Appendix B
Annotated Sample Encodings
This appendix contains a sample encodings file, along with annotations that describe the
purpose of most specifications within the file. The sample file, which is
similar though not identical to the sample encodings in [DDS-2600-6215-91], is designed to
illustrate a number of realistic examples. All annotations in the file appear
within boxes.
The VERSION specification is useful for identifying different versions of the encodings.
It is stored by the system when the encodings are loaded.
It can be used to facilitate interoperability among multiple CMW systems. |
|
VERSION= DISTRIBUTED DEMO VERSION
CLASSIFICATIONS:
*
* Comments can be placed in the encodings file any place a keyword can start.
* Comments begin with a * and continue to the end of the line.
*
The classification
specifications below define the common classifications. The values specified represent the proper
hierarchy among the classifications and leave room for later expansion below UNCLASSIFIED, between
UNCLASSIFIED and CONFIDENTIAL, and above TOP SECRET. There are no initial compartments or
markings specifications for UNCLASSIFIED because all compartment and marking bits are intended to
be 0 in UNCLASSIFIED labels. However, the initial compartment and marking specifications
for the remaining (classified) classifications all specify those bits that are used inversely
in the information label, sensitivity label, and clearances encodings below, plus extra bits
reserved for future use as inverse bits. Compartment bits 4-5 are used
for the release compartments REL CNTRY1 and REL CNTRY2. These bits being
0 in an UNCLASSIFIED label means that the label indicates releasability to both
countries. In other labels, the bits being 1 as specified means that
unless the words REL CNTRY1 or REL CNTRY2 are explicitly added to the
label, the data is not releasable to those countries. Marking bit 11
is the inverse bit used in the REL CNTRY3 release marking. Marking
bit 17 is the inverse bit used in the inverse word charlie.
Marking bit 12 is the inverse bit used in the inverse codeword
bravo4. These words will be discussed in more detail below. Compartments
and marking bits 100-127 are reserved for future expansion as inverse bits. |
|
name= UNCLASSIFIED; sname= U; value= 1;
name= CONFIDENTIAL; sname= C; value= 4; initial compartments= 4-5 100-127;
initial markings= 11 12 17 100-127
name= SECRET; sname= S; value= 5; initial compartments= 4-5 100-127;
initial markings= 11 12 17 100-127
name= TOP SECRET; sname= TS; value= 6; initial compartments= 4-5 100-127;
initial markings= 11 12 17 100-127
INFORMATION LABELS:
WORDS:
Note that
all of the prefixes and suffixes appear at the beginning of the WORDS
subsection. Note also that the case used in specifying names does not
matter. |
|
name= REL; prefix;
name= LIMDIS; sname= LD; suffix;
name= ORCON; sname= OC; prefix;
name= eyes only; sname= eo; suffix;
After the prefixes and suffixes are specified, those words that represent compartments, subcompartments,
and codewords are specified. Note that the words are in order of
decreasing importance. CC, B, and A are main compartments, also commonly called
channels. SB and SA are subcompartments of B and A, respectively.
bravo1 through bravo4 are B codewords, and alpha1 through alpha3 are A codewords.
Note that all of the compartments, subcompartments, and codewords specify marking bit
7. This bit, when in a label with no compartment bits on,
specifies the marking WNINTEL (see below). Since it is invalid to have
WNINTEL in a label if a compartment, subcompartment, or codeword is present, putting
the WNINTEL bit in each of these words creates a hierarchy whereby WNINTEL
is hierarchically below all compartments, subcompartments, and codewords. In effect, all compartments,
subcompartments, and codewords “mean” WNINTEL, but the word WNINTEL is shown only for
non-compartment/subcompartment/codeword WNINTEL data. |
|
name= CC; minclass= TS; compartments= 6; markings= 7;
name= SB; minclass= TS; compartments= 1 3; markings= 7;
Subcompartment SB specifies compartment bits 1 and 3. Bit 3
is the bit for subcompartment SB, whereas bit 1 is the bit for
its main compartment, B. This is specified because, by convention for information
labels, specifying a subcompartment should automatically protect the information as being in the main
compartment (channel). |
|
name= bravo1; sname= b1; minclass= TS; compartments= 1; markings= 3-4 7 12;
name= bravo2; sname= b2; minclass= S; compartments= 1; markings= 3 7 12;
The use of marking bits 3 and 4 in the above
two words specifies a hierarchy with bravo1 above bravo2. If two information
labels, each with one of the words, are combined, the result will contain
only the higher word in the hierarchy—bravo1. Marking bit 12 is specified
in bravo2 to assure that bravo2 is hierarchically above bravo4 (see below).
Marking bit 12 must therefore also be present in bravo1 to assure that
bravo1 is hierarchically above bravo2. |
|
name= bravo3; sname= b3; minclass= S; compartments= 1; markings= 5 7;
bravo3 is a codeword independent of bravo1, bravo2,
and bravo4. |
|
name= bravo4; sname= b4; minclass= S; maxclass= S; compartments= 1; markings= 3 7 ~12;
bravo4 is a compartment B codeword which has some inverse qualities because
bit 12 is off. It acts like an inverse word in
that it persists through the combination of two information labels only if it
is present in both labels. However, because not all of its compartment and
marking bits are 0, it does not appear in UNCLASSIFIED labels, and therefore
does not require an ominclass. It has a maximum classification of SECRET. Also,
note that it is in a hierarchy with bravo2. Thus, if bravo4 data
is combined with any non-bravo4 data (which includes all non-SECRET data), the result
is automatically bravo2, because bit 12 (which is one of the initial markings)
will turn on. |
|
name= B; minclass= C; compartments= 1; markings= 7;
B represents non-codeword compartment B data. If none of the
marking bits defined above for bravo1 through bravo4 (bits 3, 4, 5, and
12) are present in a label with compartment bit 1, the word B
will be used to mark the data. |
|
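The hierarchy and inverse-bit behavior of the B codewords can be checked with a small model. This is an added example, not part of the original encodings or of the software that reads them; it assumes that combining two information labels takes the higher classification and ORs the bits, and that a word is displayed when its bits match and it contributes a bit no earlier word has covered. WNINTEL (marking bit 7) is the word defined later in this file.

```python
# Added example: simplified model of information-label bits for the B codewords.
# Word definitions are copied from the sample encodings; the combination and
# display rules are assumptions drawn from the annotations.

CLASS_VALUE = {"U": 1, "C": 4, "S": 5, "TS": 6}
CLASS_NAME = {1: "UNCLASSIFIED", 4: "CONFIDENTIAL", 5: "SECRET", 6: "TOP SECRET"}

# Initial bits of every classified label (reserved bits 100-127 left out).
INITIAL_COMPARTMENTS = {4, 5}
INITIAL_MARKINGS = {11, 12, 17}

# (name, compartments on, markings on, markings that must be off), in file order.
WORDS = [
    ("bravo1", {1}, {3, 4, 7, 12}, set()),
    ("bravo2", {1}, {3, 7, 12}, set()),
    ("bravo3", {1}, {5, 7}, set()),
    ("bravo4", {1}, {3, 7}, {12}),
    ("B", {1}, {7}, set()),
    ("WNINTEL", set(), {7}, set()),
]
WORD_BY_NAME = {w[0]: w for w in WORDS}


def make_label(sname, *words):
    """Build (classification value, compartments, markings) for one label."""
    comps, marks = set(), set()
    if sname != "U":
        comps |= INITIAL_COMPARTMENTS
        marks |= INITIAL_MARKINGS
    # Clear inverse bits first, then set normal bits, so a normal bit wins.
    for name in words:
        marks -= WORD_BY_NAME[name][3]
    for name in words:
        _, c_on, m_on, _ = WORD_BY_NAME[name]
        comps |= c_on
        marks |= m_on
    return CLASS_VALUE[sname], frozenset(comps), frozenset(marks)


def combine(a, b):
    """Combine two information labels: higher classification, OR of all bits."""
    return max(a[0], b[0]), a[1] | b[1], a[2] | b[2]


def to_words(label):
    """Scan the words in file order and return the names that are displayed."""
    _, comps, marks = label
    shown, seen_c, seen_m = [], set(), set()
    for name, c_on, m_on, m_off in WORDS:
        matches = c_on <= comps and m_on <= marks and not (m_off & marks)
        adds_bits = not (c_on <= seen_c and m_on <= seen_m)
        if matches and adds_bits:
            shown.append(name)
            seen_c |= c_on
            seen_m |= m_on
    return shown


def render(label):
    return " ".join([CLASS_NAME[label[0]]] + to_words(label))


if __name__ == "__main__":
    b4 = make_label("S", "bravo4")
    print(render(b4))
    print(render(combine(b4, make_label("C", "B"))))
    print(render(combine(make_label("TS", "bravo1"), make_label("S", "bravo2"))))
```

Combining a bravo4 label with any label that still has initial marking bit 12 set turns that bit back on, which is why the result is reported as bravo2.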
name= SA; minclass= TS; compartments= 0 2; markings= 7;
Subcompartment SA specifies compartment bits 0
and 2. Bit 2 is the bit for subcompartment SA, whereas bit 0
is the bit for its main compartment, A. This is specified because, by
convention for information labels, specifying a subcompartment should automatically protect the information as
being in the main compartment (channel). |
|
name= alpha1; sname= a1; minclass= TS; compartments= 0; markings= 0-2 7;
name= alpha2; sname= a2; minclass= S; compartments= 0; markings= 0-1 7;
name= alpha3; sname= a3; minclass= S; compartments= 0; markings= 0 7;
The use of marking bits 0, 1, and
2 in the above three words specifies a hierarchy with alpha1 above alpha2
above alpha3. |
|
name= A; minclass= C; compartments= 0; markings= 7;
A represents non-codeword compartment A data. If none of the marking bits
defined above for alpha1 through alpha3 (bits 0, 1, and 2) are
present in a label with compartment bit 0, the word A will be
used to mark the data. |
|
After the compartments, subcompartments, and codewords are specified, those
words that represent markings are specified, in order of decreasing importance. Note that
some of the words below do contain compartment bit references (NOFORN, REL CNTRY1,
and REL CNTRY2). These were placed below because NOFORN and release markings—by convention—appear
towards the end of the label. |
|
name= project x; sname= px; minclass= C; markings= 14;
suffix= LIMDIS; access related;
The flags= keyword below serves a
purpose only if the system has assigned some particular meaning to flag bit
3. It is included here only as an example of how flags are
specified. |
|
flags= 3;
name= project y; sname= py; minclass= C; markings= 6;
suffix= LIMDIS; access related;
The two words above both require the suffix LIMDIS. They represent projects whose
data should only be shown to people with need-to-know for the project. There
is another common usage of LIMDIS whereby no project name is specified. Such
a usage would have LIMDIS as a base word, not a suffix,
and would assign a unique marking bit for LIMDIS. |
|
name= charlie; sname= ch; ominclass= c;
minclass= s; maxclass= S; markings= ~17;
charlie is included as an
example of an extremely complicated word specification, to show some of the advanced
specification features. charlie is an inverse marking, which is present when marking bit
17 (one of the marking bits with an initial value of 1) is
0. Because of its minclass and maxclass specifications, it can appear only with
the classification SECRET. As is the case with all inverse markings, charlie includes
an ominclass specification, which prevents charlie from appearing in labels below CONFIDENTIAL. However,
since its minclass is SECRET, why can't the ominclass be SECRET or omitted
entirely? It can't be omitted because to do so would cause charlie
to be displayed with UNCLASSIFIED labels (because it is an inverse marking). It
could be SECRET however. With the ominclass SECRET, charlie could not be added
to a CONFIDENTIAL label. In other words, entering “+charlie” to modify a
CONFIDENTIAL label would fail. With ominclass CONFIDENTIAL however, entering “+charlie” to modify a CONFIDENTIAL
label would force the classification to SECRET and add the marking charlie. The
final thing to note about charlie is that it requires the codeword alpha2
to be present (see REQUIRED COMBINATIONS below). |
|
name= org x; sname= ox; minclass= C; markings= 9;
prefix= ORCON; access related;
name= org y; sname= oy; minclass= C; markings= 15;
prefix= ORCON; access related;
The two words above both require
the prefix ORCON. They represent an extension of the typical usage of ORCON.
The purpose of the extension is to indicate via the base word name
the originator of the ORCON data. Thus ORCON org x indicates ORCON with
org x as the originator, and ORCON org x/org y indicates data that
is a combination of ORCON org x and ORCON org y data.
To specify the more typical ORCON marking, ORCON would be a base
word without a prefix or suffix, and would use a single marking bit. |
|
name= D/E; minclass= C; markings= 16;
access related;
The
word D/E is included in these encodings as an example of a
word that contains a /. Even though / is used as the separator
of multiple words that require the same prefix or suffix, the / character
can be included in word names themselves. Care should be taken in any
such usage of / to avoid confusion. |
|
name= all eyes; access related; markings= 8 10;
The above word is a composite of
the two words that follow. |
|
name= p1; markings= 8;
suffix= eyes only; access related;
name= p2; markings= 10;
suffix= eyes only; access related;
The above two words both require the suffix
eyes only. They serve as an example of the fact that blanks can
be included in word names, even in suffix names. These words represent an
extension of the more typical encoding of eyes only, in that they allow
a specification through the base word name of who can view the data.
To specify the more typical eyes only marking, eyes only would be a
base word without a prefix or suffix, and would use a single marking
bit. |
|
name= WNINTEL; sname= WN; minclass= C; markings= 7;
access related;
Note the relationship between the WNINTEL marking above and the compartment, subcompartment, and
codewords at the top of the information label words, all of which include
marking bit 7 to form a hierarchy with WNINTEL at the bottom. |
|
name= WARNING; minclass= C; markings= 7;
Because
the above word specifies the same compartments and markings as the word before
it, it simply adds a third input-only name to WNINTEL. |
|
The four words
below comprise the release markings and their related marking NOFORN. In these encodings,
NOFORN is encoded such that it cannot appear in the same label with
a release marking. There are alternative encodings whereby NOFORN is totally independent of
the release markings. In this example, REL CNTRY1 and REL CNTRY2 are actually
release compartments, whereas REL CNTRY3 is just a release marking. Such encodings might
be used if citizens of CNTRY1 and CNTRY2 were direct users of this
or a connected system whose access to data was mandatorily controlled through release
compartments, and citizens of CNTRY3 were not users, but could receive hardcopy system
output marked REL CNTRY3. The encoding of the NOFORN word is such
that it is hierarchically above all of the release compartments and markings. Marking
bit 13 was specifically specified as 1 in NOFORN and as 0 in
the release compartments and markings to ensure this hierarchy. Because they are inverse
words, REL CNTRY1, REL CNTRY2, and REL CNTRY3 all have an ominclass of
CONFIDENTIAL. This ominclass specification prevents these words from appearing in human-readable labels below CONFIDENTIAL.
Therefore, even though the bit representations of these three release compartments/markings indicate that
they should be present with UNCLASSIFIED, by convention they are not shown in
UNCLASSIFIED labels. A useful way to think about the bit assignments involved in
these release compartments/markings is as follows. Compartment bit 4 is the (inverse) bit
for REL CNTRY1. Compartment bit 4 being 0 means that the data is
releasable to CNTRY1. Compartment bit 5 is the (inverse) bit for REL CNTRY2.
Compartment bit 5 being 0 means that the data is releasable to CNTRY2.
Marking bit 11 is the (inverse) bit for REL CNTRY3. Marking bit 11
being 0 means that the data is releasable to CNTRY3. Finally, marking
bit 13 is the NOFORN bit. Marking bit 13 being 1 means
that the data is NOFORN. If the data is neither NOFORN nor
releasable to any of the countries, compartment bits 4 and 5 will be
1, marking bit 11 will be 1, and marking bit 13 will be
0. |
|
name= NOFORN; sname= NF; minclass= C; compartments= 4-5; markings= 11 13;
access related;
name= CNTRY1; sname= c1; ominclass= C; compartments= ~4; markings= ~13;
prefix= REL;
name= CNTRY2; sname= C2; ominclass= C; compartments= ~5; markings= ~13;
prefix= REL;
name= CNTRY3; sname= c3; ominclass= C; markings= ~11 ~13;
prefix= REL;
The following word acts as an alias for the following combination of the
above words: CC SB bravo1 bravo3 SA alpha1 project X/project Y
LIMDIS ORCON org x/org Y D/E all eyes NOFORN. The alias has
associated all of the compartment and marking bits of the aliased words, and
no others. It also has a minclass equal to the highest minclass
of any of the aliased words. Because it follows these words in
the encodings, it can never appear in an output label; it can be
used only as a shorthand on input for entering or adding to a
label. It is intended to represent the “system high” set of information
label words. |
|
name= SYSHI; minclass= TS; compartments= 0-6; markings= 0-16;
The REQUIRED COMBINATIONS below specify two constraints about the above information label
words. The first specification requires that NOFORN be present in a label
whenever subcompartment SB is present. The second specification requires that the codeword
alpha2 be present in a label whenever the marking charlie is present. |
|
REQUIRED COMBINATIONS:
SB NF
charlie alpha2
The COMBINATION
CONSTRAINTS below specify three constraints about the above information label words. The
first specification requires that codeword bravo4 must stand alone in a label (along
with the classification SECRET as forced by the specification above for bravo4).
The second specification requires that the marking charlie can be combined only with
the codeword alpha2. Note that this specification, when combined with the second
required combination above, requires that the marking charlie, if present in a label,
must appear along with alpha2 and only alpha2 and the classification SECRET (as
forced by the specification above for charlie). The third specification requires that if data
is marked releasable to CNTRY3, it cannot also be releasable to CNTRY1 or
CNTRY2. Note that there is no restriction on marking data releasable
to CNTRY1 and CNTRY2. |
|
COMBINATION CONSTRAINTS:
bravo4 &
charlie & alpha2
The line below is continued onto the next
line by ending the line with a \. This is done as
an example of the line continuation feature that might be required on long
combination constraints. |
|
REL CNTRY3 ! REL CNTRY1 | \
REL CNTRY2
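The REQUIRED COMBINATIONS and COMBINATION CONSTRAINTS above can be applied to a candidate set of information label words as follows. This is an added example, not code from the original document or from the system that reads the encodings; it assumes that `&` means "may be combined only with the words on the right", `!` means "may not appear with any word on the right", and `|` separates alternatives, as the annotations describe. The `check` function and the short-name table are illustrative.

```python
# Added example: evaluate the sample file's information-label constraints.
# Constraint text is copied from the encodings above.
REQUIRED = """\
SB NF
charlie alpha2
"""
CONSTRAINTS = """\
bravo4 &
charlie & alpha2
REL CNTRY3 ! REL CNTRY1 | \\
REL CNTRY2
"""
SHORT_NAMES = {"nf": "noforn"}  # sname -> name; only the one used above


def norm(word):
    """Case-insensitive, whitespace-normalized word name with snames resolved."""
    w = " ".join(word.lower().split())
    return SHORT_NAMES.get(w, w)


def logical_lines(text):
    """Join lines continued with a trailing backslash and drop blank lines."""
    joined = text.replace("\\\n", " ")
    return [ln.strip() for ln in joined.splitlines() if ln.strip()]


def split_words(side):
    return {norm(w) for w in side.split("|") if w.strip()}


def parse_constraints(text):
    """Return (operator, left words, right words) for each constraint line."""
    rules = []
    for line in logical_lines(text):
        op = "!" if "!" in line else "&"
        left, _, right = line.partition(op)
        rules.append((op, split_words(left), split_words(right)))
    return rules


def parse_required(text):
    # Assumes single-token names, as in the two lines of this sample.
    return [tuple(norm(t) for t in ln.split()) for ln in logical_lines(text)]


def check(words):
    """Return a list of violations for the given set of label words."""
    label = {norm(w) for w in words}
    errors = []
    for needs, then in parse_required(REQUIRED):
        if needs in label and then not in label:
            errors.append(f"{needs} requires {then}")
    for op, left, right in parse_constraints(CONSTRAINTS):
        present = sorted(left & label)
        if not present:
            continue
        if op == "!":
            clash = sorted(right & label)
            if clash:
                errors.append(f"{'/'.join(present)} cannot appear with {'/'.join(clash)}")
        else:
            extra = sorted(label - left - right)
            if extra:
                allowed = "/".join(sorted(right)) or "no other words"
                errors.append(f"{'/'.join(present)} allows only {allowed}; found {'/'.join(extra)}")
    return errors


if __name__ == "__main__":
    for candidate in (["charlie"], ["bravo4", "WNINTEL"], ["REL CNTRY1", "REL CNTRY2"]):
        print(candidate, "->", check(candidate) or "ok")
```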
SENSITIVITY LABELS:
WORDS:
The PREFIX keyword below is shown in upper case
as an example of the case insensitivity of the encodings. Note that
the prefix comes at the beginning of the words. |
|
name= REL; PREFIX;
The sensitivity label compartments below
are ordered in terms of increasing importance, with the exception of the release
compartments, which are at the end by convention. Most of the compartments
require the specification of a single compartment bit. However, SB and the
release compartments are a special case. Since subcompartment SB must appear with
NOFORN, and since NOFORN cannot appear with release compartments or markings (see the
encodings above), SB cannot appear in a sensitivity label with release compartments. This
constraint is enforced below by creating a hierarchy using compartment bits with SB
at the top of the hierarchy above REL CNTRY1 and REL CNTRY2.
Compartment bit 3 is the bit that means SB. The compartments
for SB include bits 4 and 5 to force them to 1 when
SB is specified. Since bits 4 and 5 are the inverse bits
for the release compartments, specifying SB ensures that no release compartments are present.
The ~3 specification in the release compartments is redundant, but serves to
emphasize the hierarchy present. With this hierarchy specified, it is possible to
add SB to a sensitivity label that contains a release compartment, thereby automatically
removing the release compartment. As an alternative to the specification below, it would
have been possible to enforce the fact that SB cannot be combined
with release compartments via a combination constraint of SB ! REL CNTRY1 |
REL CNTRY2. However, such an encoding forms no hierarchy, such that trying
to add SB to a sensitivity label that contains a release compartment would
be considered an error. Because they are inverse words, REL CNTRY1 and
REL CNTRY2 have an ominclass of CONFIDENTIAL. This ominclass specification
prevents these words from appearing in human-readable labels below CONFIDENTIAL. Therefore, even though the
bit representations of these two release compartments indicate that they should be present
with UNCLASSIFIED, by convention they are not shown in UNCLASSIFIED labels. |
|
name= A; minclass= C; compartments= 0;
name= B; minclass= C; compartments= 1;
name= SA; minclass= TS; compartments= 2;
name= SB; minclass= TS; compartments= 3-5;
name= CC; minclass= TS; compartments= 6;
name= CNTRY1; sname= c1; ominclass= C; compartments= ~3 ~4;
prefix= REL;
name= CNTRY2; sname= c2; ominclass= C; compartments= ~3 ~5;
prefix= REL;
Because of the
system invariant that the compartment bits in sensitivity labels must always dominate the
compartment bits in associated information labels, the presence of one of the above
two words in a sensitivity label forces the same word to appear in
an associated information label. |
|
The REQUIRED COMBINATIONS below specify that if subcompartment SB
is present in a sensitivity label, compartment B must also be present.
Similarly, if subcompartment SA is present in a sensitivity label, compartment A must also
be present. Note how differently this requirement is met in this
sensitivity label encoding compared to how it was met above in the information
label encoding. In the sensitivity label—by convention—both compartments and subcompartments can appear, which
is accomplished by this encoding. In the information label, the presence of
a subcompartment automatically forces the appropriate main compartment bit to be present, but
does not include the main compartment name in the human-readable representation of the
label—again by convention. |
|
REQUIRED COMBINATIONS:
SB B
SA A
There are no combination constraints for sensitivity label words, so the subsection
below has no constraints specified. Note that the subsection must be present
even if it is empty. |
|
COMBINATION CONSTRAINTS:
The CLEARANCES section below is similar to the
SENSITIVITY LABELS section above, but with two differences. First, the prefix used
for the release compartments is different. Whereas it makes sense to mark
data REL COUNTRY, when the same concept is applied to clearances, and therefore
related to users, it makes more sense to refer to the nationality of
the user, rather than having REL COUNTRY in the user's clearance. Therefore,
this section uses the prefix NATIONALITY: before the country words. Second, there
is a combination constraint specified. Since the release compartments NATIONALITY: CNTRY1 and
NATIONALITY: CNTRY2 in a clearance mean that the user is a citizen of
the country, the constraint specifies that a clearance cannot specify that a user
is a citizen of more than one country. Note that no such
constraint is needed for sensitivity labels, because the meaning of the release compartments
in a sensitivity label is that the data is releasable to citizens of
the country, and data can be releasable to more than one country.
Because they are inverse words, NATIONALITY: CNTRY1 and NATIONALITY: CNTRY2 have an ominclass
of CONFIDENTIAL. This ominclass specification prevents these words from appearing
in human-readable labels below CONFIDENTIAL. Therefore, even though the bit representations of these two
release compartments indicate that they should be present with UNCLASSIFIED, by convention they
are not shown in UNCLASSIFIED labels. |
|
CLEARANCES:
WORDS:
name= NATIONALITY:; sname= N:; prefix;
name= A; minclass= C; compartments= 0;
name= B; minclass= C; compartments= 1;
name= SA; minclass= TS; compartments= 2;
name= SB; minclass= TS; compartments= 3-5;
name= CC; minclass= TS; compartments= 6;
name= CNTRY1; sname= c1; ominclass= C; compartments= ~3 ~4;
prefix= NATIONALITY:;
name= CNTRY2; sname= c2; ominclass= C; compartments= ~3 ~5;
prefix= NATIONALITY:;
REQUIRED COMBINATIONS:
SB B
SA A
COMBINATION CONSTRAINTS:
NATIONALITY: c1 ! NATIONALITY: c2
The CHANNELS section specifies the HANDLE VIA...
caveats associated with the main compartments (channels) specified above, for use by the
system in producing printer banner pages. If the sensitivity label indicates only one channel
present, the caveat should be of the form HANDLE VIA (CHANNEL NAME) CHANNELS
ONLY. If the sensitivity label indicates multiple channels present, the caveat should be
of the form HANDLE VIA (CHANNEL NAME)/(CHANNEL NAME)/... CHANNELS JOINTLY. The encodings could
specify a unique word for each channel and each combination of channels, but
such an encoding would be extremely long with a large number of encodings.
Rather, the encodings below take full advantage of the fact that words can
require both a prefix and a suffix to shorten the specifications. To fully
understand the encodings below, you must know how the system uses the channel
words in producing the caveat string. The words are scanned in the order
specified, with all words whose compartment bits are present in the sensitivity label
placed into the caveat string in the order in which they are encountered.
Once a compartment bit has been matched in the sensitivity label, it is
“forgotten” as the rest of the words are scanned. Note that none of
the words below contains an sname, because only long names are used for
producing the channel caveat string. |
|
CHANNELS:
WORDS:
The encodings below define a single prefix, HANDLE VIA,
which is the prefix for every word in the encodings. Two suffixes are
defined: CHANNELS ONLY for the case when only one channel is present,
and CHANNELS JOINTLY for the case when more than one channel is present.
Each main word below requires the prefix and one of the suffixes. |
|
name= CHANNELS JOINTLY; suffix;
name= CHANNELS ONLY; suffix;
name= HANDLE VIA; prefix;
The first
three main words cover the case where only a single channel is present.
The compartment bit specifications of each will match a sensitivity label only if
a single channel is present. Note that all non-channel bits are ignored. For
example, the compartments specification for the word (CH A) is 0 ~1 ~6,
which will match only a sensitivity label with bit 0 (for channel A)
on and bits 1 and 6 (for channels B and CC) off.
These first three entries all require the suffix CHANNELS ONLY. Once a compartment
bit is matched by one of these words, it will be “forgotten” as
the remaining words are scanned, so that none of the final three words
will be placed in the caveat string if one of the first three
is. Note that the order of these first three words does not matter,
because at most one of them will ever match a sensitivity label. |
|
name= (CH A); prefix=HANDLE VIA; compartments= 0 ~1 ~6;
suffix= CHANNELS ONLY;
name= (CH B); prefix=HANDLE VIA; compartments= ~0 1 ~6;
suffix= CHANNELS ONLY;
name= (CH C); prefix=HANDLE VIA; compartments= ~0 ~1 6;
suffix= CHANNELS ONLY;
The last
three main words cover the case where multiple channels are present. Any of
these words that match the sensitivity label will be placed in the caveat
string, preceded by HANDLE VIA, separated by /, and followed by CHANNELS JOINTLY.
Note that these words are in order of decreasing sensitivity, and must follow
the single channel encodings above. |
|
name= (CH C); prefix=HANDLE VIA; compartments= 6;
suffix= CHANNELS JOINTLY;
name= (CH B); prefix=HANDLE VIA; compartments= 1;
suffix= CHANNELS JOINTLY;
name= (CH A); prefix=HANDLE VIA; compartments= 0;
suffix= CHANNELS JOINTLY;
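The scan that the CHANNELS annotations describe, as an added example (not code from the system that reads these encodings). It assumes a sensitivity label is given as the set of compartment bits that are on, and that ~n bits are tested against the full label while matched bits are forgotten; `channel_caveat` and the list names are illustrative.

```python
# Added example: build the HANDLE VIA caveat from a sensitivity label's
# compartment bits, using the six channel words of the sample encodings.

PREFIX = "HANDLE VIA"

# (name, bits that must be on, bits that must be off, suffix), in file order.
ONLY_WORDS = [
    ("(CH A)", {0}, {1, 6}, "CHANNELS ONLY"),
    ("(CH B)", {1}, {0, 6}, "CHANNELS ONLY"),
    ("(CH C)", {6}, {0, 1}, "CHANNELS ONLY"),
]
JOINTLY_WORDS = [
    ("(CH C)", {6}, set(), "CHANNELS JOINTLY"),
    ("(CH B)", {1}, set(), "CHANNELS JOINTLY"),
    ("(CH A)", {0}, set(), "CHANNELS JOINTLY"),
]
CHANNEL_WORDS = ONLY_WORDS + JOINTLY_WORDS


def channel_caveat(compartment_bits, words=CHANNEL_WORDS):
    """Return the caveat string for the compartment bits of a sensitivity label."""
    label = set(compartment_bits)
    remaining = set(label)          # bits not yet matched by an earlier word
    names, suffix = [], None
    for name, on, off, word_suffix in words:
        # Non-channel bits (subcompartments, release bits) are never examined.
        if on <= remaining and not (off & label):
            names.append(name)
            suffix = word_suffix
            remaining -= on         # a matched bit is "forgotten"
    if not names:
        return ""
    return f"{PREFIX} {'/'.join(names)} {suffix}"


if __name__ == "__main__":
    print(channel_caveat({0}))              # channel A only
    print(channel_caveat({1, 3, 4, 5}))     # B with SB: still one channel
    print(channel_caveat({0, 1, 6}))        # all three channels
    # Placing the JOINTLY words first produces the wrong suffix for one channel.
    print(channel_caveat({0}, JOINTLY_WORDS + ONLY_WORDS))
```

The last call shows why the multiple-channel words must follow the single-channel words: scanned first, they match a lone channel and consume its bit.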
The PRINTER BANNERS section specifies the nonchannel-related caveats associated
with compartments and markings, for use by the system in producing printer banner
pages. Note that none of the words below contains an sname, because
only long names are used for producing the printer banner caveat string.
Note also that these words are in order of decreasing sensitivity. |
|
PRINTER BANNERS:
WORDS:
name= ORCON; prefix;
name= (FULL SB NAME); compartments= 3;
name= (FULL SA NAME); compartments= 2;
These first
two words specify caveats associated with the subcompartments defined above. Note that
all main compartments (channels) are ignored by the encodings in this section. Each
word specifies the name to be placed in the printer banner caveat string
if the specified compartments (in this case subcompartments) match the sensitivity label. Note
that the compartments specifications could also have included the associated main compartment bits,
because they are forced to be present along with the subcompartment bits (i.e.,
compartments= 3 could have been compartments= 1 3). |
|
name= org x; prefix= ORCON; markings= 9;
name= org y; prefix= ORCON; markings= 15;
These two words specify caveats associated
with certain markings defined above. Each word specifies the name to be placed
in the printer banner caveat string if the specified markings match the information
label. |
|
The ACCREDITATION RANGE section specifies the system and user accreditation ranges and related
constants. The user accreditation range is the set of sensitivity labels at which
normal system users can operate. In the general case, not all possible sensitivity
labels containing the compartments defined for the system are in the user accreditation
range. The encodings allow for the specification of the user accreditation range in
the most compact manner possible, rather than having to list every possible valid
sensitivity label. The valid sensitivity labels for each classification are specified separately.
Since no specification for the classification UNCLASSIFIED appears below, the sensitivity label
UNCLASSIFIED is not in the user accreditation range. |
|
ACCREDITATION RANGE:
In this example, the most compact
way to specify the valid CONFIDENTIAL sensitivity labels is to list only those
sensitivity labels that are invalid, presumably because the list of invalid labels is
shorter or more meaningful. |
|
classification= c; all compartment combinations valid except:
c
c a
c b
In this example, the most compact way to specify
the valid SECRET sensitivity labels is to state only those sensitivity labels that
are valid, presumably because the list of valid labels is shorter or more
meaningful. |
|
classification= s; only valid compartment combinations:
s a b
In this example, all TOP SECRET sensitivity labels are valid. |
|
classification= ts; all compartment combinations valid;
Below the minimum
clearance that can be associated with a user is specified. The system
will not allow a clearance that is below the minimum to be
specified. Note that the clearance specified below represents TOP SECRET with all
compartment bits 0. Note also that this clearance is not a legal clearance
according to the encodings above, but does represent a useful minimum, being the
only clearance immediately below TS NATIONALITY: CNTRY1 and TS NATIONALITY: CNTRY2. |
|
minimum clearance= ts NATIONALITY: CNTRY1/CNTRY2;
Below the minimum
sensitivity label for the system is specified. The system will not allow a
sensitivity label that is below the minimum to be specified. Note that the
sensitivity label specified below represents CONFIDENTIAL with all compartment bits 0. There should
be no sensitivity labels in the user accreditation range specification below the minimum
sensitivity label, but the minimum sensitivity label does not have to be in
the user accreditation range, though it should be the greatest lower bound of
all sensitivity labels in the user accreditation range. In this case it is
in fact the lowest sensitivity label in the user accreditation range. |
|
minimum sensitivity label= c REL CNTRY1/CNTRY2;
Below the minimum
classification that can appear on the top and bottom of printer banner pages
is specified. This classification is also the minimum that will appear in
the printer banner warning statement that specifies how the data must be protected
unless it is manually reviewed and downgraded. |
|
minimum protect as classification= ts;