Multilevel security is an enhanced security environment that can be configured on a z/OS® system. In this environment, the security server and trusted resource managers enforce mandatory access control policies in addition to the usual discretionary access control policies. To participate in a multilevel secure environment, the user IDs associated with z/OS CS tasks and the resource profiles in the SERVAUTH class need to have security labels defined. For more information on the multilevel secure environment and configuring z/OS CS in that environment, see Preparing for IP networking in a multilevel secure environment.
You can also use SAF resources in the SERVAUTH class to control which users can create dynamic VIPAs that are specified by VIPARANGE statements, and to restrict access to a specific dynamic VIPA or a specific range of dynamic VIPAs in a VIPARANGE statement. For more information about the VIPARANGE statement, see z/OS Communications Server: IP Configuration Reference. For information about VIPARANGE access control, see Defining a security profile for SIOCSVIPA, SIOCSVIPA6, and MODDVIPA and Defining a security profile for binding to DVIPAs in the VIPARANGE statement.
Restricting the ability of the users to run applications that access specific TCP and UDP ports is also provided by resources in the SERVAUTH class. z/OS Communications Server provides a one-to-one mapping between port numbers and SAF resource names. See the PORTACCESS statement in the z/OS Communications Server: IP Configuration Reference or Setting up the System Authorization Facility server access authorization class (optional) for more information.
Similar to the function provided by the PORTACCESS statement, z/OS Communications Server ensures that a user attempting to connect to a TN3270E Telnet server secure port is allowed access to the port. This support is used in conjunction with Telnet client authentication support. See the CLIENTAUTH statement in the z/OS Communications Server: IP Configuration Reference or Setting up the System Authorization Facility server access authorization class (optional) for more information.
Restricting access to the TCPIP stack is also controlled under z/OS CS by defining a resource in the SERVAUTH class. See Setting up the System Authorization Facility server access authorization class (optional) for more information.
For more information about protecting these resources and other TCP/IP resources from unauthorized access, see TCP/IP resource protection.