The classifications and compartments in sensitivity labels and user clearances are used in mandatory access control (MAC). Therefore, the legal department's hierarchical labels and the group names need to be encoded as classifications and compartments so that they can be used in the labels that control which individual employees can access files and do other work.
SecCompany defines two sensitivity labels:
PUBLIC, which is assigned the lowest value in the user accreditation range
INTERNAL_USE_ONLY, which is assigned the next highest value above PUBLIC
An employee with no authorizations whose clearance is PUBLIC and whose minimum label is PUBLIC can use the system as follows:
Works only in a PUBLIC workspace
Creates files only at the PUBLIC label
Reads email only at the PUBLIC label
Uses printers that have PUBLIC in their label range
In contrast, an employee with no authorizations whose clearance is INTERNAL_USE_ONLY can use the system as follows:
Works in either a PUBLIC or an INTERNAL_USE_ONLY workspace
Creates files at either the PUBLIC label or the INTERNAL_USE_ONLY label, depending on the employee's current workspace
Receives and sends email at either sensitivity label
Can print a file that is labeled PUBLIC on any printer with PUBLIC in its label range
Can send a file labeled INTERNAL_USE_ONLY to any printer with INTERNAL_USE_ONLY in its label range