Enhanced security for tape data sets

DFSMS provides additional security functions for tape data sets through the DEVSUPxx parmlib options. DFSMSdfp can now issue RACROUTE in the DATASET class to enable tape data sets to be authorized in the same way that DASD data sets are authorized, regardless of the RACF® SETROPTS in use on the system and regardless of the label types used. To enable all data sets on a tape volume or tape volume set to have the same or similar levels of authorization, DFSMSdfp provides a DEVSUPxx option to request that the users' authorization to a single data set on the volume can also extend to the entire volume. When you open a tape data set, DFSMSdfp can also check your authorization to the first file on the volume. The additional RACROUTE issued by DFSMSdfp depends on the DEVSUPxx keywords and the SETROPTS in use. When you select TAPEAUTHDSN=YES and TAPEAUTHF1=YES, the additional RACROUTE matches that issued for the TAPEAUTHDSN option. When you select TAPEAUTHDSN=NO, SETROPTS TAPEDSN, and TAPEAUTHF1=YES, the additional RACROUTE matches that issued for the SETROPTS TAPEDSN option. When all the data sets on a tape volume have a common or similar authorization requirement, an application program has less chance to gain access to unauthorized data by repositioning the tape to another data set.

The function in DFSMSdfp does not replace all the functional capabilities that the RACF TAPEDSN option, TAPEVOL class, and TVTOC provide. However, together with the functions that DFSMSrmm provides, you do have equivalent capability. The enhanced DFSMSdfp function addresses the authorization requirements for tape data sets and relies on your use of a tape management system such as DFSMSrmm to perform the following operations:
  • Verify full 44 character data set names.
  • Control the overwriting of existing tape files.
  • Handle tape data set retention.
  • Control the creation and destruction of tape labels.

When you overwrite an existing tape data set and use a different name, DFSMSdfp does not perform any authorization checking for the overwritten data set. However, when you set the TAPEAUTHF1=YES option, your tape management system can provide the data set name for any of the tape data sets causing additional RACROUTE authorization checks. DFSMSrmm exploits this capability to ensure that when the first file is overwritten, there is an additional RACROUTE issued for the overwritten data set. The tape management system controls how you can overwrite the existing tape data sets. See the DFSMSrmm MASTEROVERWRITE parmlib options for more information. Through your tape management system, you can ensure that DFSMSdfp checks the authorization of any overwritten data sets when the TAPEAUTHF1=YES DEVSUPxx parmlib option is in use.

To help you implement the new tape data set security function of DFSMSdfp, additional options allow access to tape data sets that either RACF does not protect or you are not authorized to access. The TAPEAUTHRC4 and TAPEAUTHRC8 options allow you this control. At CLOSE time, OPEN/EOV tracks the use of these options to change the results of RACF processing through SMF records 14 and 15.

You can now implement tape data set authorization checking whether the data set is on tape or DASD, regardless of tape volume profiles. You can use the following options for tape data set authorization:
  • TAPEAUTHDSN keyword to cause RACROUTE to be issued in the DATASET class as if for a DASD data set. TAPEAUTHF1 optionally allows authorization checking for the first data set.
  • SETROPTS TAPEDSN to cause RACROUTE to be issued in the DATASET class with DSTYPE=T. This optionally allows the use of TAPEVOL profiles with or without TVTOC, and optionally allows authorization check for the first data set using TAPEAUTHF1.
  • Tape volume authorization only through TAPEVOL profiles.

For a complete list of the existing options, see z/OS Security Server RACF Security Administrator's Guide.