4.2 Graded Authentication Rules

IMPORTANT: Graded authentication is an additional level of control. It does not take the place of regular eDirectory and file system access rights, which still need to be administered separately.

The following rules apply to graded authentication in NMAS:

4.2.1 Determining Access with Security Labels Made Up of Both Secrecy and Integrity Categories

If you were to create a security label with both the Token and Password secrecy categories (Ts and Ps) and the Token and Password integrity categories (Ti and Pi), the possible combinations would look like the following (one row per integrity combination, one column per secrecy combination):

{Ts, Ps; 0}        {Ts; 0}        {Ps; 0}        {0; 0}
{Ts, Ps; Ti}       {Ts; Ti}       {Ps; Ti}       {0; Ti}
{Ts, Ps; Pi}       {Ts; Pi}       {Ps; Pi}       {0; Pi}
{Ts, Ps; Ti, Pi}   {Ts; Ti, Pi}   {Ps; Ti, Pi}   {0; Ti, Pi}

Now, using the rules of dominance (see Dominance), you can check these combinations as user clearances against all possible security labels. For the purposes of this example, we compare only the single-level clearances (the Read and Write labels are the same) against two arbitrarily selected security labels: {Ts, Ps; Ti} and {Ts; Pi}.

User Clearances (A1)                      Security Label (A2)   Security Label (A2)
R = Read . . . W = Write                  {Ts, Ps; Ti}          {Ts; Pi}

R {Ts, Ps; 0}       W {Ts, Ps; 0}         Dominate              Dominate
R {Ts; 0}           W {Ts; 0}             Incomparable          Incomparable
R {Ps; 0}           W {Ps; 0}             Incomparable          Incomparable
R {0; 0}            W {0; 0}              Incomparable          Incomparable
R {Ts, Ps; Ti}      W {Ts, Ps; Ti}        Equal                 Incomparable
R {Ts; Ti}          W {Ts; Ti}            Incomparable          Incomparable
R {Ps; Ti}          W {Ps; Ti}            Incomparable          Incomparable
R {0; Ti}           W {0; Ti}             Incomparable          Incomparable
R {Ts, Ps; Pi}      W {Ts, Ps; Pi}        Incomparable          Incomparable
R {Ts; Pi}          W {Ts; Pi}            Incomparable          Equal
R {Ps; Pi}          W {Ps; Pi}            Incomparable          Incomparable
R {0; Pi}           W {0; Pi}             Incomparable          Incomparable
R {Ts, Ps; Ti, Pi}  W {Ts, Ps; Ti, Pi}    Incomparable          Incomparable
R {Ts; Ti, Pi}      W {Ts; Ti, Pi}        Incomparable          Incomparable
R {Ps; Ti, Pi}      W {Ps; Ti, Pi}        Incomparable          Incomparable
R {0; Ti, Pi}       W {0; Ti, Pi}         Incomparable          Incomparable

Once you have determined the dominance for each combination, you can refer to the graded authentication rules (see Section 4.2, Graded Authentication Rules) to determine the access the user will have, as follows:

User Clearances (A1)                      Security Label (A2)   Security Label (A2)
R = Read . . . W = Write                  {Ts, Ps; Ti}          {Ts; Pi}

R {Ts, Ps; 0}       W {Ts, Ps; 0}         Read                  Read
R {Ts; 0}           W {Ts; 0}             NA                    NA
R {Ps; 0}           W {Ps; 0}             NA                    NA
R {0; 0}            W {0; 0}              NA                    NA
R {Ts, Ps; Ti}      W {Ts, Ps; Ti}        Read/Write            NA
R {Ts; Ti}          W {Ts; Ti}            NA                    NA
R {Ps; Ti}          W {Ps; Ti}            NA                    NA
R {0; Ti}           W {0; Ti}             NA                    NA
R {Ts, Ps; Pi}      W {Ts, Ps; Pi}        NA                    NA
R {Ts; Pi}          W {Ts; Pi}            NA                    Read/Write
R {Ps; Pi}          W {Ps; Pi}            NA                    NA
R {0; Pi}           W {0; Pi}             NA                    NA
R {Ts, Ps; Ti, Pi}  W {Ts, Ps; Ti, Pi}    NA                    NA
R {Ts; Ti, Pi}      W {Ts; Ti, Pi}        NA                    NA
R {Ps; Ti, Pi}      W {Ps; Ti, Pi}        NA                    NA
R {0; Ti, Pi}       W {0; Ti, Pi}         NA                    NA

The above example is provided to help you understand the details of how security access is determined. NMAS provides a tool that calculates this access information for you. See Viewing Security Clearance Access.
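The following script is an added example and is not part of the NMAS documentation or of any NMAS tool. It models the two steps the tables above walk through: comparing a single-level clearance with a security label, and turning the comparison into the access outcome the second table shows (Dominate gives Read, Equal gives Read/Write, anything else gives NA). The definition of "dominates" used here is an assumption, stated in the code: a clearance dominates a label when it holds every secrecy category of the label and no integrity category outside the label's set. The page defers the exact rule to its Dominance section, so check the results against that section before relying on them; the comparison function also reports the case in which the label dominates the clearance, which the page's table does not list separately.

```python
# Added example, not from the NMAS documentation: a small model of graded
# authentication label comparison and the resulting access outcome.
#
# ASSUMPTION: "clearance dominates label" means the clearance has every
# secrecy category of the label and no integrity category the label lacks
# (the usual combined secrecy/integrity ordering). Verify this against the
# Dominance section of the guide before relying on the output.

from itertools import combinations

# Canonical print order for categories, matching the page's notation.
ORDER = ("Ts", "Ps", "Ti", "Pi")


def parse_label(text):
    """Parse '{Ts, Ps; Ti}' into (secrecy set, integrity set).
    '0' stands for an empty category set, as on the page."""
    secrecy_part, integrity_part = text.strip().strip("{}").split(";")

    def cats(part):
        items = [c.strip() for c in part.split(",") if c.strip()]
        return frozenset(c for c in items if c != "0")

    return cats(secrecy_part), cats(integrity_part)


def format_label(label):
    """Render (secrecy set, integrity set) back into the page's notation."""
    secrecy, integrity = label
    s = ", ".join(sorted(secrecy, key=ORDER.index)) or "0"
    i = ", ".join(sorted(integrity, key=ORDER.index)) or "0"
    return "{%s; %s}" % (s, i)


def dominates(a, b):
    """True if a dominates b under the assumption stated above."""
    return a[0] >= b[0] and a[1] <= b[1]


def compare(clearance, label):
    """Classify the pair the way the first table does, with one extra case:
    'Dominated' (the label dominates the clearance), which the page's
    table reports only as Incomparable."""
    if clearance == label:
        return "Equal"
    if dominates(clearance, label):
        return "Dominate"
    if dominates(label, clearance):
        return "Dominated"
    return "Incomparable"


def access(clearance, label):
    """Access outcome for a single-level clearance (Read label == Write
    label), exactly as the second table exhibits it."""
    result = compare(clearance, label)
    if result == "Equal":
        return "Read/Write"
    if result == "Dominate":
        return "Read"
    return "NA"


def power_set(items):
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]


def all_clearances():
    """The 16 combinations of the Ts/Ps secrecy and Ti/Pi integrity categories."""
    return [(s, i) for i in power_set(("Ti", "Pi")) for s in power_set(("Ts", "Ps"))]


def decision_table(labels):
    """Map (clearance text, label text) -> (comparison, access) for every
    single-level clearance drawn from the 16 combinations."""
    table = {}
    for clearance in all_clearances():
        for label in labels:
            key = (format_label(clearance), format_label(label))
            table[key] = (compare(clearance, label), access(clearance, label))
    return table


if __name__ == "__main__":
    # The two labels the page picks for its worked example.
    labels = [parse_label("{Ts, Ps; Ti}"), parse_label("{Ts; Pi}")]
    table = decision_table(labels)
    print("%-20s %-14s %-12s   %-14s %-12s" % ("clearance", "vs " + format_label(labels[0]),
                                               "access", "vs " + format_label(labels[1]), "access"))
    for clearance in all_clearances():
        c = format_label(clearance)
        row = [c]
        for label in labels:
            row.extend(table[(c, format_label(label))])
        print("%-20s %-14s %-12s   %-14s %-12s" % tuple(row))
```

Running the script prints a decision table in the same layout as the page's two tables, one line per clearance. Cells where the assumed dominance rule differs from the page's table are exactly the ones to reconcile against the Dominance section; the access mapping itself is the one the second table shows, and the real answer for a deployed system comes from the NMAS clearance-access viewer referenced above, not from this model.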

For another example of how Graded Authentication works, see Section 4.6, Graded Authentication Example.