The user accreditation range is the largest set of labels that regular users can access when using Trusted Extensions. The user accreditation range always excludes ADMIN_HIGH and ADMIN_LOW. The user accreditation range is further constrained by any rules that constrain the System Accreditation Range. In addition, the user accreditation range can be constrained by a set of rules in the ACCREDITATION RANGE section of the label_encodings file. Figure 1–5 continues the Figure 1–4 example. Figure 1–5 shows three different types of rules in the ACCREDITATION RANGE section and their effects on the user accreditation range. The lines bracket to the well-formed labels that the particular rule permits.
Figure 1-5 ACCREDITATION RANGE Section of label_encodings File
As shown in the box to the right, the user accreditation range excludes ADMIN_HIGH and ADMIN_LOW. The rule for the TS classification (shown in Figure 1–4) includes all TS combinations except TS B. However, because TS B, and S B and C B, were previously overruled by the REQUIRED COMBINATIONS rule B A (as shown in Figure 1–4), TS A B, TS A, and TS are the only allowed TS combinations. As shown in Figure 1–5, because S A B is defined as the only valid combination for the S classification, S B is excluded again. All C combinations except C A are valid, according the rule for the C classification. However, because C B was overruled earlier, the only permitted combinations for the C classification are C A B and C.