Assigning security labels to data sets
When MLACTIVE(FAILURES) is active, if a data set is not protected by a profile, or if the profile that protects a data set does not have a security label assigned to it, every attempt to access the data set fails. Therefore, you need to ensure that every data set is protected by a profile in the DATASET class, and that every profile in the DATASET class has a security label, before you activate MLACTIVE(FAILURES).
Tip: The RACF® PROTECTALL option ensures that a user can create or access a data set only if it is RACF-protected. If you are not already running with the PROTECTALL option in FAILURES mode, activate it in WARNING mode while you are assigning security labels to your data set profiles:
SETROPTS PROTECTALL(WARNING)
RACF will issue a warning message if a user attempts to create or access a data set that is not RACF-protected. When you are sure that all of your data sets are RACF-protected, activate the PROTECTALL option in FAILURES mode:
SETROPTS PROTECTALL(FAILURES)
If a user attempts to create or access a data set that is not RACF-protected, the attempt fails.
Guidelines: To determine the security label to assign to a system data set, consider the data that the data set contains:
- Data that has no classified content and can be read by all users can have a security label of SYSLOW (or an installation-defined security label) and a UACC of READ, or an entry in the global access checking table specifying READ access. Data sets such as SYS1.LINKLIB and SYS1.PROCLIB are in this category.
- Data that has no classified content and needs to be accessed by only certain users can have a security label of SYSLOW (or an installation-defined security label) and a UACC of NONE. If a user requires access to the data set, the user must be permitted specifically. The access authority (for example, to READ or to UPDATE) can be set for each individual user allowed to access the data set. Examples of this type of data set are SYS1.PARMLIB and SYS1.VTAMLST.
- Assign all catalogs a security label of SYSNONE.
- Assign the SYSHIGH security label to data sets that contain multiple levels of data. To further protect these data sets from unauthorized access, specify a UACC of NONE and permit only certain users to access the data set.
Note: Regardless of the protection established for data sets in the LPA concatenation, any user can read most of the data set contents by examining the link pack area (LPA) in virtual storage. Because the data sets' contents are exposed, it is important to note that data sets classified higher than SYSLOW should not be in the LPA concatenation.
Tip: To add default security labels to a large number of data set profiles, use the SEARCH command to generate a TSO CLIST that you can tailor (by editing) and then run. For example, to generate a CLIST that sets all discrete profiles to the most common security label, use the command:
SEARCH CLASS(DATASET) CLIST('ALTDSD ' ' SECLABEL(most-common-seclabel)') NOGENERIC
Edit the CLIST, and change the SECLABEL field to the appropriate security label where necessary. After tailoring the CLIST, run it with the command:
EXEC EXEC.RACF.CLIST
To generate a CLIST that sets all generic profiles to the most common security label:
SEARCH CLASS(DATASET) CLIST('ALTDSD ' ' SECLABEL(most-common-seclabel)') GENERIC
Data set | Recommended security label | Notes |
---|---|---|
Catalogs | SYSNONE | Define a UACC of READ or UPDATE, as appropriate. Give ALTER access only to users who maintain the catalogs, because ALTER access allows users to list the names of data sets cataloged in the catalogs. |
DFSMShsm control data sets and their logs and journals | SYSHIGH | Define a UACC of NONE |
DFSMSrmm control data sets and their logs and journals | SYSHIGH | Define a UACC of NONE |
Dump analysis and elimination (DAE) data sets | SYSHIGH | Define a UACC of NONE |
Dump job data sets | SYSHIGH | Define a UACC of NONE |
JES2 checkpoint data set | SYSHIGH | Define a UACC of NONE |
JES2 spool offload data set | SYSHIGH | Define a UACC of NONE |
JES3 checkpoint data sets | SYSHIGH | Define a UACC of NONE |
JES3 dump job data set | SYSHIGH | |
JES3 job control table (JCT) data set | SYSHIGH | |
Log data sets | SYSHIGH | Define a UACC of NONE |
Page data sets | SYSHIGH | Define a UACC of NONE |
PSF security libraries (overlay, font, page segment, security definitions) | SYSHIGH | Define a UACC of NONE |
SMF data sets | SYSHIGH | Define a UACC of NONE |
SMS configuration data sets (CDS), source control data set (SCDS) and active control data set (ACDS) | SYSHIGH | Define a UACC of NONE |
Spool data sets | SYSHIGH | Define a UACC of NONE |
Spool offload data sets | SYSHIGH | Define a UACC of NONE |
Swap data sets | SYSHIGH | Define a UACC of NONE |
SYS1.dump data sets | SYSHIGH | Define a UACC of NONE |
SYS1.LINKLIB | SYSLOW | Define a UACC of READ |
SYS1.IMAGELIB | SYSLOW | Define a UACC of READ |
SYS1.PARMLIB | SYSLOW or installation-defined | Define a UACC of NONE |
SYS1.PROCLIB | SYSLOW | Define a UACC of READ |
SYS1.VTAMLST | SYSLOW or installation-defined | Define a UACC of NONE |
System data sets that have no classified content and can be read by all users | SYSLOW | Define a UACC of READ |
System data sets that contain multiple levels of data | SYSHIGH | Define a UACC of NONE |
System data sets that have no classified content and need to be accessed by only certain users | SYSLOW or installation-defined | Define a UACC of NONE |
Trace data sets | SYSHIGH | Define a UACC of NONE |
TSO/E broadcast data set | SYSLOW | Define a UACC of READ |
TSO/E NAMES data set | The lowest security label to which the user has access | Allows TRANSMIT and RECEIVE to access the data set, and the user can update the data set when logged on at the security label assigned to it. (The data set is named userid.NAMES.TEXT.) |
TSO/E log data set | User's most commonly used security label | A user authorized to more than one security label requires a log data set for each of those security labels, and when using a security label other than the one assigned to LOG.MISC must use the LOGDSNAME or LOGDATASET keyword on the TRANSMIT or RECEIVE command to specify the data set to use for logging. (The data set is named userid.LOG.MISC.) |
TSO/E user message log data set (logname.userid) | SYSHIGH | The log can contain any level of information. |
XCF couple data sets | SYSHIGH | Define a UACC of NONE |
zFS debug settings data set | SYSLOW | The debug_settings_dsn option in the IOEFSPRM file specifies the data set name. |
zFS IOEFSPRM file | SYSLOW | |
zFS output message data set | SYSLOW | The msg_output_dsn option in the IOEFSPRM file specifies the data set name. |
zFS root file system | SYSHIGH | Set the security label for the VSAM data set to SYSMULTI when you create the VSAM data set and format it as a zFS file system, to assign SYSMULTI to the root. Then change the security label to SYSHIGH. |
zFS trace table | SYSLOW | The trace_dsn option in the IOEFSPRM file specifies the data set name. |
zFS translated message data set | SYSLOW | The msg_input_dsn option in the IOEFSPRM file specifies the data set name. |
z/OS® UNIX file systems | See Table 1 | The security label for a z/OS UNIX data set should be consistent with the security label for the mountpoint. |
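
The tailoring step of the SEARCH CLIST procedure, combined with the recommendations in the table above, as an added Python example (not IBM's code): it rewrites the SECLABEL in each generated ALTDSD record whose profile name matches a rule, and lists the profiles that kept the default label so they can be reviewed before the CLIST is run. It assumes each record has the form ALTDSD 'profile' SECLABEL(label); the CATALOG.* and SYS1.MAN* name patterns and the INTERNAL label are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# (pattern, label): first match wins. Labels follow the table on this page;
# CATALOG.* and SYS1.MAN* are assumed names for catalogs and SMF data sets.
OVERRIDES = [
    ("SYS1.LINKLIB", "SYSLOW"),
    ("SYS1.IMAGELIB", "SYSLOW"),
    ("SYS1.PROCLIB", "SYSLOW"),
    ("CATALOG.*", "SYSNONE"),
    ("SYS1.MAN*", "SYSHIGH"),
]

# Assumed shape of one generated record: ALTDSD 'profile' SECLABEL(label)
RECORD = re.compile(r"^(\s*ALTDSD\s+'([^']+)'\s+SECLABEL\()([^)]*)(\).*)$")

def tailor_clist(text, overrides=OVERRIDES):
    """Return (tailored_text, kept_default, unparsed)."""
    out, kept_default, unparsed = [], [], []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            # Keep unexpected records untouched, but report them.
            if line.strip():
                unparsed.append(line)
            out.append(line)
            continue
        head, profile, label, tail = m.groups()
        for pattern, new_label in overrides:
            if fnmatchcase(profile, pattern):
                label = new_label
                break
        else:
            # No rule matched: the default label stays and needs review.
            kept_default.append(profile)
        out.append(f"{head}{label}{tail}")
    return "\n".join(out) + "\n", kept_default, unparsed

# Constructed sample; INTERNAL is a hypothetical installation-defined label.
SAMPLE = """\
ALTDSD 'SYS1.LINKLIB' SECLABEL(INTERNAL)
ALTDSD 'SYS1.MAN1' SECLABEL(INTERNAL)
ALTDSD 'CATALOG.USER01' SECLABEL(INTERNAL)
ALTDSD 'PAYROLL.MASTER' SECLABEL(INTERNAL)
PERMIT 'PAYROLL.MASTER' ID(AUDIT01) ACCESS(READ)
"""

if __name__ == "__main__":
    tailored, kept_default, unparsed = tailor_clist(SAMPLE)
    print(tailored, "review:", kept_default, "unparsed:", unparsed, sep="\n")
```

Profiles reported as keeping the default label are the ones to check by hand against the guidelines before running the CLIST.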