What type of protection does CA-1 offer for BLP processing?
Article ID: 64889

Products

CA 1 Flexible Storage

Issue/Introduction

How can I restrict the use of BLP processing for tapes?

Resolution

There are many ways to control the use of BLP. The first and oldest is JES itself. Here, BLP can be allowed or disallowed per job class (for batch jobs) and as a yes/no setting for started tasks or TSO sessions. There is no differentiation between users, and no distinction between input and output access. If BLP is allowed for started tasks, then all started tasks can use BLP. If BLP is allowed for job class "A", then any job running in class "A" is allowed to use BLP.

ACF2, Top Secret, and RACF each add another layer of BLP protection. Using these controls, you can limit which individual user may use BLP, and you can restrict that access to READ or WRITE. The ACF2 interface can go a step further and control access based on specific programs. Top Secret can have rules created based on volume serial numbers, with masking allowed. With RACF, you are limited to YES or NO for either READ or WRITE access. So, if a user needs READ access with BLP, they get READ access to ALL volumes with BLP.

The CA-1 external security interface provides another option and a better way to control BLP processing. Instead of an all-or-nothing approach, CA-1 allows for two sets of controls. One set controls who may request BLP access (and at what level of access) for in-house, or resident, tapes. The other set controls who may request BLP access (and at what level of access) for foreign, or non-resident, tapes. This way, you can have a fairly open policy regarding the use of BLP for foreign tapes (so that anyone can read a tape from another vendor or software provider) and still have a very tight set of rules controlling who may use BLP on your in-house (resident) tapes.

So with CA-1 you can control who has BLP read authority for in-house tapes and who has BLP write authority for in-house tapes SEPARATELY from who has BLP read or write authority for foreign tapes. This allows you to give system programmers the authority to use BLP on foreign tapes as part of their normal job functions WITHOUT having to give them BLP access to in-house tapes or "special" authority that allows them to bypass all normal checking.

This is accomplished by setting the CA-1 option "FUNC" to YES in the TMOOPT00 member of your CTAPOPTN data set. More information on this option and the related security rules can be found in the PROGRAMMING GUIDE.