You can add another layer of control for your resources through security labels (through the RACF® SECLABEL class). Security labels allow an installation to restrict personnel who can view data from copying that data to a less secure device or data set. Also, users with the authority to view a group of data could be restricted from viewing more vital pieces within that group through the use of security labels and profiles.

When the SECLABEL class is active, each user must specify the security label for a session or job (or use the default SECLABEL established in the USER profile) to be able to access data that has a security label. (A user can have more than one security label associated with a userid but can only specify one for a session or job.) RACF determines whether the user's security label for the session is equal to or greater than the security label of the data the user is accessing before verifying if the user has authority to view the data. The highest security label in the system is SYSHIGH, the lowest is SYSLOW. Your installation should define as many levels of security labels between SYSHIGH and SYSLOW as needed to implement your installation's security policy.

If you receive SYSOUT data sets that contain an unknown or blank security label band your node has an active SECLABEL class, JES2 assigns this SYSOUT the SECLABEL RACSLUNK (SECLABEL unknown). Because your installation has not predefined this security label, no one can access the SYSOUT.

Your installation's security policy could require security labels for all users and resources. Your security administrator enforces this policy by activating various RACF classes and options. For more information on security labels, see z/OS Security Server RACF Security Administrator's Guide.