Skip to Main Content
IBM Z Hardware and Operating Systems Ideas Portal


This is the public portal for all IBM Z Hardware and Operating System related offerings. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Future consideration
Workspace z/OS
Created by Guest
Created on Dec 6, 2022

RACF control to allow or disallow copying of data from an encrypted dataset to an unencrypted dataset

Today if a person has access to a key label there are no controls in place to limit their ability to copy an encrypted dataset to a dataset with no DFP segment in it's RACF dataset profile. When this is the case the dataset is unencrypted when writing to the target dataset. For example a bad actor with access to production datasets uses an IBM utility to copy the datasets contents to a non-prod / non-encrypted dataset.

To help avoid the potential of a data breach i would like to suggest a RACF feature which would allow customers a degree of control over this capability. Here are 2 rough options I'd like to have IBM consider.

At a system level - create a RACF FACILITY class profile that when defined would eliminate the ability to read data from an encrypted dataset and write to an unencrypted dataset (with some exclusions such as temp datasets). Only users who have read access to the profile would have the access to perform such an operation.

At a more granular level - create a new field within the dataset profile DFP segment that is mutually exclusive with the KeyLabel (so for datasets that are not encrypted). Any datasets within this profile that have this flag turned on cannot be a target when the source is an encrypted dataset. At least this way the customer can control which datasets are authorized for this purpose and not 'user' type datasets, e.g. &SYSUID.MY.DATASET. Another suggestion was a “NODFP” setting that would disable decryption for utilities including those that transmit files (XMIT, FTP). These would have default settings and require special permissions to override (kind of like tape BLP).

I haven't given this alot of thought there may be other ways to do this, for example within the PROGRAM level, e.g. IEBCOPY, IDCAMS, SORT, etc but that may create new 'opportunities' for a bad actor.

Idea priority High