Security classification processing consists of a two-step checking process that occurs when RACF® is processing an authorization request. (Note that the SECDATA class must be active, the SECLABEL class must not be active, and the protecting resource profile must have security levels or security categories.)
- RACF compares the security level of the user with the security level of the resource. If the resource has a higher security level than the user, RACF denies the request.

  For a terminal session, the security level that RACF uses for the user is the lower of the user's SECLEVEL and the terminal's SECLEVEL. Thus if the terminal has a SECLEVEL of 50 and the user has a SECLEVEL of 100, the user cannot access, through that terminal, any data that has a SECLEVEL of over 50.
- RACF compares the list of security categories in the user's profile with the list of security categories in the resource's profile. If RACF finds any security category in the resource profile that is not in the user's profile, RACF denies the request. If RACF does not deny the request, RACF continues with authorization processing.

  If there are no categories in the resource profile, RACF continues with authorization processing.
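
The following Python model of the two-step check is an added illustration, not RACF code or an IBM interface. The class names, function name, and return constants are hypothetical. It assumes that a resource profile with no security level skips the level comparison, and it reports `NOT_APPLICABLE` when the stated preconditions are not met.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

DENY = "DENY"
CONTINUE = "CONTINUE"              # RACF continues with authorization processing
NOT_APPLICABLE = "NOT_APPLICABLE"  # preconditions for this check are not met


@dataclass(frozen=True)
class User:                        # hypothetical model of a user profile
    seclevel: int
    categories: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Resource:                    # hypothetical model of a resource profile
    seclevel: Optional[int] = None  # None: no security level in the profile
    categories: FrozenSet[str] = frozenset()


def classification_check(user, resource, *, terminal_seclevel=None,
                         secdata_active=True, seclabel_active=False):
    """Model the two-step security classification check described above."""
    # Preconditions: SECDATA active, SECLABEL not active, and the resource
    # profile carries security levels or security categories.
    if not secdata_active or seclabel_active:
        return NOT_APPLICABLE
    if resource.seclevel is None and not resource.categories:
        return NOT_APPLICABLE

    # Step 1: for a terminal session, the lower of the user's and the
    # terminal's SECLEVEL is compared with the resource's security level.
    effective = user.seclevel
    if terminal_seclevel is not None:
        effective = min(effective, terminal_seclevel)
    if resource.seclevel is not None and resource.seclevel > effective:
        return DENY

    # Step 2: any resource category missing from the user's list denies.
    if resource.categories - user.categories:
        return DENY
    return CONTINUE


if __name__ == "__main__":
    # Constructed sample values, matching the terminal example in the text.
    user = User(seclevel=100, categories=frozenset({"PAYROLL", "AUDIT"}))
    data = Resource(seclevel=60, categories=frozenset({"PAYROLL"}))
    print(classification_check(user, data))                        # direct
    print(classification_check(user, data, terminal_seclevel=50))  # terminal
```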