MLS requires three things to be defined before resources can be protected: SECLEVEL, CATEGORY (optional) and SECLABEL.
The first two elements, SECLEVEL and CATEGORY, are independent of each other.
- The SECLEVEL is a numeric security level: the higher the number, the higher the protection.
- The CATEGORY is a profile, or a set that groups similar objects. It can represent projects, departments, jobnames, etc.
To create a SECLEVEL use: TSS ADD(MLS) SECLEVEL(5) LVLNAME(anyuser)
To create a CATEGORY use: TSS ADD(MLS) CATEGORY(category_name), where category_name can be a department name, a project or a jobname.
For example:
TSS ADD(MLS) CATEGORY(PAY)
TSS ADD(MLS) CATEGORY(SALES)
TSS ADD(MLS) CATEGORY(SYSTEM)
Once the SECLEVEL and CATEGORY are defined to MLS, you have to create your SECLABEL. A SECLABEL is the association of one SECLEVEL with a list of CATEGORYs.
For example, using a SECLEVEL you have defined:
TSS ADD(MLS) SECLABEL(ALLxxx) SECLEVEL(200) CATEGORY(PAY,SALES,SYSTEM)
TSS ADD(MLS) SECLABEL(PAYxxx) SECLEVEL(200) CATEGORY(PAY)
TSS ADD(MLS) SECLABEL(SALExxx) SECLEVEL(200) CATEGORY(SALES)
TSS ADD(MLS) SECLABEL(MIXxxx) SECLEVEL(200) CATEGORY(PAY,SALES)
TSS ADD(MLS) SECLABEL(SYSTEMxxx) SECLEVEL(200) CATEGORY(SYSTEM)
Then you have to associate each dataset with the appropriate security label.
For example:
TSS ADD(MLS) DSN(PAY.) SECLABEL(PAYxxx) MODE(WARN)
TSS ADD(MLS) DSN(SALES.) SECLABEL(SALExxx) MODE(WARN)
TSS ADD(MLS) DSN(SYSTEM.) SECLABEL(SYSTEMxxx) MODE(WARN)
This means that to access a dataset with HLQ 'PAY.', the user has to be signed on with label PAYxxx, MIXxxx or ALLxxx, depending on the access level required.
Labels MIXxxx and ALLxxx dominate the dataset label, whereas label PAYxxx is equivalent to it; the access allowed in the two cases is not the same.
See Verifying User Access to an Object for additional information.
If a user needs access to both PAY. and SALES. datasets, the user has to be signed on with either label MIXxxx or ALLxxx, because these SECLABELs dominate both dataset labels.
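The following is an added example, not Top Secret code and not part of the original text: a small Python model that parses the TSS ADD(MLS) commands quoted above and evaluates which user SECLABELs dominate, or are equivalent to, the SECLABEL assigned to each dataset prefix. It assumes the usual definition of dominance (a label dominates another when its SECLEVEL is greater than or equal and its CATEGORY set is a superset); the distinction it reports between "equivalent" and "dominates" follows the text, and the exact read/write access Top Secret grants in each case is left to the product documentation referenced above.

```python
"""Model of the SECLEVEL / CATEGORY / SECLABEL relationships described above.

Added example: it does not issue TSS commands; it only parses the command
text quoted on the page and computes label dominance.  The dominance rule
(level >= and categories are a superset) is assumed to be the standard one.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SecLabel:
    name: str
    seclevel: int
    categories: frozenset

    def dominates(self, other):
        """Level is >= other's and every category of other is held too."""
        return self.seclevel >= other.seclevel and self.categories >= other.categories

    def equivalent(self, other):
        return self.seclevel == other.seclevel and self.categories == other.categories


@dataclass
class MlsConfig:
    seclevels: dict = field(default_factory=dict)   # level number -> LVLNAME
    categories: set = field(default_factory=set)
    seclabels: dict = field(default_factory=dict)   # SECLABEL name -> SecLabel
    datasets: dict = field(default_factory=dict)    # DSN prefix -> (label name, MODE)


_KEYWORD = re.compile(r"(\w+)\(([^)]*)\)")


def parse_tss(lines):
    """Parse TSS ADD(MLS) commands; other command lines are ignored."""
    cfg = MlsConfig()
    prefix = "TSS ADD(MLS)"
    for line in lines:
        line = line.strip()
        if not line.startswith(prefix):
            continue
        kw = dict(_KEYWORD.findall(line[len(prefix):]))
        if "DSN" in kw:                      # dataset -> label association
            if kw["SECLABEL"] not in cfg.seclabels:
                raise ValueError(f"DSN {kw['DSN']}: undefined SECLABEL {kw['SECLABEL']}")
            cfg.datasets[kw["DSN"]] = (kw["SECLABEL"], kw.get("MODE", ""))
        elif "SECLABEL" in kw:               # label = one SECLEVEL + CATEGORY list
            cats = frozenset(c.strip() for c in kw.get("CATEGORY", "").split(",") if c.strip())
            missing = cats - cfg.categories  # CATEGORYs must already be defined to MLS
            if missing:
                raise ValueError(f"{kw['SECLABEL']}: undefined CATEGORY {sorted(missing)}")
            cfg.seclabels[kw["SECLABEL"]] = SecLabel(kw["SECLABEL"], int(kw["SECLEVEL"]), cats)
        elif "SECLEVEL" in kw:               # SECLEVEL definition
            cfg.seclevels[int(kw["SECLEVEL"])] = kw.get("LVLNAME", "")
        elif "CATEGORY" in kw:               # CATEGORY definition
            cfg.categories.add(kw["CATEGORY"])
    return cfg


def labels_that_dominate(cfg, dsn_prefix):
    """User SECLABELs that dominate (or equal) the label of a dataset prefix."""
    ds_label = cfg.seclabels[cfg.datasets[dsn_prefix][0]]
    return sorted(n for n, lbl in cfg.seclabels.items() if lbl.dominates(ds_label))


def access_kind(cfg, user_label, dsn_prefix):
    """'equivalent', 'dominates' or 'none' for a user label against a dataset label."""
    ds_label = cfg.seclabels[cfg.datasets[dsn_prefix][0]]
    user = cfg.seclabels[user_label]
    if user.equivalent(ds_label):
        return "equivalent"
    if user.dominates(ds_label):
        return "dominates"
    return "none"


def labels_covering(cfg, prefixes):
    """Labels that dominate every listed dataset prefix (the MIXxxx / ALLxxx case)."""
    sets = [set(labels_that_dominate(cfg, p)) for p in prefixes]
    return sorted(set.intersection(*sets)) if sets else []


def dataset_prefix_for(cfg, dsn):
    """Longest protected DSN prefix matching a fully qualified dataset name, or None."""
    matches = [p for p in cfg.datasets if dsn.startswith(p)]
    return max(matches, key=len) if matches else None


# The command lines quoted on the page, in the order they must be issued.
PAGE_COMMANDS = """
TSS ADD(MLS) SECLEVEL(5) LVLNAME(anyuser)
TSS ADD(MLS) CATEGORY(PAY)
TSS ADD(MLS) CATEGORY(SALES)
TSS ADD(MLS) CATEGORY(SYSTEM)
TSS ADD(MLS) SECLABEL(ALLxxx) SECLEVEL(200) CATEGORY(PAY,SALES,SYSTEM)
TSS ADD(MLS) SECLABEL(PAYxxx) SECLEVEL(200) CATEGORY(PAY)
TSS ADD(MLS) SECLABEL(SALExxx) SECLEVEL(200) CATEGORY(SALES)
TSS ADD(MLS) SECLABEL(MIXxxx) SECLEVEL(200) CATEGORY(PAY,SALES)
TSS ADD(MLS) SECLABEL(SYSTEMxxx) SECLEVEL(200) CATEGORY(SYSTEM)
TSS ADD(MLS) DSN(PAY.) SECLABEL(PAYxxx) MODE(WARN)
TSS ADD(MLS) DSN(SALES.) SECLABEL(SALExxx) MODE(WARN)
TSS ADD(MLS) DSN(SYSTEM.) SECLABEL(SYSTEMxxx) MODE(WARN)
"""
PAGE_CONFIG = parse_tss(PAGE_COMMANDS.splitlines())

if __name__ == "__main__":
    for prefix in PAGE_CONFIG.datasets:
        print(prefix, "accessible with:", labels_that_dominate(PAGE_CONFIG, prefix))
    print("PAY. and SALES. together:", labels_covering(PAGE_CONFIG, ["PAY.", "SALES."]))
```

Running the module prints, for each protected prefix, the labels that dominate it; the PAY. line lists ALLxxx, MIXxxx and PAYxxx, and only ALLxxx and MIXxxx cover PAY. and SALES. together, which is the situation described in the last paragraph. The parser also rejects a SECLABEL that names a CATEGORY not yet added, mirroring the order of definition the text requires.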