z/OS Security Server RACF Security Administrator's Guide


Security labels

SA23-2289-00

Security label authorization checking is based on controlling user access to resources according to three factors:
  1. The sensitivity of the data that the resource contains
  2. The user's authorization to access information at that level of sensitivity
  3. The purpose for which the user is attempting to access the resource

The security administrator indicates the sensitivity of the data in the resource as well as the authorization of the user by assigning appropriate security labels in the resource or user profile.

Security label authorization checking involves comparing the user's security label with the security label of the resource. A user who lacks sufficient authorization is prevented from accessing information in the resource.

Three requested access levels are supported for security label authorization checking:
Read-only
A user is attempting to read information from a resource.
Examples:
  • TSO LISTBC command
  • OPEN macro for READ
Write-only
A user is attempting to write information to a resource (with no reading).
Examples:
  • TSO SEND command (when the recipient of the message has a lower security classification than the sender)
  • Writing a new entry in a z/OS UNIX directory
Read-write
A user is attempting to access a resource for the purpose of both reading and writing.
Example:
  • OPEN macro for WRITE
For detailed information, see Security label authorization checking.
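As an added illustration (not part of the IBM guide, and not RACF code), the following Python model shows how the requested access level changes the direction of the label comparison. It assumes the usual dominance rules, which this page defers to the detailed topic: read-only requires the user's label to dominate the resource's, write-only requires the resource's label to dominate the user's, and read-write requires the two labels to be equivalent. All label names, levels and categories are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    READ_ONLY = "read-only"
    WRITE_ONLY = "write-only"
    READ_WRITE = "read-write"


@dataclass(frozen=True)
class SecLabel:
    """Constructed model of a security label: one level plus a set of categories."""
    name: str
    level: int
    categories: frozenset = frozenset()

    def dominates(self, other: "SecLabel") -> bool:
        # Dominance: level at least as high AND a superset of the categories.
        return self.level >= other.level and self.categories >= other.categories


def label_check(user: SecLabel, resource: SecLabel, access: Access) -> bool:
    """Assumed rules (see lead-in); discretionary access checks are not modelled."""
    if access is Access.READ_ONLY:
        return user.dominates(resource)       # no reading above the user's label
    if access is Access.WRITE_ONLY:
        return resource.dominates(user)       # no writing below the user's label
    # Read-write must satisfy both directions, so the labels must be equivalent.
    return user.dominates(resource) and resource.dominates(user)


def decision_table(user: SecLabel, resources: list) -> dict:
    """Map (resource name, access level) -> allowed, for every combination."""
    return {(r.name, a.value): label_check(user, r, a)
            for r in resources for a in Access}


# Constructed sample labels.
LOW = SecLabel("LOW", 10)
CONFPAY = SecLabel("CONFPAY", 50, frozenset({"PAYROLL"}))
CONFENG = SecLabel("CONFENG", 50, frozenset({"ENGINEERING"}))

if __name__ == "__main__":
    for key, allowed in decision_table(CONFPAY, [LOW, CONFPAY, CONFENG]).items():
        print(key, "allowed" if allowed else "denied")
```

CONFPAY and CONFENG share a level but have different categories, so neither dominates the other and every access level between them is denied.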





Copyright IBM Corporation 1990, 2014