
ACF2 Security for OMVS - Access to Data

In OMVS, an HFS (Hierarchical File System) is a special kind of SMS-managed dataset. The OMVS file system consists of one or more HFSs mounted into a single tree. Any access to data in the OMVS file system normally goes through the OMVS kernel started task, and it is the permission bits plus the userid (UID) and group (GID) ownership attached to each file and directory that decide whether an access is allowed. ACF2 dataset access rules do not apply to individual files inside an HFS; they apply only to the MVS dataset that holds the HFS as a whole.

Anybody who needs to access data inside an HFS, including started tasks such as DFHSM and the OMVS kernel itself, must have an OMVS userid (a UID in an OMVS user profile). The OMVS kernel must be defined as an OMVS "Super-User" (UID 0) and also needs ACF2 access to all the MVS datasets that contain the HFSs.

If you do not want to give the OMVS kernel the NON-CNCL privilege, give it the NOMAXVIO privilege instead. All of its dataset accesses are then still validated against the ACF2 rules, but the OMVS kernel will not be cancelled if it exceeds the maximum violation count.

OMVS applications can also access MVS datasets, and for those accesses the normal ACF2 dataset rules apply. IBM recommends that, where possible, userids with special MVS security privileges should not be given OMVS user profiles.

HFS files and directories carry two independent sets of audit flags, user flags and auditor flags. Each set specifies which types of access (read, write, execute) and which outcomes (successful, failed, or both) should be recorded; for example, one could choose to log only successful writes to certain files. The user flags can be set by the file owner or by a "Super-User". To set auditor flags on an HFS file or directory you must hold the ACF2 AUDIT privilege and be defined as an OMVS user; OMVS does not check ownership of the file when auditor flags are set. Audited events are written as ACF2 SMF records along with the other OMVS events.
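The two decisions described above, the permission-bit check the kernel makes for each access and the user/auditor audit flags that decide whether an SMF record is cut, can be modelled together. The Python below is an added example written for this page, not IBM or ACF2 code; the UIDs, GIDs, file path and the acf2_audit attribute (standing in for the ACF2 AUDIT privilege) are constructed. Audit settings use the four values chaudit accepts: s (successful accesses), f (failed accesses), a (all), n (none).

```python
"""Model of the OMVS (z/OS UNIX) file access and audit decisions.
Added example for this page; all users, files and UID/GID values are constructed."""
from dataclasses import dataclass, field
from typing import FrozenSet

R, W, X = 4, 2, 1  # permission bits; one octal digit per class, as in chmod


def _no_audit():
    return {"r": "n", "w": "n", "x": "n"}  # chaudit settings: s, f, a, n


@dataclass(frozen=True)
class OmvsUser:
    uid: int
    gid: int
    groups: FrozenSet[int] = frozenset()  # supplementary GIDs
    acf2_audit: bool = False              # assumed flag: holds the ACF2 AUDIT privilege


@dataclass
class HfsFile:
    path: str
    owner_uid: int
    owner_gid: int
    mode: int                             # e.g. 0o640
    user_audit: dict = field(default_factory=_no_audit)
    auditor_audit: dict = field(default_factory=_no_audit)


def class_bits(user, f):
    """Pick the owner, group or other permission digit that applies to this user."""
    if user.uid == f.owner_uid:
        return (f.mode >> 6) & 7
    if f.owner_gid == user.gid or f.owner_gid in user.groups:
        return (f.mode >> 3) & 7
    return f.mode & 7


def access_allowed(user, f, requested):
    """Kernel-style check: a superuser (UID 0) bypasses read/write checks,
    but execute still needs at least one x bit somewhere in the mode."""
    if user.uid == 0:
        return bool(f.mode & 0o111) if requested == X else True
    return bool(class_bits(user, f) & requested)


def audit_record_needed(f, requested, succeeded):
    """True when either the user or the auditor flag for this access type
    asks for this outcome (success or failure) to be recorded in SMF."""
    key = {R: "r", W: "w", X: "x"}[requested]
    for flags in (f.user_audit, f.auditor_audit):
        s = flags[key]
        if s == "a" or (s == "s" and succeeded) or (s == "f" and not succeeded):
            return True
    return False


def check(user, f, requested):
    """Return (access allowed?, SMF audit record produced?)."""
    ok = access_allowed(user, f, requested)
    return ok, audit_record_needed(f, requested, ok)


def set_audit_flags(actor, f, auditor, new_flags):
    """Who may change which flag set: user flags need ownership or UID 0;
    auditor flags need the ACF2 AUDIT privilege, and ownership is not consulted."""
    if auditor:
        if not actor.acf2_audit:
            raise PermissionError("auditor flags need the ACF2 AUDIT privilege")
        f.auditor_audit.update(new_flags)
    else:
        if actor.uid != 0 and actor.uid != f.owner_uid:
            raise PermissionError("user flags: file owner or superuser only")
        f.user_audit.update(new_flags)


# Constructed sample principals and file.
KERNEL = OmvsUser(uid=0, gid=0)
ALICE = OmvsUser(uid=1001, gid=500)
BOB = OmvsUser(uid=1002, gid=600, groups=frozenset({500}))
CAROL = OmvsUser(uid=1003, gid=700)
AUDITOR = OmvsUser(uid=1004, gid=700, acf2_audit=True)


def sample_file():
    # rw-r----- owned by alice/group 500; auditor flag logs successful writes
    return HfsFile("/u/alice/secret.dat", owner_uid=1001, owner_gid=500, mode=0o640,
                   auditor_audit={"r": "n", "w": "s", "x": "n"})


if __name__ == "__main__":
    f = sample_file()
    for who, name, req in ((ALICE, "alice", W), (BOB, "bob", R), (BOB, "bob", W),
                           (CAROL, "carol", R), (KERNEL, "kernel", W), (KERNEL, "kernel", X)):
        print(name, {R: "read", W: "write", X: "exec"}[req], check(who, f, req))
```

Bob reads the file through his supplementary group but cannot write it; the kernel writes it as UID 0 but cannot execute it because no x bit is set; and only the superuser's successful write is audited until the owner adds a user flag for failed writes.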

ACF2 provides an option to control access to the HFS using the same dataset access rule mechanism as for standard MVS datasets.

See The OMVS File System for more information about the Unix System Services file system.
