With the VMTAPE MOUNT rule, you can control access based upon volume serial number or data set name. Scratch and foreign tape mounts can also be controlled. Rules for FOREIGN and SCRATCH are meaningful only when created at the system level or at the CA VM:Tape user level.
Without the CA VM:Secure interface, the CA VM:Tape MOUNT command can be issued by users only for tapes that they own, by users who know the data set name of your tape and any applicable password, and by users with ANYTAPE authorization.
Note: Users with ANYTAPE authorization in the VMTAPE CONFIG file can continue to mount tapes regardless of rules.
With the CA VM:Secure interface, users granted access by a VMTAPE MOUNT rule can mount other users’ tapes if they know the data set name and applicable password for the tape. If the rule allowing the CA VM:Tape MOUNT command specifies the LOGPASS option, the requesting user IDs must give their logon passwords when mounting tapes, and the requirement for the data set name and tape password is bypassed. If the rule allowing the MOUNT command specifies the NOPASS option, the requesting user IDs do not have to give a password or the data set name when mounting tapes.
MOUNT requests default to normal processing if no rules are defined to govern MOUNT attempts. The NORULE record in the SECURITY CONFIG file does not apply to CA VM:Tape requests.
Examples
ACCEPT DAGMAR VMTAPE MOUNT VOLUME ALF001 READ
The command that DAGMAR issues to mount the tape is as follows:
vmtape mount alf001 dsn biscuit (read pass bones
ACCEPT LACEY VMTAPE MOUNT VOLUME * * (NOPASS
CAGNEY has another peer at work who is not as well-trusted as LACEY and who tends to leave her terminal unattended. The user ID of this peer is CASSIE. CAGNEY wrote a rule to allow CASSIE mount access to her tapes but still require CASSIE’s logon password when she issues the MOUNT command. The rule is:
ACCEPT CASSIE VMTAPE MOUNT VOLUME * * (LOGPASS
When LACEY issues the MOUNT command for CAGNEY’s tapes, she does not have to give a data set name or any passwords. However, when CASSIE issues the MOUNT command for CAGNEY’s tapes, CASSIE has to give her logon password.
ACCEPT RESEARCH VMTAPE MOUNT VOLUME SCRATCH * (GROUP
REJECT * VMTAPE MOUNT VOLUME SCRATCH *
Now members of the security group RESEARCH are the only user IDs allowed to mount scratch tapes.
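When reviewing a rule set, it helps to list which ACCEPT rules let a mount proceed without the data set name and tape password. The following is an added example, not CA code: it assumes the rules have been exported as plain text, one rule per line, and it parses only the rule shapes shown in the examples above; the function names are hypothetical.

```python
# Constructed sample: the rules shown in the examples on this page, one per line.
SAMPLE_RULES = """\
ACCEPT DAGMAR VMTAPE MOUNT VOLUME ALF001 READ
ACCEPT LACEY VMTAPE MOUNT VOLUME * * (NOPASS
ACCEPT CASSIE VMTAPE MOUNT VOLUME * * (LOGPASS
ACCEPT RESEARCH VMTAPE MOUNT VOLUME SCRATCH * (GROUP
REJECT * VMTAPE MOUNT VOLUME SCRATCH *
"""


def parse_rule(line):
    """Return the parts of a VMTAPE MOUNT rule, or None for any other line."""
    body, _, opts = line.partition("(")
    tok = body.upper().split()
    if len(tok) < 6 or tok[0] not in ("ACCEPT", "REJECT"):
        return None
    if tok[2:5] != ["VMTAPE", "MOUNT", "VOLUME"]:
        return None
    return {"action": tok[0], "who": tok[1], "volume": tok[5],
            "operands": tok[6:], "options": set(opts.upper().split())}


def credential_required(rule):
    """What the requester must supply, per the LOGPASS/NOPASS text above."""
    if rule["action"] != "ACCEPT":
        return "not applicable"
    opts = rule["options"]
    if {"NOPASS", "LOGPASS"} <= opts:
        return "conflicting options"   # precedence is not stated on the page
    if "NOPASS" in opts:
        return "nothing"
    if "LOGPASS" in opts:
        return "logon password"
    return "data set name and tape password"


def audit(text):
    """List (requester, volume, credential) for ACCEPT rules that let a
    mount proceed without the data set name and tape password."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["action"] != "ACCEPT":
            continue
        cred = credential_required(rule)
        if cred != "data set name and tape password":
            findings.append((rule["who"], rule["volume"], cred))
    return findings


if __name__ == "__main__":
    for who, volume, cred in audit(SAMPLE_RULES):
        print(f"{who:10} volume={volume:8} requester supplies: {cred}")
```

Rules reported with "nothing" on volume `*` are the ones to review first, since the requester needs neither a password nor the data set name for any tape the rule covers.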
Copyright © 2014 CA.
All rights reserved.