z/OS Security Server RACF Security Administrator's Guide


Authorization summary for SETROPTS MLACTIVE

SA23-2289-00

Table 1 describes the results of security label authorization when the SECLABEL class is active and either the user's or resource's security label is missing. The results vary depending on the SETROPTS MLACTIVE setting and whether or not the resource class being checked requires security labels. The supplied class descriptor table (ICHRRCDX) specifies which resource classes require security labels. For a listing of the supplied class descriptor table (CDT) entries, see the z/OS Security Server RACF Macros and Interfaces.

Attention: Do not issue the SETROPTS MLACTIVE(FAILURES) command unless you have assigned appropriate security labels to users and to the resources they must access. To recover from such a situation, log on as a user with the SPECIAL attribute, specifying SYSHIGH as the current security label. Then either assign security labels or issue SETROPTS NOMLACTIVE. If you turn on MLACTIVE and do not correctly define all profiles that need SECLABELs, IPL failures or other serious problems can occur.

Guidelines:
  • Back up your RACF® database with a database that you know you can use to IPL.
  • Define new system profiles (including classes such as DATASET, TERMINAL, TAPEVOL, APPL, or any other active class that has SLBLREQ=YES in the class descriptor table) and ensure they have the correct security labels.
  • Turn MLACTIVE on in WARNING mode.
  • Watch for the relevant warning messages.

Data set and general resource profiles in WARNING mode: A user or task can access a resource that is in WARNING mode and has no security label even when MLACTIVE(FAILURES) is in effect and the class requires security labels. The user or task receives a warning message and gains access. (A data set or general resource is in WARNING mode when you define or modify the profile that protects it and you specify the WARNING operand.)

Table 1. Effects of MLACTIVE settings on security label authorization

Column key:
  A      = Missing user security label (resource security label is present)
  B      = Missing resource security label (user security label is present)
  C      = Missing both user and resource security labels
  Pass+W = Pass and warning message sent to security console

Environment                                                              A         B         C
MLACTIVE(FAILURES) and resource class requires security labels           Fail (1)  Fail      Fail (1)
MLACTIVE(WARNING) and resource class requires security labels            Fail      Pass+W    Pass+W
NOMLACTIVE and resource class requires security labels                   Fail      Pass      Pass
MLACTIVE(FAILURES) and resource class does not require security labels   Fail (1)  Pass      Pass (1)
MLACTIVE(WARNING) and resource class does not require security labels    Fail      Pass      Pass
NOMLACTIVE and resource class does not require security labels           Fail      Pass      Pass

Note 1: In these cases, the user has a missing security label while SETROPTS MLACTIVE(FAILURES) is in effect because the user logged on without a security label before SETROPTS MLACTIVE(FAILURES) was activated. Authorization requests are passed or failed according to the entries in Table 1. If such a user attempts to log on to the system while SETROPTS MLACTIVE(FAILURES) is in effect, the user is not allowed to log on unless the user has access to the SYSLOW security label. Users who have access to SYSLOW at logon time when MLACTIVE(FAILURES) is active are assigned and run with SYSLOW.
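As an added illustration that is not part of this IBM publication, the following Python model encodes Table 1, the WARNING-mode profile exception described above, and Note 1 as a small set of rules rather than as a lookup, so that the table can be regenerated and checked from the rules. The function and parameter names are my own, not RACF interfaces.

```python
from enum import Enum

class Result(Enum):
    PASS = "Pass"
    PASS_WARN = "Pass and warning message sent to security console"
    FAIL = "Fail"

def seclabel_check(mlactive, class_requires_seclabel, user_has_label,
                   resource_has_label, profile_in_warning_mode=False):
    """Outcome of a security label check when a label is missing.
    mlactive: the SETROPTS setting, "FAILURES", "WARNING" or "NOMLACTIVE".
    class_requires_seclabel: True when the class has SLBLREQ=YES in the CDT.
    profile_in_warning_mode: the protecting profile specifies WARNING.
    Returns None when both labels are present (Table 1 does not apply)."""
    if user_has_label and resource_has_label:
        return None
    # Rule 1 (column A): a user with no label never passes against a
    # labelled resource, whatever the MLACTIVE setting.
    if resource_has_label:
        return Result.FAIL
    # Rule 2: with the resource label missing, a profile in WARNING mode
    # grants access with a warning even under MLACTIVE(FAILURES) for a
    # class that requires labels.
    if profile_in_warning_mode:
        return Result.PASS_WARN
    # Rule 3 (columns B and C): the setting only matters when the class
    # requires labels; otherwise the request passes silently.
    if class_requires_seclabel and mlactive == "FAILURES":
        return Result.FAIL
    if class_requires_seclabel and mlactive == "WARNING":
        return Result.PASS_WARN
    return Result.PASS

def logon_without_label(mlactive, has_access_to_syslow):
    """Note 1: under MLACTIVE(FAILURES) a logon that supplies no label is
    refused unless the user may use SYSLOW, which is then assigned.
    Returns (allowed, assigned label)."""
    if mlactive != "FAILURES":
        return (True, None)  # the situation Note 1 describes arising earlier
    return (True, "SYSLOW") if has_access_to_syslow else (False, None)

def table_1():
    """Regenerate the rows of Table 1 (columns A, B, C) from the rules."""
    cases = ((False, True), (True, False), (False, False))  # (user, resource)
    return {(m, req): tuple(seclabel_check(m, req, u, r) for u, r in cases)
            for m in ("FAILURES", "WARNING", "NOMLACTIVE")
            for req in (True, False)}
```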

Copyright IBM Corporation 1990, 2014