17.20 - Basic SQL Access Control Guidelines - Analytics Database - Teradata Vantage

Teradata Vantage™ - Analytics Database Security Administration - 17.20

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2023-03-07

The following guidelines, based on the Bell-LaPadula model, are commonly used to enforce access control in government and military applications. Each row carries a label made up of a hierarchical level and a set of non-hierarchical compartments, and each session carries a label of the same form; the rules compare the two labels on every read and write.

No Read Up (for SELECT operations):

  • The session hierarchical level must be greater than or equal to the row hierarchical level.

    Users cannot read a row with a higher classification.

  • The session non-hierarchical label must include all compartments found in the row label.

    The user can read a row only if assigned to all compartments used to classify the row.

No Write Down (for INSERT/UPDATE operations):

  • The row hierarchical level must be greater than or equal to the session hierarchical level.

    New or updated rows inherit the session level. This rule prevents an updating user from accidentally reclassifying the row to a lower level.

  • The row label must include all non-hierarchical compartments in the session label.

    New or updated rows inherit all session compartments. This rule prevents an updating user from accidentally dropping a compartment from a row, which would declassify it and expose it to sessions that lack that compartment. (Adding compartments the session does not hold is a write up and is not blocked by this rule.)

The sample rules do not contain a DELETE policy, but it is common to require that a row be set to the lowest classification level or to NULL (declassified) before it can be deleted.
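The four rules above, plus the DELETE convention, reduce to one dominance relation between labels: a session reads a row only if the session label dominates the row label, and writes a row only if the resulting row label dominates the session label. The following Python model is an added illustration of that relation; it is not Teradata's row-level security implementation, and the level names and values, compartment names, and sample table are all assumed for the example.

```python
"""Bell-LaPadula style row-label checks: No Read Up and No Write Down.

Illustrative model of the guidelines in the text, not Teradata's row-level
security code. Level names/values, compartment names and the sample table
are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hierarchical levels: a higher value is more sensitive (assumed names/values).
LEVELS = {"UNCLASSIFIED": 1, "CONFIDENTIAL": 2, "SECRET": 3, "TOP_SECRET": 4}
LOWEST_LEVEL = min(LEVELS.values())


@dataclass(frozen=True)
class Label:
    """A hierarchical level plus a set of non-hierarchical compartments.

    level=None models a NULL (declassified) row label.
    """
    level: Optional[int]
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when self is at least as high as other and holds every compartment of other."""
        if other.level is None:
            return True          # a declassified label is dominated by everything
        if self.level is None:
            return False         # a declassified label dominates nothing classified
        return self.level >= other.level and self.compartments >= other.compartments


def can_read(session: Label, row: Label) -> bool:
    """No Read Up (SELECT): the session label must dominate the row label."""
    return session.dominates(row)


def can_write(session: Label, row: Label) -> bool:
    """No Write Down (INSERT/UPDATE): the resulting row label must dominate the session label.

    Raising the level or adding compartments is allowed; lowering the level or
    dropping a compartment the session holds is rejected.
    """
    return row.dominates(session)


def label_for_write(session: Label, requested: Optional[Label] = None) -> Optional[Label]:
    """Label a row receives on INSERT/UPDATE.

    With no explicit label the row inherits the session level and compartments.
    An explicit label is returned only if it does not write down; otherwise None.
    """
    if requested is None:
        return Label(session.level, session.compartments)
    return requested if can_write(session, requested) else None


def can_delete(row: Label) -> bool:
    """DELETE convention from the text: lowest level with no compartments, or NULL."""
    return row.level is None or (row.level == LOWEST_LEVEL and not row.compartments)


def select_rows(session: Label, rows: List[Tuple[Label, str]]) -> List[str]:
    """Filter a table of (label, payload) to the rows the session may read."""
    return [payload for label, payload in rows if can_read(session, label)]


# Constructed sample table (not real data).
TABLE = [
    (Label(LEVELS["UNCLASSIFIED"]), "public notice"),
    (Label(LEVELS["SECRET"], frozenset({"NATO"})), "secret/NATO memo"),
    (Label(LEVELS["SECRET"], frozenset({"NATO", "UK"})), "secret/NATO+UK memo"),
    (Label(LEVELS["TOP_SECRET"]), "top secret brief"),
    (Label(None), "declassified record"),
]

if __name__ == "__main__":
    session = Label(LEVELS["SECRET"], frozenset({"NATO"}))
    print("readable:", select_rows(session, TABLE))
    print("inherits:", label_for_write(session))
    print("drop compartment allowed?", can_write(session, Label(LEVELS["SECRET"])))
```

A SECRET/{NATO} session sees the UNCLASSIFIED row, the SECRET/{NATO} row and the declassified row, but not the SECRET/{NATO, UK} row (missing compartment) or the TOP_SECRET row (level too high). The same session may write a row labelled TOP_SECRET/{NATO, UK} (a write up) but not one labelled SECRET with no compartments, because that would drop a compartment it holds. Note that declassifying a row to NULL is itself a write down under these rules, so the DELETE convention implies a separate privileged step for declassification.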