If your system is a multilevel system environment and you are using
multilevel security labels to control access to resources, you must
assign SECLABELs to the IBM Health Checker for z/OS superuser
User ID ( hcsuperid), to each profile protecting
a check, and to the IBM Health Checker for z/OS log stream RACF® profile. For complete information
on multilevel security, see z/OS Planning for Multilevel Security and the Common Criteria and z/OS Security Server RACF Security Administrator's Guide.
Do the following:
- Assign a multilevel security label to the IBM® Health Checker for z/OS® superuser User ID, hcsuperid,
which you defined inSetting up security for the IBM Health Checker for z/OS started task. Use the following
to decide on a SECLABEL setting for the log stream:
- If all your checks are assigned a SECLABEL of SYSLOW, assign a
SECLABEL of SYSLOW to the IBM Health
Checker for z/OS superuser
User ID, hcsuperid. Assigning a SECLABEL of SYSLOW
to the hcsuperid means that any data object that
the check touches must have a SECLABEL that would pass the mandatory
access check for the type of operation that is being performed.
- If all the checks are above SYSLOW, you must assign a SECLABEL
that will dominate all the check SECLABELs to the hcsuperid.
- You can also assign a SECLABEL of SYSHIGH to the hcsuperid,
which will dominate all the check SECLABELs.
The following example enables the SECLABEL class and assigns
a multilevel security label of SYSLOW: SETROPTS CLASSACT(SECLABEL) RACLIST(SECLABEL)
ALTUSER hcsuperid SECLABEL(SYSLOW)
- Assign a SECLABEL to each profile that protects a check. See IBM Health Checker for z/OS checks for the SECLABEL recommended for each check.
You'll need to define access to one of the following set of resources:
For example, you might define the following:
RALTER XFACILIT HZS.SYS1.IBMRACF.RACF_GRS_RNL.QUERY UACC(NONE) SECLABEL(SYSLOW)
RALTER XFACILIT HZS.SYS1.IBMRACF.RACF_GRS_RNL.MESSAGES UACC(NONE) SECLABEL(SYSLOW)
- Assign a SECLABEL to the IBM Health Checker for z/OS log stream RACF profile. Use the following
to decide on a SECLABEL setting for the log stream:
- If all your checks writing to the log stream are SYSLOW, assign
a SECLABEL of SYSLOW to the log stream RACF profile.
- If all the checks are above SYSLOW, you must assign a SECLABEL
that will dominate all the check SECLABELs to the log stream RACF profile.
- You can also assign a SECLABEL of SYSHIGH to the log stream RACF profile, a SECLABEL which
will dominate all the check SECLABELs.
For example, you might define the following:RALTER FACILITY HZS.HEALTH.CHECKER.HISTORY UACC(NONE) SECLABEL(SYSLOW)