Appendix B. RACF options that control the use of security labels
MLSTABLE and NOMLSTABLE
These options control whether authorized users can make changes to security
labels or change the security labels associated with resources while the system
is not quiesced:
- The MLSTABLE option prevents authorized users from doing the following
  actions while the system is not quiesced:
    - Changing profiles in the SECLABEL class with the RALTER command
    - Changing the SECLABEL field in profiles
  Security labels can only be changed when any possible users of the
  security labels are logged off and the security administrator has issued the
  RACF command SETROPTS MLQUIET.
- NOMLSTABLE specifies that there are no restrictions on when authorized
  users can change security labels.
SECLABELAUDIT and NOSECLABELAUDIT
You can specify that the SECLABEL profile’s auditing options are to be used in
addition to the auditing options specified for the user or the resource.
This additional auditing occurs whenever an attempt is made to access or define
a resource protected by a profile, file security packet (FSP), or IPC security
packet (ISP) that has a security label specified, or whenever a user running with
a security label attempts to access or define a resource. If the user and resource
have different security labels, auditing occurs if either security label’s options
specify auditing. If both security labels’ options specify auditing, the auditing
done is based on the options specified for the resource’s security label.
For example, to specify auditing of all failed accesses to resources that have a
security label of EAGLE, and all failed accesses by users that have a security
label of EAGLE, issue the following command:
RALTER SECLABEL(EAGLE) AUDIT(FAILURES(READ))
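The precedence rule above can be checked with a small model. This is an added illustration, not RACF code or code from the book: the labels HAWK and OWL are constructed, each label carries a single AUDIT setting, and it assumes the usual RACF meaning of the audit level (READ covers attempts at any level).

```python
from dataclasses import dataclass

LEVELS = ["READ", "UPDATE", "CONTROL", "ALTER"]  # ascending access levels


@dataclass(frozen=True)
class AuditOpt:
    """One AUDIT(attempt(level)) setting on a SECLABEL profile (simplified)."""
    attempt: str          # "SUCCESS", "FAILURES", "ALL" or "NONE"
    level: str = "READ"

    def matches(self, success: bool, requested: str) -> bool:
        if self.attempt == "NONE":
            return False
        if self.attempt == "SUCCESS" and not success:
            return False
        if self.attempt == "FAILURES" and success:
            return False
        # Assumption: a setting applies at its level and every higher level.
        return LEVELS.index(requested) >= LEVELS.index(self.level)


# Constructed sample profiles; only EAGLE and its setting come from the text.
PROFILES = {
    "EAGLE": AuditOpt("FAILURES", "READ"),
    "HAWK": AuditOpt("NONE"),
    "OWL": AuditOpt("SUCCESS", "UPDATE"),
}


def governing_label(profiles, user_label, resource_label):
    """Label whose audit options apply: the resource's if it audits, else the user's."""
    def audits(label):
        opt = profiles.get(label)
        return opt is not None and opt.attempt != "NONE"
    if audits(resource_label):
        return resource_label
    if audits(user_label):
        return user_label
    return None


def seclabel_audit(profiles, seclabelaudit_on, user_label, resource_label,
                   requested, success):
    """True if the SECLABEL options alone would cause this attempt to be logged."""
    if not seclabelaudit_on:          # NOSECLABELAUDIT: label options are ignored
        return False
    label = governing_label(profiles, user_label, resource_label)
    return label is not None and profiles[label].matches(success, requested)
```

A failed READ by an EAGLE user against an OWL resource is not logged by the label options in this model, because both labels specify auditing and the resource's setting covers only successes.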
Guideline: Run with the MLSTABLE option active.
