Trusted Extensions Label Administration


Updated: July 2014
 
 

Account Label Range Examples

The possible clearances and minimum labels that can be assigned to a user are shown in the following example. These labels are based on the accreditation examples from the previous sections.

Figure 1-6  Constraints on Account Label Ranges

image:Graphic shows how the accreditation range constrains the labels that are available to a user or role.

In this example, TS A B is the highest label in the system accreditation range. This label contains the only two compartments, A and B, that are permitted to appear together in a label with any classification. TS A B is the clearance assigned to the account.

C is the user's minimum label. The definitions in the account label range constrain the user to work at labels TS A B, TS A, TS, S A B, C A B, or C.

The permitted clearances are TS A B, TS A, TS and S A B. A minimum clearance of S A B is set in the label_encodings file.

Even if TS A B were not a valid label, the security administrator could assign the label as a clearance. The assignment would allow the user to use any valid labels that are dominated by TS and that contain the words A and B. In contrast, if TS were assigned as the account clearance, the user could work at the labels TS and C only. TS without any compartments does not dominate S A B or C A B.
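The three cases just described can be checked with a small model of label dominance. This is an added example, not Trusted Extensions code: the function names, the numeric classification ordering, and the rule that an account range is every valid label dominated by the clearance that also dominates the minimum label are assumptions made for illustration. The list of valid labels is taken from the example above.

```python
# Added illustration: a small model of label dominance, not Trusted Extensions code.
from typing import FrozenSet, List, NamedTuple

# Classification ordering assumed for this example (higher = more sensitive).
LEVELS = {"C": 1, "S": 2, "TS": 3}


class Label(NamedTuple):
    classification: str
    compartments: FrozenSet[str]


def parse(text: str) -> Label:
    """Parse a label such as 'TS A B' into a classification and compartments."""
    words = text.split()
    if not words or words[0] not in LEVELS:
        raise ValueError(f"unknown classification in {text!r}")
    return Label(words[0], frozenset(words[1:]))


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's classification is at least b's and
    a contains every compartment that b contains."""
    return (LEVELS[a.classification] >= LEVELS[b.classification]
            and a.compartments >= b.compartments)


def account_range(valid: List[str], clearance: str, min_label: str) -> List[str]:
    """Valid labels that the clearance dominates and that dominate min_label.
    The clearance itself does not have to be a valid label."""
    hi, lo = parse(clearance), parse(min_label)
    return [v for v in valid
            if dominates(hi, parse(v)) and dominates(parse(v), lo)]


# Valid labels between C and TS A B, as listed in the example above.
VALID = ["TS A B", "TS A", "TS", "S A B", "C A B", "C"]

if __name__ == "__main__":
    # Clearance TS A B, minimum label C: all six labels.
    print(account_range(VALID, "TS A B", "C"))
    # Clearance TS: compartments A and B are not in the clearance.
    print(account_range(VALID, "TS", "C"))
    # TS A B removed from the valid labels but still assigned as the clearance.
    print(account_range([v for v in VALID if v != "TS A B"], "TS A B", "C"))
```

The model covers only the classifications and compartments in this example. ADMIN_LOW and ADMIN_HIGH are not modeled.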

Table 1-1 provides a more complex example. The example illustrates the differences between the possible label combinations, the system accreditation range, the user accreditation range, and some example account label ranges.

Table 1-1  Accreditation Range and Account Label Range Examples
Accreditation Range
Account Label Range
Possible Labels
System
User
TS A B Clearance, S A B Min Label
TS Clearance, C Min Label
ADMIN_LOW Clearance and Min Label, solaris.label.delegate Authorization
ADMIN_HIGH
ADMIN_HIGH
TS A B
TS A B
TS A B
TS A
TS A
TS A
TS A
TS
TS
TS
TS
TS
S A B
S A B
S A B
S A B
S A
S
S
C A B
C A B
C A
C A
C
C
C
C
ADMIN_LOW
ADMIN_LOW
ADMIN_LOW
  • Regular users without any authorizations can work only with the labels in the User Accreditation Range column.

  • The fourth column shows the Account Label Range for a user with a clearance of TS A B and a minimum label of S A B. This range allows the user to work with the labels TS A B, TS A, TS, and S A B.

  • The fifth column shows an account with a clearance of TS and a minimum label of C. This account would be allowed to work only with TS, S, and C labels because all the other valid labels that are dominated by TS include the compartments A and B. A and B are not in the clearance.

  • The sixth column shows a user who is authorized to work outside the user accreditation range. This user is assigned a single label of ADMIN_LOW.