z/OS Security Server RACF Security Administrator's Guide


Preventing the copying of data to a lower security label (SETROPTS MLS option)

SA23-2289-00

If you have the SPECIAL attribute, and if the SECLABEL class is active, you can prevent unauthorized users from copying data from a resource with one security label to a resource with a lower security label. This protection is also called controlling "writedown".

To do this, enter:

  SETROPTS MLS(FAILURES)

Restrictions:
  • You cannot activate this option when the SECLABEL class is inactive.
  • The resource you want to protect must be in a resource class that is defined in the CDT with neither the RVRSMAC nor the EQUALMAC attribute. (If the class has the RVRSMAC attribute, users are prevented from writing up. If the class has the EQUALMAC attribute, users are not restricted in their write actions.)
You can authorize certain users to copy data from a resource with one security label to a resource with a lower security label by defining and controlling the writedown privilege. (For more information, see Controlling the write-down privilege.)

You can specify MLS(WARNING), rather than MLS(FAILURES), to allow the user request, but to send a warning message to the user and the security administrator. If you do not specify the FAILURES option with the SETROPTS MLS command, then MLS(WARNING) will be activated.

Restriction: SETROPTS MLS(WARNING) does not apply to resources controlled by the SETROPTS MLFSOBJ option (z/OS UNIX files and directories) and the SETROPTS MLIPCOBJ option (interprocess communication objects).

To cancel the SETROPTS MLS option, specify NOMLS on the SETROPTS command.
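The following is an added Python model of the rules on this page, written for this edit and not RACF code or IBM's own; it assumes that "lower" security label means the standard MLS dominance rule (security level plus categories), which the page does not define, and takes the class MAC attribute names and the MLS option values from the page.

```python
from dataclasses import dataclass, field

# Constructed model of the SETROPTS MLS writedown rules (assumption: not RACF code).
@dataclass(frozen=True)
class SecLabel:
    level: int                              # higher value = more sensitive
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        # Assumed standard MLS dominance: level at least as high and a superset of categories
        return self.level >= other.level and self.categories >= other.categories

@dataclass
class Setropts:
    seclabel_active: bool = False
    mls: str = "NOMLS"                      # "NOMLS", "WARNING" or "FAILURES"

def setropts_mls(opts, failures=False):
    """SETROPTS MLS(FAILURES) or, when FAILURES is omitted, MLS(WARNING)."""
    if not opts.seclabel_active:
        raise ValueError("SECLABEL class is inactive; MLS cannot be activated")
    opts.mls = "FAILURES" if failures else "WARNING"

def setropts_nomls(opts):
    """SETROPTS NOMLS cancels the option."""
    opts.mls = "NOMLS"

def check_copy(opts, class_mac, src, dst, has_writedown_priv=False):
    """Outcome of copying data from a resource labelled src to one labelled dst.
    class_mac is the target class's CDT MAC attribute: "MAC", "RVRSMAC" or "EQUALMAC"."""
    if class_mac in ("RVRSMAC", "EQUALMAC") or not opts.seclabel_active or opts.mls == "NOMLS":
        return "NOT-CONTROLLED"             # the MLS option does not govern this copy
    if dst.dominates(src) or has_writedown_priv:
        return "ALLOW"                      # not a writedown, or the user holds the writedown privilege
    return "WARN" if opts.mls == "WARNING" else "FAIL"
```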

Copyright IBM Corporation 1990, 2014