The following guidelines, based on the Bell-LaPadula Model, are commonly used to enforce access control in government and military applications.
No Read Up (for SELECT operations):
- The session hierarchical level must be >= the row hierarchical level.
Users cannot read a row with a higher classification.
- The session non-hierarchical label must include all compartments found in the row label.
The user can read a row only if assigned to all compartments used to classify the row.
No Write Down (for INSERT/UPDATE operations):
- The row hierarchical level must be >= the session hierarchical level.
New or updated rows inherit the session level. This rule prevents an updating user from accidentally reclassifying the row to a lower level.
- The row label must include all non-hierarchical compartments in the session label.
New or updated rows inherit all session compartments. This rule prevents an updating user from accidentally adding excess compartmental classifications to a row.
The sample rules do not contain a DELETE policy, but it is common to require that a row be set to the lowest classification level or to NULL (declassified) before it can be deleted.
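As an added example (not code from the original text), the two read checks, the two write checks and the common DELETE policy described above, written in Python. The four-level hierarchy, the compartment names and the `Label` type are assumptions for illustration; the compartment checks are plain subset tests.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed hierarchical levels, ordered lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """One hierarchical level plus a set of non-hierarchical compartments."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)


def no_read_up(session: Label, row: Label) -> bool:
    """SELECT is allowed only if the session level is >= the row level and
    the session label includes every compartment found in the row label."""
    return (LEVELS[session.level] >= LEVELS[row.level]
            and row.compartments <= session.compartments)


def no_write_down(session: Label, row: Label) -> bool:
    """INSERT/UPDATE is allowed only if the row level is >= the session level
    and the row label includes every compartment in the session label."""
    return (LEVELS[row.level] >= LEVELS[session.level]
            and session.compartments <= row.compartments)


def inherited_label(session: Label) -> Label:
    """Label a new or updated row receives when it inherits the session label;
    such a row always satisfies no_write_down for the writing session."""
    return Label(session.level, session.compartments)


def may_delete(row: Optional[Label]) -> bool:
    """Common DELETE policy: the row label is NULL (declassified), or the row
    sits at the lowest level with no compartments."""
    if row is None:
        return True
    return LEVELS[row.level] == min(LEVELS.values()) and not row.compartments
```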