Description of the illustration olsag034.gif
Label Evaluation Process for Read Access with COMPACCESS Privilege and Inverse Groups: This flow diagram illustrates the criteria that must be satisfied to gain write access with inverse groups. Failing any criterion prohibits access. Criteria: 1. The data level must be less than or equal to the user level. 2. If the user has groups, then the data must have all the groups that are in the user label, and the data must have no compartments or, if it has compartments, the user has all the compartments. 3. If the user has groups, but the data does not have all the groups that are in the user label, then the data must have compartments and the user must have all the compartments. 4. If the user does not have groups, then the data must have no compartments or, if it has compartments, the user has all the compartments. Failing any of these criteria causes denial of access. In all other conditions, access is granted.