Understanding security labels

You can use security labels to associate a specific security level with a set of (zero or more) security categories. Security labels, when associated with resources, users, and jobs, provide the following advantages over security levels and security categories:
  • Security labels can be assigned to data that is not necessarily protected by a resource profile. For example, spool files are assigned the security label of their creators. In many cases, data that has been assigned a security label retains that security label from the time the data is created until the data is deleted. For example, when a spool file is created by a user or job that is running under a security label, the spool file is assigned the security label of the user or job. The spool file retains that security label until the spool file itself is deleted (which can be long after the user logs off or the job ends).
  • Users can log on with different security labels at different times but with the same user ID; without security labels, a user always has the same (default) security level and categories.
  • Output printed for a user or job by Print Services Facility (PSF) for z/OS® can have a PSF identification label related to the security label of the user or job printed on every page.
  • It is easier to maintain the security classification of users and data (changing the definition of a security label affects all users and resources that have that security label; you need not make the same change for many different profiles as you would for security levels and categories).