Security label component type: TREE

Security label component type TREE contains a group of elements that represent a family of parent-child relationships.

The elements in this type of security label component can be thought of as being in a tree. The first element you specify for a TREE-type component is ROOT, which represents the highest level of authority. Then you specify the other elements sequentially to follow the different levels of children and grandchildren that you want in the component.

The maximum number of elements in a TREE security label component is 64. The value of a TREE component in a label can be one or more of its nodes.

Example: JK Enterprises decides that its levels of authority to access protected data must follow its organizational chart. The company can use this scheme to outline its TREE security label component. The following example shows a statement creating the region security label component:
CREATE SECURITY LABEL COMPONENT region 
TREE ( 'USA Headquarters' ROOT, 
       'West' UNDER 'USA Headquarters', 
       'Central' UNDER 'USA Headquarters', 
       'East' UNDER 'USA Headquarters', 
       'Pacific Northwest' UNDER 'West', 
       'California' UNDER 'West', 
       'Pacific Southwest' UNDER 'West',
       'North Central' UNDER 'Central',
       'South Central' UNDER 'Central',
       'Northeast' UNDER 'East',
       'Mid Atlantic' UNDER 'East',
       'Southeast' UNDER 'East');
Figure 1 illustrates the relationships among the TREE component elements in this example.
Figure 1: Relationship of elements in a TREE example

The diagram illustrates the hierarchy of the TREE component for a sample company called JK Enterprises. USA Headquarters is the top node. Under this node, the children branch out to three different regions of the United States. For example, one such child is Central, under which there are child nodes called North Central and South Central.
When a user label with one or more TREE components is compared to a data label with TREE components:
  • For read access, the IDSLBACREADTREE rule lets the user label dominate and have read access when the user label's TREE component includes at least one of the elements in the value for the TREE component of the data label or the ancestor of one such element.
  • For write access, the IDSLBACWRITETREE rule lets the user label dominate and have write access when each of the user label's TREE components includes at least one of the elements in the value for the TREE component of the data label or the ancestor of one such element.
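
The comparison described above can be modelled outside the database to check which user values reach which rows. The following Python is an added example, not Informix code or part of the original documentation; it covers a single TREE component, and the names PARENT, validate and tree_dominates, as well as the assumption that each parent is declared before its children, are its own.

```python
# Added illustration: a model of the comparison rule, not Informix code.
# PARENT mirrors the page's `region` component; None marks ROOT.
PARENT = {
    "USA Headquarters": None,
    "West": "USA Headquarters",
    "Central": "USA Headquarters",
    "East": "USA Headquarters",
    "Pacific Northwest": "West",
    "California": "West",
    "Pacific Southwest": "West",
    "North Central": "Central",
    "South Central": "Central",
    "Northeast": "East",
    "Mid Atlantic": "East",
    "Southeast": "East",
}

def validate(component):
    """Check the limits the page states; assumes parents are declared first."""
    if len(component) > 64:
        raise ValueError("a TREE component holds at most 64 elements")
    seen = set()
    for i, (elem, parent) in enumerate(component.items()):
        if i == 0 and parent is not None:
            raise ValueError("the first element must be ROOT")
        if i > 0 and parent not in seen:
            raise ValueError(f"{elem!r} is UNDER an undeclared element")
        seen.add(elem)

def tree_dominates(user_value, data_value, component=PARENT):
    """True when user_value includes an element of data_value or an
    ancestor of one such element."""
    validate(component)
    user_value, data_value = set(user_value), set(data_value)
    unknown = (user_value | data_value) - set(component)
    if unknown:
        raise KeyError(f"not elements of this component: {sorted(unknown)}")
    for elem in data_value:
        node = elem
        while node is not None:  # walk from the element up to ROOT
            if node in user_value:
                return True
            node = component[node]
    return False
```

In this model a user value of 'West' dominates data labeled 'California', but 'California' does not dominate 'West', and sibling regions such as 'Northeast' and 'Mid Atlantic' do not dominate each other.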