Hierarchical Compartment Words (Solaris Trusted Extensions Label Administration)

Solaris Trusted Extensions Label Administration

Hierarchical Compartment Words

Hierarchical compartments can be used to differentiate between documents that are available to everyone in a larger group, and documents that are available to subgroups only.

Example 3–6 Using Bit Combinations to Establish Hierarchies

By defining a word that uses one bit and a second word that uses that same bit along with a second bit, you define a hierarchical relationship between the two words. The compartment word that is more general must be defined below the word that is more specific. For example, by defining a word that uses bit number 1 and another word that uses bits number 1 and 2, you give the two words a hierarchical relationship.

In this example, a Sales compartment is defined with two subcompartments, Direct Sales, and Indirect Sales. A single classification that is named WebCo is previously defined.

name= Direct_Sales;   compartments= 1, 2
name= Indirect_Sales;   compartments= 1, 3
name= Sales;   compartments= 1

This definition allows the WebCo company to differentiate between documents that can be accessed by anyone in the entire sales force, documents that can be accessed only by members of the indirect sales force, and documents that can be accessed only by members of the direct sales force.

The security administrator gives the WebCo Direct_Sales clearance to employees in the direct sales organization. The WebCo Indirect_Sales clearance is given to employees in the indirect sales organization.
Documents created by anyone working at the WebCo Direct_Sales label get the same label, so the documents are only accessible to employees in the direct sales department.
Anyone in the indirect or direct sales forces can work at the WebCo Sales label because the compartment word Sales is below both the Direct_Sales and Indirect_Sales words. Creating documents at the WebCo Sales label makes the documents available to everyone in the Sales department.

Example 3–7 Using `REQUIRED COMBINATIONS` to Establish Hierarchies

If two words are specified together in the REQUIRED COMBINATIONS section, the second label is added to the label whenever the first word is used.

In this example, the definition of the Direct Sales, Indirect_Sales, and Sales serves essentially the same effect as the example in Example 3–6. The difference is that the Direct_Sales word will always have the Sales word with it

name= Direct_Sales;   compartments= 2
name= Indirect_Sales;   compartments= 3
name= Sales;   compartments= 1

REQUIRED COMBINATIONS:

Direct_Sales            Sales
Indirect_Sales          Sales