Protecting DFSMShsm storage administrator commands with RACF FACILITY class profiles
Security administrators are now responsible for authorizing
users and storage administrators to use DFSMShsm commands. Each storage
administrator command can be protected through the following RACF® FACILITY class profiles:
- STGADMIN.ARC.command
- STGADMIN.ARC.command.parameter
Storage administrators must have READ access authority to the profile in order to use the command or command and parameter. A security administrator can create the following fully qualified, specific profiles (Table 1) to authorize or deny the use of DFSMShsm storage administrator commands.
Command name | RACF FACILITY class resource name |
---|---|
ABACKUP | STGADMIN.ARC.ABACKUP STGADMIN.ARC.ABACKUP.agname |
ARECOVER | STGADMIN.ARC.ARECOVER STGADMIN.ARC.ARECOVER.agname STGADMIN.ARC.ARECOVER.agname.REPLACE |
ADDVOL | STGADMIN.ARC.ADDVOL |
ALTERDS | STGADMIN.ARC.ALTERDS |
ALTERPRI | STGADMIN.ARC.ALTERPRI |
AUDIT | STGADMIN.ARC.AUDIT |
AUTH | STGADMIN.ARC.AUTH |
BACKDS | STGADMIN.ARC.BACKDS STGADMIN.ARC.BACKDS.NEWNAME STGADMIN.ARC.BACKDS.RETAINDAYS STGADMIN.ARC.BACKDS.DELETE |
BACKVOL | STGADMIN.ARC.BACKVOL |
BDELETE | STGADMIN.ARC.BDELETE |
CANCEL | STGADMIN.ARC.CANCEL |
DEFINE | STGADMIN.ARC.DEFINE |
DELETE | STGADMIN.ARC.DELETE |
DELVOL | STGADMIN.ARC.DELVOL |
DISPLAY | STGADMIN.ARC.DISPLAY |
EXPIREBV | STGADMIN.ARC.EXPIREBV |
FIXCDS | STGADMIN.ARC.FIXCDS |
FREEVOL | STGADMIN.ARC.FREEVOL |
FRBACKUP | STGADMIN.ARC.FB.cpname |
FRDELETE | STGADMIN.ARC.FD.cpname |
FRRECOV | STGADMIN.ARC.FR.cpname STGADMIN.ARC.FR.NEWNAME |
HOLD | STGADMIN.ARC.HOLD |
HBACKDS | STGADMIN.ARC.ENDUSER.HBACKDS.RCRS.CM (RECURSE(CROSSMOUNTS)) STGADMIN.ARC.ENDUSER.HBACKDS.RCRS.NCM (RECURSE(NOCROSSMOUNTS)) |
HRECOVER | STGADMIN.ARC.ENDUSER.HRECOVER.RCRS.CM (RECURSE(CROSSMOUNTS)) STGADMIN.ARC.ENDUSER.HRECOVER.RCRS.NCM (RECURSE(NOCROSSMOUNTS)) |
LIST | STGADMIN.ARC.LIST (see note 2). Exception: STGADMIN.ARC.LC.cpname, when COPYPOOL(cpname) keyword is specified. |
LOG | STGADMIN.ARC.LOG |
MIGRATE | STGADMIN.ARC.MIGRATE |
PATCH | STGADMIN.ARC.PATCH |
QUERY | STGADMIN.ARC.QUERY |
RECALL | STGADMIN.ARC.RECALL |
RECOVER | STGADMIN.ARC.RECOVER STGADMIN.ARC.RECOVER.NEWNAME |
RECYCLE | STGADMIN.ARC.RECYCLE |
RELEASE | STGADMIN.ARC.RELEASE |
REPORT | STGADMIN.ARC.REPORT |
SETMIG | STGADMIN.ARC.SETMIG |
SETSYS | STGADMIN.ARC.SETSYS |
STOP | STGADMIN.ARC.STOP |
SWAPLOG | STGADMIN.ARC.SWAPLOG |
TAPECOPY | STGADMIN.ARC.TAPECOPY |
TAPEREPL | STGADMIN.ARC.TAPEREPL |
TRAP | STGADMIN.ARC.TRAP |
UPDATEC | STGADMIN.ARC.UPDATEC |
UPDTCDS | STGADMIN.ARC.UPDTCDS |
Note:
- If a storage administrator has access to the AUTH command, their use of it creates, alters, or deletes MCU records. DFSMShsm does not use these MCU records for authorization checking while the FACILITY class is active.
- The FACILITY class resource name used to protect the LIST COPYPOOL command depends on whether a specific copy pool name is specified in the command. When a copy pool name is not specified, LIST COPYPOOL is protected by the STGADMIN.ARC.LIST resource. When a specific copy pool name is specified, LIST COPYPOOL(cpname) is protected by the resource STGADMIN.ARC.LC.cpname.
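
The following RACF commands are an added illustration, not part of the original page: they define a few of the Table 1 profiles and grant READ access selectively. The group names HSMADM and HSMOPS, the copy pool name CP1, and the aggregate group name PAY1 are assumptions chosen for the example, as is the choice of UACC(NONE).

```tso
/* Constructed example. Assumed names: groups HSMADM and HSMOPS,      */
/* copy pool CP1, aggregate group PAY1.                               */

/* PATCH and FIXCDS: only HSMADM is given READ access                 */
RDEFINE FACILITY STGADMIN.ARC.PATCH  UACC(NONE)
RDEFINE FACILITY STGADMIN.ARC.FIXCDS UACC(NONE)
PERMIT STGADMIN.ARC.PATCH  CLASS(FACILITY) ID(HSMADM) ACCESS(READ)
PERMIT STGADMIN.ARC.FIXCDS CLASS(FACILITY) ID(HSMADM) ACCESS(READ)

/* LIST, including LIST COPYPOOL with no copy pool name, is           */
/* protected by STGADMIN.ARC.LIST                                     */
RDEFINE FACILITY STGADMIN.ARC.LIST UACC(NONE)
PERMIT STGADMIN.ARC.LIST CLASS(FACILITY) ID(HSMADM HSMOPS) ACCESS(READ)

/* LIST COPYPOOL(CP1) is protected by STGADMIN.ARC.LC.CP1 instead,    */
/* so it needs its own profile and access list                        */
RDEFINE FACILITY STGADMIN.ARC.LC.CP1 UACC(NONE)
PERMIT STGADMIN.ARC.LC.CP1 CLASS(FACILITY) ID(HSMADM) ACCESS(READ)

/* ARECOVER for aggregate group PAY1; the REPLACE parameter has a     */
/* separate command.parameter profile with a narrower access list     */
RDEFINE FACILITY STGADMIN.ARC.ARECOVER.PAY1 UACC(NONE)
RDEFINE FACILITY STGADMIN.ARC.ARECOVER.PAY1.REPLACE UACC(NONE)
PERMIT STGADMIN.ARC.ARECOVER.PAY1 CLASS(FACILITY) ID(HSMADM HSMOPS) ACCESS(READ)
PERMIT STGADMIN.ARC.ARECOVER.PAY1.REPLACE CLASS(FACILITY) ID(HSMADM) ACCESS(READ)

/* Refresh in-storage profiles (assumes the FACILITY class is active  */
/* and RACLISTed on this system)                                      */
SETROPTS RACLIST(FACILITY) REFRESH

/* Review who is on the access list of a profile                      */
RLIST FACILITY STGADMIN.ARC.LC.CP1 AUTHUSER
```

Reviewing the RLIST output for each STGADMIN.ARC profile is a quick way to confirm that the access lists match the intended separation of duties.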