Your installation can define its own security classifications. These classifications are security levels, security categories, and security labels. A security level is a name for a numeric security classification indicator. For example, a security level could be SECRET. A security category is a name corresponding to a department or area within an organization with similar security requirements. For example, an employee in the payroll department can be in the security category PAYROLL.

A security label is used to represent the association between a particular security level and a set of zero or more security categories. For example, the security categories PAYROLL and PERSONNEL can both be associated with the security level SECRET by the security label PPSECR.

If your installation uses security classifications, RACF® stores the security classifications for each user and each data set in user and data set profiles. When you request access to a data set, RACF checks your user profile and the data set profile to see if your security label is equal to or greater than the security label of the data set. RACF denies you access if you do not have the appropriate level.

Your security administrator defines a default security label for you. However you might be able to log on with a different security label if you have been authorized. This alternate security label allows you access to resources that have the same security label.

1. Determine what security labels you have authority to use.

   You must first have authority to a security label before you can log on with it. If you know what security label you need, proceed with Step 2.

   If you do not know whether you can use a particular security label, RACF can give you a list of all the profiles in the SECLABEL class you are authorized to use.

   To see this list, log on with your default security label and enter the following command:

   SEARCH CLASS(SECLABEL)

   The profile names listed are the security labels you are authorized to use.

   LOGOFF

2. Log on using a security label other than your default security label.
   Enter the security label you want to log on with in the SECLABEL field of the logon panel. Figure 1 shows a user logging on with security label SECRET.

   Figure 1. Logging on with another security label

   ------------------------------ TSO/E LOGON -----------------------------
   
   
     Enter LOGON parameters below:                   RACF LOGON parameters:
   
     Userid    ===> CLAIRE                           SECLABEL     ===> SECRET
   
     Password  ===> _                                New Password ===>
   
     Procedure ===> PROC01                           Group Ident  ===>
   
     Acct Nmbr ===> 123199
   
     Size      ===>
   
     Perform   ===>
   
     Command   ===>
   
     Enter an 'S' before each option desired below:
               -Nomail         -Nonotice        -Reconnect        -OIDcard
   
   PF1/PF13 ==> Help    PF3/PF15 ==> Logoff    PA1 ==> Attention    PA2 ==> Reshow
   You may request specific help information by entering a '?' in any entry field

   Once you log on with a different security label, that new security label is associated with your user ID until you change it. The new security label appears in the SECLABEL field of the logon panel the next time you log on. If you blank out this field, and if the TERMINAL class is active and the profile covering your terminal has a security label, the system assigns the terminal's security label to your TSO session. If the terminal does not have a security label, the system assigns your default security label to your TSO session. In both of these cases, the SECLABEL field on the logon panel remains blank.