DASDVOL Resource and @VOLSER.VOLUME/VOLUME.@VOLSER pseudo dataset names
search cancel

DASDVOL Resource and @VOLSER.VOLUME/VOLUME.@VOLSER pseudo dataset names

book

Article ID: 259171

calendar_today

Updated On:

Products

ACF2 - z/OS

Issue/Introduction

DASDVOL implemented for volume security. How is the resource class DASDVOL used versus ACF2 RESVOLS/SECVOLS dataset level versus volume level security?

Environment

Release : 16.0

Resolution

Resource class DASDVOL is controlled by a RACROUTE REQUEST=AUTH CLASS=DASDVOL. Note that the resource class of DASDVOL is actually validated as a pseudo dataset(dataset access rules) so the TYPE code(resource rule) does not matter. So any resoource volume rules for TYPE(SAF) or TYPE(DSD) would not be used. If your site is validating the RACROUTE REQUEST=AUTH CLASS=DASDVOL calls, based on your RULEOPTS NOVOLRULE setting(VOLUME PSEUDO DSN= @VOLSER.VOLUME) the volumes would be validated by data set access rules in the format of @VOLSER.VOLUME. By default ACF2 ignores this call:

DASDVOLA JOBNAME=********   USERID=********   PROGRAM=********   RB=********
         RETCODE=4          SAFDEF=INTERNAL   MODE=IGNORE        SUBSYS=ACF2
         FUNCRET=4          FUNCRSN=0                                       
                                                                            
         RACROUTE REQUEST=AUTH,CLASS='DASDVOL'                              

You can issue the ACF, SHOW SAFDEF to display the active SAFDEFs on your system and to verify how the RACROUTE REQUEST=AUTH CLASS=DASDVOL is processed. Sample JCL to issue the SHOW SAFDEF follows. The output can be reviewed, do a find for DASDVOL and check the SAFDEF MODE, MODE(IGNORE) indicates that the calls are ignored and there is no DASDVOL validations being done, MODE(GLOBAL) indicates that the calls are being validated so DASDVOL validations are being done.

//ACFBATCH EXEC PGM=ACFBATCH
//SYSOUT   DD SYSOUT=*      
//SYSPRINT DD SYSOUT=*      
//SYSIN  DD *               
SHOW SAFDEF                 
/*                          

Note: The DASDVOL  RACROUTE call with CLASS='DASDVOL' validations are typically only issued by specific events that require access to the volume at a volume level.  This includes utilities like AMASPZAP/IMASPZAP, FDR, ICKDSF, etc., that can do things using absolute track addressing and access that space regardless of dataset name, or when accessing the VTOC or VTOCINDEX directly. 

RESVOLS/SECVOLS notes

  1. The GSO SECVOLS record defines the DASD and tape volumes that ACF2 provides volume-level protection. Volume-level security checking provides protection to your DASD, mass storage, and tape volumes. By default, the RESVOLS parameter is set to '********', indicating security at the data set level. If you alter the default setting, you must specify each DASD volume to ensure that the data is secure.
  2. The GSO RESVOLS record defines DASD and mass storage volumes to provide protection at the data set name level.
    Volume access to data sets residing on a given volume presents an exposure. All DASD volumes are protected by default. 
  3. If you alter this RESVOLS default setting VOLMASK(-), you must specify each DASD volume in either RESVOLS or SECVOLS to ensure that the data is secured by either the dataset name level or the volume level.
  4. If you specify a DASD volume in both RESVOLS and SECVOLS, ACF2 ignores the SECVOLS entry.

 

Powered by Wolken Software