Juan, I agree with your guess that "authorized system users" would indicate OAM. However, DFSMSrmm probably does not update the VOLCAT/TCDB directly, just like my own CA 1 does not update the VOLCAT/TCDB directly. Using LCS services, we instruct OAM to change the status of a volume (SCRATCH ==> PRIVATE or PRIVATE ==> SCRATCH) or to eject a tape out of the physical library. And then OAM will tell the Library Manager and update the VOLCAT/TCDB based on the instructions we have given it. And it is also OAM that is changing the VOLCAT when a tape is changed from SCRATCH to PRIVATE because it was mounted to satisfy a scratch request. Since I doubt that anyone would want to fail the update of the VOLCAT/TCDB at that point (the Library Manager has already mounted the tape, and the VOL1/HDR1/HDR2 have probably been re-written as well), I believe that OAM will bypass any security checking when the VOLCAT/TCDB is updated.

Russell Witt
CA 1 Architect
Broadcom

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Juan Mautalen
Sent: Tuesday, October 5, 2021 2:22 PM
To: [email protected]
Subject: VOLCAT RACF protection

Hi:

Regarding RACF protection of VOLCAT (tape volume catalog), I found the following paragraph in IBM DFSMS documentation:

<<<<<
In general, tape users do not require any RACF access authority to the VOLCAT. During job processing, the updates to the VOLCAT are made by authorized system users. However, the VOLCAT still needs a data set profile and should be defined with UACC(NONE). Storage administrators using ISMF should have READ access to STGADMIN.IGG.LIBRARY and IDCAMS users should have an access level to STGADMIN.IGG.LIBRARY appropriate to the function being performed. For the required RACF access level when using IDCAMS, refer to "Required Security Authorization for VOLCAT Operations" in z/OS DFSMS Access Method Services Commands.
>>>>>

How do you understand “authorized system users” in this context? Is it talking about system tasks that don’t even bother to check RACF authority to the VOLCAT? What about, for instance, address spaces like OAM or DFRMM? Don’t they need any RACF authority over the DATASET profile protecting VOLCAT?

PS: cross posted to the RACF list

Thanks in advance for your help,

Juan G. Mautalen

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
