z/OS Security Server RACF Security Administrator's Guide


Relationships among the SECLABEL class, SETROPTS MLS(FAILURES), SETROPTS MLACTIVE(FAILURES) and SETROPTS MLQUIET

SA23-2289-00

Table 1 shows the relationships among the SECLABEL class and the SETROPTS MLS(FAILURES), MLACTIVE(FAILURES), and MLQUIET options.

Table 1. Relationships among the SECLABEL class, SETROPTS MLS(FAILURES), SETROPTS MLACTIVE(FAILURES), and SETROPTS MLQUIET

| SECLABEL class | MLS (FAILURES) | MLACTIVE (FAILURES) | MLQUIET | Effect |
|----------------|----------------|---------------------|---------|--------|
| Inactive | Off | Off | Off | Security labels have no effect on authorization checking. |
| Active | Off | Off | Off | RACF® uses security labels and allows writing to a lower security label. |
| Active | On | Off | Off | RACF uses security labels and prevents writing to a lower security label ("no write down"). |
| Active | On | On | Off | All resources must be labeled, RACF uses security labels, and RACF prevents writing to a lower security label. |
| Active | Off | On | Off | Those resources required to have security labels by definition in the class descriptor table (CDT), resources in the DATASET class, and users must have security labels. |
| Active | Either | Either | On * | All attempts to access the system or resources fail (unless the attempt is made by the trusted computing base, a security administrator, or a console operator). |

Note: * To activate SETROPTS MLQUIET, you must also enable SETROPTS MLSTABLE.





Copyright IBM Corporation 1990, 2014