The System Administrator role installs software that meets the following criteria:
Does not need to run with privilege
Does not need to run with an effective UID or GID that differs from the real UID or GID of the invoking user
Does not need to run at multiple labels
Does not need to be added to a public directory
The System Administrator role also controls who can bring in software by granting or denying the device allocation authorization to individual users. An account with the device allocation authorization can import or export data at any single label within that user's clearance.