
Protecting DFSMShsm data sets

In document IBM z/OS DFSMShsm Primer (Page 106-108)

Chapter 5. Implementing DFSMShsm security

5.1.3 Protecting DFSMShsm data sets

You must protect DFSMShsm resources, such as the control data sets (CDSs), journals, logs, and backed up data sets from unauthorized access. In member STARTER of data set HSM.SAMPLE.CNTL, you specify a high-level qualifier (HLQ) (parameter UID) for the journal, control, and log data sets. You can define a generic RACF data set profile to protect the DFSMShsm data sets. In our system, we chose an HLQ of hierarchical storage management (HSM). The following RACF command defines a generic data set profile with a universal access of NONE:

ADDSD 'HSM.**' UACC(NONE)

After you create the RACF generic profile for protecting the DFSMShsm data sets, you must permit users or groups access to the RACF profile based on their requirements. For example, your storage administrator needs RACF ALTER access to the CDSs to move them to another volume or to increase their space allocations.

You can give user ID HSMSTOR ALTER access to the DFSMShsm CDSs. You can use a different qualifier for CDSs, such as HSMCDS, so that you can provide access to only those data sets with the following command:

PERMIT 'HSMCDS.**' ID(HSMSTOR) ACC(ALTER)

Listing the generic data set profile

To verify the DFSMShsm generic data set profile, use the LISTDSD command:

LISTDSD DA('hsm.**') GENERIC

Figure 5-4 shows the output of the command.

READY
INFORMATION FOR DATASET HSM.** (G)

LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    SYS1      NONE              NO       NO

AUDITING
--------
FAILURES(READ)

NOTIFY
--------
NO USER TO BE NOTIFIED

YOUR ACCESS  CREATION GROUP  DATASET TYPE
-----------  --------------  ------------
ALTER        SYS1            NON-VSAM

Figure 5-4 LISTDSD command output

Protecting DFSMShsm activity logs

DFSMShsm writes its activity logs to direct access storage device (DASD) if you specify SETSYS ACTLOGTYPE(DASD) in the ARCCMDxx member of PARMLIB. DFSMShsm allocates the activity logs with an HLQ of HSMACT. The following RACF command defines a generic data set profile to protect the activity logs with a universal access of NONE:

ADDSD 'HSMACT.**' UACC(NONE)

After you create the RACF generic profile for protecting the DFSMShsm activity logs, you must permit users or groups access to the RACF profile based on their requirements. Consider that someone might use a batch job to access data in the activity logs.

The following RACF command can be used to give user ID HSMUSR1 READ access to the activity logs:

PERMIT 'HSMACT.**' ID(HSMUSR1) ACC(READ)
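The LISTDSD check shown for HSM.** applies equally to the HSMACT.** profile. The following added example (not part of the Primer) parses captured LISTDSD output in the layout of Figure 5-4 and reports any profile that is not generic, does not have a universal access of NONE, or is in WARNING mode. The sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of Figure 5-4: one profile as the page
# defines it, and one left in WARNING mode with a universal access of READ.
SAMPLE = """\
INFORMATION FOR DATASET HSM.** (G)
LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    SYS1      NONE              NO       NO

INFORMATION FOR DATASET HSMACT.** (G)
LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    SYS1      READ              YES      NO
"""
FIELDS = ("level", "owner", "uacc", "warning", "erase")
HEADER = re.compile(r"^INFORMATION FOR DATASET (\S+)( \(G\))?\s*$")

def parse_listdsd(text):
    """Return {profile: {field: value}} from LISTDSD output."""
    profiles, current, lines = {}, None, text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER.match(line.strip())
        if m:
            current = m.group(1)
            profiles[current] = {"generic": m.group(2) is not None}
        elif current and line.split()[:2] == ["LEVEL", "OWNER"]:
            # Values sit two lines below the column titles (after the dashes).
            values = lines[i + 2].split() if i + 2 < len(lines) else []
            if len(values) == len(FIELDS):
                profiles[current].update(zip(FIELDS, values))
    return profiles

def audit(text, expected=("HSM.**", "HSMACT.**")):
    """List deviations from the page's setup: generic profile, UACC(NONE)."""
    found, findings = parse_listdsd(text), []
    for name in expected:
        p = found.get(name)
        if p is None or "uacc" not in p:
            findings.append(f"{name}: no profile information returned")
            continue
        if not p["generic"]:
            findings.append(f"{name}: not a generic profile")
        if p["uacc"] != "NONE":
            findings.append(f"{name}: UACC is {p['uacc']}, expected NONE")
        if p["warning"] != "NO":
            findings.append(f"{name}: WARNING mode on, access is logged but not denied")
    return findings
```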

Protecting DFSMShsm tapes

To protect DFSMShsm-managed tapes with RACF-protected data sets on them, follow these steps:

1. Install and activate RACF.

2. Define the tapes that you want to protect to RACF by defining the TAPEVOL resource class in the RACF class descriptor table.

3. Specify the SETSYS TAPESECURITY(RACF) command.

You define the RACF environment to DFSMShsm when you specify the SETSYS TAPESECURITY(RACF) command. DFSMShsm protects each backup, migration, and dump tape with RACF.

The way that you define your RACF TAPEVOL resource class is determined by the number of tapes you want to protect.

Protecting up to 10,000 tapes

If you are protecting up to a maximum of 10,000 tapes, you define two RACF resource names in the TAPEVOL resource class:

• HSMABR is the name for aggregate backup and recovery tapes.

• HSMHSM is the name for all other DFSMShsm tapes.

Issue the following RACF commands:

RDEFINE TAPEVOL HSMABR

RDEFINE TAPEVOL HSMHSM

You can add tapes to RACF before DFSMShsm uses them. If you choose this approach, you must use the appropriate TAPEVOL resource class. Use the following command:

RALTER TAPEVOL HSMHSM ADDVOL(volser)

IBM suggests that clients not add tapes to RACF before DFSMShsm uses them. Instead, let DFSMShsm add to the TAPEVOL for you automatically as tapes are encountered.

Protecting more than 10,000 tapes

To RACF-protect more than 10,000 tapes, you define multiple RACF resource names for DFSMShsm tape volume sets in the TAPEVOL resource class. Use the following resource names:

• HSMHSM (must be defined)

• HSMABR for ABARS tapes

• DFHSMx

In DFHSMx, x is a non-blank character (alphanumeric, national, or the hyphen) that corresponds to the last non-blank character of the tape volume serial number. You need to define a DFHSMx resource name for each x value that exists, based on your installation naming standards.

The following RACF commands add resource names to the TAPEVOL class for HSMHSM (required), HSMABR (for aggregate backup and recovery tapes), and DFHSMA (for all tapes with a volume serial number that ends with the letter A):

RDEFINE TAPEVOL HSMHSM

RDEFINE TAPEVOL HSMABR

RDEFINE TAPEVOL DFHSMA

To activate the RACF protection of tape volumes by using the DFHSMx resource names that are defined, you must issue the following RACF command on each system in the sysplex:

RALTER TAPEVOL HSMHSM ADDVOL(DFHSM)

You can add RACF protection to the DFSMShsm tape volumes before DFSMShsm uses them, except for the HSMABR tapes. You must add the tape volume serial number to the appropriate DFHSMx tape volume set, which is based on the last non-blank character of the tape volume serial number. To protect a tape with a volume serial of POK33H, you use the following RACF command:

RALTER TAPEVOL DFHSMH ADDVOL(POK33H)

Tapes that are already protected in the tape volume set of HSMHSM continue to be protected.
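For installations that choose to add tapes to RACF before DFSMShsm uses them, the following added example (not part of the Primer) applies the DFHSMx rule described above to a list of volume serials and builds the matching RACF commands. The function names and sample volsers are constructed; it assumes that "national" means the characters @, # and $, that none of the tapes are HSMABR tapes, and that the resource names are not yet defined.

```python
from collections import defaultdict

# Characters the page allows as the DFHSMx suffix: alphanumeric, national, hyphen.
# Assumption: "national" means the characters @, # and $.
VALID_SUFFIX = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@#$-")


def tapevol_set(volser):
    """Return the DFHSMx resource name for a tape volume serial."""
    v = volser.rstrip().upper()      # the last non-blank character decides
    if not 1 <= len(v) <= 6:
        raise ValueError(f"volser must be 1-6 characters: {volser!r}")
    if v[-1] not in VALID_SUFFIX:
        raise ValueError(f"no DFHSMx set for suffix {v[-1]!r} in {volser!r}")
    return "DFHSM" + v[-1]


def racf_commands(volsers):
    """Build the RACF commands that pre-define the given tapes."""
    by_set = defaultdict(list)
    for v in volsers:
        by_set[tapevol_set(v)].append(v.rstrip().upper())
    cmds = ["RDEFINE TAPEVOL HSMHSM"]                    # must be defined
    cmds += [f"RDEFINE TAPEVOL {name}" for name in sorted(by_set)]
    cmds.append("RALTER TAPEVOL HSMHSM ADDVOL(DFHSM)")   # activates DFHSMx names
    for name in sorted(by_set):
        for v in sorted(by_set[name]):
            cmds.append(f"RALTER TAPEVOL {name} ADDVOL({v})")
    return cmds


if __name__ == "__main__":
    # Constructed volsers; POK33H is the one used on the page.
    for cmd in racf_commands(["POK33H", "POK01A", "POK02A"]):
        print(cmd)
```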
