Account Label Range Examples

Language:

The possible clearances and minimum labels that can be assigned to a user are shown in the following example. These labels are based on the accreditation examples from the previous sections.

Figure 1-6 Constraints on Account Label Ranges

image:Graphic shows how the accreditation range constrains the labels that are available to a user or role.

In this example, TS A B is the highest label in the system accreditation range. This label contains the only two compartments, A and B, that are permitted to appear together in a label with any classification. TS A B is the clearance assigned to the account.

C is the user's minimum label. The definitions in the account label range constrain the user to work at labels TS A B, TS A, TS, S A B, C A B, or C.

The permitted clearances are TS A B, TS A, TS and S A B. A minimum clearance of S A B is set in the label_encodings file.

Even if TS A B were not a valid label, the security administrator could assign the label as a clearance. The assignment would allow the user to use any valid labels that are dominated by TS and that contain the words A and B. In contrast, if TS were assigned as the account clearance, the user could work at the labels TS and C only. TS without any compartments does not dominate S A B or C A B.

Table 1–1 provides a more complex example. The example illustrates the differences between the possible label combinations, the system accreditation range, the user accreditation range, and some example account label ranges.

Table 1-1 Accreditation Range and Account Label Range Examples

	Accreditation Range		Account Label Range
Possible Labels	System	User	`TS A B` Clearance, `S A B` Min Label	`TS` Clearance, `C` Min Label	ADMIN_LOW Clearance and Min Label, solaris.label.delegate Authorization
ADMIN_HIGH	ADMIN_HIGH
`TS A B`	`TS A B`		`TS A B`
`TS A`	`TS A`	`TS A`	`TS A`
`TS`	`TS`	`TS`	`TS`	`TS`
`S A B`	`S A B`	`S A B`	`S A B`
`S A`
`S`				`S`
`C A B`	`C A B`
`C A`	`C A`
`C`	`C`	`C`		`C`
ADMIN_LOW	ADMIN_LOW				ADMIN_LOW

Regular users without any authorizations can work only with the labels in the User Accreditation Range column.
The fourth column shows the Account Label Range for a user with a clearance of TS A B and a minimum label of S A B. This range allows the user to work with the labels TS A B, TS A, TS, and S A B.
The fifth column shows an account with a clearance of TS and a minimum label of C. This account would be allowed to work only with TS, S, and C labels because all the other valid labels that are dominated by TS include the compartments A and B. A and B are not in the clearance.
The sixth column shows a user who is authorized to work outside the user accreditation range. This user is assigned a single label of ADMIN_LOW.