SECLABEL Class

Each record in the SECLABEL class associates a security level with security categories. A security label overrides the specific security level and security category assignments in the USER record if the SECLABEL class is active. Assigning a security label is equivalent to explicitly assigning the security level and security categories of the security label to the user.
When a USER record includes a security label, the user is granted access to a resource only if the following conditions are met:
  • The user security level specified in the security label is equal to or greater than the resource security level.
  • All categories specified in the resource record are included in the security category list of the user security label.
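The two conditions above, together with the label override, as an added Python model (not PAM Server Control code; `Record`, `effective`, `label_check` and the sample label `FIN_CONF` are hypothetical names). It assumes that a label assigned to a resource overrides that resource's explicit values in the same way, that explicit values apply when the SECLABEL class is inactive, and that an undefined label results in denial.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Record:
    """Security attributes of a USER or resource record (simplified model)."""
    level: int = 0
    categories: frozenset = frozenset()
    label: Optional[str] = None  # key of a SECLABEL record, if one is assigned

# Constructed sample data: SECLABEL name -> (SECLEVEL, CATEGORY list)
SECLABELS = {"FIN_CONF": (100, frozenset({"FINANCE", "AUDIT"}))}

def effective(rec, active):
    """Return (level, categories); an assigned label overrides explicit values."""
    if active and rec.label is not None:
        return SECLABELS[rec.label]  # KeyError if the label has no SECLABEL record
    return rec.level, rec.categories

def label_check(user, resource, active=True):
    """Return (granted, reasons) for the two conditions listed above."""
    try:
        u_level, u_cats = effective(user, active)
        r_level, r_cats = effective(resource, active)
    except KeyError as exc:
        # Assumption: an undefined label is treated as a denial (fail closed).
        return False, [f"undefined security label {exc.args[0]}"]
    reasons = []
    if u_level < r_level:
        reasons.append(f"user level {u_level} < resource level {r_level}")
    missing = r_cats - u_cats
    if missing:
        reasons.append("missing categories: " + ", ".join(sorted(missing)))
    return not reasons, reasons

# Constructed records: the user's explicit values differ from the label's.
alice = Record(level=200, categories=frozenset({"HR"}), label="FIN_CONF")
ledger = Record(level=150, categories=frozenset({"FINANCE"}))
report = Record(label="FIN_CONF")

if __name__ == "__main__":
    for name, res in (("ledger", ledger), ("report", report)):
        for active in (True, False):
            print(name, "SECLABEL active" if active else "SECLABEL inactive",
                  label_check(alice, res, active))
```

The `ledger` case shows why the override matters when reviewing access: the same user is denied for a different reason depending on whether the SECLABEL class is active, because the label replaces the explicit level 200 with level 100.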
On Windows, each security label defined to PAM Server Control must have a record in the SECLABEL class.
The key of the SECLABEL class record is the name of the security label. This name is used to identify the security label when assigning it to a user or resource.
The following definitions describe the properties contained in this class record. Most properties are modifiable and can be manipulated using selang or the administration interfaces. Non-modifiable properties are marked informational.
  • CATEGORY
    Defines one or more security categories assigned to a user or a resource.
  • COMMENT
    Defines additional information that you want to include in the record. PAM Server Control does not use this information for authorization.
    Limit: 255 characters.
  • CREATE_TIME
    (Informational) Displays the date and time when the record was created.
  • OWNER
    Defines the user or group that owns the record.
  • SECLEVEL
    Defines the security level of an accessor or resource.
    Note: This property corresponds to the level[-] parameter of the ch[x]usr and chres commands.
  • UPDATE_TIME
    (Informational) Displays the date and time when the record was last modified.
  • UPDATE_WHO
    (Informational) Displays the administrator who performed the update.