Go to main content

Trusted Extensions Label Administration

Exit Print View

Updated: August 2018

How to Plan the Encodings File

The following practices help you create a correct label_encodings file that can be safely extended later.


Caution  - For CLASSIFICATIONS and COMPARTMENTS, the security administrator can later change the textual representation. However, the integer and bit values cannot be changed without potentially serious complications.

  1. Create a label_encodings file.

    For ideas, see Sources for Encodings Files. For the procedure, see Managing a Label Encodings File.

  2. Leave gaps in the label_encodings file to add items.
    1. Leave gaps when you number classifications.

      For example, you could number classifications in increments of 10. The increments allow intermediate classifications to be added later.

    2. Leave gaps in compartment bits.

      Leave gaps in compartment bit numbers for possible later additions.

    3. Reserve some initial compartment bits for later definition.

      If your site uses inverse compartments, see Default and Inverse Words. To learn more about inverse compartments, see Compartmented Mode Workstation Labeling: Encodings Format.

  3. Determine classifications for the site.

    As described in CIPSO Label Definition, the total number of classification values that you can use is 254. Do not use classification 0.

    A Trusted Extensions system treats a classification value of 10 as more security-sensitive than a classification value of 2. The textual representations are not used to determine security levels.

    The same classification value cannot be assigned to different names. Each classification must be higher or lower, or disjoint, from any other classification. Every classification must be distinct.

    A table can be used to plan classifications. For a completed example, see Figure 5, Table 5, Classifications Planner for SecCompany.

  4. Determine the compartments for the site.

    Decide how data and programs are grouped. Decide whether any data or programs can be intermixed. For example, perhaps purchase order data should not be viewable by programs that manage personnel files. Perhaps purchase order data should be accessible to programs that address shipment tracking problems.

    At this point, do not think in terms of users. Think of what, not who.

  5. Name the classifications and compartments.

    CLASSIFICATIONS and WORDS (for compartments) in the label_encodings file have two forms: a mandatory long name and an optional short name. Short names can be used interchangeably with long names when labels are being specified.

  6. Arrange the relationships among the classifications and among the compartments.

    Compartments are not intrinsically hierarchical. However, compartments can be configured to have hierarchical relationships. Before setting up relationships, study the example section in Compartmented Mode Workstation Labeling: Encodings Format.

    To make this step easier, use a large board and pieces of paper that represent your classifications and compartments, as illustrated here. With this method, you can visualize the relationships and rearrange the pieces until they all fit together.

    Note - Unless you are creating a set of encodings that must be compatible with another organization's labels, you can assign any valid number as a compartment bit. Keep track of the numbers that you use and their relationships to each other.

    image:Graphic shows a board to help administrators plan label                 assignments.
  7. Arrange the labels in order of increasing sensitivity.
  8. Decide which clearances to assign to which users.

    You can use a table to plan clearances. For a completed example, see Figure 8, Table 8, Clearance Planner for SecCompany.

    When you assign a clearance to a user, the classification component of the clearance must dominate all classifications at which the user can work. The clearance can be equal to the user's highest work classification. The compartment component of the clearance must include all compartments that the user might need.

  9. Associate the definitions for each compartment with an internal format of integers, bit patterns, and logical relationship statements.

    A table can be used to track compartment bit assignments. For a completed example, see Figure 7, Table 7, Compartment Bits Planner for SecCompany.

  10. Copy the WORDS section under SENSITIVITY LABELS to the INFORMATION LABELS section.

    Although Trusted Extensions does not support information labels, the INFORMATION LABELS: WORDS: section must be identical to the SENSITIVITY LABELS: WORDS: section to be a valid encodings file.

  11. Decide which colors to associate with which labels.

    For suggestions and examples, see Specifying Colors for Labels.

  12. Analyze the label relationships.

    On a system that is configured with Trusted Extensions, use the chk_encodings -a command to generate a detailed report on the label relationships in your label_encodings file.

    # chk_encodings -a encodings-file