Not to speak for Mike, but as Mike said in his previous email the ability to
have generic rules protect individual datasets in place of discrete rules is
fine as long as you have a tape management system (any tape management
system). To take that one step further however, I would also say as long as
you have a tape management system AND have rules in place to prevent
unauthorized bypassing of the tape management system you are nearly as safe
with generic rules as with discrete profiles. And all tape management
systems (CA's, IBM's, BMC's and ASG's) have some ability to protect who can
use EXPDT=98000 to bypass the tape management system (that is one thing we
all do agree on). So, if you are controlling who can or cannot bypass the
tape management system; then unless you have given that user the ability to
bypass the tape management system the trick of changing the HLQ will not
work (the tape management system would reject the tape since the DSN in the
JCL does not match its full-44-character dsname).

Russell Witt
CA-1 Level-2 Support Manager

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED]] On
Behalf Of Robert S. Hansel (RSH)
Sent: Saturday, March 11, 2006 2:57 PM
To: [email protected]
Subject: Re: discrete profiles for tape protection.


Mike,

Your comments about running without TAPEVOL and/or TVTOC raise the
following issue. It is my understanding that with RMM the only way to
protect against unauthorized access to a tape dataset by taking
inappropriate advantage of tape label containing just the last 17 characters
of the dsname (e.g., opening PAY.PROD.MASTER.FILE by calling it
MYID.PROD.MASTER.FILE) is by implementing RACF TAPEVOL profiles with TVTOC
and setting RMM option TPRACF to either (P) or (A). This causes RACF to keep
track of the full dsnames on a given tape and guard against someone
falsifying the name. Does RMM have other features or functionality that
prevents misnaming tape datasets without involving TAPEVOL TVTOCs? If yes,
can you help me find the reference where it is described?

Thanks, Bob

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
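
The layered checks discussed in this thread, as an added example that is not part of either message and is not vendor code: a simplified model of why a 17-character label match lets a renamed HLQ through under generic rules, and how a full-dsname comparison plus control over EXPDT=98000 closes it. The check order, the function names, the user IDs and the access table are assumptions made for illustration.

```python
from dataclasses import dataclass

BYPASS_EXPDT = "98000"  # EXPDT value the thread names for bypassing the TMS

def label_dsid(dsn: str) -> str:
    """Dataset identifier kept in the tape label: last 17 characters only."""
    return dsn[-17:]

@dataclass
class Request:
    user: str
    jcl_dsn: str      # dsname coded in the JCL (at most 44 characters)
    expdt: str = ""   # EXPDT coded in the JCL, if any

def decide(req, tape_dsn, generic_access, tms_present, bypass_users):
    """Return (allowed, reason) for opening a tape that really holds tape_dsn.

    generic_access: assumed model of generic rules, HLQ -> permitted users.
    bypass_users:   users allowed to code the bypass EXPDT.
    """
    if len(req.jcl_dsn) > 44:
        return False, "invalid dsname"
    # 1. Generic rule is evaluated against the name in the JCL, not the tape.
    hlq = req.jcl_dsn.split(".")[0]
    if req.user not in generic_access.get(hlq, set()):
        return False, "security: no access to JCL dsname"
    # 2. Label verification can only compare the last 17 characters.
    if label_dsid(req.jcl_dsn) != label_dsid(tape_dsn):
        return False, "label: dataset identifier mismatch"
    # 3. Tape management system compares the full dsname unless bypassed.
    if tms_present:
        if req.expdt == BYPASS_EXPDT:
            if req.user not in bypass_users:
                return False, "tms: bypass not authorized"
            return True, "allowed: tms bypassed"
        if req.jcl_dsn != tape_dsn:
            return False, "tms: full dsname mismatch"
    return True, "allowed"

# Constructed sample data using the dataset names from the thread.
TAPE = "PAY.PROD.MASTER.FILE"
RULES = {"PAY": {"PAYROLL"}, "MYID": {"MYID"}}
RENAMED = Request("MYID", "MYID.PROD.MASTER.FILE")

if __name__ == "__main__":
    print(decide(RENAMED, TAPE, RULES, tms_present=False, bypass_users=set()))
    print(decide(RENAMED, TAPE, RULES, tms_present=True, bypass_users=set()))
    forced = Request("MYID", "MYID.PROD.MASTER.FILE", expdt=BYPASS_EXPDT)
    print(decide(forced, TAPE, RULES, tms_present=True, bypass_users=set()))
```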
