Guideline: If your installation needs to define resource
classes, do not define them in the static class descriptor table
using the ICHERCDE macro, because that requires a re-IPL. Instead,
define your classes in the dynamic class descriptor table using RDEFINE
and RALTER commands for the CDT resource class. For more information
about the dynamic class descriptor table, see z/OS Security Server RACF Security Administrator's Guide.
The class descriptor table contains information that directs
the processing of general resources. The table consists of an entry
for each resource class except USER, GROUP, and DATASET. The class
descriptor table contains entries that IBM® supplies,
and, optionally, entries defined by the installation. It has two parts:
- The static class descriptor table contains the entries that IBM supplies
(shipped in the module ICHRRCDX), and, optionally, entries defined
by the installation (in the module ICHRRCDE). You must not change
ICHRRCDX. To create or modify ICHRRCDE, use the ICHERCDE macro. You
must re-IPL for the updates to ICHRRCDE to take effect.
- The dynamic class descriptor table contains entries built from the
CDT general resource class. RACF® treats the dynamic class descriptor
table as a logical extension to the static class descriptor table.
To create or modify the dynamic class descriptor table, use the RDEFINE
and RALTER commands. You do not need to re-IPL for updates made to
the dynamic class descriptor table to take effect.
Restriction: A grouping class in the dynamic class descriptor
table cannot reference a member class in the static class descriptor
table, and a member class in the dynamic class descriptor table cannot reference
a grouping class in the static class descriptor table.
The ICHERCDE macro generates entries for the static class descriptor
table. To generate the table, you must invoke the macro once for each
class. To identify the end of the static class descriptor table, invoke
the macro without specifying any operands.
The installation-defined static class descriptor table, module
ICHRRCDE, must have RMODE(24) and must reside in SYS1.LINKLIB or another
library in your linklist concatenation. Refer to z/OS Security Server RACF System Programmer's Guide for
instructions on how to create ICHRRCDE.
Member RACINSTL in SYS1.SAMPLIB contains, among other items, a
sample job stream for updating or creating a static installation-defined
class descriptor table (ICHRRCDE).
Note:
- A maximum of 1024 classes can be defined in the class descriptor
table. There are 1024 POSIT values, of which numbers 19–56 and 128–527
are available for installation use. Numbers 0–18, 57–127, and 528–1023
are reserved for IBM's use.
- Installations sharing a database do not need identical class descriptor
tables, but they must be compatible. If the same class is present
on multiple systems, it must have the same attributes; for example,
the POSIT numbers must be the same. Therefore, if systems X and Y
are sharing a database, and system X has a class descriptor table
with classes a, b, and c, and system Y has a class descriptor table
with classes a, b, c, d, e, and f, the classes a, b, and c must be
defined identically on both systems. However, system Y may have classes
d, e, and f that are not defined on system X. Note that when RACF is enabled for sysplex communication,
RACF does not enforce consistency of the class descriptor table across systems
as it does for the data set name table and the range table; this allows
flexibility when adding new classes to the class descriptor table.
The ICHERCDE macro produces a CSECT for each invocation. If the
CLASS operand is present, the CSECT name is the name of the class
being defined; otherwise, the CSECT name is ICHRRCDE.
The ICHERCDE macro definition is as follows:

    [label] ICHERCDE [CLASS=classname]
                     [,CASE=UPPER|ASIS]
                     [,DFTRETC=0|4|8]
                     [,DFTUACC=ALTER|CONTROL|UPDATE|READ|NONE]
                     [,EQUALMAC=YES|NO]
                     [,FIRST=ALPHA|NUMERIC|ALPHANUM|ANY|NONATABC|NONATNUM]
                     [,GENLIST=ALLOWED|DISALLOWED]
                     [,GENERIC=ALLOWED|DISALLOWED]
                     [,GROUP=group-class|MEMBER=member-class]
                     [,ID=number]
                     [,KEYQUAL=0|nnn]
                     [,MAXLENX=number]
                     [,MAXLNTH=8|number]
                     [,OPER=YES|NO]
                     [,OTHER=ALPHA|NUMERIC|ALPHANUM|ANY|NONATABC|NONATNUM]
                     [,POSIT=number]
                     [,PROFDEF=YES|NO]
                     [,RACLIST=ALLOWED|DISALLOWED]
                     [,RACLREQ=YES|NO]
                     [,RVRSMAC=YES|NO]
                     [,SIGNAL=YES|NO]
                     [,SLBLREQ=YES|NO]
- CLASS=class name
- Specifies the name of the resource class. The name must be 1–8
characters long and must consist of the following: A through Z, 0
through 9, or # (X'7B'), @ (X'7C'), $ (X'5B').
The first character must be A through Z, # (X'7B'), @ (X'7C'),
or $ (X'5B'). You must include a # (X'7B'), @ (X'7C'),
$ (X'5B'), or numeric character in the name of any class
you define in order to guarantee that installation-defined classes
do not conflict with classes supplied by IBM.
In this way, classes supplied by IBM should
always have unique class names. If this rule is not followed, the
assembler issues a severity 4 MNOTE warning.
If you specify any
options on the ICHERCDE macro, you must specify the CLASS operand.
- CASE=UPPER | ASIS
- Specifies whether mixed-case profile names are allowed for the
class specified by the CLASS operand. UPPER is the default. When ASIS
is specified, RACF commands
preserve the case of profile names for the specified class. Lowercase
characters are allowed in any position of the profile name where alphabetic
characters are allowed, based on the character restrictions specified
in the FIRST= and OTHER= operands.
- DFTRETC=0|4|8
- Specifies the return code that RACF provides
from RACROUTE REQUEST=AUTH, or REQUEST=FASTAUTH when RACF and the class are active and (if required)
the class has been processed using SETROPTS RACLIST, but RACF does not find a profile to protect the
resource specified on the AUTH or FASTAUTH request.
- 0
- The access request was accepted.
- 4
- No profile exists.
- 8
- The access request was denied.
If you do not specify this parameter, it defaults
to 4.
- DFTUACC= ALTER|CONTROL|UPDATE|READ|NONE
- Specifies the minimum access allowed if the access level is not
set when a resource profile is defined in the class. If you omit DFTUACC,
and no access level is specified at the time the profile is created, RACF uses the default universal
access authority from the command issuer's ACEE.
- EQUALMAC=YES|NO
- Specifies whether equal mandatory access checking is required
when users attempt to access resources protected by profiles in this
class. If EQUALMAC=YES is specified, whenever RACF performs a mandatory access check the security
label of the user and the security label of the resource must be equivalent
to pass the mandatory access check. Security labels are equivalent
when they have the same security level and category definitions. The
SYSMULTI security label is equivalent to any other security label.
Use
EQUALMAC=YES for classes where two-way communication is expected.
EQUALMAC=YES
cannot be specified with RVRSMAC=YES.
- FIRST=
- Specifies a character type restriction for the first character
of the profile name.
- ALPHA
- Specifies an alphabetic, # (X'7B'), @ (X'7C'),
or $ (X'5B'). ALPHA is the default value for both the FIRST
and OTHER operand.
- NUMERIC
- Specifies a digit (0–9).
- ALPHANUM
- Specifies an alphabetic, a numeric, # (X'7B'), @ (X'7C'),
or $ (X'5B').
- ANY
- Specifies any character other than a blank, a comma, a parenthesis,
or a semicolon.
Note:
- Resource names (as opposed to profile names) for a class should
not contain the characters *, %, or & because these characters
do not work as expected when generic profile processing is active
for the class.
- ANY is the only value that permits the period ('.'), so you must
specify it if you intend to use the period as a qualifier delimiter.
- NONATABC
- Specifies an alphabetic character. Characters such as # (X'7B'),
@ (X'7C'), $ (X'5B'), and numerics are excluded.
- NONATNUM
- Specifies an alphabetic or numeric character. Characters such
as # (X'7B'), @ (X'7C'), and $ (X'5B')
are excluded.
- GENERIC=ALLOWED|DISALLOWED
- Specifies whether SETROPTS GENERIC and SETROPTS GENCMD are
to be allowed for the class. The SETROPTS GENERIC command activates
generic profile checking for a class, and the SETROPTS GENCMD command
activates generic profile command processing for a class.
If
GENERIC=DISALLOWED is specified, GENLIST=ALLOWED cannot be specified.
Because
generic processing is not allowed for grouping classes, GENERIC=ALLOWED
cannot be specified if MEMBER= is also specified.
GENERIC
keyword consideration for a class that shares a POSIT number:
- If the class shares a POSIT number with another class, all classes
with the shared POSIT number must have the same setting for the GENERIC
keyword. This is because the SETROPTS GENERIC and SETROPTS GENCMD
commands process all classes that share a POSIT number.
- If your class that shares a POSIT number violates this rule, that
is, at least one class specifies GENERIC=DISALLOWED and at least one
class specifies GENERIC=ALLOWED, the assembler issues a severity 8
MNOTE error.
- If the class shares a POSIT number with an IBM class and it violates this rule, a warning
message will be issued during RACF initialization,
and the value of the GENERIC keyword will be changed by RACF to match the IBM class.
- If the class shares a POSIT number with another installation-defined
class from a separate assembly and violates this rule, a warning message
will be issued during RACF initialization,
and the value of the GENERIC keyword in both classes will be set to
the least restrictive attribute, GENERIC=ALLOWED.
- If your static installation class specifies GENERIC=DISALLOWED,
and subsequently a dynamic class is added that shares a POSIT number
and specifies GENERIC=ALLOWED, the static class will be changed to
GENERIC=ALLOWED (the least restrictive attribute) during SETROPTS
RACLIST(CDT) processing. The GENERIC=ALLOWED setting will remain for
the duration of that IPL.
- If you want to change the setting in the static class back to
GENERIC=DISALLOWED, do the following tasks:
  - Change the dynamic class to specify either a different POSIT number
  or GENERIC=DISALLOWED. See z/OS Security Server RACF Security Administrator's Guide for
  more guidelines for changing dynamic CDT entries.
  - Re-IPL the system.
Exception: A grouping class and member class can share
a POSIT number. GENERIC=DISALLOWED should be specified for the grouping
class and GENERIC=ALLOWED may be specified for the member class.
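A pre-assembly consistency check for an installation-defined class descriptor table, applying the class-name rule under CLASS=, the installation POSIT ranges, the static/dynamic grouping restriction, the shared-POSIT GENERIC rule above, and the shared-database compatibility rule. This is an added example, not code from the IBM manual or from RACF; the one-dict-per-ICHERCDE layout, the function names, and the sample classes (modelled on the $PONIES/$HORSES scenario under POSIT=) are assumptions.

```python
# Added example (not from the IBM manual): a pre-assembly sanity check for an
# installation-defined class descriptor table, applying the rules stated above.
# The one-dict-per-ICHERCDE layout, the function names and the sample classes
# are assumptions; the rules themselves come from the text.
import re

INSTALLATION_POSITS = set(range(19, 57)) | set(range(128, 528))  # 19-56, 128-527
NAME_RE = re.compile(r"^[A-Z#@$][A-Z0-9#@$]{0,7}$")


def check_class_name(name: str) -> list[str]:
    """Name: 1-8 of A-Z 0-9 # @ $, first character A-Z # @ $, and at least one
    # @ $ or digit so it cannot collide with an IBM-supplied class (MNOTE 4)."""
    if not NAME_RE.match(name):
        return [f"{name}: invalid class name"]
    if not any(ch in "#@$0123456789" for ch in name):
        return [f"{name}: no #, @, $ or digit; may conflict with an IBM class"]
    return []


def check_table(classes: list[dict]) -> list[str]:
    """Validate one class descriptor table (static and dynamic parts together)."""
    problems: list[str] = []
    by_name = {c["class"]: c for c in classes}
    by_posit: dict[int, list[dict]] = {}
    for c in classes:
        problems += check_class_name(c["class"])
        if c["posit"] not in INSTALLATION_POSITS:
            problems.append(f"{c['class']}: POSIT {c['posit']} is reserved for IBM")
        if c.get("member") and c["generic"] == "ALLOWED":
            problems.append(f"{c['class']}: grouping class cannot specify GENERIC=ALLOWED")
        # GROUP= and MEMBER= partners must exist and sit in the same part of the CDT.
        for key in ("member", "group"):
            partner = c.get(key)
            if not partner:
                continue
            other = by_name.get(partner)
            if other is None:
                problems.append(f"{c['class']}: {key.upper()}={partner} is not defined")
            elif other["part"] != c["part"]:
                problems.append(f"{c['class']}: {key.upper()}={partner} is in the {other['part']} CDT")
        by_posit.setdefault(c["posit"], []).append(c)
    # SETROPTS GENERIC/GENCMD act on every class sharing a POSIT, so the GENERIC
    # setting must agree; grouping classes (always DISALLOWED) are the exception.
    for posit, group in by_posit.items():
        settings = {c["generic"] for c in group if not c.get("member")}
        if len(settings) > 1:
            names = ", ".join(c["class"] for c in group)
            problems.append(f"POSIT {posit}: GENERIC differs across {names} (MNOTE 8)")
    return problems


def check_shared_database(*tables: list[dict]) -> list[str]:
    """Systems sharing a RACF database may carry different tables, but a class
    present on more than one system must be defined identically on each."""
    seen: dict[str, dict] = {}
    problems = []
    for table in tables:
        for c in table:
            if c["class"] in seen and seen[c["class"]] != c:
                problems.append(f"{c['class']}: differs between sharing systems")
            seen.setdefault(c["class"], c)
    return problems


# Constructed sample modelled on the $PONIES/$HORSES scenario under POSIT=:
# $HORSES shares POSIT 21 with $PONIES and has a grouping class G$HORSES.
SYSTEM_X = [
    {"class": "$PONIES", "posit": 21, "generic": "ALLOWED", "part": "static"},
    {"class": "$HORSES", "posit": 21, "generic": "ALLOWED", "part": "static", "group": "G$HORSES"},
    {"class": "G$HORSES", "posit": 21, "generic": "DISALLOWED", "part": "static", "member": "$HORSES"},
    {"class": "$TSTCLAS", "posit": 22, "generic": "ALLOWED", "part": "static"},
]
SYSTEM_Y = SYSTEM_X + [{"class": "$MARES", "posit": 21, "generic": "ALLOWED", "part": "static"}]

if __name__ == "__main__":
    print(check_table(SYSTEM_X), check_shared_database(SYSTEM_X, SYSTEM_Y))
```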
- GENLIST=ALLOWED|DISALLOWED
- Specifies whether SETROPTS GENLIST is to be allowed for the class.
If you GENLIST the class on the SETROPTS command, then if a user requests
access to a resource protected by a generic profile, a copy of that
profile will be brought into the common storage area, rather than
into the user's address space. RACF uses
those generic profiles in common storage to check the authorization
of any users who want to access the resource. The profiles remain
in common storage until a REFRESH occurs.
- GROUP=group-class
- Specifies the name of the class that groups the resources within
the class specified by the CLASS operand. If you omit this operand, RACF does not allow resource grouping
for the resource specified by the CLASS operand. If group is specified,
the group entry must be in the same class descriptor table (IBM or installation) and in the
same part of the class descriptor table (static or dynamic), as the
member entry.
- ID=number
- Specifies a number from 1 to 255 that is associated with the class
name. RACF stores this number
in the general profile. Numbers 1 through 127 are reserved for use
by IBM; numbers 128 through
255 are reserved for use by the installation.
The ID keyword does
not need to be unique for each class; in fact, if more than 128 class
descriptor table entries are defined by the installation, ID numbers
have to be reused. An installation can use ID numbers to identify
related classes; however, RACF does
not use the ID number. Do not confuse the ID number with the POSIT
number described below.
If you specify any options on the ICHERCDE
macro, you must specify the ID operand.
- KEYQUAL=nnn
- Specifies the number of matching qualifiers RACF uses when loading generic profile names
to satisfy an authorization request if a discrete profile does not
exist for the resource. For example, if you specify two for the class,
all generic profile names whose two highest level qualifiers match
the two highest qualifiers of the entity name are loaded into the
user's storage when the user requests access to a resource.
If
you do not specify KEYQUAL, the default is 0, and profile names for
the entire class are loaded and searched. The maximum value you can
specify for KEYQUAL is 123, which is the maximum number of qualifiers
in a name 246 characters long.
When KEYQUAL=nnn is
coded in the ICHERCDE macro, generic profiles created in that class
may not contain generic characters in the first nnn qualifiers
of the profile.
If a KEYQUAL=nnn is greater
than 0 for a class, all discrete and generic profiles in that class
must have at least nnn+1 qualifiers in the profile name. The number
of qualifiers is determined by counting the number of period characters
in the profile and adding one; the first character is not examined.
Any generic characters must be in the nnn+1 qualifier or beyond.
Examples
of valid profile names for KEYQUALIFIERS(2) are:
KEYQUAL=nnn (where nnn is
greater than 0) should be used for a class that has the following
attributes:
- The class will generally not be RACLISTed.
- The class will generally not be GENLISTed.
- Profile names in the class have a naming convention where many
generic profiles have the same nnn qualifiers at
the beginning of the profile name.
For example, suppose that you have an application program
that uses an installation class to protect reports on terminal usage,
and you have the following profiles for every user on your z/OS® system:
REPORTS.USER1.TERMUSE.*
REPORTS.USER1.TERMUSE.DEPT60.*
REPORTS.USER1.TERMUSE.2006.JAN.*
REPORTS.USER1.TERMUSE.2006.FEB.*
REPORTS.USER1.TERMUSE.2006.MAR.*
REPORTS.USER1.TERMUSE.2006.APR.*
REPORTS.USER1.TERMUSE.2006.MAY.*
REPORTS.USER1.TERMUSE.2006.JUN.*
REPORTS.USER1.TERMUSE.2006.JUL.*
REPORTS.USER1.TERMUSE.2006.AUG.*
REPORTS.USER1.TERMUSE.2006.SEP.*
REPORTS.USER1.TERMUSE.2006.OCT.*
REPORTS.USER1.TERMUSE.2006.NOV.*
REPORTS.USER1.TERMUSE.2006.DEC.*
You might define
your installation class with KEYQUAL=3 so that when an authorization
check is done for a resource in your class, only the generic profile
whose name matches the first three qualifiers of your report is loaded
into storage for RACF to match
against.
The FILE and DIRECTRY classes have different rules.
For the syntax required for profiles in the DIRECTRY and FILE classes,
see z/OS Security Server RACF Command Language Reference for
your VM system.
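The qualifier-counting rules above, as an added example that is not from the IBM manual: it checks candidate profile names against a class's KEYQUAL value (minimum nnn+1 qualifiers, no generic characters in the first nnn) and shows which generic profiles are candidates for a resource under KEYQUAL=3. The function names and the USER2 profiles are assumptions; the USER1 profiles are the ones listed above.

```python
# Added example (not from the IBM manual): apply the KEYQUAL=nnn rules above to
# candidate profile names and show which generic profiles RACF would load for
# one resource. Function names and the USER2 profiles are assumptions.

GENERIC_CHARS = set("*%&")  # characters with generic meaning in profile names
MAX_KEYQUAL = 123           # the largest value ICHERCDE accepts for KEYQUAL


def qualifiers(name: str) -> list[str]:
    """Split a name into qualifiers the way the manual counts them: periods
    after the first character, plus one (a leading period is not a delimiter)."""
    if not name:
        return []
    parts = name[1:].split(".")
    parts[0] = name[0] + parts[0]
    return parts


def check_profile(name: str, keyqual: int) -> list[str]:
    """Return the KEYQUAL rule violations for one profile name (empty if valid)."""
    if not 0 <= keyqual <= MAX_KEYQUAL:
        raise ValueError(f"KEYQUAL must be 0..{MAX_KEYQUAL}, got {keyqual}")
    problems = []
    quals = qualifiers(name)
    # With KEYQUAL greater than 0, every profile needs at least nnn+1 qualifiers.
    if keyqual > 0 and len(quals) < keyqual + 1:
        problems.append(f"{name}: has {len(quals)} qualifiers, needs at least {keyqual + 1}")
    # Generic characters are only allowed from qualifier nnn+1 onward.
    for position, qual in enumerate(quals[:keyqual], start=1):
        if GENERIC_CHARS & set(qual):
            problems.append(f"{name}: qualifier {position} ({qual}) is generic "
                            f"but lies within the first {keyqual}")
    return problems


def candidate_profiles(resource: str, profiles: list[str], keyqual: int) -> list[str]:
    """Generic profiles whose first keyqual qualifiers match the resource's.
    KEYQUAL=0 means the names of the whole class are loaded and searched."""
    if keyqual == 0:
        return list(profiles)
    key = qualifiers(resource)[:keyqual]
    return [p for p in profiles if qualifiers(p)[:keyqual] == key]


# Constructed sample: the USER1 profiles from the manual plus a second user.
PROFILES = [
    "REPORTS.USER1.TERMUSE.*",
    "REPORTS.USER1.TERMUSE.DEPT60.*",
    "REPORTS.USER1.TERMUSE.2006.MAR.*",
    "REPORTS.USER2.TERMUSE.*",
    "REPORTS.USER2.TERMUSE.2006.MAR.*",
]


def loaded_for(resource: str, keyqual: int = 3) -> list[str]:
    """Profiles RACF would bring into the user's storage for this resource."""
    return candidate_profiles(resource, PROFILES, keyqual)


if __name__ == "__main__":
    for profile in PROFILES:
        assert not check_profile(profile, 3)
    print(loaded_for("REPORTS.USER1.TERMUSE.2006.MAR.DAILY"))
```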
- MAXLENX=number
- Specifies the maximum length of resource and profile names for
this class when a RACROUTE macro is invoked with the ENTITYX keyword,
or a profile is added or changed via a RACF command
processor. For installation-defined classes, you can specify a number
from 1 to 246. If MAXLENX is not specified, the value specified for
MAXLNTH is used.
Note:
- Do not assemble a static class descriptor table using MAXLENX
and share it with a system running a RACF release
earlier than OS/390 V2R8.
- If you specify a MAXLENX value greater than the MAXLNTH value
for a class, before you define any profiles with names longer than
MAXLNTH, you should verify that any programs using RACROUTE REQUEST=EXTRACT,
TYPE=EXTRACTN or ICHEINTY NEXT for that class will properly handle
the longer names.
- MAXLNTH=8|number
- Specifies the maximum length of resource and profile names for
this class when MAXLENX is not specified. When MAXLENX is also specified,
MAXLNTH represents the maximum length of a resource name only when
a RACROUTE macro is invoked with the ENTITY keyword. For installation-defined
classes, you can specify a number from 1 to 246; the default is 8.
Note: You
cannot use the MAXLNTH or MAXLENX parameters to change the maximum
size allowed for a resource name by the resource manager. For example, CICS® allows a maximum of 13 characters
in a transaction name. Thus, if you define additional CICS transaction classes, you must also specify
MAXLNTH=13. This restriction does not apply to transaction
grouping classes.
- MEMBER=member-class
- Specifies the name of the class grouped by the resources within
the class specified by the CLASS operand. The class name must be from
1 to 8 alphanumeric characters. When this operand is specified, the
class being defined is a resource group. If a member is specified,
the member entry must be in the same class descriptor table (IBM or installation), and in the
same part of the class descriptor table (static or dynamic), as the
group entry.
- OPER=YES|NO
- Specifies whether RACF is
to take the OPERATIONS attribute into account when it performs authorization
checking. If YES is specified, RACF considers
the OPERATIONS attribute; if NO is specified, RACF ignores the OPERATIONS attribute. YES is
the default.
- OTHER=
- Specifies a character type restriction for the characters of the
profile name other than the first character.
- ALPHA
- Specifies an alphabetic or # (X'7B'), @ (X'7C'),
$ (X'5B'). ALPHA is the default value for both the FIRST
and OTHER operand.
- NUMERIC
- Specifies a digit (0–9).
- ALPHANUM
- Specifies an alphabetic, numeric, or # (X'7B'), @ (X'7C'),
$ (X'5B').
- ANY
- Specifies any character other than a blank, comma, a parenthesis,
or semicolon.
Note:
- Resource names (as opposed to profile names) for a class should
not contain the characters *, %, or & because these characters
do not work as expected when generic profile processing is active
for the class.
- ANY is the only value that permits the period ('.'), so you must
specify it if you intend to use the period as a qualifier delimiter.
- NONATABC
- Specifies an alphabetic character. Characters such as # (X'7B'),
@ (X'7C'), $ (X'5B'), and numerics are excluded.
- NONATNUM
- Specifies an alphabetic or numeric character. Characters such
as # (X'7B'), @ (X'7C'), and $ (X'5B')
are excluded.
- POSIT=number
- Specifies the POSIT number associated with the class. Each class
in the static class descriptor table has a POSIT number specified
on the ICHERCDE macro. The POSIT number identifies a set of option
flags that controls the following RACF processing
options:
- Whether authorization checking should take place for the class
(SETROPTS CLASSACT)
- Whether auditing should take place for resources within the class
(SETROPTS AUDIT)
- Whether statistics should be kept for resources within the class
(SETROPTS STATISTICS)
- Whether generic profile access checking is active for the class
(SETROPTS GENERIC)
- Whether generic command processing is active for the class (SETROPTS
GENCMD)
- Whether global access checking is active for the class (SETROPTS
GLOBAL)
- Whether user has CLAUTH to a resource class
- Whether special resource access auditing applies to the class
(SETROPTS LOGOPTIONS)
- Whether SETROPTS RACLIST will occur for this class (when the parameter
RACLIST=ALLOWED is also coded)
Before you assemble the static class descriptor table (CDT),
you must decide whether to use a unique set of option flags for each RACF class or whether to have two
or more RACF classes share
the same set of option flags.
If you choose to use a unique
set of option flags for a class, assign the class a unique POSIT number.
If you choose to share the same set of option flags among several
classes, assign those classes the same POSIT number. After creating
your class descriptor table, you can activate the classes that comprise
it and their respective set of option flags via the appropriate keywords
on the SETROPTS command.
Note: The following text describes the use of POSIT numbers
for classes in the static class descriptor table. You can add, delete,
and change classes and change their POSIT numbers without the need
for re-IPLing if you define your classes in the dynamic class descriptor
table. For information about the dynamic class descriptor table, see z/OS Security Server RACF Security Administrator's Guide.
Adding
a new class where a unique POSIT number is wanted to the static class
descriptor table: Suppose that you decide to define a new class
called $TSTCLAS. Since you want this class to be administered separately
from any other class, you select a new POSIT number, 22, which is
not being used by any other class. Now, when you activate or deactivate
SETROPTS options for $TSTCLAS, or grant CLAUTH to this class, no other
classes are affected.
Adding a new class that shares a POSIT
number with an existing class to the static class descriptor table: Suppose
that you have a class called $PONIES that was previously defined with
a unique POSIT number, 21. SETROPTS CLASSACT, SETROPTS AUDIT, and
SETROPTS STATISTICS are currently in effect on your system for class
$PONIES as a result of issuing those commands for class $PONIES.
Later,
you decide to define the class of $HORSES, a class related to $PONIES,
and logically requiring the same RACF processing
options. Therefore, when you code the ICHERCDE macro to include the
$HORSES class in the class descriptor table, specify the POSIT number
as 21, the same as for $PONIES.
When IPLing with the new ICHRRCDE,
the same RACF processing options
that are in effect for class $PONIES are automatically in effect for
the new class $HORSES: SETROPTS CLASSACT, SETROPTS AUDIT, and SETROPTS
STATISTICS.
Further, issuing either of the following
commands:
- SETROPTS GLOBAL($PONIES)
- SETROPTS GLOBAL($HORSES)
activates global access checking for both the $PONIES
and the $HORSES classes. Similarly, issuing either of the following
commands:
- SETROPTS STATISTICS($PONIES)
- SETROPTS STATISTICS($HORSES)
activates STATISTICS for both the $PONIES and the $HORSES
classes.
Any number of classes can share the same POSIT number.
For example, a third class called $MARES could be added and could
also share POSIT number 21 with $PONIES and $HORSES. Sharing a POSIT
number simplifies administration of related classes.
Because
you have specified the same POSIT number for both $PONIES and $HORSES
(the classes share the same option flag), you do not need to reissue
the SETROPTS command to activate the same set of options for $HORSES. RACF does it automatically because
a relationship has been established between the POSIT number (on the
ICHERCDE macro) and the set of options it represents (activated on
the SETROPTS command.)
Be aware that if two or more classes
share the same POSIT number, and you make a change to the option flag
set of one of the classes via the SETROPTS command, the change will
also be in effect for all the classes that share that POSIT number. Thus,
if you turn off the STATISTICS option for the class of $PONIES, that
action turns off the STATISTICS option for the class of $HORSES, because
both classes share the same POSIT number. You must code a unique POSIT
number for each class if you want RACF to
independently control processing options.
Changing an existing
installation-defined class in the static class descriptor table: If
you change the POSIT value, be aware that changing the POSIT value
could cause unexpected results. For example, you could deactivate
a class if you change it to use a POSIT value associated with a class
that is not active.
If you are changing the POSIT value, do
the following before making the change:
- Issue the SETROPTS LIST command and record each active option
for the class.
- Examine your classes to see if any other class is using the current
POSIT value. If not, use the SETROPTS command to turn off all the
options associated with the class, so that you will not get any extraneous
options set if you later add a class using that POSIT value.
- Change the POSIT number associated with the class by updating
the ICHERCDE invocation for the class with the new POSIT number, re-creating
ICHRRCDE, and re-IPLing all systems that use the class.
- Use the SETROPTS command to set any of the options that are still
relevant for the class, using the output of the previous SETROPTS
LIST command as reference.
Deleting an installation-defined class from the static
class descriptor table: You can delete a class entry from the
static class descriptor table by specifying the name of the class
to be deleted on the OS-linkage-editor REPLACE statement. For the
deletion to take effect, re-IPL all systems that used the class.
You
should ensure that all profiles relating to this class are deleted before deleting
the class descriptor table entry.
Pay special attention to any unique POSIT
values you use. If the class you are deleting has a unique POSIT
value, issue a SETROPTS LIST to check what options you are using with
the class, for example, CLASSACT, LOGOPTIONS, AUDIT, RACLIST, and
so on. Turn off each of the options for the class.
An example:
You might have activated your class. You should deactivate the class
before re-IPLing your system. If you do not deactivate the class and,
at a future date, you create a class with the POSIT value previously
used, the class will automatically be active. The same consideration
applies to each option controlled by the POSIT value.
- PROFDEF=YES|NO
- Specifies whether you want RACF to
allow profiles to be defined for this RACF resource
class. If you specify PROFDEF=NO, RACF will
not allow profiles to be defined to this RACF resource class; if a user attempts to define
a profile to that class, the RDEFINE command responds with an appropriate
message.
- RACLIST=ALLOWED|DISALLOWED
- Specifies whether SETROPTS RACLIST is to be allowed for the class.
If you process the class using SETROPTS RACLIST, RACF brings copies of all discrete and generic
profiles within that class into storage in a data space. RACF uses those profiles in storage to check
the authorization of any users who want to access the resources. The
profiles remain in storage until removed by SETROPTS NORACLIST.
- RACLREQ=YES|NO
- Specifies whether you must process the class using SETROPTS RACLIST
in order to use RACROUTE REQUEST=AUTH. The purpose of this keyword
is to allow routines that cannot tolerate I/O to invoke RACF. If you specify YES, and the class is not
processed by SETROPTS RACLIST and a RACROUTE REQUEST=AUTH is attempted,
the return code is 4. If you do not specify the parameter, it defaults
to NO.
- RVRSMAC=YES|NO
- Specifies whether reverse mandatory access checking is required.
If
RVRSMAC=YES is specified, RACF performs
a reverse mandatory access check (MAC) when and if a mandatory access
check is required. In a reverse mandatory access check, the security
label of the resource must dominate that of the user.
RVRSMAC=YES
cannot be specified with EQUALMAC=YES.
Note that if this parameter
is omitted, it is assigned the default value of RVRSMAC=NO, which
means that when and if a mandatory access check is required, the user's
security label must dominate that of the resource.
- SIGNAL=YES|NO
- Specifies whether an ENF signal is sent to listeners when a SETROPTS
RACLIST, SETROPTS NORACLIST, or SETROPTS RACLIST REFRESH is issued
for the class, activating, deactivating, or updating the profiles
used for authorization checking. For information about signals, see the topic on signals in z/OS Security Server RACF System Programmer's Guide.
- SLBLREQ=YES|NO
- Specifies whether a security label is required for the profiles
of this class.
When MLACTIVE is on, each profile in the class must
have a security label. The default, SLBLREQ=NO, means that RACF will not require a security
label for profiles in this class; however, if a security label exists
for this profile, and the SECLABEL class is active, RACF will use it during authorization checking.
SLBLREQ=NO
applies to general resource classes that have no profiles, such as
DIRAUTH, or for classes that contain no data, such as OPERCMDS and
SECLABEL.