Bob, if RMM simply issued a RACROUTE under the hsm ACEE (and we know hsm 
is trusted), hsm would be authorized to release ANY volume that happened 
to be defined to hsm at the time. We have seen situations where hsm 
information and reality get out of sync... so we have to avoid hsm 
releasing volumes which are now owned and used by another application.

So, honouring hsm's trusted setting while releasing volumes is not a good 
idea, so rmm creates an ACEE which has no special privileges so that hsm 
can only release volumes which actually are known to belong to hsm.

The requirement for the correct access to STGADMIN.EDG.RELEASE is 
documented in the DFSMSrmm I&C Guide chapter 14 'Authorizing DFSMShsm to 
DFSMSrmm Resources'.

Mike Wood   RMM Development

On Wed, 13 Dec 2006 12:11:30 -0500, Robert S. Hansel (RSH) 
<[EMAIL PROTECTED]> wrote:

>(Cross-posted to IBM-MAIN and RACF-L)
>
>Greetings all,
>
>In a client environment, Started Task HSM has the RACF TRUSTED attribute.
>Yet, when it is attempting to release empty tapes, it needs READ access
>permission to RMM's FACILITY class resource STGADMIN.EDG.RELEASE in order to
>perform this function. I find this odd because I would have expected its
>TRUSTED authority to allow this access. I presume RMM is initiating the
>RACROUTE access authorization call and am curious as to how it is doing so
>such that HSM's TRUSTED authority is not coming into play. For instance, is
>RMM using RACROUTE REQUEST=FASTAUTH or is it building a separate ACEE for
>HSM rather than using the one associated with the Started Task. Your
>shedding light on this matter will be greatly appreciated.
>
>
>Regards, Bob
>
>Robert S. Hansel
>RACF Specialist
>RSH Consulting, Inc.
>www.rshconsulting.com
>617-969-8211
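
Added example, not part of either message and not taken from the DFSMSrmm documentation: RACF TSO commands that give the HSM started task's user ID the explicit READ permission discussed above, since its TRUSTED attribute is not honoured for this check. The user ID HSMSTC is a placeholder, and the commands assume the profile is not yet defined and that the FACILITY class is RACLISTed.

```tso
/* Added example. HSMSTC is a placeholder for the user ID that   */
/* the HSM started task runs under.                              */

/* Define the discrete profile with no default access. Skip this */
/* step if the profile already exists (assumption: it does not). */
RDEFINE FACILITY STGADMIN.EDG.RELEASE UACC(NONE)

/* Grant exactly the READ access the thread says HSM needs when  */
/* releasing empty tapes. TRUSTED does not substitute for this   */
/* permission because RMM checks under an unprivileged ACEE.     */
PERMIT STGADMIN.EDG.RELEASE CLASS(FACILITY) ID(HSMSTC) ACCESS(READ)

/* Refresh the in-storage profiles (assumption: FACILITY is      */
/* RACLISTed on this system).                                    */
SETROPTS RACLIST(FACILITY) REFRESH

/* Verify: list the profile with its access list and confirm     */
/* that HSMSTC appears with READ and UACC is NONE.               */
RLIST FACILITY STGADMIN.EDG.RELEASE AUTHUSER
```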
