Trusted Solaris Label Administration

Accreditation Range Examples

The figures in this section (Figure 1-3, Figure 1-4, and Figure 1-5) illustrate how the system and user accreditation ranges are defined in a label_encodings(4) file with the classifications TOP SECRET (TS), SECRET (S), and CONFIDENTIAL (C) and the compartments A, B, and C.

Figure 1-3 shows which labels are included in and excluded from the system accreditation range when word B is defined in the REQUIRED COMBINATIONS section to always appear with A. TS B, S B, and C B are excluded because B always must appear with A. However, because A is not defined to always appear with B, TS A, S A, and C A are in the system accreditation range.

Figure 1-3 Example of Possible Combinations Restricted by REQUIRED COMBINATIONS


The following figure continues the example, showing that the user accreditation range is described by rules in the same file's ACCREDITATION RANGE section. The possible label combinations S A and S alone are excluded by the line that specifies that S A B is the only valid compartment combination for S.

Figure 1-4 User Accreditation Range Constrained by Valid Compartment Combinations


The following figure shows that the user accreditation range is further constrained by the minimum clearance and minimum sensitivity label settings of S A B. C A B and C are now excluded.

Figure 1-5 User Accreditation Range Constrained By Minimum Clearance and Minimum Sensitivity Label


The table below summarizes the differences between the possible combinations, the system accreditation range and user accreditation range in the example.

Table 1-12 System and User Accreditation Range and Account Label Range

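| Possible Combinations | System Accreditation Range | User Accreditation Range | Account Label Range (with TS A B Clearance) | Account Label Range (with TS A Clearance) |
|---|---|---|---|---|
| ADMIN_HIGH | ADMIN_HIGH | | | |
| TS A B | TS A B | | | |
| TS A | TS A | TS A | TS A | TS A |
| TS | TS | TS | TS | TS |
| S A B | S A B | S A B | S A B | |
| S A | | | | |
| S | | | | |
| C A B | C A B | | | |
| C A | C A | | | |
| C | C | | | |
| ADMIN_LOW | ADMIN_LOW | | | |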

Normal users without any authorizations can work only with the sensitivity labels in the User Accreditation Range column. The fourth column in Table 1-12 shows the Account Label Range for a user with a clearance of TS A B and a minimum sensitivity label of S A B. (Remember that a clearance does not have to be in the user accreditation range.) The account's label range allows the user to work with the following set of sensitivity labels: TS A, TS, and S A B. As shown in the fifth column of Table 1-12, an account with a clearance of TS A would be allowed to work only with TS A and TS sensitivity labels, because the sensitivity label S A B includes the word B, which is not in the clearance.
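The two account label range columns can be reproduced with a dominance check, shown here as an added example that is not code from Trusted Solaris or from the original page. It is a simplified model: the function names are hypothetical, ADMIN_HIGH and ADMIN_LOW are left out, and the minimum sensitivity label is assumed to be already reflected in the user accreditation range taken from Table 1-12.

```python
# Added illustration: a simplified model of the page's example, not Trusted Solaris code.
CLASS_RANK = {"C": 1, "S": 2, "TS": 3}   # CONFIDENTIAL < SECRET < TOP SECRET
REQUIRED = {"B": {"A"}}                  # REQUIRED COMBINATIONS: B always appears with A

# "User Accreditation Range" column of Table 1-12.
USER_RANGE = ["TS A", "TS", "S A B"]


def parse(label):
    """Split a label such as 'TS A B' into (classification, compartment set)."""
    cls, *words = label.split()
    if cls not in CLASS_RANK:
        raise ValueError(f"unknown classification in label: {label!r}")
    return cls, frozenset(words)


def well_formed(label):
    """True when every word's required companion words are also present."""
    _, words = parse(label)
    return all(REQUIRED.get(w, set()) <= words for w in words)


def dominates(a, b):
    """a dominates b: classification at least as high and a superset of words."""
    (cls_a, words_a), (cls_b, words_b) = parse(a), parse(b)
    return CLASS_RANK[cls_a] >= CLASS_RANK[cls_b] and words_a >= words_b


def account_label_range(clearance, user_range=USER_RANGE):
    """Labels in the user accreditation range that the clearance dominates."""
    return [label for label in user_range if dominates(clearance, label)]


if __name__ == "__main__":
    for label in ("TS B", "S B", "C B", "TS A", "S A", "C A"):
        print(f"{label:5} satisfies REQUIRED COMBINATIONS: {well_formed(label)}")
    for clearance in ("TS A B", "TS A"):
        print(f"clearance {clearance:6} -> {account_label_range(clearance)}")
```

The clearance TS A fails to dominate S A B only because of the missing word B, which is the reason the text gives for the fifth column.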

The following table can be used for planning compartments and user accreditation range combinations. The ACCREDITATION RANGE settings should be one of the following.

Table 1-13 Compartments and User Accreditation Range Combinations Planner

| Classification | Compartment Name/sname/Bit | REQUIRED COMBINATIONS/COMBINATION CONSTRAINTS | ACCREDITATION RANGE Settings |
|---|---|---|---|