Security options (panel A.I.4.1)
DRPAS and FDRERASE, as a default, do not invoke any type of security on individual volumes or data sets. Since they do not open individual data sets, security checks are bypassed for operations unless you enable the ALLCALL security option documented below. By default, ALLCALL is disabled; however, FACILITY class security checks are always done.
Panel A.I.4.1 – Set FDR Global Security Options
By default, every data set moved by FDRMOVE invokes security checks from the z/OS system allocation and catalog functions. The user id that FDRMOVE is running must be authorized to create and update all selected data sets. The security system overhead may be significant if many data sets are involved. For this reason, the default security is not recommended and the use of the security STGADMIN profile for FDRMOVE is recommended (see below).
Set FDR Global Security Options – Panel A.I.4.1
ALLCALL
If set to YES, FDRPAS does SAF-compatible security checks for volumes to be swapped. ALLCALL is set to NO (disabled) by default.
ALLCALL causes an SAF call in the form of RACROUTE REQUEST=AUTH to be used for volume-level protection. For FDRPAS, the user must have authority in class DASDVOL to the volume serial number of the online volume being swapped. For a SWAP or SWAPBULIDIX operation, ALTER authority is required, while a SWAPDUMP operation requires READ authority. If the user does not have the appropriate authority, the operation is terminated.
If the DASDVOL profile is not defined for the volume, then FDRPAS checks for the appropriate authority to every data set on the volume, in the DATASET class. This can be time-consuming and may cause swap failures if the user does not have sufficient authority, so the ALLCALL option is not recommended unless the volumes to be swapped are protected by DASDVOL profiles.
FDRERASE does not issue any DASDVOL or DATASET security calls, since the volumes it is erasing are offline and may not have valid volume serials.
FDRPAS also issues SAF calls to verify that the user has at least READ authority to a resource in the FACILITY class. The resource names are:
FACILITY class “resource” | Usage |
|---|---|
FDRPAS.SWAP | All SWAP operations |
FDRPAS.SWAPDUMP | All SWAPDUMP operations |
FDRPAS.SWAPBUILDIX | All SWAPBUILDIX operations |
FDRERASE also issues SAF calls to verify that the user has at least READ authority to a resource in the FACILITY class. The resource names are:
FACILITY class “resource” | Usage |
|---|---|
FDRERASE.ERASE | All FDRERASE operations except SIMERASE |
FDRERASE.ERASEALL | If CHECKTARGET=NO is specified |
FDRERASE.ONLINE.VARYOFF | If ONLINE=VARYOFF is specified |
These FACILITY class resources allow your installation to restrict any or all FDRPAS or FDRERASE operations to certain users. These FACILITY checks are always done, even if ALLCALL is not enabled.
If your installation has not protected the appropriate resource name, the operation continues and any user can execute these functions. If you do not have an active security system, SAF indicates that the resource is not protected. However, if you protect all resources by default (such as the RACF PROTECTALL option), then you need to define these resources and authorize the appropriate users for READ access.
To reduce overhead for FDRPAS when ALLCALL is enabled, FDRPAS supports a security STGADMIN profile that allows FDRPAS to bypass security while moving DASD volumes. To invoke this support:
- Specify the STGADMIN operand on the SIMSWAP, SIMSWAPMON, SWAP, or SWAPDUMP statement, for example,
SWAP TYPE=DSF,STGADMIN, other operands.
- Authorize the user id under which FDRPAS runs to profile STGADMIN.ADR.STGADMIN.DUMP in class FACILITY (any authority, including READ is adequate). All known security systems support such profiles.
- If the user id is authorized to that profile, all security checks from all system components invoked by the FDRPAS job are bypassed. It does not affect any other jobs.
The advantages of STGADMIN are:
- Security overhead is reduced. The user id under which FDRPAS runs is authorized to move any data set, but has no authority to those data sets outside of FDRPAS. This may be a significant advantage if a third party contractor is running FDRPAS at your installation.
We recommend to use of the STGADMIN.ADR.STGADMIN.DUMP profile for all FDRPAS operations when ALLCALL is enabled.
To reduce overhead and better control security, FDRMOVE supports a security STGADMIN profile that allows FDRMOVE to bypass security while moving data sets. To invoke this support:
- Specify the STGADMIN operand on the MOVE or FASTMOVE statement, for example,
FASTMOVE TYPE=DSF,STGADMIN, other operands
- Authorize the user id under which FDRMOVE runs to profile STGADMIN.ADR.STGADMIN.MOVE in class FACILITY (any authority, including READ, is adequate). All known security systems support such profiles.
- If the user id is authorized to that profile, all security checks from all system components invoked by the FDRMOVE job are bypassed. It does not affect any other jobs.
The advantages of STGADMIN are:
- Security overhead is reduced. The user id under which FDRMOVE runs is authorized to move any data set, but has no authority to those data sets outside of FDRMOVE. This may be a significant advantage if a third party contractor is running FDRMOVE at your installation.
We recommend specifying the STGADMIN operand in FDRMOVE jobs to use the STGADMIN.ADR.STGADMIN.MOVE profile for all FDRMOVE operations.
NOABSTRK
NONEW
Not used with FDRPAS, FDRMOVE, and FDRERASE.