The system accreditation range includes the administrative labels ADMIN_HIGH and ADMIN_LOW. The system accreditation range also includes all the well-formed labels that are constructed from the label components in the label_encodings file.
Administrative role accounts are usually the only accounts that can work at every label within the system accreditation range. An organization can also set up regular user accounts so that users can perform a task that requires an administrative label.
Figure 1-4 How System Accreditation Range Is Constrained by Rules
Figure 1–4 (a) shows all potential combinations given the classifications, TS (TOP SECRET), S (SECRET), and C (CONFIDENTIAL), and the compartments, A and B.
Figure 1–4 (b) shows a typical rule from the REQUIRED COMBINATIONS subsection of the SENSITIVITY LABELS section and its effects. The lines bracket the labels that are disqualified by the rule. Disqualified labels appear with lines through them. The REQUIRED COMBINATIONS syntax B A means that any label that has B as a compartment must also contain A. The converse is not true. Compartment A is not required to be combined with any other compartments. Because compartment B is only permitted when A is also present, the labels TS B, S B, and C B are not well-formed. Labels that are not well-formed are not in the system accreditation range.