IMPORTANT:Graded authentication is an additional level of control. It does not take the place of regular eDirectory and file system access rights. Regular eDirectory and file system access rights still need to be administered. Graded authentication is available only on Netware.
The following rules apply to graded authentication in NMAS:
If the Read label of the clearance dominates or is equal to the assigned security label and the security label dominates or is equal to the Write label of the clearance, then access is Read and Write.
If the Read label of the clearance dominates or is equal to the assigned security label but the security label does not dominate and is not equal to the write label, then access is Read-only.
For example, if a user has a clearance with a Read label of Password & Token and a Write label of Password & Token and wants to access a NetWare volume that has a security label of Password & Token, then the user has Read and Write access to that volume. However, the user has Read-only access to each NetWare volume assigned a Password security label.
NOTE:Read-only access prevents passing higher classified data to lower classified areas. Access is always Read-only to security labels that are lower than the clearance's Write label.
If the Read label of the clearance is dominated by the assigned security label, then no access is allowed.
Using a login sequence does not grant access rights unless the user is assigned the session clearance.
If you were to create a security label with both the Token and Password secrecy categories (Ts and Ps) and the Token and Password integrity categories (Ti and Pi), the possible combinations would look like the following:
|
{Ts, Ps; 0} |
|
|
|
{Ts; 0} |
|
|
|
{Ps; 0} |
|
|
|
{0; 0} |
|
|
|
{Ts, Ps; Ti} |
|
|
|
{Ts; Ti} |
|
|
|
{Ps; Ti} |
|
|
|
{0; Ti} |
|
|
|
{Ts, Ps; Pi} |
|
|
|
{Ts; Pi} |
|
|
|
{Ps; Pi} |
|
|
|
{0; Pi} |
|
|
|
{Ts, Ps; Ti, Pi} |
|
|
|
{Ts; Ti, Pi} |
|
|
|
{Ps; Ti, Pi} |
|
|
|
{0; Ti, Pi} |
|
|
Now, using the rules of dominance (see Dominance), you can check these combinations as user clearances against all possible security labels. For the purposes of this example, we will just compare the single-level clearances (Read and Write label are the same) against two randomly selected security labels - {Ts, Ps; Ti} and {Ts; Pi}.
Table 4-2 Dominance Example
|
User Clearances (A1) |
Security Label (A2) |
Security Label (A2) |
|---|---|---|
|
Read = R . . . Write = W |
{Ts, Ps; Ti} |
{Ts; Pi} |
|
R {Ts, Ps; 0} W {Ts, Ps; 0} |
Dominate |
Dominate |
|
R {Ts; 0} W {Ts; 0} |
Incomparable |
Incomparable |
|
R {Ps; 0} W {Ps; 0} |
Incomparable |
Incomparable |
|
R {0; 0} W {0; 0} |
Incomparable |
Incomparable |
|
R {Ts, Ps; Ti} W {Ts, Ps; Ti} |
Equal |
Incomparable |
|
R {Ts; Ti} W {Ts; Ti} |
Incomparable |
Incomparable |
|
R {Ps; Ti} W {Ps; Ti} |
Incomparable |
Incomparable |
|
R {0; Ti} W {0; Ti} |
Incomparable |
Incomparable |
|
R {Ts, Ps; Pi} W {Ts, Ps; Pi} |
Incomparable |
Incomparable |
|
R {Ts; Pi} W {Ts; Pi} |
Incomparable |
Equal |
|
R {Ps; Pi} W {Ps; Pi} |
Incomparable |
Incomparable |
|
R {0; Pi} W {0; Pi} |
Incomparable |
Incomparable |
|
R{Ts, Ps; Ti, Pi} W {Ts, Ps; Ti, Pi} |
Incomparable |
Incomparable |
|
R {Ts; Ti, Pi} W {Ts; Ti, Pi} |
Incomparable |
Incomparable |
|
R {Ps; Ti, Pi} W {Ps; Ti, Pi} |
Incomparable |
Incomparable |
|
R {0; Ti, Pi} W {0; Ti, Pi} |
Incomparable |
Incomparable |
After you have determined the dominance for each combination, you can refer to the graded authentication rules (see Section 4.2, Graded Authentication Rules) to determine the access the user will have, as follows:
Table 4-3 User Access
|
User Clearances (A1) |
Security Label (A2) |
Security Label (A2) |
|---|---|---|
|
R = Read . . . W=Write |
{Ts, Ps; Ti} |
{Ts; Pi} |
|
R {Ts, Ps; 0} W {Ts, Ps; 0} |
Read |
Read |
|
R {Ts; 0} W {Ts; 0} |
NA |
NA |
|
R {Ps; 0} W {Ps; 0} |
NA |
NA |
|
R {0; 0} W {0; 0} |
NA |
NA |
|
R {Ts, Ps; Ti} W {Ts, Ps; Ti} |
Read/Write |
NA |
|
R {Ts; Ti} W {Ts; Ti} |
NA |
NA |
|
R {Ps; Ti} W {Ps; Ti} |
NA |
NA |
|
R {0; Ti} W {0; Ti} |
NA |
NA |
|
R {Ts, Ps; Pi} W {Ts, Ps; Pi} |
NA |
NA |
|
R {Ts; Pi} W {Ts; Pi} |
NA |
Read/Write |
|
R {Ps; Pi} W {Ps; Pi} |
NA |
NA |
|
R {0; Pi} W {0; Pi} |
NA |
NA |
|
R{Ts, Ps; Ti, Pi} W {Ts, Ps; Ti, Pi} |
NA |
NA |
|
R {Ts; Ti, Pi} W {Ts; Ti, Pi} |
NA |
NA |
|
R {Ps; Ti, Pi} W {Ps; Ti, Pi} |
NA |
NA |
|
R {0; Ti, Pi} W {0; Ti, Pi} |
NA |
NA |
The above example is provided to help you understand the details of how security access is determined. NMAS provides a tool calculates this access information for you. See Viewing Security Clearance Access.
For another example of how Graded Authentication works, see Section 4.6, Graded Authentication Example.