2 About Volume Security Operations
Overview of Volume Security Functions
The Volume Security feature protects data in your storage system from I/O operations performed at mainframe hosts. Volume Security enables you to apply security to volumes so that the specified mainframe hosts will be unable to read from and write to the specified volumes. Volume Security also enables you to prevent data on volumes from being overwritten by erroneous copy operations.
Volume Security can be used in conjunction with an optional program, Volume Security Port Option. This optional program can be used to specify the storage system ports through which hosts can access volumes.
In the storage system documentation, volumes are sometimes referred to as logical devices (or LDEVs). Also, the storage system documentation sometimes uses the term LDEV security to refer to the security policy that Volume Security enables you to apply to volumes.
Protecting Volumes from I/O Operations at Mainframe Hosts
Volume Security enables you to protect volumes from unauthorized access by mainframe hosts. To protect volumes from unauthorized access, you must create security groups and then register mainframe hosts and/or volumes in security groups. Security groups are classified into access groups or pool groups. To allow some (but not all) mainframe hosts to access volumes, you must classify the security group as an access group. To prohibit all mainframe hosts from accessing volumes, you must classify the security group as a pool group.
Enabling Only the Specified Hosts to Access Volumes
To allow only some mainframe hosts in your network to access volumes, you must register the mainframe hosts and the volumes in an access group. For example, if you register two hosts (host_A and host_B) and two volumes (vol_C and vol_D) in an access group, only the two hosts will be able to access vol_C and vol_D. No other hosts will be able to access vol_C and vol_D.
If mainframe hosts are registered in an access group, the hosts will be able to access volumes in the same access group, but will be unable to access other volumes. For example, if you register two hosts (host_A and host_B) and two volumes (vol_C and vol_D) in an access group, the two hosts can access vol_C and vol_D and cannot access other volumes.
To register hosts in an access group, you must create a host group, register the hosts in the host group, and then register the host group in the desired access group. To register volumes in an access group, you must create an LDEV group, register the volumes in the LDEV group, and then register the LDEV group in the desired access group. Any access group can only contain one host group and one LDEV group.
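The access rules described above, modeled as a small policy evaluator for reviewing a planned configuration. This is an added example, not code from the storage system or its documentation: the class and function names, the group names, host_X, vol_Y and vol_P are hypothetical, and the handling of a host and volume that are both unregistered is an assumption, since the page does not state that case.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityGroup:
    name: str
    kind: str                       # "access" or "pool"
    hosts: frozenset = frozenset()  # the group's one host group
    ldevs: frozenset = frozenset()  # the group's one LDEV group

    def __post_init__(self):
        if self.kind not in ("access", "pool"):
            raise ValueError(f"unknown security group type: {self.kind}")

def can_access(host, ldev, groups):
    """Return (allowed, reason) for I/O from a mainframe host to a volume."""
    access = [g for g in groups if g.kind == "access"]
    # Pool group: all mainframe hosts are prohibited.
    if any(g.kind == "pool" and ldev in g.ldevs for g in groups):
        return False, "volume is in a pool group"
    # Host and volume registered in the same access group.
    if any(host in g.hosts and ldev in g.ldevs for g in access):
        return True, "host and volume share an access group"
    # Volume is protected, but this host is not in its access group.
    if any(ldev in g.ldevs for g in access):
        return False, "volume is reserved for another set of hosts"
    # Registered hosts cannot reach volumes outside their access group.
    if any(host in g.hosts for g in access):
        return False, "host is limited to its access group's volumes"
    # Assumption (not stated on the page): no security applies here.
    return True, "neither host nor volume is registered"

def exposure(ldev, hosts, groups):
    """Audit helper: the hosts (from a known list) that can reach ldev."""
    return sorted(h for h in hosts if can_access(h, ldev, groups)[0])

# Constructed sample: host_A, host_B, vol_C, vol_D follow the page's example;
# host_X (unregistered), vol_Y (unregistered), vol_P (pooled) are invented.
GROUPS = [
    SecurityGroup("acc_grp_1", "access",
                  frozenset({"host_A", "host_B"}),
                  frozenset({"vol_C", "vol_D"})),
    SecurityGroup("pool_grp_1", "pool", ldevs=frozenset({"vol_P"})),
]
HOSTS = ["host_A", "host_B", "host_X"]

if __name__ == "__main__":
    for vol in ("vol_C", "vol_D", "vol_P", "vol_Y"):
        print(vol, "reachable from", exposure(vol, HOSTS, GROUPS))
    print(can_access("host_A", "vol_Y", GROUPS))
```

The last call shows the side effect that is easy to miss when planning: registering host_A in an access group also removes its access to volumes that have no security applied.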
In Figure 1, six mainframe hosts are attached to a storage system and two access groups are created. Here, the following security settings are applied:
• The volumes ldev1 and ldev2 are accessible only from host1, host2, and host3 because the two volumes and the three hosts are registered in the same access group.
XP24000/XP20000 Volume Security User's Guide | 9 |