Activating security labels by system image (SECLBYSYSTEM option)

If you have the SPECIAL attribute, and if the SECLABEL class is active, you can allow activation of security labels on a system image basis. Specify the SMF ID of each selected system in the member list of profiles in the SECLABEL class to indicate that a particular security label is active on that system.

Rules:

Security labels that are not active on a particular system cannot be used or listed by users without SPECIAL or AUDITOR on that system.
If you define a security label with no member list, the security label is active on all systems.
If you specify a member list for the following security labels, it will be ignored:
- SYSHIGH
- SYSLOW
- SYSNONE
- SYSMULTI

When SECLBYSYSTEM is in effect, a batch job submitted with no security label executes with the security label of the JESINPUT class profile, unless the JESINPUT class security label is SYSMULTI.

After activating SECLBYSYSTEM, you must issue SETROPTS RACLIST(SECLABEL) REFRESH to complete the activation of security labels by system. This option cannot be activated when the SECLABEL class is inactive.

To activate this option, enter:

SETROPTS SECLBYSYSTEM
SETROPTS RACLIST(SECLABEL) REFRESH

To cancel the SECLBYSYSTEM option, specify NOSECLBYSYSTEM on the SETROPTS command. Then, issue the SETROPTS RACLIST(SECLABEL) REFRESH.

Note: Do not specify SETROPTS SECLBYSYSTEM if any system sharing the RACF® database is not at the necessary software level for multilevel security support. Use of the SETROPTS SECLBYSYSTEM option should not cause problems on these systems, but it does not provide full protection on these systems. For details, see z/OS Planning for Multilevel Security and the Common Criteria.