You might want to extend a user's label range to give the user read access to an administrative application. For example, a user who can log in to the global zone could then view a list of the systems that run at a particular label. The user could view, but not change the contents.
Alternatively, you might want to restrict the user's label range. For example, a guest user might be limited to one label.
Before You Begin
You must be in the Security Administrator role in the global zone.
# usermod -K min_label=INTERNAL -K clearance=ADMIN_HIGH jdoe
You can also extend the user's label range by lowering the minimum label.
# usermod -K min_label=PUBLIC -K clearance=INTERNAL jdoe
For more information, see the usermod(1M) and user_attr(4) man pages.
# usermod -K min_label=INTERNAL -K clearance=INTERNAL jdoe