Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
Controlling the write-down privilege z/OS Security Server RACF Security Administrator's Guide SA23-2289-00 |
|
When SETROPTS MLS is active in your environment, users are limited in their WRITE actions, such as their authority to copy data from a resource with one security label to a resource with a lower security label. If you need to allow certain users to have this authority, also called the write-down privilege, you can authorize them using a FACILITY class profile called IRR.WRITEDOWN.BYUSER. Restriction: The authority to write down applies to actions on resources in classes defined in the CDT with neither the RVRSMAC nor EQUALMAC attribute. (Such classes are processed using normal MAC processing.) For classes with the RVRSMAC attribute, the write-down privilege allows users to write up. For classes with the EQUALMAC attribute, this privilege has no effect. |
Copyright IBM Corporation 1990, 2014
|