Basic SQL Access Control Guidelines - Advanced SQL Engine - Teradata Database

Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.05, 17.00
Published: September 2020
Language: English (United States)
Last Update: 2021-01-23
Document ID: B035-1100
Product Category: Teradata Vantage™

The following guidelines, based on the Bell-LaPadula model, are commonly used to enforce access control in government and military applications.

No Read Up (for SELECT operations):

  • The session hierarchical level must be >= the row hierarchical level.

    Users cannot read a row with a higher classification.

  • The session non-hierarchical label must include all compartments found in the row label.

    The user can read a row only if assigned to all compartments used to classify the row.

No Write Down (for INSERT/UPDATE operations):

  • The row hierarchical level must be >= the session hierarchical level.

    New or updated rows inherit the session level. This rule prevents an updating user from accidentally reclassifying the row to a lower level.

  • The row label must include all non-hierarchical compartments in the session label.

    New or updated rows inherit all session compartments. This rule prevents an updating user from accidentally adding excess compartmental classifications to a row.

The sample rules do not contain a DELETE policy, but it is common to require that a row be set to the lowest classification level or to NULL (declassified) before it can be deleted.
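The two No Read Up checks, the two No Write Down checks and the sample DELETE policy above, as an added Python example that is not Teradata code: the level names, compartment names and the convention of modelling a NULL (declassified) label as `None` are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Hierarchical levels, lowest to highest. Constructed sample values: the page
# does not prescribe a particular level set or compartment names.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
LOWEST_LEVEL = "UNCLASSIFIED"

@dataclass(frozen=True)
class Label:
    """One hierarchical level plus a set of non-hierarchical compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when this level is >= other's level and this label holds every
        compartment present in other: the two checks behind each rule."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def can_select(session: Label, row: Optional[Label]) -> bool:
    """No Read Up: the session label must dominate the row label.
    A declassified row (NULL label, modelled as None) is readable by anyone."""
    return row is None or session.dominates(row)

def visible_rows(session: Label, rows: Iterable[Tuple[str, Optional[Label]]]) -> List[str]:
    """Apply the SELECT rule to (row_id, row_label) pairs and return the ids
    the session may read."""
    return [row_id for row_id, label in rows if can_select(session, label)]

def label_for_write(session: Label) -> Label:
    """No Write Down: an inserted or updated row inherits the session label, so
    the writer cannot drop the level below the session level or omit a
    session compartment."""
    return Label(session.level, frozenset(session.compartments))

def can_write(session: Label, proposed_row: Label) -> bool:
    """Check an explicitly supplied row label against No Write Down: row level
    >= session level and every session compartment present in the row label,
    i.e. the row label must dominate the session label."""
    return proposed_row.dominates(session)

def can_delete(row: Optional[Label]) -> bool:
    """Sample DELETE policy: the row must first be declassified (NULL) or set to
    the lowest level. Requiring no compartments at the lowest level is an
    assumption added here; the page states only the level condition."""
    return row is None or (row.level == LOWEST_LEVEL and not row.compartments)
```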