IBM Health Checker for z/OS User's Guide


Create multilevel security definitions

SC23-6843-02

If your system is a multilevel system environment and you are using multilevel security labels to control access to resources, you must assign SECLABELs to the IBM Health Checker for z/OS superuser User ID (hcsuperid), to each profile protecting a check, and to the IBM Health Checker for z/OS log stream RACF® profile. For complete information on multilevel security, see z/OS Planning for Multilevel Security and the Common Criteria and z/OS Security Server RACF Security Administrator's Guide.

Do the following:
  • Assign a multilevel security label to the IBM® Health Checker for z/OS® superuser User ID, hcsuperid, which you defined in Setting up security for the IBM Health Checker for z/OS started task. Use the following to decide on a SECLABEL setting for hcsuperid:
    • If all your checks are assigned a SECLABEL of SYSLOW, assign a SECLABEL of SYSLOW to the IBM Health Checker for z/OS superuser User ID, hcsuperid. Assigning a SECLABEL of SYSLOW to the hcsuperid means that any data object that the check touches must have a SECLABEL that would pass the mandatory access check for the type of operation that is being performed.
    • If all the checks are above SYSLOW, you must assign a SECLABEL that will dominate all the check SECLABELs to the hcsuperid.
    • You can also assign a SECLABEL of SYSHIGH to the hcsuperid, which will dominate all the check SECLABELs.
    The following example enables the SECLABEL class and assigns a multilevel security label of SYSLOW:
    SETROPTS CLASSACT(SECLABEL) RACLIST(SECLABEL)
    ALTUSER hcsuperid SECLABEL(SYSLOW) 
  • Assign a SECLABEL to each profile that protects a check. See IBM Health Checker for z/OS checks for the SECLABEL recommended for each check. You'll need to define access to one of the following sets of resources:
    • HZS.sysname.check_owner.QUERY
      HZS.sysname.check_owner.MESSAGES

      or
    • HZS.sysname.check_owner.check_name.QUERY
      HZS.sysname.check_owner.check_name.MESSAGES

    For example, you might define the following:
    RALTER XFACILIT HZS.SYS1.IBMRACF.RACF_GRS_RNL.QUERY UACC(NONE) SECLABEL(SYSLOW)
    RALTER XFACILIT HZS.SYS1.IBMRACF.RACF_GRS_RNL.MESSAGES UACC(NONE) SECLABEL(SYSLOW)
  • Assign a SECLABEL to the IBM Health Checker for z/OS log stream RACF profile. Use the following to decide on a SECLABEL setting for the log stream:
    • If all your checks writing to the log stream are SYSLOW, assign a SECLABEL of SYSLOW to the log stream RACF profile.
    • If all the checks are above SYSLOW, you must assign a SECLABEL that will dominate all the check SECLABELs to the log stream RACF profile.
    • You can also assign a SECLABEL of SYSHIGH to the log stream RACF profile, a SECLABEL which will dominate all the check SECLABELs.
    For example, you might define the following:
    RALTER FACILITY HZS.HEALTH.CHECKER.HISTORY UACC(NONE) SECLABEL(SYSLOW)
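
The rules above for hcsuperid and for the log stream profile both require a SECLABEL that dominates every check SECLABEL. The following added example (not IBM code) models that choice. It assumes the usual RACF dominance rule, which this page does not spell out: a label dominates another when its security level is at least as high and its categories include all of the other's. The label names OPSLBL, AUDLBL and HCLBL, their levels and categories, and the OWNERA/OWNERB check profiles are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SecLabel:
    name: str
    level: int = 0                       # numeric security level
    categories: frozenset = frozenset()  # security categories

SYSLOW, SYSHIGH = SecLabel("SYSLOW"), SecLabel("SYSHIGH")

def dominates(a, b):
    """True if label a dominates label b (simplified model)."""
    if a.name == "SYSHIGH" or b.name == "SYSLOW":
        return True   # SYSHIGH dominates every label; every label dominates SYSLOW
    if a.name == "SYSLOW" or b.name == "SYSHIGH":
        return False
    return a.level >= b.level and a.categories >= b.categories

def not_dominated(candidate, check_labels):
    """Check profiles whose SECLABEL the candidate does not dominate."""
    return sorted(p for p, lbl in check_labels.items()
                  if not dominates(candidate, lbl))

def choose_label(candidates, check_labels):
    """First candidate (listed lowest first) dominating all checks, else SYSHIGH."""
    for cand in candidates:
        if not not_dominated(cand, check_labels):
            return cand
    return SYSHIGH

def racf_commands(label):
    """Commands in the form shown on this page, for hcsuperid and the log stream."""
    return [f"ALTUSER hcsuperid SECLABEL({label.name})",
            "RALTER FACILITY HZS.HEALTH.CHECKER.HISTORY UACC(NONE) "
            f"SECLABEL({label.name})"]

# Constructed sample data: label names, levels, categories and the two
# OWNERx check profiles are hypothetical.
OPS = SecLabel("OPSLBL", 50, frozenset({"SYSPROG"}))
AUDIT = SecLabel("AUDLBL", 50, frozenset({"AUDIT"}))
BOTH = SecLabel("HCLBL", 60, frozenset({"SYSPROG", "AUDIT"}))
CHECKS = {
    "HZS.SYS1.IBMRACF.RACF_GRS_RNL.QUERY": SYSLOW,
    "HZS.SYS1.OWNERA.CHECK_A.QUERY": OPS,
    "HZS.SYS1.OWNERB.CHECK_B.QUERY": AUDIT,
}

if __name__ == "__main__":
    label = choose_label([SYSLOW, OPS, AUDIT, BOTH], CHECKS)
    print("\n".join(racf_commands(label)))
```

OPSLBL and AUDLBL sit at the same level but carry different categories, so neither dominates the other; only a label holding both categories, or SYSHIGH, satisfies the rule for this set of checks.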





Copyright IBM Corporation 1990, 2014