Figure 3-10
This process flow diagram describes how labels are evaluated for write
access with COMPACCESS privilege. There are three successive tests by which
a label may be evaluated for write access, when the user has COMPACCESS
privilege:
Test 1: Levels. Is the data level equal to or less than the user level? No. Access is denied. Yes. Is the data level equal to or greater than the user minimum level? If no, access is denied. If yes, then proceed to Test 2.

Test 2: Groups. Does the data have groups? No. Proceed to Test 3, Case A. Yes. Does the user have at least one group with write access? If no, proceed to Test 3, Case B. If yes, proceed to Test 3, Case C.

Test 3: Compartments. Does the data have compartments?

Case A: No. Access is granted. Yes. Does the user have all compartments with write access? If yes, access is granted. If no, access is denied.

Case B: No. Access is denied. Yes. Does the user have all compartments with write access? If yes, access is granted. If no, access is denied.

Case C: No. Access is granted. Yes. Does the user have all compartments? If yes, access is granted. If no, access is denied.
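The three tests above, written out as a decision function. This is an added example, not code from the original page or from the product it describes, and every class, function and field name in it is hypothetical. It assumes numeric levels, flat matching of the user's groups against the data's groups (no group hierarchy), and that "have all compartments" in Case C means the user holds each compartment whether or not it carries write access.

```python
from dataclasses import dataclass, field

@dataclass
class DataLabel:
    level: int
    compartments: set = field(default_factory=set)
    groups: set = field(default_factory=set)

@dataclass
class UserAuth:
    max_level: int
    min_level: int
    # name -> True if held with write access, False if held without it
    compartments: dict = field(default_factory=dict)
    groups: dict = field(default_factory=dict)

def write_allowed_compaccess(user, data):
    """Return (granted, path) for a write by a user holding COMPACCESS."""
    # Test 1: the data level must lie within [user minimum level, user level].
    if data.level > user.max_level:
        return False, "test 1: data level above user level"
    if data.level < user.min_level:
        return False, "test 1: data level below user minimum level"
    # Test 2: groups only select which compartment rule applies in Test 3.
    if not data.groups:
        case = "A"
    elif any(user.groups.get(g, False) for g in data.groups):
        case = "C"
    else:
        case = "B"
    # Test 3: data without compartments is writable unless Test 2 ended in B.
    if not data.compartments:
        return case != "B", f"case {case}: data has no compartments"
    if case == "C":
        # Assumption: "all compartments" here means held, write flag not needed.
        ok = all(c in user.compartments for c in data.compartments)
    else:
        ok = all(user.compartments.get(c, False) for c in data.compartments)
    return ok, f"case {case}: compartment check"

# Constructed sample user, not taken from the page.
SAMPLE_USER = UserAuth(max_level=30, min_level=10,
                       compartments={"FIN": True, "HR": False},
                       groups={"EAST": True, "WEST": False})

if __name__ == "__main__":
    for label in (DataLabel(20, {"FIN"}, {"WEST"}), DataLabel(20, set(), {"WEST"})):
        print(label, write_allowed_compaccess(SAMPLE_USER, label))
```

The first sample label shows the Case B path worth reviewing in any policy that relies on groups: with COMPACCESS, write access to all of the data's compartments grants the write even though the user has no write access to any of its groups.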