The possible clearances and minimum labels that can be assigned to a user are shown in the following example. These labels are based on the accreditation examples from the previous sections.
Figure 1-6 Constraints on Account Label Ranges
In this example, TS A B is the highest label in the system accreditation range. This label contains the only two compartments, A and B, that are permitted to appear together in a label with any classification. TS A B is the clearance assigned to the account.
C is the user's minimum label. The definitions in the account label range constrain the user to work at labels TS A B, TS A, TS, S A B, C A B, or C.
The permitted clearances are TS A B, TS A, TS and S A B. A minimum clearance of S A B is set in the label_encodings file.
Even if TS A B were not a valid label, the security administrator could assign the label as a clearance. The assignment would allow the user to use any valid labels that are dominated by TS and that contain the words A and B. In contrast, if TS were assigned as the account clearance, the user could work at the labels TS and C only. TS without any compartments does not dominate S A B or C A B.
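The dominance check behind these ranges can be sketched as follows. This is an added example, not part of the original documentation or of Trusted Extensions itself. It assumes the classification hierarchy C < S < TS, uses the six labels named above as a constructed set of valid labels, and all function names are hypothetical.

```python
# Added illustration of label dominance; not Trusted Extensions code.
from typing import FrozenSet, List, NamedTuple

# Assumed classification hierarchy, lowest to highest.
LEVELS = {"C": 0, "S": 1, "TS": 2}


class Label(NamedTuple):
    classification: str
    compartments: FrozenSet[str]


def parse(text: str) -> Label:
    """Split 'TS A B' into classification 'TS' and compartments {A, B}."""
    words = text.split()
    return Label(words[0], frozenset(words[1:]))


def fmt(label: Label) -> str:
    return " ".join([label.classification, *sorted(label.compartments)])


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when its classification is at least as high as b's
    and its compartments include every compartment of b."""
    return (LEVELS[a.classification] >= LEVELS[b.classification]
            and a.compartments >= b.compartments)


# Constructed sample: the valid labels named in the example above.
VALID_LABELS = [parse(t) for t in
                ("TS A B", "TS A", "TS", "S A B", "C A B", "C")]


def account_label_range(clearance: str, minimum: str) -> List[str]:
    """Valid labels dominated by the clearance that dominate the minimum label.
    The clearance itself does not have to be a valid label."""
    hi, lo = parse(clearance), parse(minimum)
    return [fmt(l) for l in VALID_LABELS
            if dominates(hi, l) and dominates(l, lo)]


if __name__ == "__main__":
    print(account_label_range("TS A B", "C"))  # all six valid labels
    print(account_label_range("TS", "C"))      # TS and C only
```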
Table 1–1 provides a more complex example. The example illustrates the differences between the possible label combinations, the system accreditation range, the user accreditation range, and some example account label ranges.
Regular users without any authorizations can work only with the labels in the User Accreditation Range column.
The fourth column shows the Account Label Range for a user with a clearance of TS A B and a minimum label of S A B. This range allows the user to work with the labels TS A B, TS A, TS, and S A B.
The fifth column shows an account with a clearance of TS and a minimum label of C. This account would be allowed to work only with TS, S, and C labels because all the other valid labels that are dominated by TS include the compartments A and B. A and B are not in the clearance.
The sixth column shows a user who is authorized to work outside the user accreditation range. This user is assigned a single label of ADMIN_LOW.