With the CA 1 11.5 PTFs RO10161, RO10164 and Common Tape System PTF RO10637, CATSEC has been eliminated. We currently have CATSEC=NO. How will this affect my environment after I apply the PTFs?
With the CA 1 11.5 PTFs RO10161, RO10164 and Common Tape System PTF RO10637 and higher, the CATSEC option has been removed and will process based on the OCEOV and FORNDSN settings. If OCEOV is NO, then CATSEC will process as if set to NO. If OCEOV is YES and FORNDSN is NONE, then CATSEC will process as if set to BYP. If OCEOV is YES or FORNDSN is not NONE, then CATSEC will process as if set to YES.
What the CATSEC option did was indicate if CA 1 should perform an external security calls whenever a tape file is being cataloged or uncataloged from the OS Catalog. This security check is similar to the one done by your external security system, but will be done even if the external security system is not active for tape data sets.
If you want to rely strictly on CA 1 to drive the external security calls, use CATSEC to cause CA 1 to issue security calls similar to those of an external security system. The difference (much like the difference with the CA 1 OCEOV option and standard external security checks) is in the processing of foreign volumes and non-existent tape files.
So if OCEOV=YES and FORNDSN=not NONE, then an external security call will be done whenever a tape file is being cataloged. Likewise, a security call will be made when a tape file is being uncataloged. However, if OCEOV=YES and FORNDSN=NONE, then the security call will be bypassed if the volume it is currently cataloged to is not defined in the TMC or if the volume is in scratch status. This way old catalog entries will be allowed to be removed without having to give the person special access to the user catalogs or define rules for data sets that no longer exist.
This change to remove CATSEC adds more protection because by having OCEOV=YES and FORNDSN=not NONE a check is made to verify if a person is allowed to create the tape but also to verify a person is authorized to catalog or uncatalog the dataset.