

Volume Protection

When a volume is protected, any request to access the volume, or any data set on the volume, requires authorization to the volume. Alternatively, you can bypass volume level security checking entirely and depend on data set level security checking.

Both DASD and tape volumes must be owned before being authorized.

To establish ownership of a volume, enter the command:

TSS CREATE|ADDTO(acid) VOLUME(name)

Example: add ownership

This example protects the volume whose VOL=SER is T64803 by assigning ownership of the volume to DEPT01:

TSS ADDTO(DEPT01) VOLUME(T64803)

Volume Access Levels

The access levels that can be specified for volumes are:

ALL

All data residing on a volume can be accessed in any way.

BLP

Tape volume can be used with Bypass Label Processing.

CONTROL

If included with CREATE access, the user can create any data set residing on a volume, regardless of applicable data set access authorization.

CREATE

Data sets can be created on this volume if the data set access level permits it.

NOCREATE

All data sets residing on a volume can be accessed according to their data set access level. However, no new data sets can be created on this volume, regardless of the user's data set authority.

NONE

Data residing on a volume cannot be used in any way.

READ

(Default) All data sets residing on a volume can be read (opened for input). This access level is needed to perform a backup of the volume.

SCRATCH

Any data sets residing on a volume can be scratched.

UPDATE

All data sets residing on a volume can be simultaneously opened for both read and write access; implies READ volume authorization. This access level is needed to perform a restore of the volume.

WRITE

Volume can only be opened for output.

Volumes should rarely be permitted for more than CREATE access to individual users, since the volume authorization generally overrides the data set authorization. The more powerful access levels should be reserved for DASD management functions.

Example: assign access level

This example authorizes USER01 to update any data set on any volume whose VOLSER begins with T64:

TSS PERMIT(USER01) VOLUME(T64(G))
                   ACCESS(UPDATE)

If a user possesses no specific volume authorization, he cannot create data sets on that volume regardless of his data set authorization.

Default Volume Protection

Default protection extends security protection to a volume even if the volume is not defined to CA Top Secret. A security violation occurs if a request is made to access any unowned volume. If this type of request occurs in FAIL mode, the request is denied.

To extend default protection for volumes, enter the command:

TSS REPLACE(RDT) RESCLASS(VOLUME)
                 ATTR(DEFPROT)

Generic Prefixing

The VOLUME resource is installed with the NONGENERIC attribute. Volume ownership can be designated with generic prefixes. Once a prefix is owned, any volume beginning with that prefix is protected and must be permitted to other ACIDs.

The maximum length allowed for a volume resource identifier is six characters for a specific volume and five characters for a generic prefix. The minimum length allowed for the generic prefix is two characters.

When using generic prefixing, append a G to the prefix to indicate that a generic prefix is supplied.

Example: generic prefixing

This example protects all volumes with T64 as the first three characters of their VOL=SER:

TSS ADDTO(DEPT01) VOLUME(T64(G))

Access Authorization

Volume level access allows a user to access any data set on the volume, provided he has the authorized level.

Example: authorizing access

This example allows USER01 to access volume T64803 from Monday through Friday to create data sets:

TSS PERMIT(USER01) VOLUME(T64803)
                   DAYS(WEEKDAYS)
                   ACCESS(CREATE)

Program Pathing with Volumes

Program pathing restricts volume access to designated programs. Program pathing is useful for enforcing security protection when a volume management package is used. Extensive access to volumes can be allowed, but only through the appropriate volume management programs.

Example: assign an access path

This example gives the ACID VOLMGR access to all volumes at an access level of ALL, but only through the program VMGRP01 which must have been loaded from the library PROD.DLIB:

TSS PERMIT(VOLMGR) VOLUME(*ALL*)
                   ACCESS(ALL)
                   PRIVPGM(VMGRP01)
                   LIBRARY(PROD.DLIB)

Access to all Volumes

To allow users access to all volumes:

Example: access all volumes

This example allows USER01 to read any volume:

TSS ADDTO(MSCA) VOLUME(*ALL*(G))
TSS PERMIT(USER01) VOLUME(*ALL*(G))

Volume Level Security Bypass

When volume level security is bypassed, the CA Top Secret response to a request to access a data set is based solely on the applicable data set authorization.

To bypass volume level security

  1. Enter the command:
    TSS ADDTO(MSCA) VOLUME(*ALL*(G))
    

    Ownership is assigned to the MSCA.

  2. Enter the command:
    TSS PERMIT(acid) VOLUME(*ALL*(G))
                     ACCESS(CREATE)
    

    Permission is authorized.

Bypass Volume Level Security with NOVOLCHK

NOVOLCHK cannot be traced with TSS WHOHAS. Its use should be restricted to:

To allow unrestricted access to an entire volume, enter the command:

TSS ADDTO(SUPRACID) NOVOLCHK

Volume Only Level Security

To bypass data set level security checking, attach the keyword ACTION(NODSN) to a PERMIT for a volume. When this keyword is specified, CA Top Secret considers only the pertinent volume authorizations when determining whether to grant an access request.

Example: volume level security

This example allows USER01 to scratch any data set on volume T50000:

TSS PERMIT(USER01) VOLUME(T50000)
                   ACTION(NODSN)
                   ACCESS(SCRATCH)

The ACTION parameter operates at the level of a specific access event: an access request made by a designated ACID for a designated resource.
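The guidance in the sections above (volumes rarely permitted for more than CREATE, NOVOLCHK not traceable with TSS WHOHAS, ACTION(NODSN) skipping data set checks, and the identifier length rules under Generic Prefixing) can be applied as a review pass over command text before it is entered. The Python below is an added example, not part of the CA Top Secret documentation or product. The function names and finding codes are hypothetical, and treating only NONE, NOCREATE and CREATE as within policy, accepting any PRIVPGM-pathed permit, and splitting ACCESS on commas are assumptions of this example.

```python
import re

# Levels whose descriptions on this page still defer to data set authorization.
# Flagging every other level as "more than CREATE" is this example's policy choice.
DEFERS_TO_DSN = {"NONE", "NOCREATE", "CREATE"}
# KEYWORD(value), where value may carry one nested group such as T64(G).
KEYWORD = re.compile(r"([A-Z]+)\(((?:[^()]|\([^()]*\))*)\)")

def parse(command):
    """Return (verb, acid, keywords, bare_flags) for one TSS command."""
    text = " ".join(command.split())          # join continuation lines
    m = re.match(r"TSS ([A-Z]+)\(([^()]*)\) ?(.*)", text)
    if not m:
        raise ValueError("not a TSS command: " + text)
    verb, acid, rest = m.groups()
    return verb, acid, dict(KEYWORD.findall(rest)), KEYWORD.sub("", rest).split()

def volume_id_ok(value):
    """Length rules from Generic Prefixing: up to 6 specific, 2-5 generic."""
    generic = value.endswith("(G)")
    name = value[:-3] if generic else value
    if name == "*ALL*":
        return True
    return 2 <= len(name) <= 5 if generic else 1 <= len(name) <= 6

def review(command):
    """Return finding codes for one ADDTO or PERMIT command."""
    verb, acid, kw, flags = parse(command)
    findings = []
    if "NOVOLCHK" in flags:
        findings.append("NOVOLCHK")           # not traceable with TSS WHOHAS
    vol = kw.get("VOLUME")
    if vol is None:
        return findings
    if not volume_id_ok(vol):
        findings.append("BAD_VOLUME_ID")
    if verb == "PERMIT":
        levels = set(kw.get("ACCESS", "READ").split(","))  # READ is the default
        if levels - DEFERS_TO_DSN and "PRIVPGM" not in kw:
            findings.append("ABOVE_CREATE")   # volume-wide access, no program path
        if kw.get("ACTION") == "NODSN":
            findings.append("NODSN")          # data set checking is skipped
    return findings

if __name__ == "__main__":
    # Commands taken from this page; the last one is constructed (prefix too short).
    for cmd in ["TSS PERMIT(USER01) VOLUME(T64(G))\n    ACCESS(UPDATE)",
                "TSS PERMIT(USER01) VOLUME(T50000) ACTION(NODSN) ACCESS(SCRATCH)",
                "TSS ADDTO(SUPRACID) NOVOLCHK",
                "TSS ADDTO(DEPT01) VOLUME(T(G))"]:
        print(review(cmd), "<-", " ".join(cmd.split()))
```

Each finding marks a command for manual review; a permit with no ACCESS keyword is evaluated at the documented default of READ.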

VTOC Index Protection

Sites with DF/DSS or DFP installed can protect both the VTOC and VTOC index through CA Top Secret. Security for VTOC entities is provided automatically only at the volume level and only against UPDATE or ALTERATION volume operations.

By default, all users have READ access to a VTOC entity. To perform ALTER operations on a VTOC entity the ACID must have the appropriate access level.

This table lists the volume ACCESS authorizations required to perform various VTOC operations.

Operation                                                   Access
Open VTOC for output processing                             UPDATE
Open for output any data set starting with “SYS1.VTOCIX.”   UPDATE
Allocate any data set starting with “SYS1.VTOCIX.”          ALL
Scratch any data set starting with “SYS1.VTOCIX.”           ALL
Rename any data set starting with “SYS1.VTOCIX.”            ALL
Rename any data set to start with “SYS1.VTOCIX.”            ALL

Volume Management Packages

The following products interface automatically with CA Top Secret:

Required Backup and Restore Access Authorizations

The following access level authorizations are generally required for the common volume utility procedures.

Procedure   Access Level
Backup      READ
Restore     UPDATE
Compact     ALL

DF/DSS

Operations performed using DF/DSS force CA Top Secret to validate access to both volumes and data sets. Volume access validation is performed before data set access validation. If the ACID is sufficiently authorized at the volume level, the request for access is granted and data set checking is not performed.

For a utility procedure that encompasses only part of a volume, data set checking is performed only for the data sets whose extents map into the affected area. z/OS catalog management checks access to VSAM data sets.

This table lists the access levels required to perform utility operations:

Operation             Volume Access       Data Set Access
RESTORE:   volume     ALL                 ALL
           Tracks     ALL                 ALL
           data set   UPDATE              UPDATE
COPY:      volume     from READ to ALL    N/A
           Tracks     from READ to ALL    N/A
DEFRAG:    volume     UPDATE              N/A

DSF

Operations performed using DSF are protected by CA Top Secret at both the volume and data set levels. Data set level checking is bypassed for all commands if the user has ALL access to the volume. In offline mode no other security checking (besides data set level checking) is performed unless explicitly requested by the operator.

This table indicates the data set access authorization levels required for various DSF operations. VOLUME(ALL) by itself is sufficient for any of these operations.

Operation                 Data Set Access
for all commands          no checking
BUILDIX                   N/A
INIT                      ALL for each data set
INSPECT with NOPRESERVE   N/A
INSPECT with PRESERVE     ALL for each RACF data set that maps a track
REFORMAT                  N/A

FDR

For CA Top Secret to protect FDR operations, FDR must be generated with the RACF or ALLCALL optional feature. FDR performs both volume and data set level checking. If an ACID does not have ALL access to the volume for a volume‑related operation, FDR calls CA Top Secret to check every RACF protected data set on the volume. FDR checks the format‑1 DSCB in the VTOC for the RACF option. When using the ALLCALL option, FDR always calls CA Top Secret.

This table indicates the necessary access levels for FDR operations:

Operation                               Data Set Access     Volume Access
TYPE=FDR DUMP                           READ                READ
TYPE=FDR RESTORE                        ALL                 ALL
TYPE=FDR COPY VOLUME                    FROM=READ TO=ALL    FROM=READ TO=ALL
TYPE=DSF ABSOLUTE VOLUME DUMP/RESTORE   N/A                 ALL
TYPE=DSF DATASET DUMP                   READ                READ
TYPE=DSF DATASET RESTORE                ALL                 UPDATE
TYPE=ARC DUMP‑ABR                       ALL                 ALL
TYPE=SCR DUMP‑ABR                       ALL                 ALL
FDRABRUT REMOTE Q. DUMP                 READ                READ
FDRABRUT REMOVE Q. ARCHIVE              ALL                 ALL
FDRABRUT REMOTE Q. RESTORE              UPDATE              UPDATE
  WITH NEW NAME                         UPDATE              UPDATE