16.10 - Basic SQL Access Control Guidelines - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release: 16.10
Created: June 2017
Category: Administration, Security
Document number: B035-1100-161K

The following guidelines, based on the Bell-LaPadula model, are commonly used to enforce access control in government and military applications.

No Read Up (for SELECT operations):

  • The session hierarchical level must be >= the row hierarchical level.

    Users cannot read a row with a higher classification.

  • The session non-hierarchical label must include all compartments found in the row label.

    The user can read a row only if assigned to all compartments used to classify the row.

No Write Down (for INSERT/UPDATE operations):

  • The row hierarchical level must be >= the session hierarchical level.

    New or updated rows inherit the session level. This rule prevents an updating user from accidentally reclassifying the row to a lower level.

  • The row label must include all non-hierarchical compartments in the session label.

    New or updated rows inherit all session compartments. This rule prevents an updating user from accidentally adding excess compartmental classifications to a row.

The sample rules do not include a DELETE policy, but it is common to require that a row be set to the lowest classification level or to NULL (declassified) before it can be deleted.
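The following is an added example, written for this page and not Teradata code: it implements the four rules above, plus the common DELETE convention, as plain Python label comparisons so the dominance checks can be read and tested outside the database. The level names, the `LEVEL:COMP1,COMP2` label string syntax, the `parse_label`/`can_select`/`can_write`/`can_delete` function names and the sample rows are all constructed for the illustration; they are not Teradata's constraint-function API.

```python
from dataclasses import dataclass
from typing import Optional, List

# Hypothetical hierarchical levels; a higher number is more sensitive (constructed).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
LOWEST_LEVEL = min(LEVELS.values())


@dataclass(frozen=True)
class Label:
    """A security label: one hierarchical level plus a set of non-hierarchical compartments."""
    level: int
    compartments: frozenset


def parse_label(text: str) -> Label:
    """Parse a constructed 'LEVEL:COMP1,COMP2' string (compartment part optional)."""
    level_name, _, comp_text = text.partition(":")
    level = LEVELS[level_name.strip().upper()]  # KeyError on an unknown level is deliberate
    comps = frozenset(c.strip().upper() for c in comp_text.split(",") if c.strip())
    return Label(level, comps)


def can_select(session: Label, row: Label) -> bool:
    """No Read Up: session level >= row level, and the session holds every row compartment."""
    return session.level >= row.level and row.compartments <= session.compartments


def can_write(session: Label, row: Label) -> bool:
    """No Write Down (existing row on UPDATE): row level >= session level, and the row
    label already carries every compartment in the session label."""
    return row.level >= session.level and session.compartments <= row.compartments


def label_for_write(session: Label) -> Label:
    """INSERT/UPDATE: the new or updated row inherits the session level and compartments."""
    return Label(session.level, frozenset(session.compartments))


def can_delete(row: Optional[Label]) -> bool:
    """Sample DELETE policy: the row must be NULL (declassified) or at the lowest level.
    Whether compartments must also be cleared is not specified by the guideline and is
    left as a site decision here (assumption: level alone is checked)."""
    return row is None or row.level == LOWEST_LEVEL


def visible_rows(session: Label, rows: List[Label]) -> List[Label]:
    """Filter a table's row labels the way a SELECT would under No Read Up."""
    return [r for r in rows if can_select(session, r)]


if __name__ == "__main__":
    # Constructed sample: a SECRET session in compartment A, over four row labels.
    session = parse_label("SECRET:A")
    rows = [parse_label(s) for s in ("CONFIDENTIAL", "SECRET:A,B", "TOP SECRET:A", "SECRET:A")]
    for r in rows:
        print(r, "select" if can_select(session, r) else "no-read-up",
              "write" if can_write(session, r) else "no-write-down")
    print("row written by this session gets label:", label_for_write(session))
```

The two dominance checks are deliberately mirror images: `can_select` asks whether the session label dominates the row, `can_write` whether the row label dominates the session. A row is therefore readable and writable by the same session only when the labels are equal, which is the situation for rows the session itself inserted.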