The account label range is the range of labels that is available to an individual user or to a role account. This range governs the labels at which the user can work when logging in to the system.
The labels that are available in the account label range have the following constraints:
The user clearance defines the top of the account label range.
A clearance does not have to be a valid label. Because it must dominate all labels at which the account is to work, the clearance must contain all the components of all the labels at which the account is to work.
The minimum label sets the bottom of the account label range.
The minimum sensitivity label in the label_encodings file defines an absolute minimum on labels at which any user can work.
The user accreditation range defines the set of valid labels from the user's clearance to the user's minimum label.
For example, a label_encodings file could prohibit the combination of compartments A, B, and C in a label.
The minimum label would be TS with no compartments.
TS A B C would be a valid clearance. TS A B C would not be a valid label.
Valid labels for a user would be TS, TS A, TS B, and TS C.