Security labels

A security label enables an installation to classify subjects and objects according to a data classification policy, identify objects to audit based on their classification, and protect objects such that only appropriately classified subjects can access them. Objects in a multilevel-secure system have a security label that indicates the sensitivity of the object's data. Subjects in a multilevel-secure system also have a security label. This label determines whether the subject is allowed to access a particular object.

A security label is used as the basis for mandatory access control decisions. By assigning security labels, the security administrator can ensure that data of a certain classification is protected from access by a user of a lesser security classification. In addition, through the use of discretionary access control, the security administrator can further ensure that the data is protected from access by unauthorized users.

Security labels provide the capability to maintain multiple levels of security within a system. By assigning a security label to a resource, the security administrator can prevent the movement of data from one level of security to another.
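The following sketch is an added illustration, not IBM code and not part of the original page, of how a label-based mandatory check combines with a discretionary one. It assumes each label is a hierarchical level plus a set of categories and applies the usual dominance rules (no read-up, no write-down); all label, user and resource names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SecLabel:
    name: str
    level: int                            # hierarchical sensitivity, higher = more sensitive
    categories: frozenset = frozenset()   # non-hierarchical compartments

    def dominates(self, other: "SecLabel") -> bool:
        # Dominance: at least the other's level AND every one of its categories.
        return self.level >= other.level and self.categories >= other.categories

@dataclass(frozen=True)
class Resource:
    name: str
    label: SecLabel
    acl: frozenset   # discretionary part: (user, access) pairs granted by the owner

def mac_permits(subject: SecLabel, obj: SecLabel, access: str) -> bool:
    if access == "read":     # reading up is denied
        return subject.dominates(obj)
    if access == "write":    # writing down is denied, so data cannot move to a lower label
        return obj.dominates(subject)
    raise ValueError(f"unknown access type: {access}")

def decide(user: str, subject: SecLabel, res: Resource, access: str) -> tuple:
    # The mandatory check comes first; a discretionary grant cannot override it.
    if not mac_permits(subject, res.label, access):
        return (False, "MAC")
    if (user, access) not in res.acl:
        return (False, "DAC")
    return (True, "OK")

# Constructed labels and resources (hypothetical names, not from any real system).
PUBLIC = SecLabel("PUBLIC", 10)
PAYROLL = SecLabel("PAYROLL", 50, frozenset({"PAY"}))
HR = SecLabel("HR", 50, frozenset({"HR"}))
EXEC = SecLabel("EXEC", 90, frozenset({"PAY", "HR"}))

SALARIES = Resource("SALARIES", PAYROLL, frozenset({("ALICE", "read"), ("BOB", "read"), ("CAROL", "read")}))
BULLETIN = Resource("BULLETIN", PUBLIC, frozenset({("ALICE", "write")}))

if __name__ == "__main__":
    for user, label, res, acc in [("ALICE", PAYROLL, SALARIES, "read"),
                                  ("BOB", HR, SALARIES, "read"),
                                  ("CAROL", PUBLIC, SALARIES, "read"),
                                  ("DAVE", EXEC, SALARIES, "read"),
                                  ("ALICE", PAYROLL, BULLETIN, "write")]:
        print(user, label.name, acc, res.name, decide(user, label, res, acc))
```

BOB's case shows that two labels at the same level can still be incomparable when their categories differ, and ALICE's write to BULLETIN shows a discretionary grant being overridden by the label check.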

Security labels can also identify the security of hardcopy output. The security label is associated with the security notation that is printed on the hardcopy output from the system. The security administrator associates the name of a security overlay with each security label in a multilevel-secure system. Print Services Facility (PSF) uses this association to print the proper label on the secure output.

Security labels for users, MVS™ data sets, and general resources are stored in the RACF® database, in the profiles for the users and resources to which they apply. Security labels for zFS files and directories are stored in the file security packets (FSPs) for the files and directories to which they apply.