Security Labels

A security label represents an association between a particular security level and zero or more security categories.

When security label checking is enabled, CA ControlMinder performs security label checking in addition to other authorization checks. When a user requests access to a resource that has a security label assigned to it, CA ControlMinder makes two comparisons in order.

First, CA ControlMinder compares the list of security categories specified in the resource record's security label with the list of security categories specified in the user record's security label. If every category assigned to the resource's security label appears in the user's security label, CA ControlMinder continues with the security level check; otherwise, the user is denied access to the resource.

Second, CA ControlMinder compares the security level specified in the resource record's security label with the security level specified in the user record's security label. If the security level assigned in the user's security label is equal to or greater than the security level assigned in the resource's security label, CA ControlMinder continues with other authorization checking; otherwise, the user is denied access to the resource.

When security label checking is enabled, the security categories and security level specified in the user and resource records are ignored; only the security level and categories specified in the security label definitions are used.
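The two comparisons described above can be modeled in a few lines. This is an added illustration, not CA ControlMinder code: the label names, level values, users and the `label_check` function are constructed for the example, and denying a user who has no security label is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Label:
    level: int
    categories: frozenset

@dataclass(frozen=True)
class Record:
    name: str
    label: Optional[str] = None          # name of the assigned security label
    level: int = 0                       # record's own level: ignored by this check
    categories: frozenset = frozenset()  # record's own categories: ignored too

def label_check(user, resource, labels):
    """Return ("continue" | "deny", reason) for the security label step only."""
    if resource.label is None:
        return "continue", "resource has no security label"
    if user.label is None:
        # Assumption: an unlabelled user cannot satisfy a labelled resource.
        return "deny", "user has no security label"
    u, r = labels[user.label], labels[resource.label]
    missing = r.categories - u.categories   # category check comes first
    if missing:
        return "deny", "user label lacks categories: " + ", ".join(sorted(missing))
    if u.level < r.level:                   # then the level check
        return "deny", f"user level {u.level} < resource level {r.level}"
    return "continue", "label check passed"

# Constructed sample label definitions and records.
LABELS = {
    "FIN_HR_SECRET": Label(200, frozenset({"FINANCE", "HR"})),
    "FIN_HR_CONF": Label(100, frozenset({"FINANCE", "HR"})),
    "HR_SECRET": Label(200, frozenset({"HR"})),
    "PUBLIC": Label(0, frozenset()),
}
PAYROLL = Record("payroll.db", label="FIN_HR_SECRET")
USERS = [
    Record("alice", label="FIN_HR_SECRET"),
    Record("bob", label="HR_SECRET"),      # same level, missing FINANCE
    Record("carol", label="FIN_HR_CONF"),  # all categories, lower level
    # High values on the record itself do not help: only the label counts.
    Record("dave", label="PUBLIC", level=255,
           categories=frozenset({"FINANCE", "HR"})),
]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, *label_check(u, PAYROLL, LABELS))
```

A "continue" result means only that the request proceeds to the other authorization checks, not that access is granted.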

To protect a resource by security label checking, assign a security label to the resource's record. The label parameter of the newres or chres command assigns a security label to a resource.

To allow a user access to resources protected by security label checking, assign a security label to the user's record. The label parameter of the newusr or chusr command assigns security labels to a user.