Bell–LaPadula model

The model was developed by David Elliott Bell[2] and Leonard J. LaPadula, subsequent to strong guidance from Roger R. Schell, to formalize the U.S. Department of Defense (DoD) multilevel security (MLS) policy.

To determine whether a specific access mode is allowed, the clearance of a subject is compared to the classification of the object (more precisely, to the combination of classification and set of compartments that makes up the security level).

The model defines one discretionary access control (DAC) rule and two mandatory access control (MAC) rules with three security properties:

The transfer of information from a high-sensitivity document to a lower-sensitivity document may happen in the Bell–LaPadula model via the concept of trusted subjects.

It did not treat the following extensively:

The Strong Star Property is an alternative to the *-Property, in which subjects may write to objects with only a matching security level.

The Strong Star Property is usually discussed in the context of multilevel database management systems and is motivated by integrity concerns.
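
The comparison of a subject's clearance with an object's security level, and the difference between the *-Property and the Strong Star Property, can be shown in a few lines of code. This is an added example, not part of the original page: the level names, the sample subjects and objects, and the function `mac_allows` are hypothetical, and the read and write rules are the standard statements of the simple security property and the *-Property, which this page does not spell out.

```python
from dataclasses import dataclass

# Constructed ordering of classifications (assumption; the page names no levels).
RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

@dataclass(frozen=True)
class Level:
    """Security level = classification plus a set of compartments."""
    classification: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Level") -> bool:
        # Dominance: classification at least as high AND compartments a superset.
        return (RANK[self.classification] >= RANK[other.classification]
                and self.compartments >= other.compartments)

def mac_allows(subject: Level, obj: Level, mode: str,
               strong_star: bool = False, trusted: bool = False) -> bool:
    """Mandatory checks only; the discretionary (DAC) rule is out of scope here."""
    if mode == "read":
        # Simple security property: no read up.
        return subject.dominates(obj)
    if mode == "write":  # write without read (append)
        if trusted:
            # Trusted subjects are exempt from the *-Property.
            return True
        if strong_star:
            # Strong Star Property: write only at a matching security level.
            return subject == obj
        # *-Property: no write down.
        return obj.dominates(subject)
    raise ValueError(f"unknown access mode: {mode!r}")

# Constructed sample levels.
ANALYST = Level("SECRET", frozenset({"CRYPTO"}))
REPORT = Level("CONFIDENTIAL")
ARCHIVE = Level("TOP_SECRET", frozenset({"CRYPTO", "NUCLEAR"}))
PEER = Level("SECRET", frozenset({"NUCLEAR"}))

if __name__ == "__main__":
    for name, obj in [("REPORT", REPORT), ("ARCHIVE", ARCHIVE), ("PEER", PEER)]:
        print(name,
              "read:", mac_allows(ANALYST, obj, "read"),
              "write:", mac_allows(ANALYST, obj, "write"),
              "strong-star write:", mac_allows(ANALYST, obj, "write", strong_star=True))
```

The `PEER` case shows why the compartment set matters: the classification matches, but neither level dominates the other, so both read and write are refused.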