In an MLS environment, security labels are added to user ACID records. One or more seclabels may be specified. You must define SECLEVEL, CATEGORY, and SECLABEL data records in the MLS record before you can add a seclabel to a user.
Important! If you change or delete an existing security label (for example, a Seclabel data record) that has been assigned to users or resources, you may get unexpected results during MLS validation. Before changing or removing a security label from the system, check whether it has been assigned to any users or resources. If it has, confirm that the change or deletion is intended. If it is, make any necessary changes to the user and resource Seclabel records that use the security label. Likewise, if you delete a security level or category that is used in any existing security label, confirm that the deletion is intended before removing the level or category from the system. If it is, make any necessary changes to existing security labels, and to any user and resource Seclabel records that use those security labels.
This command has the format:
TSS {add|remove|replace}(acid)
SECLABEL(seclabel1,…seclabeln)
DFLTSLBL(seclabel)
SECLABEL
Specifies the security labels that a user is authorized to use when entering a system and that will be used during validation to determine whether access to classified MLS data sets and resources will be allowed or denied. The seclabel value is the 1- to 8-character uppercased name of an existing MLS SECLABEL record segment that contains the security label data. You may assign more than one security label to a user, but only one label may be active at a time and used to validate MLS access to data sets and resources. If multiple security labels are assigned, any of them is available to the user to sign on to a system. This field is required and cannot be masked. A comma or blank is the only valid delimiter between specified security label values. The system-defined security label SYSNONE is not valid for a user.
DFLTSLBL
Specifies the name of a security label that will be active and used to validate MLS access if a security label is not specified at system entry when MLS is active. The seclabel value is the 1- to 8-character name of an existing MLS SECLABEL record segment that contains the security label data. This field is required. The default value is the system-defined label, SYSLOW, which is always the lowest security label defined by the system and will be dominated by all other security labels.
CA Top Secret provides three system-defined, internal security labels that can never be directly created or modified by a user but can be assigned to users: SYSHIGH, SYSLOW, and SYSMULTI.
To add a SECLABEL to a user, enter:
TSS ADD(usera) SECLABEL(label2)
DFLTSLBL(syslow)
Note: Any security label specified in the record must be valid (defined in the system) for the record to be successfully added.
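The rules above can be checked before a TSS ADD is submitted. The following Python sketch is an added example, not part of CA Top Secret; the function names, the allowed character set, the application of the SYSNONE rule to DFLTSLBL, and the caller-supplied set of defined labels are assumptions.

```python
import re

# System-defined labels the page says can be assigned to users.
SYSTEM_LABELS = {"SYSHIGH", "SYSLOW", "SYSMULTI"}
# Assumption: names use A-Z, 0-9 and national characters. The page only
# states the 1- to 8-character length and that masking is not allowed.
NAME_RE = re.compile(r"[A-Z0-9#@$]{1,8}")


def split_labels(operand):
    """Split a SECLABEL(...) operand; comma or blank are the only delimiters."""
    return [tok for tok in re.split(r"[ ,]+", operand.strip()) if tok]


def check_assignment(seclabel_operand, defined, dfltslbl="SYSLOW"):
    """Return the problems found in a proposed SECLABEL/DFLTSLBL pair.

    defined: names of the SECLABEL record segments that exist in the MLS
    record (supplied by the caller, for example from a listing).
    """
    known = {name.upper() for name in defined} | SYSTEM_LABELS
    labels = [tok.upper() for tok in split_labels(seclabel_operand)]
    problems = [] if labels else ["SECLABEL is required"]
    # dict.fromkeys removes duplicates while keeping the original order.
    for name in dict.fromkeys(labels + [dfltslbl.upper()]):
        if name == "SYSNONE":
            # Assumption: the rule is applied to DFLTSLBL as well.
            problems.append("SYSNONE is not valid for a user")
        elif not NAME_RE.fullmatch(name):
            problems.append(f"{name}: not a 1- to 8-character unmasked name")
        elif name not in known:
            problems.append(f"{name}: not defined in the MLS record")
    return problems


if __name__ == "__main__":
    defined = {"LABEL1", "LABEL2"}  # constructed sample of defined labels
    for operand in ("label2", "LABEL1 LABEL2,SYSHIGH", "LAB*", "SYSNONE"):
        print(operand, "->", check_assignment(operand, defined) or "ok")
```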
To delete a SECLABEL from a user, enter:
TSS REM(usera) SECLABEL(label2)
Copyright © 2010 CA Technologies.
All rights reserved.