Assigning security labels to data sets

When MLACTIVE(FAILURES) is active, if a data set is not protected by a profile, or if the profile that protects a data set does not have a security label assigned to it, every attempt to access the data set fails. Therefore, you need to ensure that every data set is protected by a profile in the DATASET class, and that every profile in the DATASET class has a security label, before you activate MLACTIVE(FAILURES).

Tip: The RACF® PROTECTALL option ensures that a user can create or access a data set only if it is RACF-protected. If you are not already running with the PROTECTALL option in FAILURES mode, activate it in WARNING mode while you are assigning security labels to your data set profiles:
SETROPTS PROTECTALL(WARNING)
RACF will issue a warning message if a user attempts to create or access a data set that is not RACF-protected. When you are sure that all of your data sets are RACF-protected, activate the PROTECTALL option in FAILURES mode:
SETROPTS PROTECTALL(FAILURES)
If a user attempts to create or access a data set that is not RACF-protected, the attempt fails.
Guidelines: To determine the security label to assign to a system data set, consider the data that the data set contains:
  • Data that has no classified content and can be read by all users can have a security label of SYSLOW (or an installation-defined security label) and a UACC of READ, or an entry in the global access checking table specifying READ access. Data sets such as SYS1.LINKLIB and SYS1.PROCLIB are in this category.
  • Data that has no classified content and needs to be accessed by only certain users can have a security label of SYSLOW (or an installation-defined security label) and a UACC of NONE. If a user requires access to the data set, the user must be permitted specifically. The access authority (for example, to READ or to UPDATE) can be set for each individual user allowed to access the data set. Examples of this type of data set are SYS1.PARMLIB and SYS1.VTAMLST.
  • Assign all catalogs a security label of SYSNONE.
  • Assign the SYSHIGH security label to data sets that contain multiple levels of data. To further protect these data sets from unauthorized access, specify a UACC of NONE and permit only certain users to access the data set.
Note: Regardless of the protection established for data sets in the LPA concatenation, any user can read most of the data set contents by examining the link pack area (LPA) in virtual storage. Because the data sets' contents are exposed, it is important to note that data sets classified higher than SYSLOW should not be in the LPA concatenation.
Tip: To add default security labels to a large number of data set profiles, use the SEARCH command to generate a TSO CLIST that you can tailor (by editing) and then run. For example, to generate a CLIST that sets all discrete profiles to the most common security label, use the command:
SEARCH CLASS(DATASET) CLIST('ALTDSD ' ' SECLABEL(most-common-seclabel)') NOGENERIC
Edit the CLIST, and change the SECLABEL field to the appropriate security label where necessary. After tailoring the CLIST, run it with the command:
EXEC EXEC.RACF.CLIST
To generate a CLIST that sets all generic profiles to the most common security label:
SEARCH CLASS(DATASET) CLIST('ALTDSD ' ' SECLABEL(most-common-seclabel)') GENERIC
Table 1. Recommended security labels for profiles in the DATASET class
| Data set | Recommended security label | Notes |
|---|---|---|
| Catalogs | SYSNONE | Define a UACC of READ or UPDATE, as appropriate. Give ALTER access only to users who maintain the catalogs, because ALTER access allows users to list the names of data sets cataloged in the catalogs. |
| DFSMShsm control data sets and their logs and journals | SYSHIGH | Define a UACC of NONE |
| DFSMSrmm control data sets and their logs and journals | SYSHIGH | Define a UACC of NONE |
| Dump analysis and elimination (DAE) data sets | SYSHIGH | Define a UACC of NONE |
| Dump job data sets | SYSHIGH | Define a UACC of NONE |
| JES2 checkpoint data set | SYSHIGH | Define a UACC of NONE |
| JES2 spool offload data set | SYSHIGH | Define a UACC of NONE |
| JES3 checkpoint data sets | SYSHIGH | Define a UACC of NONE |
| JES3 dump job data set | SYSHIGH | |
| JES3 job control table (JCT) data set | SYSHIGH | |
| Log data sets | SYSHIGH | Define a UACC of NONE |
| Page data sets | SYSHIGH | Define a UACC of NONE |
| PSF security libraries (overlay, font, page segment, security definitions) | SYSHIGH | Define a UACC of NONE |
| SMF data sets | SYSHIGH | Define a UACC of NONE |
| SMS configuration data sets (CDS), source control data set (SCDS) and active control data set (ACDS) | SYSHIGH | Define a UACC of NONE |
| Spool data sets | SYSHIGH | Define a UACC of NONE |
| Spool offload data sets | SYSHIGH | Define a UACC of NONE |
| Swap data sets | SYSHIGH | Define a UACC of NONE |
| SYS1.dump data sets | SYSHIGH | Define a UACC of NONE |
| SYS1.LINKLIB | SYSLOW | Define a UACC of READ |
| SYS1.IMAGELIB | SYSLOW | Define a UACC of READ |
| SYS1.PARMLIB | SYSLOW or installation-defined | Define a UACC of NONE |
| SYS1.PROCLIB | SYSLOW | Define a UACC of READ |
| SYS1.VTAMLST | SYSLOW or installation-defined | Define a UACC of NONE |
| System data sets that have no classified content and can be read by all users | SYSLOW | Define a UACC of READ |
| System data sets that contain multiple levels of data | SYSHIGH | Define a UACC of NONE |
| System data sets that have no classified content and need to be accessed by only certain users | SYSLOW or installation-defined | Define a UACC of NONE |
| Trace data sets | SYSHIGH | Define a UACC of NONE |
| TSO/E broadcast data set | SYSLOW | Define a UACC of READ |
| TSO/E NAMES data set | The lowest security label to which the user has access | Allows TRANSMIT and RECEIVE to access the data set, and the user can update the data set when logged on at the security label assigned to it. (The data set is named userid.NAMES.TEXT.) |
| TSO/E log data set | User's most commonly used security label | A user authorized to more than one security label requires a log data set for each of those security labels, and when using a security label other than the one assigned to LOG.MISC must use the LOGDSNAME or LOGDATASET keyword on the TRANSMIT or RECEIVE command to specify the data set to use for logging. (The data set is named userid.LOG.MISC.) |
| TSO/E user message log data set (logname.userid) | SYSHIGH | The log can contain any level of information. |
| XCF couple data sets | SYSHIGH | Define a UACC of NONE |
| zFS debug settings data set | SYSLOW | The debug_settings_dsn option in the IOEFSPRM file specifies the data set name. |
| zFS IOEFSPRM file | SYSLOW | |
| zFS output message data set | SYSLOW | The msg_output_dsn option in the IOEFSPRM file specifies the data set name. |
| zFS root file system | SYSHIGH | Set the security label for the VSAM data set to SYSMULTI when you create the VSAM data set and format it as a zFS file system, to assign SYSMULTI to the root. Then change the security label to SYSHIGH. |
| zFS trace table | SYSLOW | The trace_dsn option in the IOEFSPRM file specifies the data set name. |
| zFS translated message data set | SYSLOW | The msg_input_dsn option in the IOEFSPRM file specifies the data set name. |
| z/OS® UNIX file systems | See Table 1 | The security label for a z/OS UNIX data set should be consistent with the security label for the mountpoint. |
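
A pre-activation check along these lines can be run off-platform against an inventory of DATASET profiles. The following is an added example, not IBM-supplied code: it flags profiles with no security label (which would fail every access under MLACTIVE(FAILURES)) and profiles that deviate from a subset of Table 1. The "profile seclabel uacc" input format, the sample profiles, and the CATALOG.* naming pattern are assumptions constructed for illustration.

```python
import re

# Subset of Table 1: (profile-name pattern, allowed SECLABELs, recommended UACC).
# None for labels means "SYSLOW or installation-defined" (any label accepted).
# The catalog pattern is a hypothetical naming convention; catalog names are
# installation-specific.
RULES = [
    (r"SYS1\.(LINKLIB|IMAGELIB|PROCLIB)", {"SYSLOW"}, "READ"),
    (r"SYS1\.(PARMLIB|VTAMLST)", None, "NONE"),
    (r"CATALOG\..+", {"SYSNONE"}, None),  # UACC READ or UPDATE, as appropriate
]

def parse_inventory(text):
    """Parse constructed 'profile seclabel uacc' lines; '-' means no label."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, label, uacc = line.split()
        rows.append((name.upper(), None if label == "-" else label.upper(), uacc.upper()))
    return rows

def audit(rows):
    """Return (profile, finding) pairs to resolve before MLACTIVE(FAILURES)."""
    findings = []
    for name, label, uacc in rows:
        if label is None:
            findings.append((name, "no SECLABEL: access fails under MLACTIVE(FAILURES)"))
            continue
        for pattern, labels, want_uacc in RULES:
            if not re.fullmatch(pattern, name):
                continue
            if labels is not None and label not in labels:
                findings.append((name, f"SECLABEL {label}, Table 1 recommends {'/'.join(sorted(labels))}"))
            if want_uacc is not None and uacc != want_uacc:
                findings.append((name, f"UACC {uacc}, Table 1 recommends {want_uacc}"))
            break
    return findings

# Constructed sample inventory (not output from any RACF utility).
SAMPLE = """\
SYS1.LINKLIB      SYSLOW   READ
SYS1.PARMLIB      SYSLOW   READ    # should be UACC NONE
SYS1.PROCLIB      -        READ    # unlabeled
CATALOG.MASTER    SYSHIGH  READ    # catalogs should be SYSNONE
PAYROLL.**        SECRET   NONE    # no Table 1 rule; labeled, so passes
"""

if __name__ == "__main__":
    for name, finding in audit(parse_inventory(SAMPLE)):
        print(f"{name}: {finding}")
```

The check covers only data sets that already have a profile; data sets with no profile at all are surfaced by the PROTECTALL(WARNING) messages described above.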