Defining security labels

A security label establishes an association between a RACF® security level and a set of zero or more RACF security categories. For example, a system might have three security levels, unclassified, sensitive, and secret, and three security categories, Project A, Project B, and Project C. Then, PURPLE could be a security label name indicating Secret for Project A, Project B, and Project C. COLUMBIA could be a security label name meaning Sensitive for Project A and Project B; UNION could be a security label name indicating unclassified for Project C.

Table 1. An example of security labels

Security level   Project A             Project B             Project C
Secret           SECLABEL = PURPLE     SECLABEL = PURPLE     SECLABEL = PURPLE
Sensitive        SECLABEL = COLUMBIA   SECLABEL = COLUMBIA   no label defined
Unclassified     no label defined      no label defined      SECLABEL = UNION

The security administrator defines two profiles in the RACF SECDATA resource class that define the security levels and security categories for the system:
  • The SECLEVEL profile contains a member for each hierarchical security level in the system.
  • The CATEGORY profile contains a member for each non-hierarchical category in the system.

SECLEVEL: The hierarchical security level defines the degree of sensitivity of the data. "SECRET", "SENSITIVE", and "UNCLASSIFIED" are examples of levels you could define. You might define "SECRET" to be a security level of 30, "SENSITIVE" to be a level of 20, and "UNCLASSIFIED" to be a level of 10. The security administrator can define up to 254 security levels.

CATEGORY: The non-hierarchical categories further qualify the access capability. The security administrator can define zero or more categories that correspond to some grouping arrangement in the installation. "PROJECTA", "PROJECTB", and "PROJECTC" could all be categories defined.

Guideline: Although the system allows the definition of several thousand categories, define only the security categories you need. A large number of security categories can decrease performance, particularly at IPL time and for the SETROPTS RACLIST(REFRESH) command.

Security labels: After defining the SECLEVEL and CATEGORY profiles, the security administrator defines a profile in the SECLABEL resource class for each security label. The security label is a name of up to eight uppercase alphanumeric or national characters. The national characters are # (X'7B'), @ (X'7C'), and $ (X'5B'). The first character cannot be numeric. Each security label name must be unique. Each SECLABEL profile specifies the particular combination of a SECLEVEL member and zero or more members of the CATEGORY profile that applies to the security label. You do not need to define a security label for every possible combination of level and category.

There is no limit on the number of security labels that can be defined.

Guideline: Define only the security labels you need. A large number of security labels can decrease performance, particularly at IPL time and for the SETROPTS RACLIST(REFRESH) command.

Because implementation of MLS has consequences through all parts of your z/OS system, you should ensure that your plan addresses the following:
  • the effects on Db2,
  • the effects on USS file systems and programs, including terminals,
  • the effects on TCP/IP and its programs,
  • the implications of shared DASD,
  • the implications of connection to a sysplex.
Because the scope of your MLS implementation extends to everything covered by the relevant RACF database, your plan should consider the implications of a shared RACF database or of restricting your MLS system to a RACF database not shared with other systems. The details on how to address these issues are contained in this and related manuals. Implementation of MLS should not be attempted without understanding its effects on each of these areas.

Two security labels with different names can have the same levels and sets of categories for administrative convenience. They are treated as equivalent for access control and name hiding purposes, but will not perform as efficiently as having only a single security label with that definition.
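The following is an added illustration, not IBM code and not RACF itself: a small Python model of the SECDATA and SECLABEL definitions described above, using the page's own level numbers (30/20/10), project categories, and the three labels from Table 1. It enforces the SECLABEL naming rules (up to eight characters, uppercase alphanumeric or the national characters # @ $, first character not numeric, names unique), rejects references to undefined SECLEVEL or CATEGORY members, and reports labels that share the same level and category set, which is the equivalent-label situation the previous paragraph warns about. The class and function names are the example's own inventions.

```python
"""Model of RACF security labels (added example, not IBM's implementation).

A SECLEVEL member carries a numeric level, a CATEGORY member is a plain name,
and a SECLABEL profile ties one level to zero or more categories.
"""
import re
from dataclasses import dataclass

# SECLABEL name: 1-8 chars, uppercase letters, digits or the national
# characters # @ $; the first character may not be a digit.
_SECLABEL_NAME = re.compile(r"^[A-Z#@$][A-Z0-9#@$]{0,7}$")


def valid_seclabel_name(name: str) -> bool:
    """True if name satisfies the SECLABEL naming rules quoted in the text."""
    return bool(_SECLABEL_NAME.fullmatch(name))


@dataclass(frozen=True)
class SecLabel:
    name: str
    level: str              # a SECLEVEL member name
    categories: frozenset   # CATEGORY member names


class SecData:
    """Holds the SECLEVEL and CATEGORY members plus the SECLABEL profiles."""

    def __init__(self, seclevels: dict, categories: set):
        self.seclevels = dict(seclevels)   # member name -> numeric level
        self.categories = set(categories)  # member names
        self.seclabels = {}                # label name -> SecLabel

    def define_seclabel(self, name: str, level: str, cats=()) -> SecLabel:
        """Define one SECLABEL profile, validating every reference it makes."""
        if not valid_seclabel_name(name):
            raise ValueError(f"invalid SECLABEL name: {name!r}")
        if name in self.seclabels:                 # names must be unique
            raise ValueError(f"SECLABEL {name} already defined")
        if level not in self.seclevels:
            raise ValueError(f"unknown SECLEVEL member: {level}")
        unknown = set(cats) - self.categories
        if unknown:
            raise ValueError(f"unknown CATEGORY members: {sorted(unknown)}")
        label = SecLabel(name, level, frozenset(cats))
        self.seclabels[name] = label
        return label

    def definition(self, name: str):
        """(numeric level, category set) that a label resolves to."""
        lbl = self.seclabels[name]
        return (self.seclevels[lbl.level], lbl.categories)

    def equivalent(self, a: str, b: str) -> bool:
        """Two labels are equivalent when level and category set coincide."""
        return self.definition(a) == self.definition(b)

    def duplicate_definitions(self):
        """Groups of label names that share one definition (sorted, len > 1)."""
        groups = {}
        for lbl in self.seclabels.values():
            groups.setdefault(self.definition(lbl.name), []).append(lbl.name)
        return sorted(sorted(v) for v in groups.values() if len(v) > 1)


def table1_example() -> SecData:
    """Build the SECDATA members and the three labels from Table 1."""
    sd = SecData({"SECRET": 30, "SENSITIVE": 20, "UNCLASSIFIED": 10},
                 {"PROJECTA", "PROJECTB", "PROJECTC"})
    sd.define_seclabel("PURPLE", "SECRET", ["PROJECTA", "PROJECTB", "PROJECTC"])
    sd.define_seclabel("COLUMBIA", "SENSITIVE", ["PROJECTA", "PROJECTB"])
    sd.define_seclabel("UNION", "UNCLASSIFIED", ["PROJECTC"])
    return sd


if __name__ == "__main__":
    sd = table1_example()
    for n in sd.seclabels:
        print(n, sd.definition(n))
    # A second label with PURPLE's definition is legal but redundant.
    sd.define_seclabel("PURPLE2", "SECRET", ["PROJECTA", "PROJECTB", "PROJECTC"])
    print("duplicates:", sd.duplicate_definitions())
```

Running the module prints each label's resolved definition and then flags PURPLE and PURPLE2 as sharing one definition; `duplicate_definitions` is the kind of check worth running over an exported SECLABEL list before a SETROPTS RACLIST(REFRESH), since the text notes that such duplicates cost performance without adding access-control distinctions.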

For more information about how to define security labels, see Defining security labels or z/OS Security Server RACF Security Administrator's Guide.