HP XP P9500 Storage User Manual

Protecting Volumes from I/O Operations at Mainframe Hosts

Volume Security for Mainframe enables you to protect volumes from unauthorized access by
mainframe hosts. To protect volumes from unauthorized access, you must create security groups
and register mainframe hosts and volumes in security groups. Security groups are classified in
access groups or pool groups. If you want to allow some but not all mainframe hosts to access
volumes, you must classify the security group as an access group. If you want to exclude all
mainframe hosts from access volumes, you must classify the security group as a pool group.

Enabling Only the Specified Hosts to Access Volumes

If you want to allow some but not all mainframe hosts in your network to access volumes, you must
register the mainframe hosts and the volumes in an access group. For example, if you register two
hosts (host_A and host_B) and two volumes (vol_C and vol_D) in an access group, only the two
hosts will be able to access vol_C and vol_D. No other hosts will able to access vol_C and vol_D.

If mainframe hosts are registered in an access group, the hosts will be able to access volumes in
the same access group, but will be unable to access other volumes. For example, if you register
two hosts (host_A and host_B) and two volumes (vol_C and vol_D) in an access group, the two
hosts can access vol_C and vol_D, but no other volumes.

To register hosts in an access group, you must create a host group, register the hosts in the host
group, and then register the host group in the desired access group. To register volumes in an
access group, you must create an LDEV group, register the volumes in the LDEV group, and then
register the LDEV group in the desired access group. Any access group may contain only one host
group and one LDEV group.

In security example shown in the next figure, six mainframe hosts are attached to a storage system.
Two access groups are created and the following security settings are applied:

•

The ldev1 and ldev2 volumes are accessible from only host1, host2, and host3 because the
two volumes and the three hosts are registered to the same access group.

•

The ldev4 volume is accessible from only host4 because ldev4 and host4 are registered to
the same access group.

•

The ldev5 volume does not belong to any access group. For this reason, hosts that belong to
access groups cannot access ldev5. The ldev5 volume is accessible from only host5 and host6,
which are not registered to access groups.

140 Protecting volumes from I/O operations