I am defining the security environment for a product that issues a RACROUTE AUTH call with RESOURCE CLASS=TAPEVOL. I would like to know if the GSO SECVOL option is part of this SAF validation call?

Document ID : KB000056624
Last Modified Date : 14/02/2018

When CA ACF2 for z/OS validates a SAF RACROUTE AUTH call for RESOURCE=TAPEVOL, it uses the following logic to determine access:

  1. It verifies that a SAFDEF GSO record exists for RACROUTE REQUEST=AUTH, CLASS=TAPEVOL calls. This SAFDEF record must specify MODE=GLOBAL. If the SAFDEF record is in place, it uses the logic in item 2 to process the call; otherwise, the access is allowed with no CA ACF2 for z/OS validation. In this case a SAF return code of 4, reason code of 4, and function return code of 0 are returned to the caller.

  2. If the SAFDEF GSO record exists and specifies MODE=GLOBAL, CA ACF2 for z/OS verifies that the volume is included in the GSO SECVOL list. If the volume is included in the secured volume list, the volser is put in the format @volser.VOLUME or VOLUME.@volser, depending on the setting of the VOLRULE option of the GSO RULEOPTS record. Once the format is determined, it uses access rules to determine whether the user is allowed access. If the volume is not defined on the SECVOL list, CA ACF2 for z/OS allows the access and no validation occurs. In this case, as in item 1, CA ACF2 for z/OS issues a SAF return code of 4, reason code of 4, and function return code of 0.
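
The two steps above can be modelled as a small decision function, which also makes it easy to list the tape volumes whose TAPEVOL calls would be allowed without any rule validation. This is an added example, not CA ACF2 code: the `Gso` class, its field names and the sample volsers are hypothetical, SECVOL matching is exact (volume masks are not modelled), and `volume_first` only selects one of the two name formats without asserting which VOLRULE setting produces it.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Codes the article gives for "allowed with no validation":
# (SAF return code, reason code, function return code)
NOT_VALIDATED = (4, 4, 0)

@dataclass
class Gso:
    """Hypothetical stand-in for the GSO settings the article names."""
    safdef_tapevol_global: bool  # SAFDEF for REQUEST=AUTH,CLASS=TAPEVOL with MODE=GLOBAL
    secvol: frozenset            # volsers on the SECVOL list (exact match only)
    volume_first: bool           # which name format the RULEOPTS VOLRULE option selects

@dataclass
class Outcome:
    validated: bool                          # True if access rules are consulted
    rule_name: Optional[str]                 # name handed to access-rule validation
    codes: Optional[Tuple[int, int, int]]    # set only for the unvalidated path
    why: str

def tapevol_auth(gso: Gso, volser: str) -> Outcome:
    volser = volser.upper()
    # Step 1: without the SAFDEF record the call is allowed unchecked.
    if not gso.safdef_tapevol_global:
        return Outcome(False, None, NOT_VALIDATED, "no SAFDEF with MODE=GLOBAL")
    # Step 2: only volumes on the SECVOL list are validated.
    if volser not in gso.secvol:
        return Outcome(False, None, NOT_VALIDATED, "volume not on SECVOL list")
    name = f"VOLUME.@{volser}" if gso.volume_first else f"@{volser}.VOLUME"
    return Outcome(True, name, None, "access rules decide")

def unprotected(gso: Gso, volsers) -> list:
    """Audit helper: volumes whose TAPEVOL calls would be allowed unchecked."""
    return sorted(v for v in volsers if not tapevol_auth(gso, v).validated)

if __name__ == "__main__":
    # Constructed sample configuration and volsers.
    gso = Gso(True, frozenset({"TAPE01", "TAPE02"}), volume_first=False)
    for v in ("TAPE01", "SCR999"):
        print(v, tapevol_auth(gso, v))
    print("unprotected:", unprotected(gso, ["TAPE01", "TAPE02", "SCR999"]))
```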