Administration steps include creating security labels, extracting security label values from a RACF® profile, and updating ACS routines with the &SECLABL variable. First, you set the seclabel value from either the user's RACF profile or from the RACF data set profile as input to the ACS routines. The seclabel value is set to null if the RACF SECLABEL class is not active. If you specify the DD SECMODEL or PROTECT=YES parameter in the JCL or dynamic allocation, the SECLABEL is extracted from the RACF data set profile. Your installation's ACS routines can assign storage groups depending on the &SECLABL value along with other read-only ACS variables.

Tip: If overflow storage groups or extended storage groups are also defined, ensure that the security levels do not conflict.

Restriction: For z/OS® V1R6 DFSMS, customers cannot use &SECLABL in ACS routines if they are using automatic data set protection (ADSP).