Re: VOLCAT RACF protection

2021-10-06 Thread Russell Witt
Juan,

I agree with your guess that "authorized system users" would indicate OAM. 
However, DFSMSrmm probably does not update the VOLCAT/TCDB directly; just like 
my own CA 1 does not update the VOLCAT/TCDB directly. Using LCS services, we 
instruct OAM to change the status of a volume (SCRATCH ==> PRIVATE or PRIVATE 
==> SCRATCH) or to eject a tape out of the physical library. And then OAM will 
tell the Library Manager and update the VOLCAT/TCDB based on the instructions 
we have given it. And it is also OAM that is changing the VOLCAT when a tape is 
changed from SCRATCH to PRIVATE because it was mounted to satisfy a 
scratch-request. Since I doubt that anyone would want to fail the update of the 
VOLCAT/TCDB at that point (the Library Manager has already mounted the tape; 
and the VOL1/HDR1/HDR2 have probably been re-written as well) - I believe that 
OAM will bypass any security checking when the VOLCAT/TCDB is updated.

Russell Witt
CA 1 Architect
Broadcom

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Juan Mautalen
Sent: Tuesday, October 5, 2021 2:22 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: VOLCAT RACF protection

Hi:

Regarding RACF protection of VOLCAT (tape volume catalog), I found the 
following paragraph in IBM DFSMS documentation:

<<<<<
In general, tape users do not require any RACF access authority to the VOLCAT. 
During job processing, the updates to the VOLCAT are made by authorized system 
users. However, the VOLCAT still needs a data set profile and should be defined 
with UACC(NONE). Storage administrators using ISMF should have READ access to 
STGADMIN.IGG.LIBRARY and IDCAMS users should have an access level to 
STGADMIN.IGG.LIBRARY appropriate to the function being performed. For the 
required RACF access level when using IDCAMS, refer to "Required Security 
Authorization for VOLCAT Operations" in z/OS DFSMS Access Method Services 
Commands.
>>>>>

How do you understand “authorized system users” in this context?
Is it talking about system tasks that don’t even bother to check RACF authority 
to the VOLCAT?

What about, for instance, address spaces like OAM or DFRMM?
Don’t they need any RACF authority over the DATASET profile protecting VOLCAT?

PS: cross-posted to the RACF list

Thanks in advance for your help,

Juan G. Mautalen

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN


VOLCAT RACF protection

2021-10-05 Thread Juan Mautalen
Hi:

Regarding RACF protection of VOLCAT (tape volume catalog), I found the 
following paragraph in IBM DFSMS documentation:

<<<<<
In general, tape users do not require any RACF access authority to the VOLCAT. 
During job processing, the updates to the VOLCAT are made by authorized system 
users. However, the VOLCAT still needs a data set profile and should be defined 
with UACC(NONE). Storage administrators using ISMF should have READ access to 
STGADMIN.IGG.LIBRARY and IDCAMS users should have an access level to 
STGADMIN.IGG.LIBRARY appropriate to the function being performed. For the 
required RACF access level when using IDCAMS, refer to "Required Security 
Authorization for VOLCAT Operations" in z/OS DFSMS Access Method Services 
Commands.
>>>>>

How do you understand “authorized system users” in this context?
Is it talking about system tasks that don’t even bother to check RACF authority 
to the VOLCAT?

What about, for instance, address spaces like OAM or DFRMM?
Don’t they need any RACF authority over the DATASET profile protecting VOLCAT?

PS: cross-posted to the RACF list

Thanks in advance for your help,

Juan G. Mautalen
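
An added example, not part of either post: a batch TSO job that applies the RACF setup the quoted DFSMS paragraph describes. STGADMIN.IGG.LIBRARY and UACC(NONE) come from the quoted text; the VOLCAT data set name SYS1.VOLCAT.VGENERAL (a typical name), the RACF groups STGADMIN and TAPEADM, the job card, and the UPDATE level given to TAPEADM are assumptions. The access level an IDCAMS user actually needs per function is the one listed in the "Required Security Authorization for VOLCAT Operations" section the quote refers to.

```jcl
//VOLCATRC JOB (ACCT),'VOLCAT RACF',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example, not from the thread. Assumed names:
//*   SYS1.VOLCAT.VGENERAL - the general VOLCAT (typical name)
//*   STGADMIN             - RACF group of ISMF storage administrators
//*   TAPEADM              - RACF group of IDCAMS users who alter VOLCAT entries
//* STGADMIN.IGG.LIBRARY and UACC(NONE) are taken from the quoted DFSMS text.
//* The UPDATE level for TAPEADM is a placeholder; use the level the AMS
//* Commands reference gives for the IDCAMS function actually performed.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ADDSD 'SYS1.VOLCAT.VGENERAL' UACC(NONE) AUDIT(FAILURES(READ)) -
   OWNER(STGADMIN)
 RDEFINE FACILITY STGADMIN.IGG.LIBRARY UACC(NONE) AUDIT(ALL(READ)) -
   OWNER(STGADMIN)
 PERMIT STGADMIN.IGG.LIBRARY CLASS(FACILITY) ID(STGADMIN) ACCESS(READ)
 PERMIT STGADMIN.IGG.LIBRARY CLASS(FACILITY) ID(TAPEADM) ACCESS(UPDATE)
 SETROPTS RACLIST(FACILITY) REFRESH
 LISTDSD DATASET('SYS1.VOLCAT.VGENERAL') AUTHUSER
 RLIST FACILITY STGADMIN.IGG.LIBRARY AUTHUSER
/*
```

The AUDIT(FAILURES(READ)) on the data set profile is there for the check a practitioner wants after applying this: routine tape jobs, whose VOLCAT updates are made by OAM as Russell describes, should produce no ICH408I failures against the VOLCAT profile in SYSLOG or the SMF type 80 records. Failures that do appear identify a user or started task that is touching the VOLCAT directly rather than through OAM, which is what the UACC(NONE) profile is meant to catch.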