DASDVOL Resource and @VOLSER.VOLUME/VOLUME.@VOLSER pseudo dataset names
search cancel

DASDVOL Resource and @VOLSER.VOLUME/VOLUME.@VOLSER pseudo dataset names


Article ID: 259171


Updated On:


ACF2 - z/OS


DASDVOL implemented for volume security. How is the resource class DASDVOL used versus ACF2 RESVOLS/SECVOLS dataset level versus volume level security?


Release : 16.0


Resource class DASDVOL is controlled by a RACROUTE REQUEST=AUTH CLASS=DASDVOL. Note that the resource class of DASDVOL is actually validated as a pseudo dataset(dataset access rules) so the TYPE code(resource rule) does not matter. So any resoource volume rules for TYPE(SAF) or TYPE(DSD) would not be used. If your site is validating the RACROUTE REQUEST=AUTH CLASS=DASDVOL calls, based on your RULEOPTS NOVOLRULE setting(VOLUME PSEUDO DSN= @VOLSER.VOLUME) the volumes would be validated by data set access rules in the format of @VOLSER.VOLUME. By default ACF2 ignores this call:

DASDVOLA JOBNAME=********   USERID=********   PROGRAM=********   RB=********
         FUNCRET=4          FUNCRSN=0                                       
         RACROUTE REQUEST=AUTH,CLASS='DASDVOL'                              

You can issue the ACF, SHOW SAFDEF to display the active SAFDEFs on your system and to verify how the RACROUTE REQUEST=AUTH CLASS=DASDVOL is processed. Sample JCL to issue the SHOW SAFDEF follows. The output can be reviewed, do a find for DASDVOL and check the SAFDEF MODE, MODE(IGNORE) indicates that the calls are ignored and there is no DASDVOL validations being done, MODE(GLOBAL) indicates that the calls are being validated so DASDVOL validations are being done.

//SYSOUT   DD SYSOUT=*      
//SYSIN  DD *               
SHOW SAFDEF                 

Note: The DASDVOL  RACROUTE call with CLASS='DASDVOL' validations are typically only issued by specific events that require access to the volume at a volume level.  This includes utilities like AMASPZAP/IMASPZAP, FDR, ICKDSF, etc., that can do things using absolute track addressing and access that space regardless of dataset name, or when accessing the VTOC or VTOCINDEX directly. 


  1. The GSO SECVOLS record defines the DASD and tape volumes that ACF2 provides volume-level protection. Volume-level security checking provides protection to your DASD, mass storage, and tape volumes. By default, the RESVOLS parameter is set to '********', indicating security at the data set level. If you alter the default setting, you must specify each DASD volume to ensure that the data is secure.
  2. The GSO RESVOLS record defines DASD and mass storage volumes to provide protection at the data set name level.
    Volume access to data sets residing on a given volume presents an exposure. All DASD volumes are protected by default. 
  3. If you alter this RESVOLS default setting VOLMASK(-), you must specify each DASD volume in either RESVOLS or SECVOLS to ensure that the data is secured by either the dataset name level or the volume level.
  4. If you specify a DASD volume in both RESVOLS and SECVOLS, ACF2 ignores the SECVOLS entry.