z/OS Security Server RACF Security Administrator's Guide


Comparing security labels

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

When authorization checks are made to determine security label authorization (for example during read-only, write-only, and read-write requests), the relationship between security labels is assessed. A relationship can occur between the security labels of two users or between a user and a resource. (For purposes of this explanation, examples will be drawn based on the relationship of the security label of a user and the security label of a resource.) The types of relationships are:
  • Dominance
  • Equivalence
  • Disjoint
To be considered dominant, the user's security label must be greater than or equal to the security label of the resource. When dominance occurs, both of the following conditions are true:
  1. The security level used to define the user's current security label is equal to or higher than the security level used to define the security label of the resource.
  2. All of the categories (if any) used to define the security label of the resource are in the user's current security label.
Note that the reverse relationship is also possible: the security label of a resource can dominate the security label of a user.
To be considered equivalent, the user's security label must have the same definition as the security label of the resource. When equivalence occurs, both of the following conditions are true:
  1. The security level used to define the user's current security label must be the same as the security level used to define the security label of the resource.
  2. All of the categories (if any) used to define the security label of the resource are the same as the categories used to define the user's current security label.
To have equivalence, the names of the security labels do not have to be the same.

When security labels are equivalent, each security label can be said to dominate and be dominated by the other.

To be considered disjoint, the user's current security label and the resource security label must not be equivalent, and neither one can dominate the other. When the labels are disjoint, both of the following conditions are true:
  1. The set of security categories that defines the user's current security label includes only a subset, or none, of the security categories that define the security label of the resource.
  2. The set of security categories that defines the security label of the resource includes only a subset, or none, of the security categories that define the user's current security label.
Note that the security labels of two users can also be disjoint.
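The three relationships above (dominance, equivalence, disjoint) as a small model, added here as an illustration and not taken from RACF itself. A label is modelled as a numeric security level plus a set of category names; the label names, levels and categories are constructed sample values, and `relationship()` is a hypothetical helper that classifies a user label against a resource label in the order the text describes.

```python
# Added example, not IBM/RACF code: a model of security label comparison.
# A higher level number means a more sensitive security level.
from dataclasses import dataclass, field
from typing import FrozenSet


@dataclass(frozen=True)
class SecurityLabel:
    name: str                      # label name; irrelevant to the comparison
    level: int                     # security level used to define the label
    categories: FrozenSet[str] = field(default_factory=frozenset)


def dominates(a: SecurityLabel, b: SecurityLabel) -> bool:
    """a dominates b: a's level >= b's level and a holds every category of b."""
    return a.level >= b.level and b.categories <= a.categories


def equivalent(a: SecurityLabel, b: SecurityLabel) -> bool:
    """Same level and identical category sets; the label names may differ."""
    return a.level == b.level and a.categories == b.categories


def disjoint(a: SecurityLabel, b: SecurityLabel) -> bool:
    """Neither label dominates the other (equivalence is then impossible too)."""
    return not dominates(a, b) and not dominates(b, a)


def relationship(user: SecurityLabel, resource: SecurityLabel) -> str:
    """Classify the user-to-resource relationship (hypothetical helper)."""
    if equivalent(user, resource):
        return "equivalent"
    if dominates(user, resource):
        return "user dominates resource"
    if dominates(resource, user):
        return "resource dominates user"
    return "disjoint"


# Constructed sample labels (not from any real RACF database).
SECRET_AB = SecurityLabel("SECAB", 30, frozenset({"A", "B"}))
SECRET_AB2 = SecurityLabel("SECAB2", 30, frozenset({"A", "B"}))  # same definition
SECRET_A = SecurityLabel("SECA", 30, frozenset({"A"}))
TOPSEC_A = SecurityLabel("TSA", 40, frozenset({"A"}))
CONF_B = SecurityLabel("CONFB", 20, frozenset({"B"}))

if __name__ == "__main__":
    for user, res in [(SECRET_AB, SECRET_A), (SECRET_A, SECRET_AB),
                      (SECRET_AB, SECRET_AB2), (TOPSEC_A, CONF_B)]:
        print(f"{user.name:7} vs {res.name:7}: {relationship(user, res)}")
```

The last pair shows the case practitioners most often misjudge: TSA has the higher level but lacks category B, so neither label dominates the other and the labels are disjoint.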

Copyright IBM Corporation 1990, 2014