This section describes graded authentication terms.
The Security Policy object is the object in Novell eDirectory that you can use to manage the elements of graded authentication. The Security Policy object resides in the Security container.
For more information, see Section 4.3, Configuring the Security Policy Object.
A category is an element of a set that represents sensitivity and trust. You use categories to define security labels.
There are two types of categories: secrecy and integrity.
Secrecy Categories: Secrecy controls the disclosure of information.
An object that is assigned a certain secrecy category can't read at a higher level of secrecy, but it can read at the same or a lower level of secrecy. The object can't write to a lower level of secrecy, but it can write to the same or a higher level.
Think of it in terms of a government secret agent. The government agency has three levels of secrecy: Unclassified, Secret, and Top Secret. The agent is given a Secret level of secrecy. The agent cannot read information designated as Top Secret, but the agent may read information designated as Unclassified or Secret. The agent cannot write information from his Secret level to the Unclassified level, but the agent can write information to the Secret or Top Secret levels.
Integrity Categories: Integrity controls the validity of information.
An object that is assigned a certain integrity category can't write to a higher level of integrity, but it can write to the same or a lower level. The object can't read at a lower level of integrity, but it can read at the same or a higher level.
Think of this in terms of two newspapers. One newspaper is highly respected for its honesty in reporting the facts. The other newspaper is a supermarket tabloid that manufactures stories. The newspaper with the lower integrity cannot publish stories in the newspaper with higher integrity, but the newspaper with higher integrity could publish a story in the newspaper with less integrity. Likewise, the newspaper with higher integrity would not quote from the stories produced by the newspaper with lower integrity, but the newspaper with lower integrity might quote from the stories produced by the newspaper with higher integrity.
NMAS comes with three secrecy categories (Biometric, Token, Password) and three integrity categories (Biometric, Token, Password) defined. You can define additional integrity categories to meet your company's needs.
For more information, see Defining User-Defined Categories (Closed User Groups).
A security label represents the sensitivity of information. It is a set made up of categories. For example, the Biometric security label contains the Biometric secrecy category. The Biometric and Token and Password security label contains three secrecy categories: Biometric, Token, and Password.
A security label can be assigned to a volume or to any eDirectory attribute. The security label is compared against a user's current clearance to determine what information the user can access.
NMAS comes with eight security labels defined. The following table shows the predefined security labels and single-level clearances:
Novell uses only secrecy categories to define the default security labels. This meets the needs of most users. However, Novell provides you with the ability to create your own security labels that may be a combination of both secrecy and integrity categories to meet your company's needs. This, however, can become very complex. See Section 4.2.1, Determining Access with Security Labels Made Up of Both Secrecy and Integrity Categories.
For information on how to create a security label, see Defining Security Labels.
Clearances are assigned to users to represent the amount of trust you have in that user. A clearance has a Read label that specifies what a user can read and a Write label that specifies what information a user can write to. For more information, see Dominance and Section 4.2, Graded Authentication Rules.
There are two types of clearances: single-level and multi-level.
A single-level clearance is a clearance in which the Read label and the Write label are the same. For example, the Biometric clearance's Read label and Write label use the same Biometric label. Therefore, a user who is assigned the Biometric clearance can read information labeled with Biometric and below, but can only write to information labeled Biometric. All labels are used as single-level clearances.
A multi-level clearance is a clearance in which the Read label and the Write label are different. For example, the Multi-Level Administrator clearance is a multi-level clearance and has Biometric and Token and Password for the Read label and Logged In for the Write label. This clearance will allow the user to read all information and to write to all information that is labeled with the default security labels.
NMAS defines only one multi-level clearance: Multi-Level Administrator.
You can define additional clearances to meet your company's needs.
The following table summarizes the access relationships between the predefined single-level clearances and the predefined security labels. Remember that the Novell predefined security labels use secrecy categories only.
For more information, see Defining Clearances.
In administering graded authentication, it is vitally important that you understand the concept of dominance.
All access control decisions are based on the relationship between the labels of the information and the session clearance of the user. There are only three such relationships:
Dominate Relationship
Label A1 is said to dominate Label A2 if:
A1’s secrecy categories include all those of A2
AND
A2’s integrity categories include all those of A1
Equal Relationship
Label A1 is equal to Label A2 if:
A1’s secrecy categories are the same as A2’s secrecy categories.
AND
A1’s integrity categories are the same as A2’s integrity categories.
This may also be expressed as:
A1 dominates A2 and A2 dominates A1.
Incomparable Relationship
Label A1 is incomparable to Label A2 if none of the previous relationships apply.
For more information, see Section 4.2, Graded Authentication Rules.
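As an added illustration (not code from the Novell documentation), this Python models a label as a set of secrecy categories plus a set of integrity categories, implements the dominate, equal and incomparable tests exactly as defined above, and applies them to the read and write checks described under Secrecy Categories, Integrity Categories and Clearances. The write rule, the category sets behind the named labels (including "Logged In" as the empty label) and the "Audited Password" label are assumptions chosen to reproduce this page's examples; the authoritative rules are in Section 4.2, which is not reproduced here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:  # a set of secrecy categories plus a set of integrity categories
    name: str
    secrecy: frozenset = frozenset()
    integrity: frozenset = frozenset()

def dominates(a1: Label, a2: Label) -> bool:
    """A1 dominates A2 if A1's secrecy categories include all of A2's
    AND A2's integrity categories include all of A1's (the page's definition)."""
    return a1.secrecy >= a2.secrecy and a2.integrity >= a1.integrity

def relationship(a1: Label, a2: Label) -> str:
    """Classify the pair: equal, dominates, dominated by, or incomparable."""
    d12, d21 = dominates(a1, a2), dominates(a2, a1)
    if d12 and d21:
        return "equal"        # mutual dominance: same secrecy and integrity sets
    if d12:
        return "dominates"
    if d21:
        return "dominated by"
    return "incomparable"     # neither label dominates the other

@dataclass(frozen=True)
class Clearance:  # Read label and Write label; both the same for single-level
    name: str
    read: Label
    write: Label

def can_read(clearance: Clearance, info: Label) -> bool:
    # Reading requires the clearance's Read label to dominate the information label.
    return dominates(clearance.read, info)

def can_write(clearance: Clearance, info: Label) -> bool:
    # Assumed rule (it reproduces both examples on this page): the information label
    # must dominate the Write label, and the Read label must still dominate it.
    return dominates(info, clearance.write) and dominates(clearance.read, info)

# Constructed labels using names from this page; the predefined labels use secrecy
# categories only, and treating "Logged In" as the empty label is an assumption.
LOGGED_IN = Label("Logged In")
PASSWORD = Label("Password", frozenset({"Password"}))
BIOMETRIC = Label("Biometric", frozenset({"Biometric"}))
BTP = Label("Biometric and Token and Password", frozenset({"Biometric", "Token", "Password"}))
# A constructed user-defined label that adds an integrity category.
AUDITED_PASSWORD = Label("Audited Password", frozenset({"Password"}), frozenset({"Audited"}))
BIOMETRIC_CLEARANCE = Clearance("Biometric", BIOMETRIC, BIOMETRIC)          # single-level
MULTI_LEVEL_ADMIN = Clearance("Multi-Level Administrator", BTP, LOGGED_IN)  # multi-level
```

With these definitions the Biometric clearance reads Logged In and Biometric but not Biometric and Token and Password, and writes only to Biometric, while the Multi-Level Administrator reads and writes every constructed label.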