With Security Server (RACF®), you can use security labels to protect system resources. Use Security Server (RACF) to define security labels for TSO/E users. When TSO/E users log on, the security label (SECLABEL) is associated with their TSO/E logon session. You must define all TSO/E users through Security Server (RACF) and create TSO segments for those users so that the system saves each user's SECLABEL from logon session to logon session.

You can also protect the security classification of messages that are sent from one user to another. Messages must be stored in the logname.userid user log (not the broadcast data set), where logname is the name specified on the LOGNAME operand of the SEND PARMLIB parameter and userid is the user's user ID. Users can only view their logname.userid user logs by using the TSO/E LISTBC command. Procedures to protect the user logs are described in Activating the functions of TSO/E.