17.10 - Basic SQL Access Control Guidelines - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Release Date
July 2021
Content Type
Administration
Security
Publication ID
B035-1100-171K
Language
English (United States)

The following guidelines, based on the Bell-LaPadula model, are commonly used to enforce mandatory access control in government and military applications.

No Read Up (for SELECT operations):

  • The session hierarchical level must be >= the row hierarchical level.

    Users cannot read a row with a higher classification.

  • The session non-hierarchical label must include all compartments found in the row label.

    The user can read a row only if assigned to all compartments used to classify the row.

No Write Down (for INSERT/UPDATE operations):

  • The row hierarchical level must be >= the session hierarchical level.

    New or updated rows inherit the session level. This rule prevents an updating user from accidentally reclassifying the row to a lower level.

  • The row label must include all non-hierarchical compartments in the session label.

    New or updated rows inherit all session compartments. This rule prevents an updating user from accidentally dropping compartments from a row's classification, which would release the row to users who are not assigned to those compartments.

The sample rules do not contain a DELETE policy, but it is common to require that a row be set to the lowest classification level, or to NULL (declassified), before it can be deleted.
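The No Read Up and No Write Down rules above, plus the DELETE convention, worked through as an added example in Python. This is an illustration written for this page, not Teradata's constraint UDFs or their SQL; the level names, compartment names, the `Label` and `Row` types, and the table contents are all constructed for the example.

```python
"""Bell-LaPadula label dominance for row-level security.

Added illustration, not Teradata's constraint UDFs. The level names,
compartment names and table contents are constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed hierarchical levels; a larger number is more sensitive.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
LOWEST_LEVEL = min(LEVELS.values())


@dataclass(frozen=True)
class Label:
    level: int
    compartments: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        """Dominance: level >= other's level and compartments include all of other's."""
        return self.level >= other.level and self.compartments >= other.compartments


def label(level_name: str, *compartments: str) -> Label:
    """Build a label from a constructed level name and compartment names."""
    return Label(LEVELS[level_name], frozenset(compartments))


@dataclass
class Row:
    row_id: int
    payload: str
    label: Optional[Label]  # None means the row has been declassified


def can_read(session: Label, row: Row) -> bool:
    """No Read Up: the session label must dominate the row label."""
    return row.label is None or session.dominates(row.label)


def can_write(session: Label, row_label: Label) -> bool:
    """No Write Down: the label being written must dominate the session label."""
    return row_label.dominates(session)


def select_rows(table: List[Row], session: Label) -> List[int]:
    """Row ids a SELECT returns under No Read Up."""
    return [r.row_id for r in table if can_read(session, r)]


def insert_row(table: List[Row], session: Label, row_id: int, payload: str) -> Row:
    """INSERT: the new row inherits the session label, which satisfies No Write Down."""
    row = Row(row_id, payload, session)
    table.append(row)
    return row


def update_row(table: List[Row], session: Label, row_id: int, payload: str) -> Row:
    """UPDATE: the row must be readable (No Read Up); the rewritten row inherits the
    session label. Since the session dominates the old label, the row is never lowered."""
    row = next(r for r in table if r.row_id == row_id)
    if not can_read(session, row):
        raise PermissionError(f"row {row_id}: session label does not dominate row label")
    row.payload = payload
    row.label = session
    assert can_write(session, row.label)  # always holds: a label dominates itself
    return row


def delete_row(table: List[Row], row_id: int) -> bool:
    """DELETE convention from the text: only a declassified row (NULL label, or the
    lowest level with no compartments) may be removed. Returns True if removed."""
    row = next(r for r in table if r.row_id == row_id)
    declassified = row.label is None or (
        row.label.level == LOWEST_LEVEL and not row.label.compartments
    )
    if not declassified:
        return False
    table.remove(row)
    return True


def sample_table() -> List[Row]:
    """Constructed rows that exercise each rule."""
    return [
        Row(1, "public notice", label("UNCLASSIFIED")),
        Row(2, "alpha report", label("SECRET", "ALPHA")),
        Row(3, "alpha/bravo report", label("SECRET", "ALPHA", "BRAVO")),
        Row(4, "alpha top-secret report", label("TOP SECRET", "ALPHA")),
        Row(5, "bravo memo", label("CONFIDENTIAL", "BRAVO")),
        Row(6, "old notice", None),
    ]


if __name__ == "__main__":
    session = label("SECRET", "ALPHA")
    table = sample_table()
    print("readable:", select_rows(table, session))  # [1, 2, 6]
    print("can lower to CONFIDENTIAL:", can_write(session, label("CONFIDENTIAL", "ALPHA")))  # False
```

Running the block with a SECRET/ALPHA session shows the three cases the rules describe: rows 3, 4 and 5 are hidden by No Read Up (missing compartment, higher level, and a compartment the session lacks), an attempt to write a CONFIDENTIAL or compartment-free label is refused by No Write Down, and an UPDATE of the UNCLASSIFIED row 1 raises it to the session label rather than leaving it readable to everyone. After that update, `delete_row` refuses row 1 until it is declassified again.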