search cancel

Move from multiple SECLABELs to a single label

book

Article ID: 202447

calendar_today

Updated On:

Products

Top Secret Top Secret - LDAP WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

In Top Secret, you need to move from using multiple SECLABELs to a single SECLABEL.

= TSS LIS(MLS) SECLEVEL(ALL) ============

MLS SECLEVEL RECORDS

SECLEVEL = 025  LVLNAME = PROPRIETARY

SECLEVEL = 050  LVLNAME = CONFIDENTIAL

SECLEVEL = 100  LVLNAME = RESTRICTED

SECLEVEL = 200  LVLNAME = NPPI

TSS0300I  LIST     FUNCTION SUCCESSFUL

 

= TSS LIS(MLS) SECLABEL(ALL) ============

MLS SECLABEL RECORDS

SECLABEL = ALL200     SECLEVEL = 200

   CATEGORY = PCI

   CATEGORY = SSN

SECLABEL = PCI200     SECLEVEL = 200

   CATEGORY = PCI

SECLABEL = TYPE200    SECLEVEL = 200

   CATEGORY = SSN

   CATEGORY = PCI

TSS0300I  LIST     FUNCTION SUCCESSFUL

Environment

  • Release : 16.0
  • Component : CA Top Secret for z/OS

Resolution

Use the SECLABEL to authorize a user to a dataset through MLS:

  1. Define a SECLABEL which is composed of a SECLEVEL and CATEGORY.
  2. Attach the SECLABEL to a resource like a dataset.
  3. Add the SECLABEL to any acid that will access to that dataset.

Example of combining SECLABELS

To move to one SECLABEL TYPE200 from two SECLABELs (TYPE200 and PCI200), all datasets that have been assigned PCI200 need the following command issued to replace the SECLABEL with TYPE200:

TSS REP(MLS) DATASET(dataset_name) SECLABEL(TYPE200)

All users that had SECLABEL PCI200 need to be replaced with TYPE200 SECLABEL to their acids:

TSS REP(acid) SECLABEL(TYPE200)

Per documentation, changes to the SECLABEL for the datasets and acid should be done around the same timeframe.