How does ACF2 GSO RESVOLS/SECVOLS Provide Data Set and DASD Volume Protection?


Article ID: 129185


Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 - z/OS, CA ACF2 - MISC

Issue/Introduction

How does ACF2 GSO RESVOLS/SECVOLS Provide Data Set Protection?

Environment

Component: ACF2MS

Resolution

CA-ACF2 allows a site to protect data sets at either a data set level or a volume level using standard data set access rules. This document discusses the mechanisms for setting up this protection environment. CA-ACF2 controls this data set protection scheme using various Global System Options (GSO) records based on where the data set resides (DASD or tape).

Protecting Data on DASD

If a data set resides on a DASD device, the RESVOLS and SECVOLS GSO records control how to perform the data set protection.

The first check is to compare the data set's volume to the volumes or volume masks specified in the RESVOLS record. If the DASD volume is defined in RESVOLS, no further volume checking is done and the access validation will be done at the data set level. This means that each data set on that specific volume requires an access rule entry to allow access to the data set and each data set high level index must have its own access rule.

If the DASD volume does not match any of the specifications in RESVOLS, CA-ACF2 next checks the SECVOLS record. If the DASD volume is defined in SECVOLS, the data is protected at the volume level. This means that a single access rule is written that controls access to all data on that volume. To validate the request, CA-ACF2 constructs a pseudo data set name. This pseudo data set name is in the format @volser.Volume or Volume.@volser, depending on the setting of the VOLRULE parameter in the GSO RULEOPTS record.

If the DASD device is not defined in either RESVOLS or SECVOLS, data on that device is unprotected. If CA-ACF2 detects an unprotected volume, it will call the Pseudo Data Set Name Generator exit (DSNGEN) if one is defined. The exit can specify how to validate access to the unprotected data set. If there is no exit, CA-ACF2 allows complete access to the data on the unprotected volume without checking any access rules.

Note: The default setting for RESVOLS is a single volume mask of all asterisks. If this setting is not altered, then all data on DASD devices is protected at the data set level. This is the suggested setting and the most secure control for data on DASD devices.

Protecting Data on Tape

If a data set resides on a tape device, the SECVOLS GSO record and the TAPEDSN parameter of the OPTS record control how to perform the data set protection.

The first check is to compare the data set's volume to the volumes or volume masks specified in the SECVOLS record. If the tape volume is defined in SECVOLS, no further checking is done and the data is protected at the volume level. This means that an access rule is written that controls access to all data on that volume. CA-ACF2 constructs a pseudo data set name as described above.

If the tape device is not defined in SECVOLS, CA-ACF2 will call the Pseudo Data Set Name Generator exit (DSNGEN) if one is defined. If the exit exists, it will specify how to validate access to the data set and the TAPEDSN setting is never checked.

If the tape data set's volume does not match any of the specifications in SECVOLS and no DSNGEN exit exists, CA-ACF2 next checks the OPTS record TAPEDSN parameter. If TAPEDSN is set on, access is controlled at the data set level. This means that each data set on that specific volume requires an access rule entry to allow access to the data set and each data set high level index must have its own access rule. If TAPEDSN is set off, the tape volume is unprotected and CA-ACF2 will allow access to the data without further validation.

Note: The default setting for SECVOLS is null, there is no DSNGEN exit, and TAPEDSN is set off. This means that tape devices are unprotected. It is suggested that TAPEDSN be set on while leaving the other options set to the defaults to protect all tape data sets at the data set level.
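The DASD and tape decision orders described above, modelled as an added illustration that is not ACF2 code or part of this article. The GSO record contents, volume serials and data set names are constructed samples, and the mask matching is a simplified version of ACF2 volume masking (a single '*' matches one character, a trailing run of '*' or a '-' matches the rest).

```python
# Added illustration: a simplified model of the ACF2 RESVOLS/SECVOLS decision.
# Not ACF2 code; GSO record contents below are constructed samples.
from dataclasses import dataclass, field


@dataclass
class Gso:
    resvols: list = field(default_factory=lambda: ["******"])  # ACF2 default: all DASD
    secvols: list = field(default_factory=list)                # ACF2 default: null
    volrule: bool = True        # RULEOPTS VOLRULE: @volser.VOLUME, else VOLUME.@volser
    tapedsn: bool = False       # OPTS TAPEDSN default: off
    dsngen_exit: bool = False   # whether a DSNGEN exit is installed


def vol_matches(mask: str, volser: str) -> bool:
    """Simplified ACF2 volume masking: '*' matches one character, a trailing
    run of '*' matches the rest of the volser, '-' matches any remainder."""
    mask, volser = mask.upper(), volser.upper()
    for i, m in enumerate(mask):
        if m == "-" or mask[i:] == "*" * (len(mask) - i):
            return True
        if i >= len(volser) or (m != "*" and m != volser[i]):
            return False
    return len(mask) == len(volser)


def pseudo_dsn(volser: str, gso: Gso) -> str:
    """Pseudo data set name used for volume-level validation."""
    return f"@{volser}.VOLUME" if gso.volrule else f"VOLUME.@{volser}"


def protection(dsn: str, volser: str, device: str, gso: Gso) -> tuple:
    """Return (level, name validated): level is 'dataset', 'volume',
    'exit' (DSNGEN decides) or 'unprotected', in the article's check order."""
    in_secvols = any(vol_matches(m, volser) for m in gso.secvols)
    if device == "DASD":
        if any(vol_matches(m, volser) for m in gso.resvols):
            return ("dataset", dsn)                 # rule needed per data set
        if in_secvols:
            return ("volume", pseudo_dsn(volser, gso))
        return ("exit", None) if gso.dsngen_exit else ("unprotected", None)
    # Tape: SECVOLS first, then the DSNGEN exit, then TAPEDSN.
    if in_secvols:
        return ("volume", pseudo_dsn(volser, gso))
    if gso.dsngen_exit:
        return ("exit", None)                       # TAPEDSN never consulted
    return ("dataset", dsn) if gso.tapedsn else ("unprotected", None)
```

With the shipped defaults, every DASD data set is validated by its own rule while every tape data set is unprotected, which is why the article recommends turning TAPEDSN on.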