Annotated Sample Encodings
This appendix contains a sample encodings file, along with annotations
that describe the purpose of most specifications within the file. The sample
file, which is similar though not identical to the sample encodings in [DDS-2600-6215-91],
is designed to illustrate a number of realistic examples. All annotations
in the file appear within boxes.
The VERSION specification is useful for identifying different versions
of the encodings. It is stored by the system when the encodings are loaded.
It can be used to facilitate interoperability among multiple CMW systems.
VERSION= DISTRIBUTED DEMO VERSION
CLASSIFICATIONS:
*
* Comments can be placed in the encodings file any place a keyword can start.
* Comments begin with a * and continue to the end of the line.
*
The classification specifications below define the common classifications.
The values specified represent the proper hierarchy among the classifications
and leave room for later expansion below UNCLASSIFIED, between UNCLASSIFIED
and CONFIDENTIAL, and above TOP SECRET. There are no initial compartments
or markings specifications for UNCLASSIFIED because all compartment and marking
bits are intended to be 0 in UNCLASSIFIED labels. However, the initial compartment
and marking specifications for the remaining (classified) classifications
all specify those bits that are used inversely in the information label, sensitivity
label, and clearances encodings below, plus extra bits reserved for future
use as inverse bits. Compartment bits 4-5 are used for the release compartments
REL CNTRY1 and REL CNTRY2. These bits being 0 in an UNCLASSIFIED label means
that the label indicates releasability to both countries. In other labels,
the bits being 1 as specified means that unless the words REL CNTRY1 or REL
CNTRY2 are explicitly added to the label, the data is not releasable to those
countries. Marking bit 11 is the inverse bit used in the REL CNTRY3 release
marking. Marking bit 17 is the inverse bit used in the inverse word charlie.
Marking bit 12 is the inverse bit used in the inverse codeword bravo4. These
words will be discussed in more detail below. Compartments and marking bits
100-127 are reserved for future expansion as inverse bits.
name= UNCLASSIFIED; sname= U; value= 1;
name= CONFIDENTIAL; sname= C; value= 4; initial compartments= 4-5 100-127;
initial markings= 11 12 17 100-127;
name= SECRET; sname= S; value= 5; initial compartments= 4-5 100-127;
initial markings= 11 12 17 100-127;
name= TOP SECRET; sname= TS; value= 6; initial compartments= 4-5 100-127;
initial markings= 11 12 17 100-127;
INFORMATION LABELS:
WORDS:
Note that all of the prefixes and suffixes appear at the beginning of
the WORDS subsection. Note also that the case used in specifying names does
not matter.
name= REL; prefix;
name= LIMDIS; sname= LD; suffix;
name= ORCON; sname= OC; prefix;
name= eyes only; sname= eo; suffix;
After the prefixes and suffixes are specified, those words that represent
compartments, subcompartments, and codewords are specified. Note that the
words are in order of decreasing importance. CC, B, and A are main compartments,
also commonly called channels. SB and SA are subcompartments of B and A,
respectively. bravo1 through bravo4 are B codewords, and alpha1 through alpha3
are A codewords. Note that all of the compartments, subcompartments, and
codewords specify marking bit 7. This bit, when in a label with no compartment
bits on, specifies the marking WNINTEL (see below). Since it is invalid to
have WNINTEL in a label if a compartment, subcompartment, or codeword is present,
putting the WNINTEL bit in each of these words creates a hierarchy whereby
WNINTEL is hierarchically below all compartments, subcompartments, and codewords.
In effect, all compartments, subcompartments, and codewords "mean"
WNINTEL, but the word WNINTEL is shown only for non-compartment/subcompartment/codeword
WNINTEL data.
name= CC; minclass= TS; compartments= 6; markings= 7;
name= SB; minclass= TS; compartments= 1 3; markings= 7;
Subcompartment SB specifies compartment bits 1 and 3. Bit 3 is the
bit for subcompartment SB, whereas bit 1 is the bit for its main compartment,
B. This is specified because, by convention for information labels, specifying
a subcompartment should automatically protect the information as being in
the main compartment (channel).
name= bravo1; sname= b1; minclass= TS; compartments= 1; markings= 3-4 7 12;
name= bravo2; sname= b2; minclass= S; compartments= 1; markings= 3 7 12;
The use of marking bits 3 and 4 in the above two words specifies a hierarchy
with bravo1 above bravo2. If two information labels, each with one of the
words, are combined, the result will contain only the higher word in the hierarchy – bravo1.
Marking bit 12 is specified in bravo2 to assure that bravo2 is hierarchically
above bravo4 (see below). Marking bit 12 must therefore also be present in
bravo1 to assure that bravo1 is hierarchically above bravo2.
name= bravo3; sname= b3; minclass= S; compartments= 1; markings= 5 7;
bravo3 is a codeword independent of bravo1, bravo2, and bravo4.
name= bravo4; sname= b4; minclass= S; maxclass= S; compartments= 1; markings= 3 7 ~12;
bravo4 is a compartment B codeword which has some inverse qualities
because bit 12 is off. It acts like an inverse word in that it persists through
the combination of two information labels only if it is present in both labels.
However, because not all of its compartment and marking bits are 0, it does
not appear in UNCLASSIFIED labels, and therefore does not require an ominclass.
It has a maximum classification of SECRET. Also, note that it is in a hierarchy
with bravo2. Thus, if bravo4 data is combined with any non-bravo4 data (which
includes all non-SECRET data), the result is automatically bravo2, because
bit 12 (which is one of the initial markings) will turn on.
name= B; minclass= C; compartments= 1; markings= 7;
B represents non-codeword compartment B data. If none of the marking
bits defined above for bravo1 through bravo4 (bits 3, 4, 5, and 12) are present
in a label with compartment bit 1, the word B will be used to mark the data.
name= SA; minclass= TS; compartments= 0 2; markings= 7;
Subcompartment SA specifies compartment bits 0 and 2. Bit 2 is the bit
for subcompartment SA, whereas bit 0 is the bit for its main compartment,
A. This is specified because, by convention for information labels, specifying
a subcompartment should automatically protect the information as being in
the main compartment (channel).
name= alpha1; sname= a1; minclass= TS; compartments= 0; markings= 0-2 7;
name= alpha2; sname= a2; minclass= S; compartments= 0; markings= 0-1 7;
name= alpha3; sname= a3; minclass= S; compartments= 0; markings= 0 7;
The use of marking bits 0, 1, and 2 in the above three words specifies
a hierarchy with alpha1 above alpha2 above alpha3.
name= A; minclass= C; compartments= 0; markings= 7;
A represents non-codeword compartment A data. If none of the marking
bits defined above for alpha1 through alpha3 (bits 0, 1, and 2) are present
in a label with compartment bit 0, the word A will be used to mark the data.
After the compartments, subcompartments, and codewords are specified,
those words that represent markings are specified, in order of decreasing
importance. Note that some of the words below do contain compartment bit references
(NOFORN, REL CNTRY1, and REL CNTRY2). These were placed below because NOFORN
and release markings – by convention – appear towards the end of the
label.
name= project x; sname= px; minclass= C; markings= 14;
suffix= LIMDIS; access related;
The flags= keyword to the left serves a purpose only if the system has
assigned some particular meaning to flag bit 3. It is included here only as
an example of how flags are specified.
flags= 3;
name= project y; sname= py; minclass= C; markings= 6;
suffix= LIMDIS; access related;
The two words above both require the suffix LIMDIS. They represent projects
whose data should only be shown to people with need-to-know for the project.
There is another common usage of LIMDIS whereby no project name is specified.
Such a usage would have LIMDIS as a base word, not a suffix, and would assign
a unique marking bit for LIMDIS.
name= charlie; sname= ch; ominclass= c;
minclass= s; maxclass= S; markings= ~17;
charlie is included as an example of an extremely complicated word specification,
to show some of the advanced specification features. charlie is an inverse
marking, which is present when marking bit 17 (one of the marking bits with
an initial value of 1) is 0. Because of its minclass and maxclass specifications,
it can appear only with the classification SECRET. As is the case with all
inverse markings, charlie includes an ominclass specification, which prevents
charlie from appearing in labels below CONFIDENTIAL. However, since its minclass
is SECRET, why can't the ominclass be SECRET or omitted entirely? It can't
be omitted because to do so would cause charlie to be displayed with UNCLASSIFIED
labels (because it is an inverse marking). It could be SECRET however. With
the ominclass SECRET, charlie could not be added to a CONFIDENTIAL label.
In other words, entering "+charlie" to modify a CONFIDENTIAL
label would fail. With ominclass CONFIDENTIAL however, entering "+charlie"
to modify a CONFIDENTIAL label would force the classification to SECRET and
add the marking charlie. The final thing to note about charlie is that it
requires the codeword alpha2 to be present (see REQUIRED COMBINATIONS below).
name= org x; sname= ox; minclass= C; markings= 9;
prefix= ORCON; access related;
name= org y; sname= oy; minclass= C; markings= 15;
prefix= ORCON; access related;
The two words above both require the prefix ORCON. They represent an
extension of the typical usage of ORCON. The purpose of the extension is to
indicate via the base word name the originator of the ORCON data. Thus ORCON
org x indicates ORCON with org x as the originator, and ORCON org x/org y
indicates data that is a combination of ORCON org x and ORCON org y data.
To specify the more typical ORCON marking, ORCON would be a base word without
a prefix or suffix, and would use a single marking bit.
name= D/E; minclass= C; markings= 16;
access related;
The word D/E is included in these encodings as an example of a word
that contains a /. Even though / is used as the separator of multiple words
that require the same prefix or suffix, the / character can be included in
word names themselves. Care should be taken in any such usage of / to avoid
confusion.
name= all eyes; access related; markings= 8 10;
The above word is a composite of the two words that follow.
name= p1; markings= 8;
suffix= eyes only; access related;
name= p2; markings= 10;
suffix= eyes only; access related;
The above two words both require the suffix eyes only. They serve as
an example of the fact that blanks can be included in word names, even in
suffix names. These words represent an extension of the more typical encoding
of eyes only, in that they allow a specification through the base word name
of who can view the data. To specify the more typical eyes only marking, eyes
only would be a base word without a prefix or suffix, and would use a single
marking bit.
name= WNINTEL; sname= WN; minclass= C; markings= 7;
access related;
Note the relationship between the WNINTEL marking above and the compartment,
subcompartment, and codewords at the top of the information label words, all
of which include marking bit 7 to form a hierarchy with WNINTEL at the bottom.
name= WARNING; minclass= C; markings= 7;
Because the above word specifies the same compartments and markings
as the word before it, it simply adds a third input-only name to WNINTEL.
The four words below comprise the release markings and their related
marking NOFORN. In these encodings, NOFORN is encoded such that it cannot
appear in the same label with a release marking. There are alternative encodings
whereby NOFORN is totally independent of the release markings. In this example,
REL CNTRY1 and REL CNTRY2 are actually release compartments, whereas REL CNTRY3
is just a release marking. Such encodings might be used if citizens of CNTRY1
and CNTRY2 were direct users of this or a connected system whose access to
data was mandatorily controlled through release compartments, and citizens
of CNTRY3 were not users, but could receive hardcopy system output marked
REL CNTRY3. The encoding of the NOFORN word is such that it is hierarchically
above all of the release compartments and markings. Marking bit 13 was specifically
specified as 1 in NOFORN and as 0 in the release compartments and markings
to ensure this hierarchy. Because they are inverse words, REL CNTRY1, REL
CNTRY2, and REL CNTRY3 all have an ominclass of CONFIDENTIAL. This ominclass
specification prevents these words from appearing in human-readable labels
below CONFIDENTIAL. Therefore, even though the bit representations of these
three release compartments/markings indicate that they should be present with
UNCLASSIFIED, by convention they are not shown in UNCLASSIFIED labels. A useful
way to think about the bit assignments involved in these release compartments/markings
is as follows. Compartment bit 4 is the (inverse) bit for REL CNTRY1. Compartment
bit 4 being 0 means that the data is releasable to CNTRY1. Compartment bit
5 is the (inverse) bit for REL CNTRY2. Compartment bit 5 being 0 means that
the data is releasable to CNTRY2. Marking bit 11 is the (inverse) bit for
REL CNTRY3. Marking bit 11 being 0 means that the data is releasable to CNTRY3.
Finally, marking bit 13 is the NOFORN bit. Marking bit 13 being 1 means that
the data is NOFORN. If the data is neither NOFORN nor releasable to any of
the countries, compartment bits 4 and 5 will be 1, marking bit 11 will be
1, and marking bit 13 will be 0.
name= NOFORN; sname= NF; minclass= C; compartments= 4-5; markings= 11 13;
access related;
name= CNTRY1; sname= c1; ominclass= C; compartments= ~4; markings= ~13;
prefix= REL;
name= CNTRY2; sname= C2; ominclass= C; compartments= ~5; markings= ~13;
prefix= REL;
name= CNTRY3; sname= c3; ominclass= C; markings= ~11 ~13;
prefix= REL;
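The combination behaviour described above for bravo1 through bravo4 and for NOFORN and the release words, as an added Python example that is not part of the original encodings or of the system that reads them. It assumes that combining two labels takes the higher classification and ORs the bits, and that a word is displayed when its bits match and it asserts at least one bit no earlier word has claimed; both rules are chosen to reproduce what the annotations describe. Prefix handling, maxclass, the constraint sections and reserved bits 100-127 are left out.

```python
# Added example: reduced model of the INFORMATION LABELS words above.
CLASS = {"U": 1, "C": 4, "S": 5, "TS": 6}      # sname -> value= (CLASSIFICATIONS)
INIT_COMPS, INIT_MARKS = {4, 5}, {11, 12, 17}  # initial bits of classified labels
                                               # (reserved bits 100-127 left out)

# (name, minclass, ominclass, compartments=, markings=), in file order.
# Simplification: the REL prefix is folded into the word name.
WORDS = [
    ("bravo1", "TS", None, "1", "3-4 7 12"),
    ("bravo2", "S", None, "1", "3 7 12"),
    ("bravo3", "S", None, "1", "5 7"),
    ("bravo4", "S", None, "1", "3 7 ~12"),
    ("B", "C", None, "1", "7"),
    ("WNINTEL", "C", None, "", "7"),
    ("NOFORN", "C", None, "4-5", "11 13"),
    ("REL CNTRY1", None, "C", "~4", "~13"),
    ("REL CNTRY2", None, "C", "~5", "~13"),
    ("REL CNTRY3", None, "C", "", "~11 ~13"),
]


def bits(spec):
    """Parse a bit list such as '3-4 7 ~12' into (must-be-1, must-be-0) sets."""
    on, off = set(), set()
    for tok in spec.split():
        target = off if tok.startswith("~") else on
        lo, _, hi = tok.lstrip("~").partition("-")
        target.update(range(int(lo), int(hi or lo) + 1))
    return on, off


def make(cls, *names):
    """Build a label: initial bits for the final classification, then each word."""
    specs = [next(w for w in WORDS if w[0] == n) for n in names]
    level = max([CLASS[cls]] + [CLASS[w[1]] for w in specs if w[1]])
    classified = level > CLASS["U"]
    comps = set(INIT_COMPS) if classified else set()
    marks = set(INIT_MARKS) if classified else set()
    for _, _, _, c, m in specs:
        (c_on, c_off), (m_on, m_off) = bits(c), bits(m)
        comps, marks = (comps | c_on) - c_off, (marks | m_on) - m_off
    return level, frozenset(comps), frozenset(marks)


def combine(a, b):
    """Assumed combination rule: higher classification, bitwise OR of the bits."""
    return max(a[0], b[0]), a[1] | b[1], a[2] | b[2]


def render(label):
    """Scan the words in file order and return the human-readable label."""
    level, comps, marks = label
    shown, claimed = [], set()
    for name, _, omin, c, m in WORDS:
        (c_on, c_off), (m_on, m_off) = bits(c), bits(m)
        if not (c_on <= comps and m_on <= marks):
            continue                      # a required 1 bit is missing
        if c_off & comps or m_off & marks:
            continue                      # a required 0 bit is on
        if omin and level < CLASS[omin]:
            continue                      # inverse word hidden below its ominclass
        claims = {("c", b) for b in c_on | c_off} | {("m", b) for b in m_on | m_off}
        if claims - claimed:              # adds something no higher word covers
            shown.append(name)
            claimed |= claims
    sname = next(k for k, v in CLASS.items() if v == level)
    return " ".join([sname] + shown)


if __name__ == "__main__":
    b4, plain_b = make("S", "bravo4"), make("C", "B")
    print(render(combine(b4, b4)))        # bravo4 survives only when in both
    print(render(combine(b4, plain_b)))   # bit 12 turns on, so bravo2 is shown
    rel1, rel2 = make("S", "B", "REL CNTRY1"), make("S", "B", "REL CNTRY2")
    print(render(combine(rel1, rel2)))    # neither release word survives
    print(render(combine(rel1, make("C", "NOFORN"))))
```
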
The following word acts as an alias for the following combination of
the above words: CC SB bravo1 bravo3 SA alpha1 project X/project Y LIMDIS
ORCON org x/org Y D/E all eyes NOFORN. The alias has associated all of the
compartment and marking bits of the aliased words, and no others. It also
has a minclass equal to the highest minclass of any of the aliased words.
Because it follows these words in the encodings, it can never appear in an
output label; it can be used only as a shorthand on input for entering or
adding to a label. It is intended to represent the "system high"
set of information label words.
name= SYSHI; minclass= TS; compartments= 0-6; markings= 0-16;
The REQUIRED COMBINATIONS below specify two constraints about the above
information label words. The first specification requires that NOFORN be
present in a label whenever subcompartment SB is present. The second specification
requires that the codeword alpha2 be present in a label whenever the marking
charlie is present.
REQUIRED COMBINATIONS:
SB NF
charlie alpha2
The COMBINATION CONSTRAINTS below specify three constraints about the
above information label words. The first specification requires that codeword
bravo4 must stand alone in a label (along with the classification SECRET as
forced by the specification above for bravo4). The second specification requires
that the marking charlie can be combined only with the codeword alpha2. Note
that this specification, when combined with the second required combination
above, requires that the marking charlie, if present in a label, must appear along
with alpha2 and only alpha2 and the classification SECRET (as forced by the
specification above for charlie). The third specification requires that
if data is marked releasable to CNTRY3, it cannot also be releasable to CNTRY1
or CNTRY2. Note that there is no restriction on marking data releasable to
CNTRY1 and CNTRY2.
COMBINATION CONSTRAINTS:
bravo4 &
charlie & alpha2
The line to the left is continued onto the next line by ending the line
with a \. This is done as an example of the line continuation feature that
might be required on long combination constraints.
REL CNTRY3 ! REL CNTRY1 | \
REL CNTRY2
SENSITIVITY LABELS:
WORDS:
The PREFIX keyword to the left is shown in upper case as an example
of the case insensitivity of the encodings. Note that the prefix comes at
the beginning of the words.
name= REL; PREFIX;
The sensitivity label compartments below are ordered in terms of increasing
importance, with the exception of the release compartments, which are at the
end by convention. Most of the compartments require the specification of
a single compartment bit. However, SB and the release compartments are a
special case. Since subcompartment SB must appear with NOFORN, and since
NOFORN cannot appear with release compartments or markings (see the encodings
above), SB cannot appear in a sensitivity label with release compartments.
This constraint is enforced below by creating a hierarchy using compartment
bits with SB at the top of the hierarchy above REL CNTRY1 and REL CNTRY2.
Compartment bit 3 is the bit that means SB. The compartments for SB include
bits 4 and 5 to force them to 1 when SB is specified. Since bits 4 and 5
are the inverse bits for the release compartments, specifying SB ensures that
no release compartments are present. The ~3 specification in the release
compartments is redundant, but serves to emphasize the hierarchy present.
With this hierarchy specified, it is possible to add SB to a sensitivity
label that contains a release compartment, thereby automatically removing
the release compartment. As an alternative to the specification below, it
would have been possible to enforce the fact that SB cannot be combined with
release compartments via a combination constraint of SB ! REL CNTRY1 | REL
CNTRY2. However, such an encoding forms no hierarchy, such that trying to
add SB to a sensitivity label that contains a release compartment would be
considered an error. Because they are inverse words, REL CNTRY1 and REL CNTRY2
have an ominclass of CONFIDENTIAL. This ominclass specification prevents
these words from appearing in human-readable labels below CONFIDENTIAL. Therefore,
even though the bit representations of these two release compartments indicate
that they should be present with UNCLASSIFIED, by convention they are not
shown in UNCLASSIFIED labels.
name= A; minclass= C; compartments= 0;
name= B; minclass= C; compartments= 1;
name= SA; minclass= TS; compartments= 2;
name= SB; minclass= TS; compartments= 3-5;
name= CC; minclass= TS; compartments= 6;
name= CNTRY1; sname= c1; ominclass= C; compartments= ~3 ~4;
prefix= REL;
name= CNTRY2; sname= c2; ominclass= C; compartments= ~3 ~5;
prefix= REL;
Because of the system invariant that the compartment bits in sensitivity
labels must always dominate the compartment bits in associated information
labels, the presence of one of the above two words in a sensitivity label
forces the same word to appear in an associated information label.
The REQUIRED COMBINATIONS below specify that if subcompartment SB is
present in a sensitivity label, compartment B must also be present. Similarly,
if subcompartment SA is present in a sensitivity label, compartment A must
also be present. Note how differently this requirement is met in this sensitivity
label encoding compared to how it was met above in the information label encoding.
In the sensitivity label – by convention – both compartments and
subcompartments can appear, which is accomplished by this encoding. In the
information label, the presence of a subcompartment automatically forces the
appropriate main compartment bit to be present, but does not include the main
compartment name in the human-readable representation of the label – again
by convention.
REQUIRED COMBINATIONS:
SB B
SA A
There are no combination constraints for sensitivity label words, so
the subsection below has no constraints specified. Note that the subsection
must be present even if it is empty.
COMBINATION CONSTRAINTS:
The CLEARANCES section below is similar to the SENSITIVITY LABELS section
above, but with two differences. First, the prefix used for the release compartments
is different. Whereas it makes sense to mark data REL COUNTRY, when the same
concept is applied to clearances, and therefore related to users, it makes
more sense to refer to the nationality of the user, rather than having REL
COUNTRY in the user's clearance. Therefore, this section uses the prefix
NATIONALITY: before the country words. Second, there is a combination constraint
specified. Since the release compartments NATIONALITY: CNTRY1 and NATIONALITY:
CNTRY2 in a clearance mean that the user is a citizen of the country, the
constraint specifies that a clearance cannot specify that a user is a citizen
of more than one country. Note that no such constraint is needed for sensitivity
labels, because the meaning of the release compartments in a sensitivity label
is that the data is releasable to citizens of the country, and data can be
releasable to more than one country. Because they are inverse words, NATIONALITY:
CNTRY1 and NATIONALITY: CNTRY2 have an ominclass of CONFIDENTIAL. This
ominclass specification prevents these words from appearing in human-readable
labels below CONFIDENTIAL. Therefore, even though the bit representations
of these two release compartments indicate that they should be present with
UNCLASSIFIED, by convention they are not shown in UNCLASSIFIED labels.
CLEARANCES:
WORDS:
name= NATIONALITY:; sname= N:; prefix;
name= A; minclass= C; compartments= 0;
name= B; minclass= C; compartments= 1;
name= SA; minclass= TS; compartments= 2;
name= SB; minclass= TS; compartments= 3-5;
name= CC; minclass= TS; compartments= 6;
name= CNTRY1; sname= c1; ominclass= C; compartments= ~3 ~4;
prefix= NATIONALITY:;
name= CNTRY2; sname= c2; ominclass= C; compartments= ~3 ~5;
prefix= NATIONALITY:;
REQUIRED COMBINATIONS:
SB B
SA A
COMBINATION CONSTRAINTS:
NATIONALITY: c1 ! NATIONALITY: c2
The CHANNELS section specifies the HANDLE VIA... caveats associated
with the main compartments (channels) specified above, for use by the system
in producing printer banner pages. If the sensitivity label indicates only
one channel present, the caveat should be of the form HANDLE VIA (CHANNEL
NAME) CHANNELS ONLY. If the sensitivity label indicates multiple channels
present, the caveat should be of the form HANDLE VIA (CHANNEL NAME)/(CHANNEL
NAME)/... CHANNELS JOINTLY. The encodings could specify a unique word for
each channel and each combination of channels, but such an encoding would
be extremely long with a large number of encodings. Rather, the encodings
below take full advantage of the fact that words can require both a prefix
and a suffix to shorten the specifications. To fully understand the encodings
below, you must know how the system uses the channel words in producing the
caveat string. The words are scanned in the order specified, with all words
whose compartment bits are present in the sensitivity label placed into the
caveat string in the order in which they are encountered. Once a compartment
bit has been matched in the sensitivity label, it is "forgotten"
as the rest of the words are scanned. Note that none of the words below contains
an sname, because only long names are used for producing the channel caveat
string.
CHANNELS:
WORDS:
The encodings below define a single prefix, HANDLE VIA, which is the
prefix for every word in the encodings. Two suffixes are defined: CHANNELS
ONLY for the case when only one channel is present, and CHANNELS JOINTLY for
the case when more than one channel is present. Each main word below requires
the prefix and one of the suffixes.
name= CHANNELS JOINTLY; suffix;
name= CHANNELS ONLY; suffix;
name= HANDLE VIA; prefix;
The first three main words cover the case where only a single channel
is present. The compartment bit specifications of each will match a sensitivity
label only if a single channel is present. Note that all non-channel bits
are ignored. For example, the compartments specification for the word (CH
A) is 0 ~1 ~6, which will match only a sensitivity label with bit 0 (for channel
A) on and bits 1 and 6 (for channels B and CC) off. These first three entries
all require the suffix CHANNELS ONLY. Once a compartment bit is matched by
one of these words, it will be "forgotten" as the remaining words
are scanned, so that none of the final three words will be placed in the caveat
string if one of the first three is. Note that the order of these first three
words does not matter, because at most one of them will ever match a sensitivity
label.
name= (CH A); prefix=HANDLE VIA; compartments= 0 ~1 ~6;
suffix= CHANNELS ONLY;
name= (CH B); prefix=HANDLE VIA; compartments= ~0 1 ~6;
suffix= CHANNELS ONLY;
name= (CH C); prefix=HANDLE VIA; compartments= ~0 ~1 6;
suffix= CHANNELS ONLY;
The last three main words cover the case where multiple channels are
present. Any of these words that match the sensitivity label will be placed
in the caveat string, preceded by HANDLE VIA, separated by /, and followed
by CHANNELS JOINTLY. Note that these words are in order of decreasing sensitivity,
and must follow the single channel encodings above.
name= (CH C); prefix=HANDLE VIA; compartments= 6;
suffix= CHANNELS JOINTLY;
name= (CH B); prefix=HANDLE VIA; compartments= 1;
suffix= CHANNELS JOINTLY;
name= (CH A); prefix=HANDLE VIA; compartments= 0;
suffix= CHANNELS JOINTLY;
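The scan described for the CHANNELS words, as an added Python example that is not part of the original encodings or of the system that reads them. The word table copies the six main words above; the function name, the set-based representation of the compartment bits, and checking the ~ bits against the full label rather than the remaining bits are assumptions of this sketch.

```python
# Added example: building the HANDLE VIA caveat from a sensitivity label.
from itertools import groupby

PREFIX = "HANDLE VIA"

# (name, bits that must be 1, bits that must be 0, suffix), in file order.
CHANNEL_WORDS = [
    ("(CH A)", {0}, {1, 6}, "CHANNELS ONLY"),
    ("(CH B)", {1}, {0, 6}, "CHANNELS ONLY"),
    ("(CH C)", {6}, {0, 1}, "CHANNELS ONLY"),
    ("(CH C)", {6}, set(), "CHANNELS JOINTLY"),
    ("(CH B)", {1}, set(), "CHANNELS JOINTLY"),
    ("(CH A)", {0}, set(), "CHANNELS JOINTLY"),
]


def channel_caveat(sl_compartments):
    """Return the caveat string for the compartment bits of a sensitivity label."""
    label = set(sl_compartments)
    remaining = set(label)            # bits not yet matched by an earlier word
    matched = []
    for name, on, off, suffix in CHANNEL_WORDS:
        # 1 bits are looked for among the bits still remembered; 0 bits are
        # checked against the whole label so forgetting cannot fake a match.
        if on <= remaining and not (off & label):
            matched.append((name, suffix))
            remaining -= on           # "forget" the matched bits
    parts = []
    for suffix, group in groupby(matched, key=lambda m: m[1]):
        names = "/".join(n for n, _ in group)
        parts.append(f"{PREFIX} {names} {suffix}")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample labels, given as sets of compartment bit numbers.
    print(channel_caveat({0}))              # channel A alone
    print(channel_caveat({1, 3, 4, 5}))     # B with SB: non-channel bits ignored
    print(channel_caveat({0, 1, 6}))        # all three channels
    print(repr(channel_caveat({4, 5})))     # no channel present
```
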
The PRINTER BANNERS section specifies the nonchannel-related caveats
associated with compartments and markings, for use by the system in producing
printer banner pages. Note that none of the words below contains an sname,
because only long names are used for producing the printer banner caveat string.
Note also that these words are in order of decreasing sensitivity.
PRINTER BANNERS:
WORDS:
name= ORCON; prefix;
name= (FULL SB NAME); compartments= 3;
name= (FULL SA NAME); compartments= 2;
These first two words specify caveats associated with the subcompartments
defined above. Note that all main compartments (channels) are ignored by
the encodings in this section. Each word specifies the name to be placed in
the printer banner caveat string if the specified compartments (in this case
subcompartments) match the sensitivity label. Note that the compartments specifications
could also have included the associated main compartment bits, because they
are forced to be present along with the subcompartment bits (i.e., compartments=
3 could have been compartments= 1 3).
name= org x; prefix= ORCON; markings= 9;
name= org y; prefix= ORCON; markings= 15;
These two words specify caveats associated with certain markings defined
above. Each word specifies the name to be placed in the printer banner caveat
string if the specified markings match the information label.
The ACCREDITATION RANGE section specifies the system and user accreditation
ranges and related constants. The user accreditation range is the set of sensitivity
labels at which normal system users can operate. In the general case, not
all possible sensitivity labels containing the compartments defined for the
system are in the user accreditation range. The encodings allow for the specification
of the user accreditation range in the most compact manner possible, rather
than having to list every possible valid sensitivity label. The valid sensitivity
labels for each classification are specified separately. Since no specification
for the classification UNCLASSIFIED appears below, the sensitivity label UNCLASSIFIED
is not in the user accreditation range.
ACCREDITATION RANGE:
In this example, the most compact way to specify the valid CONFIDENTIAL
sensitivity labels is to list only those sensitivity labels that are invalid,
presumably because the list of invalid labels is shorter or more meaningful.
classification= c; all compartment combinations valid except:
c
c a
c b
In this example, the most compact way to specify the valid SECRET sensitivity
labels is to state only those sensitivity labels that are valid, presumably
because the list of valid labels is shorter or more meaningful.
classification= s; only valid compartment combinations:
s a b
In this example, all TOP SECRET sensitivity labels are valid.
classification= ts; all compartment combinations valid;
Below, the minimum clearance that can be associated with a user is specified.
The system will not allow a clearance that is below the minimum to be specified.
Note that the clearance specified below represents TOP SECRET with all compartment
bits 0. Note also that this clearance is not a legal clearance according to
the encodings above, but does represent a useful minimum, being the only clearance
immediately below TS NATIONALITY: CNTRY1 and TS NATIONALITY: CNTRY2.
minimum clearance= ts NATIONALITY: CNTRY1/CNTRY2;
Below, the minimum sensitivity label for the system is specified. The
system will not allow a sensitivity label that is below the minimum to be
specified. Note that the sensitivity label specified below represents CONFIDENTIAL
with all compartment bits 0. There should be no sensitivity labels in the
user accreditation range specification below the minimum sensitivity label,
but the minimum sensitivity label does not have to be in the user accreditation
range, though it should be the greatest lower bound of all sensitivity labels
in the user accreditation range. In this case it is in fact the lowest sensitivity
label in the user accreditation range.
minimum sensitivity label= c REL CNTRY1/CNTRY2;
Below, the minimum classification that can appear on the top and bottom
of printer banner pages is specified. This classification is also the minimum
that will appear in the printer banner warning statement that specifies how
the data must be protected unless it is manually reviewed and downgraded.
minimum protect as classification= ts;