Preventing changes to security labels (MLSTABLE option)

If you have the SPECIAL attribute, and if the SECLABEL class is active, you can prevent users from changing the classification of data while the data is in use. Specifically, you can do all of the following:

Prevent any user from changing the security label of a RACF® profile
Prevent any user from changing a SECLABEL profile using the RALTER command unless SETROPTS MLQUIET is in effect. Changes to the access list using the PERMIT command are allowed.

To do this, enter:

SETROPTS MLSTABLE

Restriction: This option cannot be activated when the SECLABEL class is inactive.

To cancel this option, specify NOMLSTABLE on the SETROPTS command.

Note: If you must change security labels while the system is in multilevel stable state, you can issue SETROPTS MLQUIET before making the changes. See Quiescing RACF activity (MLQUIET option).