Trusted Solaris Label Administration

Account Label Range Examples

The possible clearances and minimum labels that can be assigned to an account are shown in the following figure, based on the accreditation examples from the previous sections.

Figure 1-4 Constraints on Account Label Ranges

TS A B is the highest label in the user accreditation range from the ongoing example and contains the only two compartments permitted to appear together in a label with any classification: A and B. The example user account range illustrated on the left of the previous figure is bounded at the top by TS A B, which is the clearance assigned to the account, and at the bottom by C, the (account) minimum label. As a result of these definitions, the account is constrained to work at labels TS A B, TS A, TS, S A B, C A B, or C. The permitted clearances shown are TS A B, TS A, TS, and S A B, with the minimum clearance of S A B set in the label_encodings file. Even if TS A B were not a valid label, the security administrator could assign it as a clearance to allow the account to use any valid labels that are dominated by TS and that contain the words A and B. In contrast, if TS were assigned as the account clearance, the only two labels at which the user could work would be TS and C, because TS without any compartments does not dominate S A B or C A B.


Note -

If you specify the account's clearance to be the same as the account's minimum label, the user can work only at the specified single label. To do this, you would also need to make sure that the minimum clearance you set in the label_encodings file is dominated by all the account clearances you plan to assign.
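The dominance rule used in the paragraph and note above can be checked mechanically. The following is an added example, not code from Trusted Solaris or from this guide: the function names, the numeric classification ordering, and the list of valid labels are assumptions taken from the running example (the six labels the text lists for the example account).

```python
# Added example: labels modeled as (classification, compartments).
# The level ordering and VALID_LABELS are assumptions taken from this
# section's running example, not from a real label_encodings file.
LEVELS = {"C": 1, "S": 2, "TS": 3}

def parse(text):
    """'TS A B' -> ('TS', frozenset({'A', 'B'}))"""
    words = text.split()
    if not words or words[0] not in LEVELS:
        raise ValueError(f"unknown classification in {text!r}")
    return words[0], frozenset(words[1:])

def dominates(a, b):
    """a dominates b: classification at least as high AND every
    compartment of b also present in a."""
    (cls_a, comps_a), (cls_b, comps_b) = parse(a), parse(b)
    return LEVELS[cls_a] >= LEVELS[cls_b] and comps_a >= comps_b

# Constructed sample: the labels the text lists for the example account.
VALID_LABELS = ["TS A B", "TS A", "TS", "S A B", "C A B", "C"]

def account_label_range(clearance, min_label, valid=VALID_LABELS):
    """Valid labels dominated by the clearance that dominate the
    minimum label. The clearance itself need not be a valid label."""
    if not dominates(clearance, min_label):
        raise ValueError("clearance must dominate the minimum label")
    return [label for label in valid
            if dominates(clearance, label) and dominates(label, min_label)]

if __name__ == "__main__":
    # Clearance / minimum label pairs discussed in the text and the note.
    for clearance, low in [("TS A B", "C"), ("TS", "C"), ("S A B", "S A B")]:
        print(f"{clearance!r} / {low!r} ->", account_label_range(clearance, low))
```

With a clearance of TS and a minimum label of C the result is only TS and C, and setting the clearance equal to the minimum label yields a single-label account.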


The following table summarizes the differences between the potential label combinations, the system accreditation range, the user accreditation range, and some example account label ranges. Normal users without any authorizations can work only with the labels in the User Accreditation Range column. The fourth column in Table 1-3 shows the Account Label Range for a user with a clearance of TS A B and a minimum label of S A B, which allows the user to work with the following set of labels: TS A B, TS A, TS, and S A B. As shown in the fifth column of Table 1-3, an account with a clearance of TS and a minimum label of C would be allowed to work only with TS, S, and C labels, because all the other valid labels dominated by TS include the words A and B, which are not in the clearance. A sixth column shows a user authorized to work outside the user accreditation range, assigned a single label of ADMIN_LOW.

Table 1-3 System and User Accreditation Range and Account Label Range Examples

| Possible Labels | System Accreditation Range | User Accred. Range | Account Label Range (with TS A B Clearance, S A B Min Label) | Account Label Range (with TS Clearance, C Min Label) | Account Label Range (with ADMIN_LOW Clearance and Min Label and the use all defined labels authorization) |
|---|---|---|---|---|---|
| ADMIN_HIGH | ADMIN_HIGH | | | | |
| TS A B | TS A B | | TS A B | | |
| TS A | TS A | TS A | TS A | | |
| TS | TS | TS | TS | TS | |
| S A B | S A B | S A B | S A B | | |
| S A | | | | | |
| S | | | | S | |
| C A B | C A B | | | | |
| C A | C A | | | | |
| C | C | C | | C | |
| ADMIN_LOW | ADMIN_LOW | | | | ADMIN_LOW |