Arye,

In general, if you value the data that hsm has placed on tape, you should ensure that the data is protected. This means there has to be some RACF profile (or equivalent) protecting the volume or the data, and the system (or some other involved party) has to make the RACROUTE call to check the person opening the data set on the tape volume is authorized to do so.

I would always recommend you protect hsm tapes. Depending on your security product this might be TAPEVOL profiles or DATASET profiles or even a combination. The choices for protecting hsm tapes are given in the hsm books, where it even describes when hsm will automatically protect its own tapes using TAPEVOL profiles.

Some tape management products, such as CA-1, have options to control if security checks are issued. If you are not using RACF TAPEDSN option, or RACF TAPEVOL class, you need to look at this. z/OS also has a DEVSUPxx option TAPEAUTHDSN which is described in the z/OS Init & Tuning guide.

Remember that hsm runs with OPERATIONS and PRIVILEGED - so gains access to anyone else's data if it tries... So your tape management system has to ensure complete 44 character dsname checking. I would also check if your tape management system issues RACROUTE checks for 'EDMs' and also does full 44 character dsname checking.
It is not straightforward, but well worth doing and getting correct.

Mike Wood - rmm expert and tape management & security consultant
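An added example, not part of the post above, on why full 44-character dsname checking matters: the HDR1 record of an IBM standard tape label stores only the rightmost 17 characters of the data set name, so different data sets can carry the same label value and the label alone cannot identify which one is being opened. The sketch below audits a list of tape data set names (for instance, exported from a tape management catalog) for such ambiguous label identifiers; the function names and the sample dsnames are constructed for illustration.

```python
from collections import defaultdict

LABEL_ID_LEN = 17    # width of the HDR1 data set identifier field
MAX_DSNAME_LEN = 44  # maximum z/OS data set name length


def label_id(dsname):
    """Return the data set identifier as it would appear in the HDR1 label:
    the rightmost 17 characters, blank-padded when the name is shorter."""
    name = dsname.strip().upper()
    if not 0 < len(name) <= MAX_DSNAME_LEN:
        raise ValueError(f"invalid dsname length: {dsname!r}")
    return name[-LABEL_ID_LEN:].ljust(LABEL_ID_LEN)


def ambiguous_label_ids(dsnames):
    """Group full dsnames by label identifier and return only the
    identifiers shared by two or more distinct data sets."""
    groups = defaultdict(set)
    for dsn in dsnames:
        groups[label_id(dsn)].add(dsn.strip().upper())
    return {lid: sorted(names) for lid, names in groups.items() if len(names) > 1}


# Constructed sample input (not taken from any real catalog).
SAMPLE_DSNAMES = [
    "PROD.PAYROLL.MASTER.BACKUP.G0001V00",
    "TEST.SCRATCH.MASTER.BACKUP.G0001V00",
    "PROD.LEDGER.ARCHIVE.Y2023",
    "SYS1.DUMP01",
]

if __name__ == "__main__":
    for lid, names in ambiguous_label_ids(SAMPLE_DSNAMES).items():
        print(f"label id {lid!r} is shared by:")
        for name in names:
            print(f"  {name}")
```

Any identifier this reports is one where an authorization decision based on the label value cannot tell the listed data sets apart, which is the gap that checking against the full 44-character name closes.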
