Graded Authentication Terms


Security Policy Object

The Security Policy object is the object in Novell eDirectory that you can use to manage the elements of graded authentication. The Security Policy object resides in the Security container.

For more information, see Configuring the Security Policy Object.


Category

A category is an element of a set that represents sensitivity and trust. You use categories to define security labels.

There are two types of categories: secrecy and integrity.

NMAS comes with three secrecy categories (Biometric, Token, Password) and three integrity categories (Biometric, Token, Password) defined. You can define additional integrity categories to meet your company's needs.

For more information, see Defining User-Defined Categories (Closed User Groups).


Security Label

A security label represents the sensitivity of information. It is a set made up of categories. For example, the Biometric security label contains the Biometric secrecy category. The Biometric and Token and Password security label contains three secrecy categories: Biometric, Token, and Password.

A security label can be assigned to a volume or to any eDirectory attribute. The security label is compared against a user's current clearance to determine what information the user can access.

NMAS comes with eight security labels defined. The following table shows the predefined security labels (each of which is also usable as a single-level clearance) together with the secrecy and integrity categories each one contains; {0} denotes an empty category set:

Default Security Label          Secrecy Categories             Integrity Categories
Biometric & Password & Token    {Biometric, Token, Password}   {0}
Biometric & Password            {Biometric, Password}          {0}
Biometric & Token               {Biometric, Token}             {0}
Password & Token                {Token, Password}              {0}
Biometric                       {Biometric}                    {0}
Password                        {Password}                     {0}
Token                           {Token}                        {0}
Logged In                       {0}                            {0}

Note that no predefined label carries an integrity category, and that Logged In carries no categories at all: it is the label every other label dominates.

You can define additional security labels to meet your company's needs.

For more information, see Defining Security Labels.


Clearance

Clearances are assigned to users to represent the amount of trust you have in that user. A clearance has a Read label that specifies what a user can read and a Write label that specifies what information a user can write to. For more information, see Dominance and Graded Authentication Rules.

There are two types of clearances: single-level and multi-level.


Single-Level Clearance

A single-level clearance is a clearance in which the Read label and the Write label are the same. For example, the Biometric clearance's Read label and Write label both use the Biometric label. Therefore, a user who is assigned the Biometric clearance can read information labeled Biometric and any label it dominates (such as Logged In), but can only write to information labeled exactly Biometric. Every predefined label also serves as a single-level clearance of the same name.


Multi-Level Clearance

A multi-level clearance is a clearance in which the Read label and the Write label are different. For example, the Multi-Level Administrator clearance is a multi-level clearance and has Biometric and Token and Password for the Read label and Logged In for the Write label. This clearance will allow the user to read all information and to write to all information that is labeled with the default security labels.

NMAS defines only one multi-level clearance: Multi-Level Administrator.

You can define additional clearances to meet your company's needs.
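The following Python model is an added illustration of the terms above; it is not code from the NMAS documentation or product. It represents the eight predefined labels as sets of secrecy categories (the table's {0} becomes the empty set; integrity categories are left out because every predefined label has none), defines dominance as set containment, and evaluates read and write decisions for a single-level clearance and for the Multi-Level Administrator. The read rule follows the page (the Read label must dominate the information label). The write rule is an assumption, chosen so that it reproduces the two cases the page states: a single-level Biometric clearance writes only at Biometric, and the Multi-Level Administrator writes at every default label.

```python
"""Model of NMAS graded-authentication labels, clearances and dominance.

Added example: not NMAS code. The write rule is an assumption (see can_write).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# The three predefined secrecy categories named on the page.
BIOMETRIC, TOKEN, PASSWORD = "Biometric", "Token", "Password"

# The eight predefined security labels as sets of secrecy categories, taken from
# the page's table. Integrity categories are omitted because every predefined
# label has an empty integrity set ({0} in the table), so they never affect
# comparisons between these labels.
LABELS: Dict[str, FrozenSet[str]] = {
    "Biometric & Password & Token": frozenset({BIOMETRIC, PASSWORD, TOKEN}),
    "Biometric & Password": frozenset({BIOMETRIC, PASSWORD}),
    "Biometric & Token": frozenset({BIOMETRIC, TOKEN}),
    "Password & Token": frozenset({PASSWORD, TOKEN}),
    "Biometric": frozenset({BIOMETRIC}),
    "Password": frozenset({PASSWORD}),
    "Token": frozenset({TOKEN}),
    "Logged In": frozenset(),
}


def dominates(a: FrozenSet[str], b: FrozenSet[str]) -> bool:
    """Label a dominates label b when a contains every category in b.

    Equal labels dominate each other; Logged In (no categories) is dominated
    by every label.
    """
    return a >= b


def incomparable(a: FrozenSet[str], b: FrozenSet[str]) -> bool:
    """Neither label dominates the other, e.g. Biometric versus Password."""
    return not dominates(a, b) and not dominates(b, a)


@dataclass(frozen=True)
class Clearance:
    """A clearance is a Read label plus a Write label."""
    read: FrozenSet[str]
    write: FrozenSet[str]

    @property
    def single_level(self) -> bool:
        return self.read == self.write


def single_level(label_name: str) -> Clearance:
    """Every predefined label is also a single-level clearance of the same name."""
    return Clearance(read=LABELS[label_name], write=LABELS[label_name])


# The only predefined multi-level clearance: reads at the top label, writes at
# Logged In (the bottom label).
MULTI_LEVEL_ADMINISTRATOR = Clearance(
    read=LABELS["Biometric & Password & Token"], write=LABELS["Logged In"]
)


def can_read(clearance: Clearance, info: FrozenSet[str]) -> bool:
    """Read access: the session's Read label must dominate the information label."""
    return dominates(clearance.read, info)


def can_write(clearance: Clearance, info: FrozenSet[str]) -> bool:
    """Write access (ASSUMED rule, chosen to match the page's two worked cases).

    The information label must dominate the Write label, and the Read label
    must still dominate the information label. For a single-level clearance
    this collapses to "write only at exactly your own label"; for the
    Multi-Level Administrator it allows writing at every default label.
    """
    return dominates(info, clearance.write) and dominates(clearance.read, info)


def access_matrix(clearance: Clearance) -> Dict[str, Tuple[bool, bool]]:
    """(read, write) decision for the clearance against every predefined label."""
    return {name: (can_read(clearance, lbl), can_write(clearance, lbl))
            for name, lbl in LABELS.items()}


if __name__ == "__main__":
    for title, clr in (("Biometric (single-level)", single_level("Biometric")),
                       ("Multi-Level Administrator", MULTI_LEVEL_ADMINISTRATOR)):
        print(title)
        for name, (r, w) in access_matrix(clr).items():
            print(f"  {name:30} read={r!s:5} write={w!s:5}")
```

Running the script prints the two access matrices. The Biometric single-level clearance reads Biometric and Logged In, writes only Biometric, and is refused both read and write on Password, Token and every combined label, because those labels are either incomparable with or strictly above Biometric. The Multi-Level Administrator reads and writes every default label.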

The following figure summarizes the access relationships between the predefined clearances and the security labels. For more information, see Defining Clearances.


Clearance Table


Dominance

In administering graded authentication, it is vitally important that you understand the concept of dominance.

All access control decisions are based on the relationship between the labels of the information and the session clearance of the user. There are only three such relationships:

For more information, see Graded Authentication Rules.