Comparing security labels
z/OS Security Server RACF Security Administrator's Guide SA23-2289-00
When authorization checks are made to determine security label
authorization (for example during read-only, write-only, and read-write
requests), the relationship between security labels is assessed. A
relationship can occur between the security labels of two users or
between a user and a resource. (For purposes of this explanation,
examples will be drawn based on the relationship of the security label
of a user and the security label of a resource.) The types of relationships
are:

To be considered dominant, the user's security
label must be greater than or equal to the security label of the resource.
When dominance occurs, both of the following
conditions are true:

To be considered equivalent, the user's
security label must have the same definition as the security label
of the resource. When equivalence occurs, both of
the following conditions are true:

When security labels are equivalent, each security label can be said to dominate and be dominated by the other.

To be considered disjoint, the user's
current security label and the resource security label must not be
equivalent and neither one can dominate the other. When a disjoint
occurs, both of the following conditions are
true:
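
The three relationships above, as an added Python sketch that is not part of the IBM guide or RACF itself. It assumes a security label is modelled as one numeric security level plus a set of categories; the `SecLabel` class, the function names and the sample labels are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecLabel:
    # Assumed model: a numeric security level and a set of category names.
    level: int
    categories: frozenset = frozenset()


def dominates(a: SecLabel, b: SecLabel) -> bool:
    """a is 'greater than or equal to' b: level at least as high
    and every category of b is also held by a."""
    return a.level >= b.level and a.categories >= b.categories


def relationship(user: SecLabel, resource: SecLabel) -> str:
    """Classify the user's label against the resource's label."""
    user_dom = dominates(user, resource)
    res_dom = dominates(resource, user)
    if user_dom and res_dom:
        # Each label dominates and is dominated by the other.
        return "equivalent"
    if user_dom:
        return "dominant"
    if res_dom:
        # Reverse case: the resource's label dominates the user's.
        return "dominated"
    # Not equivalent, and neither label dominates the other.
    return "disjoint"


# Constructed sample labels (not taken from any real RACF database).
USER = SecLabel(50, frozenset({"PAYROLL", "AUDIT"}))
RES_LOW = SecLabel(30, frozenset({"PAYROLL"}))
RES_SAME = SecLabel(50, frozenset({"AUDIT", "PAYROLL"}))
RES_OTHER = SecLabel(30, frozenset({"LEGAL"}))
RES_HIGH = SecLabel(70, frozenset({"PAYROLL", "AUDIT", "LEGAL"}))

if __name__ == "__main__":
    for name, res in [("RES_LOW", RES_LOW), ("RES_SAME", RES_SAME),
                      ("RES_OTHER", RES_OTHER), ("RES_HIGH", RES_HIGH)]:
        print(name, relationship(USER, res))
```

A higher level alone is not enough for dominance: `USER` outranks `RES_OTHER` on level but lacks its `LEGAL` category, so the two labels are disjoint.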
Copyright IBM Corporation 1990, 2014