The Security Policy object is the object in Novell® eDirectory™ that you can use to manage the elements of graded authentication. The Security Policy object resides in the Security container.
For more information, see Configuring the Security Policy Object .
A category is an element of a set that represents sensitivity and trust. You use categories to define security labels.
There are two types of categories: secrecy and integrity.
Secrecy controls the disclosure or reading of information. You can define additional secrecy categories to meet your company's needs.
Integrity controls the modification or writing of information.
NMAS comes with three secrecy categories (Biometric, Token, Password) and three integrity categories (Biometric, Token, Password) defined. You can define additional integrity categories to meet your company's needs.
For more information, see Defining User-Defined Categories (Closed User Groups) .
A security label represents the sensitivity of information. It is a set made up of categories. For example, the Biometric security label contains the Biometric secrecy category. The Biometric and Token and Password security label contains three secrecy categories: Biometric, Token, and Password.
A security label can be assigned to a volume or to any eDirectory attribute. The security label is compared against a user's current clearance to determine what information the user can access.
NMAS comes with eight security labels defined. The following table shows the predefined security labels and single-level clearances:
You can define additional security labels to meet your company's needs.
For more information, see Defining Security Labels .
Clearances are assigned to users to represent the amount of trust you have in that user. A clearance has a Read label that specifies what a user can read and a Write label that specifies what information a user can write to. For more information, see Dominance and Graded Authentication Rules .
There are two types of clearances: single-level and multi-level.
A single-level clearance is a clearance in which the Read label and the Write label are the same. For example, the Biometric clearance's Read label and Write label both use the Biometric label. Therefore, a user who is assigned the Biometric clearance can read information labeled Biometric or with any label that Biometric dominates, but can write only to information labeled Biometric. Every label is also available as a single-level clearance of the same name.
A multi-level clearance is a clearance in which the Read label and the Write label are different. For example, the Multi-Level Administrator clearance is a multi-level clearance and has Biometric and Token and Password for the Read label and Logged In for the Write label. This clearance will allow the user to read all information and to write to all information that is labeled with the default security labels.
NMAS defines only one multi-level clearance: Multi-Level Administrator.
You can define additional clearances to meet your company's needs.
The following figure summarizes the access relationships between the predefined clearances and the security labels.
For more information, see Defining Clearances .
In administering graded authentication, it is vitally important that you understand the concept of dominance.
All access control decisions are based on the relationship between the labels of the information and the session clearance of the user. There are only three such relationships:
Label A1 is said to dominate Label A2 if:
A1's secrecy categories include all those of A2
AND
A2's integrity categories include all those of A1
Note that the two conditions run in opposite directions: adding secrecy categories to a label raises it, while adding integrity categories lowers it.
Label A1 is equal to Label A2 if:
A1's secrecy categories are the same as A2's secrecy categories.
AND
A1's integrity categories are the same as A2's integrity categories.
This may also be expressed as:
A1 dominates A2 and A2 dominates A1.
Label A1 is incomparable to Label A2 if none of the previous relationships apply.
For more information, see Graded Authentication Rules .
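The following is an added example that models the definitions above in code; it is not Novell code and is not part of the NMAS documentation. It implements the dominance, equality and incomparability relationships exactly as stated on this page, then applies them to the single-level Biometric clearance and the Multi-Level Administrator clearance described in the clearance section. Assumptions, also marked in the code: the predefined labels named on the page (Biometric, Token, Biometric and Token and Password, Logged In) are modeled as secrecy-only labels with Logged In as the empty label; the write rule (the information's label must lie between the clearance's Write label and its Read label) is inferred from the page's two examples rather than stated by the page, and the authoritative rules are in Graded Authentication Rules; the "Payroll Integrity" label and its use of a Password integrity category are hypothetical, added to show the reversed direction of the integrity condition.

```python
"""Model of NMAS graded-authentication labels, dominance and clearances.

Added example following the definitions on the page; not Novell code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """A security label: a set of secrecy categories and a set of integrity categories."""
    name: str
    secrecy: frozenset = frozenset()
    integrity: frozenset = frozenset()


def dominates(a1: Label, a2: Label) -> bool:
    """A1 dominates A2 if A1's secrecy categories include all those of A2
    AND A2's integrity categories include all those of A1.
    The integrity test is reversed: more integrity categories means a lower label."""
    return a1.secrecy >= a2.secrecy and a2.integrity >= a1.integrity


def equal(a1: Label, a2: Label) -> bool:
    """Same secrecy and same integrity categories: A1 dominates A2 and A2 dominates A1."""
    return dominates(a1, a2) and dominates(a2, a1)


def relationship(a1: Label, a2: Label) -> str:
    """The page's three relationships, with dominance reported from A1's side:
    'dominates' when A1 dominates A2, 'dominated' when A2 dominates A1."""
    if equal(a1, a2):
        return "equal"
    if dominates(a1, a2):
        return "dominates"
    if dominates(a2, a1):
        return "dominated"
    return "incomparable"


@dataclass(frozen=True)
class Clearance:
    """A clearance has a Read label and a Write label."""
    name: str
    read: Label
    write: Label

    def is_single_level(self) -> bool:
        return equal(self.read, self.write)


def can_read(clearance: Clearance, info: Label) -> bool:
    """Read access: the clearance's Read label must dominate the information's label."""
    return dominates(clearance.read, info)


def can_write(clearance: Clearance, info: Label) -> bool:
    """Write access. ASSUMPTION inferred from the page's examples, not a rule it states:
    the information's label must dominate the Write label and be dominated by the
    Read label, so it lies between the two (equal to both for a single-level clearance)."""
    return dominates(info, clearance.write) and dominates(clearance.read, info)


# Predefined labels named on the page. ASSUMPTION: modeled with secrecy categories
# only, and "Logged In" as the empty label.
BIOMETRIC = Label("Biometric", frozenset({"Biometric"}))
TOKEN = Label("Token", frozenset({"Token"}))
B_T_P = Label("Biometric and Token and Password", frozenset({"Biometric", "Token", "Password"}))
LOGGED_IN = Label("Logged In")

# Clearances from the page: each label doubles as a single-level clearance, and
# Multi-Level Administrator reads at B_T_P and writes at Logged In.
BIOMETRIC_CLEARANCE = Clearance("Biometric", read=BIOMETRIC, write=BIOMETRIC)
MLA = Clearance("Multi-Level Administrator", read=B_T_P, write=LOGGED_IN)

# HYPOTHETICAL user-defined label carrying an integrity category, to show the
# reversed direction: Logged In dominates it, not the other way round.
PAYROLL_INT = Label("Payroll Integrity", integrity=frozenset({"Password"}))


def access_matrix(clearance: Clearance, labels) -> dict:
    """Return {label name: (can_read, can_write)} for one clearance."""
    return {lab.name: (can_read(clearance, lab), can_write(clearance, lab)) for lab in labels}


if __name__ == "__main__":
    sample = [LOGGED_IN, BIOMETRIC, TOKEN, B_T_P, PAYROLL_INT]
    for clearance in (BIOMETRIC_CLEARANCE, MLA):
        print(f"Clearance: {clearance.name} (single-level={clearance.is_single_level()})")
        for name, (r, w) in access_matrix(clearance, sample).items():
            print(f"  {name:35} read={str(r):5} write={w}")
```

Running the script shows the two behaviours the page describes: the Biometric clearance reads Biometric and Logged In but writes only to Biometric, and Multi-Level Administrator reads and writes every predefined label. It also shows what the page's definition implies for a label with an integrity category: both clearances can read Payroll Integrity, because Logged In and Biometric dominate it, but neither can write to it, because a Write label without the Password integrity category is not dominated by it. Writing such information needs a clearance whose Write label carries that integrity category.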