z/OS Security Server RACF Security Administrator's Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Restricting changes to security labels (SECLABELCONTROL option)

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

If you have the SPECIAL attribute, you can prevent users who do not have the SPECIAL attribute from doing either of the following:
  • Specifying or changing a security label in a resource profile
  • Changing a SECLABEL profile using the RALTER command
To place this control into effect, enter: 
SETROPTS SECLABELCONTROL
When the SECLABELCONTROL option is in effect, only certain users can specify the SECLABEL operand on RACF® commands:
  • Users with the SPECIAL attribute can specify the SECLABEL operand on any RACF command.
  • Users with the group-SPECIAL attribute can specify the SECLABEL operand only on the ADDUSER and ALTUSER commands when they add a user to a group within their scope of control. Also, group-SPECIAL users must be permitted to the SECLABEL profiles with at least READ access authority.
  • Users without the SPECIAL attribute cannot specify the SECLABEL operand.

To cancel this option, specify NOSECLABELCONTROL on the SETROPTS command.

Parent topic: SETROPTS options related to security labels

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014