The possible clearances and minimum labels that can be assigned to a user are shown in the following example. These labels are based on the accreditation examples from the previous sections.
Figure 1-6 Constraints on Account Label Ranges
In this example, TS A B is the highest label in the system accreditation range. This label contains the only two compartments, A and B, that are permitted to appear together in a label with any classification. TS A B is the clearance assigned to the account.
C is the user's minimum label. The definitions in the account label range constrain the user to work at labels TS A B, TS A, TS, S A B, C A B, or C.
The permitted clearances are TS A B, TS A, TS and S A B. A minimum clearance of S A B is set in the label_encodings file.
Even if TS A B were not a valid label, the security administrator could assign the label as a clearance. The assignment would allow the user to use any valid labels that are dominated by TS and that contain the words A and B. In contrast, if TS were assigned as the account clearance, the user could work at the labels TS and C only. TS without any compartments does not dominate S A B or C A B.
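The dominance comparison that this paragraph relies on can be written out as follows. This is an added example, not code from the original documentation: the function names are hypothetical, the classification order C < S < TS is assumed, and the valid-label set is constructed from the six labels listed for the account above. It models only the upper bound that the clearance sets, not the minimum label.

```python
# Classification order assumed from the page's examples: C < S < TS.
LEVELS = {"C": 0, "S": 1, "TS": 2}

# Constructed sample: the labels the page lists for the Figure 1-6 account.
VALID_LABELS = ["TS A B", "TS A", "TS", "S A B", "C A B", "C"]


def parse(label):
    """Split 'TS A B' into (classification level, set of compartment words)."""
    words = label.split()
    if not words or words[0] not in LEVELS:
        raise ValueError(f"unknown classification in label: {label!r}")
    return LEVELS[words[0]], frozenset(words[1:])


def dominates(a, b):
    """True if label a dominates label b: a's classification is at least
    b's, and a contains every compartment that b contains."""
    a_level, a_comps = parse(a)
    b_level, b_comps = parse(b)
    return a_level >= b_level and a_comps >= b_comps


def usable_labels(clearance, valid_labels):
    """Valid labels that the clearance dominates. The clearance itself
    does not have to be a valid label to act as the upper bound."""
    return [label for label in valid_labels if dominates(clearance, label)]


if __name__ == "__main__":
    # Clearance TS A B reaches every valid label in the sample set.
    print(usable_labels("TS A B", VALID_LABELS))
    # Clearance TS has no compartments, so labels with A or B drop out.
    print(usable_labels("TS", VALID_LABELS))
    # TS A B still works as a clearance when it is not a valid label.
    without_top = [label for label in VALID_LABELS if label != "TS A B"]
    print(usable_labels("TS A B", without_top))
```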
Table 1–1 provides a more complex example. The example illustrates the differences between the possible label combinations, the system accreditation range, the user accreditation range, and some example account label ranges.
Regular users without any authorizations can work only with the labels in the User Accreditation Range column.
The fourth column shows the Account Label Range for a user with a clearance of TS A B and a minimum label of S A B. This range allows the user to work with the labels TS A B, TS A, TS, and S A B.
The fifth column shows an account with a clearance of TS and a minimum label of C. This account would be allowed to work only with TS, S, and C labels because all the other valid labels that are dominated by TS include the compartments A and B. A and B are not in the clearance.
The sixth column shows a user who is authorized to work outside the user accreditation range. This user is assigned a single label of ADMIN_LOW.