RACF or RACFINCLUDE) to have HSM automatically create and maintain TAPEVOL profiles to guard its own tapes.

All this assumes PARMLIB DEVSUPxx TAPEAUTHDSN=NO is in effect; otherwise, the TAPEVOL profiles are essentially ignored.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Sun, 20 Feb 2011 19:58:48 -0500
From: Pinnacle <pinnc...@rochester.rr.com>
Subject: Re: RACF Resource Classes

----- Original Message -----
From: "Givens, Dennis W." <dennis.giv...@cnasurety.com>
Newsgroups: bit.listserv.ibm-main
Sent: Friday, February 18, 2011 3:25 PM
Subject: RACF Resource Classes

> I am working on the resolution of exceptions produced by the recently activated Health Checker feature on a z/OS 1.10 system.
> Specifically the following 2 checks:
>
> CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
> Check Severity: Medium
> IRRH229E The class TAPEVOL is not active.
> Explanation: The class is not active. IBM recommends that the security administrator at your installation activate this class and define in it the profiles to properly protect your system.
>

Dennis,

I've implemented both RMM and CA-1 in many different shops and I've never implemented TAPEVOL. It's extremely difficult to administer, and better controls are available. Not sure why Bob Hansel and Russ Witt say you need it for ICHBLP with RMM. RMM added STGADMIN.EDG profiles to handle BLP tapes that mirror the FORRES and FORNORES controls of CA-1, and that's all I've ever needed to implement for BLP under RMM. I don't know about the new TAPEAUTHDSN control that they reference; I have no experience with it.
Regards,
Tom Conley

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
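
An added illustration, not part of any list member's message: the RACF commands for the option described in the thread, where TAPEVOL is activated only so that FACILITY profile ICHBLP governs BLP use and no TAPEVOL profiles are defined. The group name TAPEADM is a hypothetical placeholder, and the sequence assumes the FACILITY class is already active and RACLISTed.

```tso
/* Added example. TAPEADM is a hypothetical group of tape           */
/* administrators; substitute the group your site uses.             */

/* 1. Define the BLP profile first, closed by default, so that      */
/*    activating TAPEVOL does not leave BLP use ungoverned.         */
RDEFINE FACILITY ICHBLP UACC(NONE)

/* 2. Grant BLP only to the group that needs it. READ allows BLP    */
/*    for input; UPDATE is required to use BLP for output.          */
PERMIT ICHBLP CLASS(FACILITY) ID(TAPEADM) ACCESS(READ)

/* 3. Refresh the in-storage FACILITY profiles (needed only when    */
/*    FACILITY is RACLISTed, as assumed here).                      */
SETROPTS RACLIST(FACILITY) REFRESH

/* 4. Activate TAPEVOL. No TAPEVOL profiles are defined, so dsname  */
/*    checking stays with the tape management system.               */
SETROPTS CLASSACT(TAPEVOL)

/* 5. Verify: TAPEVOL should appear under ACTIVE CLASSES, and the   */
/*    access list on ICHBLP should show only TAPEADM.               */
SETROPTS LIST
RLIST FACILITY ICHBLP AUTHUSER
```

Once TAPEVOL is active, the RACF_TAPEVOL_ACTIVE check quoted above no longer has the inactive class to report.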