Control-M/Tape Security

This chapter describes the procedure used to implement the Control‑M/Tape security interface. It is recommended that you first review the explanations below on the elements that are protected in Control‑M/Tape and then proceed to the step-by-step instructions.

Protecting Control-M/Tape Elements

The Control‑M/Tape security interface protects the following Control‑M/Tape elements:

  • Invocation of the Control-M/Tape initialization.

  • Use of JCL parameter BLP and setting of JCL parameter EXPDT to 98000.

  • Update of the Media Database from the online environment, the real-time environment, or Control-M/Tape utilities.

  • Authority to dynamically define tape volumes and datasets in the real-time environment.

  • Authority to create and print tape labels in batch and online environments.

Invocation of the Control-M/Tape Initialization Process

Whenever a user attempts to invoke the Control‑M/Tape initialization process, the Control‑M/Tape initialization procedure invokes the CTTSE01 Control‑M/Tape security module to determine if the current user is allowed to activate Control‑M/Tape initialization.

This module is also activated for each rule that is loaded to the real-time environment.

Use of JCL Parameter BLP and Setting of JCL Parameter EXPDT to 98000

Whenever a user attempts to use JCL parameter BLP or to set JCL parameter EXPDT to 98000, the Control‑M/Tape SVC invokes the CTTSE03 Control‑M/Tape security module to determine if the current user is allowed to use/set these parameters in this way.

Media Database Updates

Whenever a user attempts to update the Media Database from the online environment (Inquire, Update, Check in), from the real-time environment (using Control‑M/Tape SVC), or from Control‑M/Tape utilities (for example, CTTVTM, CTTRTM), the CTTSE06 Control‑M/Tape security module is invoked to determine if the current user is allowed to perform the action.

Authority to Dynamically Define Tape Volumes and Datasets

Whenever a batch job requests that a tape volume or dataset be dynamically defined, Control‑M/Tape invokes the CTTSE04 Control‑M/Tape security module to determine if the user is allowed to perform the action requested. (For more information, see parameters DYNVOL and DYNBS in member CTTPARM.)

Authority to Create and Print Tape Labels

Whenever a user or batch job requests that a tape label be created and/or printed, Control‑M/Tape invokes the CTTSE09 Control‑M/Tape security module to determine if the user is allowed to perform the requested action.

Unauthorized access to the CTTTPI utility

The CTTTPI utility provides extensive facilities for protecting against the destruction of active volumes and for recovering information from files that have been partially overwritten.

The utility, which can be accessed only by authorized users, provides the following major functions:

  • Nondestructive Initialization (INITT)

  • Nondestructive Erasure (TAPERAS)

  • Media Information Mapping (TAPEMAP)

The utility can be used by authorized users only.

You can restrict usage of the CTTTPI utility to a specific started task or user ID. You can also restrict usage of specific CTTTPI utility functions to a specific user ID by protecting the following resource:

$IOAUTL.qname.CTTTPI.function

In the preceding resource name, function can be INITT, TAPEMAP, or TAPERAS.

Control-M/Tape Security Calls

The security calls made in each Control-M/Tape definition mode are listed in Control-M/Tape Basic Definition Security Calls (Table 73) and Control-M/Tape Extended Definition Security Calls (Table 74).

Control-M/Tape Basic Definition Security Calls

Table 73 Control‑M/Tape Basic Definition Security Calls

| Protected Element | Class and Entity Name | Explanation | Security Module |
|---|---|---|---|
| Controlling Media Database Updates from the Real-time Environment | | | |
| Controlling Control‑M/Tape Initialization | FACILITY $$CTTINI.qname | qname is the name used to assign different authorizations to various Control‑M/Tape environments (such as Test and Production). | CTTSE01 |
| BLP parameter is specified | FACILITY $$CTTBLP.qname.volser | This entity is not checked for Basic Definition mode unless TBLPCHK is set to YES. volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE03 |
| EXPDT parameter is set to 98000 | FACILITY $$CTTBYPASS.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE03 |
| Controlling access to dynamically define a dataset on a tape volume | FACILITY $$CTTMDBDEF.qname | | CTTSE04 |
| Controlling Media Database Updates from the Online Environment, the Real-time Environment, or Control‑M/Tape Utilities | | | |
| Requesting initialization in batch | FACILITY $$CTTVOL.qname | | CTTSE06 |
| Requesting bypass security | FACILITY $$CTTBYSEC.qname | | CTTSE06 |
| Performing volume checkout | FACILITY $$CTTVOL.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Returning a volume that was checked out | FACILITY $$CTTVOL.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Deleting a volume | FACILITY $$CTTVOL.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Unscratching a volume | FACILITY $$CTTVOL.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | |
| Selecting a volume | FACILITY $$CTTVOL.qname.extension | extension is the volume serial number or the dataset name, depending on the current request. | |
| Cleaning a volume | FACILITY $$CTTVOL.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Inserting a dataset record | DATASET dsname | dsname is the requested dataset name on the tape volume. | CTTSE06 |
| Inserting a volume record | FACILITY $$CTTVOL.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Updating a dataset record | DATASET dsname | dsname is the requested dataset name on the tape volume. | CTTSE06 |
| Updating a volume record | FACILITY $$CTTVOL.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Deleting a dataset record | DATASET dsname | dsname is the requested dataset name on the tape volume. | CTTSE06 |
| Deleting a volume record | FACILITY $$CTTVOL.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Selecting a dataset | DATASET dsname | dsname is the requested dataset name on the tape volume. | CTTSE06 |
| Selecting a volume dataset | FACILITY $$CTTVOL.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Causing a dataset to expire | DATASET dsname | dsname is the requested dataset name on the tape volume. | CTTSE06 |
| Extending the expiration date of a dataset | DATASET dsname | dsname is the requested dataset name on the tape volume. | CTTSE06 |
| Sending a volume to a specified vault | FACILITY $$CTTVOL.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Recalling a volume | FACILITY $$CTTVOL.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Displaying related volumes in the multivolume set to which this volume belongs | FACILITY $$CTTVOL.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Displaying Additional Dataset Information | DATASET dsname | dsname is the requested dataset name on the tape volume. | CTTSE06 |
| Displaying Additional Volume Information | FACILITY $$CTTADDINF.qname.extension | extension is the volume serial number or the dataset name, depending on the current request. | CTTSE06 |
| Unscratching a Volume | FACILITY $$CTTUNSCR.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Create and print tape label | FACILITY $$CTTPRLAB.qname | | CTTSE09 |

Control-M/Tape Extended Definition Security Calls

Table 74 Control‑M/Tape Extended Definition Security Calls

| Protected Element | Class and Entity Name | Explanation | Security Module |
|---|---|---|---|
| Controlling Media Database Updates from the Real-time Environment | | | |
| BLP parameter is specified | FACILITY $$CTTBLP.qname.volser | This entity is checked in Extended Definition mode; in Basic Definition mode it is checked only if TBLPCHK is set to YES. volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE03 |
| Controlling Control‑M/Tape Initialization | FACILITY $$CTTINI.qname | qname is the name used to assign different authorizations to various Control‑M/Tape environments (such as Test and Production). | CTTSE01 |
| EXPDT parameter is set to 98000 | FACILITY $$CTTBYPASS.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE03 |
| Controlling access to dynamically define a tape volume | FACILITY $$CTTVOLDEF.qname.volser | volser is the volume serial number of the requested tape volume. | CTTSE04 |
| Controlling access to dynamically define a tape volume | FACILITY $$CTTVOLDEF.qname.volser.dsn | volser is the volume serial number of the requested tape volume, and dsn is the requested dataset name of the tape volume. | CTTSE04 |
| Controlling Media Database Updates from the Online Environment, the Real-time Environment, or Control‑M/Tape Utilities | | | |
| Requesting initialization in batch | FACILITY $$CTTINIT.qname | | CTTSE06 |
| Requesting bypass security | FACILITY $$CTTBYSEC.qname | | CTTSE06 |
| Performing volume checkout | FACILITY $$CTTCHKOUT.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Returning a volume that was checked out | FACILITY $$CTTBACKLB.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Deleting a volume | FACILITY $$CTTDELVOL.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Unscratching a volume | FACILITY $$CTTUNSCR.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Selecting a volume | FACILITY $$CTTSELECT.qname.extension | extension is the volume serial number or the dataset name, depending on the current request. | CTTSE06 |
| Selecting a dataset | FACILITY $$CTTSELECT.qname.dsname | | |
| Cleaning a volume | FACILITY $$CTTCLNVOL.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Inserting a dataset record | FACILITY $$CTTRECINS.qname.dsname | dsname is the requested dataset name on the tape volume. | CTTSE06 |
| Inserting a volume record | FACILITY $$CTTRECINS.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Updating a dataset record | FACILITY $$CTTRECUPD.qname.dsname | dsname is the requested dataset name on the tape volume. | CTTSE06 |
| Updating a volume record | FACILITY $$CTTRECUPD.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Deleting a dataset record | FACILITY $$CTTRECDEL.qname.dsname | dsname is the requested dataset name on the tape volume. | CTTSE06 |
| Deleting a volume record | FACILITY $$CTTRECDEL.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Selecting a dataset | FACILITY $$CTTSELECT.qname.dsname | dsname is the requested dataset name on the tape volume. | CTTSE06 |
| Selecting a volume | FACILITY $$CTTSELECT.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Causing a dataset to expire | FACILITY $$CTTEXPIRE.qname.dsname | dsname is the requested dataset name on the volume. | CTTSE06 |
| Causing a volume to expire | FACILITY $$CTTEXPIRE.qname.volser | volser is the requested volume serial number of the volume. | CTTSE06 |
| Extending expiration date of a dataset | FACILITY $$CTTEXTEND.qname.dsname | dsname is the requested dataset name on the volume. | CTTSE06 |
| Extending expiration date of a volume | FACILITY $$CTTEXTEND.qname.volser | volser is the requested volume serial number of the volume. | CTTSE06 |
| Sending a volume to a specified vault | FACILITY $$CTTVAULT.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Recalling a volume | FACILITY $$CTTRECALL.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Displaying related volumes in the multivolume set to which this volume belongs | FACILITY $$CTTGROUP.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Displaying Additional Dataset Information | FACILITY $$CTTADDINF.qname.dsname | dsname is the requested dataset name on the tape volume. | CTTSE06 |
| Displaying Additional Volume Information | FACILITY $$CTTADDINF.qname.extension | extension is the volume serial number or the dataset name, depending on the current request. | CTTSE06 |
| Unscratching a volume | FACILITY $$CTTUNSCR.qname.volser | volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation. | CTTSE06 |
| Create and print tape label | FACILITY $$CTTPRLAB.qname | | CTTSE09 |

Implementing Control-M/Tape Security

This section details the steps required to implement the Control‑M/Tape security interface.

The Control-M/Tape security interface can be installed either as part of the customized installation path, or during the Customization process after installation. Both options use the INCONTROL Installation and Customization Engine (ICE) application. If you are not familiar with the ICE interface, see the INCONTROL for z/OS Installation Guide: Installing.

Do not proceed with Control‑M/Tape security implementation until IOA security is implemented.

To install the Control-M/Tape security interface

  1. Enter the main ICE screen.

  2. Select Customization.

  3. Enter CTT in the Product field.

  4. Select Security Customization.

  5. Perform all major and minor steps required to install the security product.

Step 1. Implement Control-M/Tape Security

Follow the steps below to implement Control‑M/Tape security.

Step 1.1 Grant Access Permissions

Collect the data you need to define the INCONTROL entities and user authorizations to the security product.

In ICE, run the steps "Control‑M/Tape Security Definitions (Sample)" and "Functions Security Definitions (Sample)" to create two sample jobs.

Step 1.2 Customize Security Parameters

Table 75 Control-M/Tape Security Parameters

Parameter

Description

DEFMCHKT

When the definition mode of any Control‑M/Tape security module is set to COND, the value of this parameter, together with qname, forms the high-level qualifier of the entity that is checked to determine the actual definition mode to use.

DSNCSE03

This parameter determines whether to perform a dataset authorization check in the CTTSE03 security module. Valid values are:

  • YES — Perform dataset authorization check. Default

  • NO — Do not perform dataset authorization check

DSNCSE06

This parameter determines whether to perform a dataset authorization check in the CTTSE06 security module. Valid values are:

  • YES — Perform dataset authorization check. Default

  • NO — Do not perform dataset authorization check

SECTOLT

This parameter determines the action to perform if your security product is inactive or a specific resource is not defined to the security product. Valid values are:

  • YES — Perform the action

  • NO — Do not perform the action

TBLPCHK

This parameter determines whether the BLP parameter is checked when using Basic Definition mode. Valid values are:

  • YES — Check parameter BLP in Basic Definition mode

  • NO — Do not check parameter BLP in Basic Definition mode. Default

TRULCHK

During rule loading by CTTINIT, this parameter determines whether the CTTSE01 module checks if the dataset names or masks specified in the ON DATASET statement can be used by the owner of the rule.

Valid values are:

  • YES — Perform an ON DATASET authority check during rule loading.

  • NO — Do not perform an ON DATASET authority check during rule loading. Default.

This check cannot be performed for rules with ON DATASET set to *, because it is impossible to verify if the owner of the rule is allowed to use any dataset in the site. Instead, the GRANTTB table in the CTTSE01 source member lists all the rules that can use this dataset masking.

TCHKINVL

During the CHECK-IN process, check VOLSER or SLNAME.

Table 76 Mode Parameters

Parameter

Description

Mode Definition

Specify one of the following values to determine the definition mode for the Control‑M/Tape security modules:

  • COND—Conditional Definition mode. Default.

  • BASIC—Basic Definition mode.

  • EXTEND—Extended Definition mode.

DFMT01

Definition mode for Control‑M/Tape security module CTTSE01.

DFMT03

Definition mode for Control‑M/Tape security module CTTSE03.

DFMT04

Definition mode for Control‑M/Tape security module CTTSE04.

DFMT06

Definition mode for Control‑M/Tape security module CTTSE06.

DFMT09

Definition mode for Control‑M/Tape security module CTTSE09.

Step 1.3 Save Security Parameters into Product

This step saves all the security parameters specified for Control‑M/Tape. When this step completes, the Status column is automatically updated to COMPLETE.

Step 2. RACF Security Definition Samples

Step 2.1 Control-M/Tape Security Definitions (optional)

Select this step to edit the CTTSRAC2 member in the IOA INSTWORK library.

Perform the following steps to define the required permissions.

  1. Associate users with Extended Definition Mode.

    1. To define the entity $$CTTEDM.qname, use the following command:

      RDEFINE FACILITY $$CTTEDM.qname UACC(NONE)
    2. To authorize USERA to Extended Definition mode, use the following command:

      PERMIT $$CTTEDM.qname ID(USERA) CLASS(FACILITY) ACCESS(READ)
    3. Submit the job for execution.

      This job must be run under an administrator user ID who has authorization to enter these commands.

    4. Scan the output of the job for information and error messages produced. All job steps must end with a condition code of 0.

  2. Define entities and user authorizations.

    For information about entities and user authorizations, see Control-M/Tape Basic Definition Security Calls and Control-M/Tape Extended Definition Security Calls.

    Example

    To authorize USERA access to a given Control-M/Tape entity, use the following command:

    PERMIT $$CTTnnn.qname CLASS(FACILITY) ID(USERA) ACCESS(READ)

    where CTTnnn is the name of the Control-M/Tape entity to be accessed.

    All entity names for each Control-M/Tape protected element appear in Control-M/Tape Basic Definition Security Calls for Basic Definition mode and Control-M/Tape Extended Definition Security Calls for Extended Definition mode.
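
As an added check (not part of BMC's CTTSRAC2 or CTTSRAC3 sample members), the Python script below audits the RACF commands of a definitions job for settings that silently weaken the $$CTT... FACILITY profiles: a PERMIT without CLASS(FACILITY), which RACF applies to the DATASET class, a UACC other than NONE, WARNING mode, and access levels above the READ that Control-M/Tape checks. The job text is constructed for this illustration.

```python
"""Audit of the RACF commands in a Control-M/Tape security definitions job.

Added check, not part of BMC's CTTSRAC2/CTTSRAC3 sample members. It scans the
TSO RACF commands in a job and flags settings that silently weaken the $$CTT...
FACILITY profiles. RACF behaviour relied on: PERMIT without CLASS() acts on the
DATASET class; an omitted UACC defaults to NONE and an omitted ACCESS to READ;
WARNING mode records violations but lets the access proceed.
"""
import re

OPERAND = re.compile(r"([A-Za-z]+)\(([^)]*)\)")


def parse_command(line):
    """Split 'VERB positional... KEY(value)...' into (verb, positionals, {KEY: value})."""
    operands = {k.upper(): v.strip() for k, v in OPERAND.findall(line)}
    positional = OPERAND.sub("", line).split()
    verb = positional[0].upper() if positional else ""
    return verb, positional[1:], operands


def audit_job(lines):
    """Return (line_number, code, message) findings for the RACF commands in a job."""
    findings = []
    defined = set()  # (class, profile) pairs RDEFINEd earlier in this job
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("//") or line == "/*":
            continue  # JCL statements and the SYSTSIN delimiter are not RACF commands
        verb, pos, ops = parse_command(line)
        if verb == "RDEFINE" and len(pos) >= 2:
            cls, profile = pos[0].upper(), pos[1]
            defined.add((cls, profile))
            uacc = ops.get("UACC", "NONE").upper()
            if profile.startswith("$$CTT") and uacc != "NONE":
                findings.append((no, "UACC", f"{profile}: UACC({uacc}) grants every user {uacc}; use UACC(NONE) and PERMIT named IDs"))
            if any(p.upper() == "WARNING" for p in pos):
                findings.append((no, "WARNING", f"{profile}: WARNING mode logs but does not deny; $$CTT entities must enforce"))
        elif verb == "PERMIT" and pos:
            profile = pos[0]
            cls = ops.get("CLASS", "DATASET").upper()
            if "CLASS" not in ops and profile.startswith("$$CTT"):
                findings.append((no, "NOCLASS", f"{profile}: PERMIT without CLASS() is applied to the DATASET class; add CLASS(FACILITY)"))
            elif (cls, profile) not in defined:
                findings.append((no, "NODEF", f"{profile}: not RDEFINEd in class {cls} in this job; confirm the profile already exists"))
            access = ops.get("ACCESS", "READ").upper()
            if profile.startswith("$$CTT") and access not in ("NONE", "READ"):
                findings.append((no, "ACCESS", f"{profile}: Control-M/Tape checks for READ; ACCESS({access}) is broader than needed"))
    return findings


# Constructed sample job; qname PROD and USERA are placeholders, the mistakes are deliberate.
SAMPLE_JOB = """\
//CTTSRAC2 JOB (ACCT),'CTT SECURITY',CLASS=A
//RACF     EXEC PGM=IKJEFT01
//SYSTSIN  DD *
 RDEFINE FACILITY $$CTTEDM.PROD UACC(NONE)
 PERMIT $$CTTEDM.PROD ID(USERA) CLASS(FACILITY) ACCESS(READ)
 RDEFINE FACILITY $$CTTINI.PROD UACC(NONE)
 PERMIT $$CTTINI.PROD ID(USERA) CLASS(FACILITY) ACCESS(READ)
 RDEFINE FACILITY $$CTTBLP.PROD.* UACC(NONE)
 PERMIT $$CTTBLP.PROD.* ID(USERA) ACCESS(READ)
 RDEFINE FACILITY $$CTTBYSEC.PROD UACC(READ)
 PERMIT $$CTTVOL.PROD.* ID(USERA) CLASS(FACILITY) ACCESS(ALTER)
 RDEFINE FACILITY $$CTTPRLAB.PROD UACC(NONE) WARNING
/*
"""


if __name__ == "__main__":
    for no, code, message in audit_job(SAMPLE_JOB.splitlines()):
        print(f"line {no:2} {code:8} {message}")
```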

Step 2.2 Functions Security Definitions (Optional)

Select this step to edit the CTTSRAC3 member in the IOA INSTWORK library. This member contains definition samples for the various Control‑M/Tape entities. Modify the definitions according to the requirements of the site and submit the job.

Step 2.3 Control Program Access to Datasets (Optional)

Select this step to edit the CTTSRAC4 member in the IOA INSTWORK library. This member contains a sample of the definitions required to define Program Pathing access authorizations to Control‑M/Tape datasets. Review the definitions and modify to meet the requirements of your site.

WARNING: BMC recommends that the security administrator first read Limiting Access to Specific Programs.

Step 3. TopSecret Security Definition Samples

Step 3.1 Control-M/Tape Security Definitions (Optional)

Select this step to edit the CTTSTSS2 member in the IOA INSTWORK library.

  1. Define entities and user authorizations to TopSecret.

    For information about how to define Control-M/Tape entities and user authorizations to TopSecret, see Control-M/Tape Basic Definition Security Calls and Control-M/Tape Extended Definition Security Calls.

    1. Add the following command to add the resources to TopSecret:

      TSS ADD(sec-administrator-dept) IBMFAC($$CTT)

      Set the sec-administrator-dept parameter to the appropriate value.

      All entity names for each Control-M/Tape protected element appear in Control-M/Tape Basic Definition Security Calls for Basic Definition mode and Control-M/Tape Extended Definition Security Calls for Extended Definition mode.

  2. Associate users with Extended Definition Modes.

    Authorizations to access Control-M/Tape datasets are defined during the Control-M/Tape installation process. This step must be completed before proceeding with security implementation. For details on how to grant users access to Control-M/Tape datasets, see the INCONTROL for z/OS Installation Guide: Installing.

    1. Add the following TopSecret commands to define the $$CTTEDM entity to TopSecret, and authorize users to this entity:

      TSS PERMIT(USERA) IBMFAC($$CTTEDM.qname) ACC(READ)

      Set the USERA parameter to the user ID of the Control-M/Tape installer.

      Do not define the $$CTTEDM entity to operate in warning mode since this causes all users to operate in Extended Definition mode.

  3. Authorize the Control-M/Tape installer to use Control-M/Tape facilities.

    1. Customize the following command to authorize USERA to Control-M/Tape facilities:

      TSS PERMIT(USERA) IBMFAC($$CTT) ACC(READ)

      Set the USERA parameter to the user ID of the Control-M/Tape installer.

  4. Submit the job.

    This job must be run under the ACID of the general security administrator (SCA) who is authorized to enter these TopSecret commands.

    All job steps must end with a condition code of 0.

Step 3.2 Functions Security Definitions (Optional)

Select this step to edit the CTTSTSS3 member in the IOA INSTWORK library. This member contains definition samples for the various Control‑M/Tape entities. Modify the definitions according to the requirements of the site and submit the job.

Step 3.3 Control Program Access to Datasets (Optional)

Select this step to edit the CTTSTSS4 member in the IOA INSTWORK library. This member contains a sample of the definitions required to define Program Pathing access authorizations to Control‑M/Tape datasets. Review the definitions and modify to meet the requirements of your site.

WARNING: BMC recommends that the security administrator first read Limiting Access to Specific Programs.

Step 4. ACF2 Security Definition Samples

Step 4.1 Control-M/Tape Security Definitions (Optional)

Select this step to edit the CTTSSAF2 member in the IOA INSTWORK library.

Perform the following steps to define the required permissions.

  1. Associate users with Extended Definition Mode.

    1. Edit the CTTSSAF2 member in the IOA INSTWORK library.

    2. Define entity $$CTTEDM.qname to ACF2/SAF and authorize users to use this entity using the following commands:

      SET RESOURCE(CMF)
      COMP
      $KEY($$CTTEDM.qname) TYPE(CMF)
      UID(USERA) ALLOW
  2. Define entities and user authorizations to CA-ACF2/SAF.

    For information about entities and user authorizations, see Control-M/Tape Basic Definition Security Calls, and Control-M/Tape Extended Definition Security Calls.

    Example

    To authorize USERA (the user ID of the Control-M/Tape installer) to access a given Control-M/Tape entity, use the following command:

    SET RESOURCE(CMF)
    COMP
    $KEY($$CTTnnn.qname) TYPE(CMF)
    UID(USERA) ALLOW

    where qname is the name used to assign different authorizations to various Control-M/Tape environments (such as Test and Production). This parameter is specified during IOA installation.

    Set the USERA parameter to the UID string of the Control-M/Tape installer.

    All entity names for each Control-M/Tape protected element appear in Control-M/Tape Basic Definition Security Calls for Basic Definition mode and in Control-M/Tape Extended Definition Security Calls for Extended Definition mode.

  3. Submit the job for execution.

    This job must be run under the user ID of an ACF2 administrator who has authorization to enter these ACF2 commands.

    Scan the output of the job for information and error messages produced by ACF2/SAF. All job steps must end with a condition code of 0.

Step 4.2 Functions Security Definitions (Optional)

Select this step to edit the CTTSSAF3 member in the IOA INSTWORK library. This member contains definition samples for the various Control‑M/Tape entities. Modify the definitions according to the requirements of the site and submit the job.

Step 4.3 Control Program Access to Datasets (Optional)

Select this step to edit the CTTSSAF4 member in the IOA INSTWORK library. This member contains a sample of the definitions required to define Program Pathing access authorizations to Control‑M/Tape datasets. Review the definitions and modify to meet the requirements of your site.

WARNING: BMC recommends that the security administrator first read Limiting Access to Specific Programs.

Control-M/Tape Security Interface Modules

This section describes the Control‑M/Tape security interface modules.

Module CTTSE01

The CTTSE01 module is the security module of Control‑M/Tape Exit CTTX001. This module verifies that the user is authorized to activate the Control‑M/Tape initialization process.

The CLASS checked is FACILITY unless otherwise specified.

RACF Security

The entity used to check authorization is $$CTTINI.qname. The access level used to check this authorization is READ.

The following commands authorize USERA to activate the Control‑M/Tape initialization process:

RDEFINE FACILITY $$CTTINI.qname UACC(NONE)
PERMIT $$CTTINI.qname ID(USERA) CLASS(FACILITY) ACCESS(READ)

TopSecret Security

The entity used to check authorization is: $$CTTINI.qname.

The access level used to check this authorization is READ.

The following sample commands authorize USERA to activate the Control‑M/Tape initialization process:

TSS ADD(sec-administrator-dept) IBMFAC($$CTTINI.qname)
TSS PERMIT(USERA) IBMFAC($$CTTINI.qname) ACC(READ)

ACF2/SAF Security

The entity used to check authorization is $$CTTINI.qname. The access level used to check this authorization is READ.

The following sample ACF2 commands authorize USERA to activate the Control‑M/Tape initialization process:

SET RESOURCE(CMF)
COMP
$KEY($$CTTINI.qname) TYPE(CMF)
 UID(USERA) ALLOW

Module CTTSE03

The CTTSE03 module is the security module of Control‑M/Tape Exit CTTX003. This module verifies that the user is authorized to use JCL parameter BLP and to set JCL parameter EXPDT to 98000.

Basic Definition Mode

The entity used to check authorization depends on the value of parameter TBLPCHK in the security interface program. The following flag values are used:

  • NO—Do not check parameter BLP in Basic Definition mode. Default.

  • YES—Check parameter BLP in Basic Definition mode.

The CLASS checked is FACILITY. The entity used to check authorization is:

Table 77 CTTSE03 Basic Definition Authorization Entities

| Entity | Use |
|---|---|
| $$CTTBLP.qname.volser | For parameter BLP (when TBLPCHK is set to YES). |
| $$CTTBYPASS.qname.volser | For parameter EXPDT when set to 98000. |

where volser is the volume serial number of the requested tape volume of a single volume file or the first volume of a multivolume file.

MVS/SAF always checks the usage of the BLP parameter using a class of FACILITY and an entity of ICHBLP.

Extended Definition Mode

The CLASS checked is FACILITY. The entity used to check authorization is:

Table 78 CTTSE03 Extended Definition Authorization Entities

| Entity | Use |
|---|---|
| $$CTTBLP.qname.volser | For parameter BLP. |
| $$CTTBYPASS.qname.volser | For parameter EXPDT when set to 98000. |

where:

volser: Volume serial number of the requested tape volume of a single volume file or the first volume of a multivolume file.

The commands listed below permit USERA to use JCL parameter BLP and to set JCL parameter EXPDT to 98000 for any tape volume.

For RACF:

RDEFINE FACILITY $$CTTBLP.qname.* UACC(NONE)
RDEFINE FACILITY $$CTTBYPASS.qname.* UACC(NONE)
PERMIT $$CTTBLP.qname.* ID(USERA) CLASS(FACILITY) ACCESS(READ)
PERMIT $$CTTBYPASS.qname.* ID(USERA) CLASS(FACILITY) ACCESS(READ)

For TopSecret:

TSS ADD(sec-administrator-dept) IBMFAC($$CTTBLP.qname)
TSS ADD(sec-administrator-dept) IBMFAC($$CTTBYPASS.qname)
TSS PERMIT(USERA) IBMFAC($$CTTBLP.qname) ACC(READ)
TSS PERMIT(USERA) IBMFAC($$CTTBYPASS.qname) ACC(READ)

For ACF2/SAF:

SET RESOURCE(CMF)
COMP
$KEY($$CTTBLP.qname.************************) TYPE(CMF)
 UID(USERA) ALLOW
$KEY($$CTTBYPASS.qname.*********************) TYPE(CMF)
 UID(USERA) ALLOW
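
As an added illustration (not BMC's CTTSE03 source), the Python model below walks through the decision this section describes using the parameters from Tables 75 and 76: the per-user Extended/Basic mode resolution when DFMT03 is COND, the TBLPCHK rule for BLP in Basic mode, and the fail-open effect of SECTOLT set to YES. The security product is a constructed in-memory profile table; it is assumed that the COND-mode entity is $$CTTEDM.qname (DEFMCHKT default assumed) and generic matching is simplified to a trailing ".*" standing for one qualifier.

```python
"""Model of the CTTSE03 decision for JCL BLP and EXPDT=98000 requests.

Added illustration, not BMC's CTTSE03 source. The site's security product
(RACF, TopSecret or ACF2) is replaced by a constructed in-memory profile table.
Assumptions: in COND mode the entity DEFMCHKT.qname is checked, with DEFMCHKT
assumed to default to $$CTTEDM; a profile ending in ".*" matches exactly one
generic qualifier (a simplification of real generic-profile matching).
"""
from dataclasses import dataclass, field


@dataclass
class SecurityProduct:
    """Constructed stand-in for the security product: 'CLASS:profile' -> user IDs holding READ."""
    profiles: dict = field(default_factory=dict)
    active: bool = True

    def check(self, cls, entity, user):
        """Return 'ALLOW', 'DENY', or 'UNDEFINED' (product inactive or no profile covers the entity)."""
        if not self.active:
            return "UNDEFINED"
        exact = self.profiles.get(f"{cls}:{entity}")
        if exact is not None:
            return "ALLOW" if user in exact else "DENY"
        for key, users in self.profiles.items():
            kcls, prof = key.split(":", 1)
            if (kcls == cls and prof.endswith(".*") and entity.startswith(prof[:-1])
                    and "." not in entity[len(prof) - 1:]):
                return "ALLOW" if user in users else "DENY"
        return "UNDEFINED"


@dataclass
class Cttse03Params:
    """Security parameters from Tables 75 and 76 that drive CTTSE03."""
    qname: str                   # environment qualifier, e.g. Test or Production
    dfmt03: str = "COND"         # COND | BASIC | EXTEND
    defmchkt: str = "$$CTTEDM"   # prefix of the Extended-mode entity (assumed default)
    tblpchk: str = "NO"          # YES: also check BLP in Basic Definition mode
    sectolt: str = "NO"          # YES: allow when product inactive or resource undefined


def resolve_mode(params, product, user):
    """DFMT03 fixes the mode; COND derives it per user from READ on DEFMCHKT.qname."""
    if params.dfmt03 in ("BASIC", "EXTEND"):
        return params.dfmt03
    edm_entity = f"{params.defmchkt}.{params.qname}"
    return "EXTEND" if product.check("FACILITY", edm_entity, user) == "ALLOW" else "BASIC"


def entity_for_request(params, mode, request, volser):
    """Tables 77 and 78: the FACILITY entity CTTSE03 checks, or None when it performs no check."""
    if not 1 <= len(volser) <= 6:
        raise ValueError(f"volser {volser!r} must be 1 to 6 characters")
    if request == "EXPDT98000":
        return f"$$CTTBYPASS.{params.qname}.{volser}"
    if request == "BLP":
        if mode == "BASIC" and params.tblpchk != "YES":
            return None  # Basic mode skips $$CTTBLP unless TBLPCHK=YES; only SAF's ICHBLP check remains
        return f"$$CTTBLP.{params.qname}.{volser}"
    raise ValueError(f"unknown request {request!r}")


def cttse03_decision(params, product, user, request, volser):
    """Return (result, mode, entity); result is ALLOW, DENY or NOT_CHECKED."""
    mode = resolve_mode(params, product, user)
    entity = entity_for_request(params, mode, request, volser)
    if entity is None:
        return "NOT_CHECKED", mode, None
    result = product.check("FACILITY", entity, user)
    if result == "UNDEFINED":
        # SECTOLT=YES fails open and SECTOLT=NO fails closed when the product cannot answer.
        result = "ALLOW" if params.sectolt == "YES" else "DENY"
    return result, mode, entity


def demo():
    """Constructed PROD environment: USERA runs in Extended mode and may use BLP on TAPE01 only."""
    product = SecurityProduct(profiles={
        "FACILITY:$$CTTEDM.PROD": {"USERA"},
        "FACILITY:$$CTTBLP.PROD.TAPE01": {"USERA"},
        "FACILITY:$$CTTBYPASS.PROD.*": set(),  # EXPDT=98000 defined but permitted to nobody
    })
    cond = Cttse03Params(qname="PROD")
    out = {
        "usera_blp_tape01": cttse03_decision(cond, product, "USERA", "BLP", "TAPE01"),
        "usera_blp_tape02": cttse03_decision(cond, product, "USERA", "BLP", "TAPE02"),
        "usera_expdt": cttse03_decision(cond, product, "USERA", "EXPDT98000", "TAPE01"),
        "userb_blp": cttse03_decision(cond, product, "USERB", "BLP", "TAPE01"),
    }
    strict = Cttse03Params(qname="PROD", tblpchk="YES")
    out["userb_blp_tblpchk"] = cttse03_decision(strict, product, "USERB", "BLP", "TAPE01")
    tolerant = Cttse03Params(qname="PROD", sectolt="YES")
    out["usera_blp_tape02_sectolt"] = cttse03_decision(tolerant, product, "USERA", "BLP", "TAPE02")
    product.active = False  # security product down: SECTOLT=YES lets everything through
    out["product_down_sectolt"] = cttse03_decision(tolerant, product, "USERB", "EXPDT98000", "TAPE01")
    product.active = True
    return out


if __name__ == "__main__":
    for name, (result, mode, entity) in demo().items():
        print(f"{name:26} {mode:6} {result:11} {entity}")
```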

Module CTTSE04

The CTTSE04 module is the security module of Control‑M/Tape Exit CTTX004. This module verifies that the user is authorized to dynamically define tape volumes and datasets in the Control‑M/Tape Media database.

Basic Definition Mode

The CLASS checked is FACILITY. The entity is $$CTTMDBDEF.qname.

The following commands authorize USERA to dynamically define tape volumes and datasets in the Control‑M/Tape Media database:

For RACF:

RDEFINE FACILITY $$CTTMDBDEF.qname UACC(NONE)
PERMIT $$CTTMDBDEF.qname ID(USERA) CLASS(FACILITY) ACCESS(READ)

For TopSecret:

TSS ADD(sec-administrator-dept) IBMFAC($$CTTMDBDEF.qname)
TSS PERMIT(USERA) IBMFAC($$CTTMDBDEF.qname) ACC(READ)

For ACF2/SAF:

SET RESOURCE(CMF)
COMP
$KEY($$CTTMDBDEF.qname) TYPE(CMF)
 UID(USERA) ALLOW

Extended Definition Mode

The CLASS checked is FACILITY. The entity used to check authorization depends on the user’s request.

For volume definition: $$CTTVOLDEF.qname.volser

For dataset definition: $$CTTVOLDEF.qname.volser.dataset‑name

where volser is the volume serial number of the requested tape volume, and dataset-name is the requested dataset name on the tape volume.

The following sample commands authorize USERA to dynamically define datasets on the TAPE01 tape volume in the Control‑M/Tape database:

For RACF:

RDEFINE FACILITY $$CTTVOLDEF.qname.TAPE01.* UACC(NONE)
PERMIT $$CTTVOLDEF.qname.TAPE01.* ID(USERA) CLASS(FACILITY) ACCESS(READ)

For TopSecret:

TSS ADD(sec-administrator-dept) IBMFAC($$CTTVOLDEF.qname.TAPE01)
TSS PERMIT(USERA) IBMFAC($$CTTVOLDEF.qname.TAPE01) ACC(READ)

For ACF2/SAF:

SET RESOURCE(CMF)
COMP
$KEY($$CTTVOLDEF.qname.TAPE01***************) TYPE(CMF)
 UID(USERA) ALLOW

Module CTTSE06

The CTTSE06 module is the security module of Control‑M/Tape Exit CTTX006. This module verifies that the user is authorized to update the Media Database from the online environment (Inquire, Update, Check In), from the real-time environment (using Control‑M/Tape SVC), or from Control‑M/Tape utilities (for example, CTTVTM, CTTRTM).

When this module is invoked, a preliminary check is performed using a function called MDBOPEN. This function checks the user’s access to the Control‑M/Tape Media Database data component, index component, and trace component files.

If the user has update authority to these datasets, the Media Database components are opened for update and the user is allowed to perform actions on them. If update authority is denied, the datasets are opened for READ-only access, so the user can inquire but not change anything.

Basic Definition Mode

The entity used to check authorization depends on the user’s request.

For dataset operations:

CLASS checked is DATASET. The entity is the dataset name of the requested tape file.

For volume operations:

CLASS checked is FACILITY. The entity is $$CTTVOL.qname.volser

where volser is the volume serial number of the requested tape volume of a single volume operation, or the first volume of a multivolume operation.

The following commands permit USERA to perform any volume operation from the Inquire or Update screen in Basic Definition mode:

For RACF:

RDEFINE FACILITY $$CTTVOL.qname.* UACC(NONE)
PERMIT $$CTTVOL.qname.* ID(USERA) CLASS(FACILITY) ACCESS(READ)

For TopSecret:

TSS ADD(sec-administrator-dept) IBMFAC($$CTTVOL.qname)
TSS PERMIT(USERA) IBMFAC($$CTTVOL.qname) ACC(READ)

For ACF2/SAF:

SET RESOURCE(CMF)
COMP
$KEY($$CTTVOL.qname.************************) TYPE(CMF)
 UID(USERA) ALLOW

In Basic Definition mode, security checks are bypassed for Control‑M/Tape utilities CTTVTM and CTTRTM.

Extended Definition Mode

Online Environment

The CLASS checked is FACILITY. The entity used to check authorization depends on the type of request:

Table 79 CTTSE06 Extended Definition Authorization Entity

Request                      Entity
INIT Control‑M/Tape BATCH    $$CTTINIT.qname
CHECKIN                      $$CTTRECINS.qname.extension
UPDATE RECORD                $$CTTRECUPD.qname.extension
DELETE RECORD                $$CTTRECDEL.qname.extension
CHECKOUT                     $$CTTCHKOUT.qname.volser
BACK‑IN‑LIBRARY              $$CTTBACKLB.qname.volser
CLEAN                        $$CTTCLNVOL.qname.volser
DELETE                       $$CTTDELVOL.qname.volser
EXPIRE                       $$CTTEXPIRE.qname.dataset
EXTEND                       $$CTTEXTEND.qname.dataset
VAULT                        $$CTTVAULT.qname.volser
RECALL                       $$CTTRECALL.qname.volser
SELECT                       $$CTTSELECT.qname.extension
GROUP                        $$CTTGROUP.qname.volser
ADDINFO                      $$CTTADDINF.qname.extension
UNSCRATCH                    $$CTTUNSCR.qname.volser

where extension is the volume serial number or dataset name, depending on the current request.

Real-time Environment

When a user tries to process a dataset, the Control‑M/Tape SVC calls the CTTSE06 security module. The CLASS checked is FACILITY. The entity used to check authorization depends upon the user’s request.

Table 80 Real-time Authorization Entities

Entity                        Use
$$CTTRECINS.qname.volser      Dynamic definition of a volume
$$CTTRECINS.qname.dataset     Creation of a new dataset
$$CTTRECUPD.qname.volser      Any access to a volume
$$CTTRECUPD.qname.dataset     Any access to a dataset

Security checks are bypassed when called from the Control‑M/Tape SVC environment.
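The entity names in Tables 79 and 80, and the $$CTTVOL.qname.volser entity of Basic Definition mode, all carry a variable suffix, so a profile that is not written to cover that suffix protects nothing. The following script is an added example, not BMC code and not part of the Control‑M/Tape product: it builds the entity CTTSE06 will check for a given request and then tests whether a list of RACF profile names covers it. The request labels for the real-time table (DEFINE VOLUME, CREATE DATASET, ACCESS VOLUME, ACCESS DATASET) are names chosen here for the four rows of Table 80, the qname CTT, volume TAPE01 and dataset PROD.PAYROLL.BKUP are constructed sample values, and the generic-matching rules are a simplified model of RACF general-resource matching (** = zero or more qualifiers, * alone = one qualifier, * inside a qualifier = zero or more characters, % = one character) that should be confirmed against the RACF Security Administrator's Guide for your release.

```python
"""Map a Control-M/Tape CTTSE06 request to the FACILITY entity it checks and
audit whether a set of RACF profile names covers that entity.

Assumed, simplified RACF generic matching for general resource classes:
  '**' as a whole qualifier matches zero or more qualifiers,
  '*'  as a whole qualifier matches exactly one qualifier,
  '*'  inside a qualifier matches zero or more characters in that qualifier,
  '%'  matches exactly one character,
  anything else must match exactly; a discrete name matches only itself.
"""
import re
import string

# Entity templates from Table 79 (online environment, Extended Definition mode).
ONLINE_ENTITIES = {
    "INIT":            "$$CTTINIT.{qname}",
    "CHECKIN":         "$$CTTRECINS.{qname}.{extension}",
    "UPDATE RECORD":   "$$CTTRECUPD.{qname}.{extension}",
    "DELETE RECORD":   "$$CTTRECDEL.{qname}.{extension}",
    "CHECKOUT":        "$$CTTCHKOUT.{qname}.{volser}",
    "BACK-IN-LIBRARY": "$$CTTBACKLB.{qname}.{volser}",
    "CLEAN":           "$$CTTCLNVOL.{qname}.{volser}",
    "DELETE":          "$$CTTDELVOL.{qname}.{volser}",
    "EXPIRE":          "$$CTTEXPIRE.{qname}.{dataset}",
    "EXTEND":          "$$CTTEXTEND.{qname}.{dataset}",
    "VAULT":           "$$CTTVAULT.{qname}.{volser}",
    "RECALL":          "$$CTTRECALL.{qname}.{volser}",
    "SELECT":          "$$CTTSELECT.{qname}.{extension}",
    "GROUP":           "$$CTTGROUP.{qname}.{volser}",
    "ADDINFO":         "$$CTTADDINF.{qname}.{extension}",
    "UNSCRATCH":       "$$CTTUNSCR.{qname}.{volser}",
}

# Entity templates from Table 80 (real-time environment, called from the SVC).
# The request labels are names chosen for this example, not product keywords.
REALTIME_ENTITIES = {
    "DEFINE VOLUME":  "$$CTTRECINS.{qname}.{volser}",
    "CREATE DATASET": "$$CTTRECINS.{qname}.{dataset}",
    "ACCESS VOLUME":  "$$CTTRECUPD.{qname}.{volser}",
    "ACCESS DATASET": "$$CTTRECUPD.{qname}.{dataset}",
}


def entity_for(request, qname, volser=None, dataset=None, realtime=False):
    """Return the FACILITY entity CTTSE06 checks for this request.
    'extension' is whichever of volser/dataset the request supplies (dataset
    wins when both are given). Raises ValueError if a required field is missing."""
    templates = REALTIME_ENTITIES if realtime else ONLINE_ENTITIES
    template = templates[request]
    fields = {"qname": qname, "volser": volser, "dataset": dataset,
              "extension": dataset or volser}
    needed = [name for _, name, _, _ in string.Formatter().parse(template) if name]
    missing = [name for name in needed if not fields.get(name)]
    if missing:
        raise ValueError(f"{request} needs {', '.join(missing)}")
    return template.format(**fields).upper()


def _profile_regex(profile):
    """Compile a RACF profile name into a regex under the simplified rules above."""
    pattern = ""
    for i, qual in enumerate(profile.upper().split(".")):
        sep = r"\." if i else ""
        if qual == "**":
            # zero or more whole qualifiers, each with its leading period
            pattern += r"(?:\.[^.]+)*" if i else r"(?:[^.]+(?:\.[^.]+)*)?"
        elif qual == "*":
            pattern += sep + r"[^.]+"           # exactly one qualifier
        else:
            pattern += sep + "".join(
                "[^.]" if c == "%" else "[^.]*" if c == "*" else re.escape(c)
                for c in qual)
    return re.compile("^" + pattern + "$")


def covered(profiles, entity):
    """True if at least one profile name matches the entity."""
    return any(_profile_regex(p).match(entity.upper()) for p in profiles)


def audit(profiles, checks):
    """checks: list of (request, kwargs). Returns the entities no profile covers."""
    return [entity_for(req, **kw) for req, kw in checks
            if not covered(profiles, entity_for(req, **kw))]


if __name__ == "__main__":
    # Constructed sample: qname CTT, one volume and one multi-qualifier dataset.
    basic = "$$CTTVOL.CTT.TAPE01"     # Basic Definition mode volume entity
    print(basic, "covered by $$CTTVOL.CTT   :", covered(["$$CTTVOL.CTT"], basic))
    print(basic, "covered by $$CTTVOL.CTT.* :", covered(["$$CTTVOL.CTT.*"], basic))
    profiles = ["$$CTTCHKOUT.CTT.*", "$$CTTEXPIRE.CTT.*"]
    checks = [("CHECKOUT", {"qname": "CTT", "volser": "TAPE01"}),
              ("EXPIRE", {"qname": "CTT", "dataset": "PROD.PAYROLL.BKUP"})]
    for gap in audit(profiles, checks):
        print("no profile covers", gap)
```

Running the script shows the two gaps a practitioner most often hits: a discrete $$CTTVOL.CTT profile does not cover $$CTTVOL.CTT.TAPE01, and $$CTTEXPIRE.CTT.* covers only a single trailing qualifier, so an EXPIRE request for a dataset name with periods is left uncovered until the profile ends in .** instead.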

Special Utility Processing

When called under the batch environment from a Control‑M/Tape utility, the CTTSE06 module performs one additional security check for the INIT request.

The CLASS checked is FACILITY. The entity checked is $$CTTBYSEC.qname.

If the user is granted access to this entity, the user is permitted to work in a special mode in which all further security checks are bypassed, for improved batch utility performance. Because READ access to $$CTTBYSEC.qname switches off every subsequent CTTSE06 check for that job, grant it only to the batch user IDs that run the Control‑M/Tape utilities, never to general interactive users.

This check is performed only after user authority to make INIT Control‑M/Tape BATCH requests has been verified.

Module CTTSE09

The CTTSE09 module is the security module of Control‑M/Tape Exit CTTX009. This module verifies that the user is authorized to create and print a tape label.

The CLASS checked is FACILITY. The entity used to check authorization is $$CTTPRLAB.qname.

The access level used to check this authorization is READ.

The following commands authorize USERA to create and print a tape label:

For RACF:

RDEFINE FACILITY $$CTTPRLAB.qname UACC(NONE)
PERMIT $$CTTPRLAB.qname ID(USERA) CLASS(FACILITY) ACCESS(READ)

For TopSecret:

TSS ADD(sec-administrator-dept) IBMFAC($$CTTPRLAB.qname)
TSS PERMIT(USERA) IBMFAC($$CTTPRLAB.qname) ACC(READ)

For ACF2/SAF:

SET RESOURCE(CMF)
COMP
$KEY($$CTTPRLAB.qname) TYPE(CMF)
 UID(USERA) ALLOW