The following guidelines, based on the Bell-LaPadula model, are commonly used to enforce access control in government and military applications.
No Read Up (for SELECT operations):
- The session hierarchical level must be greater than or equal to the row hierarchical level.
Users cannot read a row with a higher classification.
- The session non-hierarchical label must include all compartments found in the row label.
The user can read a row only if assigned to all compartments used to classify the row.
No Write Down (for INSERT/UPDATE operations):
- The row hierarchical level must be greater than or equal to the session hierarchical level.
New or updated rows inherit the session level. This rule prevents an updating user from accidentally reclassifying the row to a lower level.
- The row label must include all non-hierarchical compartments in the session label.
New or updated rows inherit all session compartments. This rule prevents an updating user from accidentally adding excess compartmental classifications to a row.
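The four rules above, modelled as label comparisons in an added example (not code from any database vendor). A label is a hierarchical level plus a set of non-hierarchical compartments; the level names, compartment names and sample rows are constructed for illustration.

```python
"""Bell-LaPadula row-label checks: No Read Up for SELECT, No Write Down for INSERT/UPDATE.

Added example, not vendor code. A label is a hierarchical level (higher number =
more sensitive) plus a set of non-hierarchical compartments. Level and
compartment names below are constructed.
"""
from dataclasses import dataclass, field

# Constructed hierarchical levels; only their numeric order matters.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    @property
    def rank(self) -> int:
        return LEVELS[self.level]


def can_read(session: Label, row: Label) -> bool:
    """No Read Up: session level >= row level, and the session holds every row compartment."""
    return session.rank >= row.rank and row.compartments <= session.compartments


def can_write(session: Label, row: Label) -> bool:
    """No Write Down: row level >= session level, and the row holds every session compartment."""
    return row.rank >= session.rank and session.compartments <= row.compartments


def inherited_row_label(session: Label) -> Label:
    """Label a new or updated row receives: it inherits the session level and compartments."""
    return Label(session.level, session.compartments)


def select_rows(session: Label, rows):
    """Filter a result set the way a labelled SELECT does: only readable rows are returned."""
    return [(label, data) for label, data in rows if can_read(session, label)]
```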