Security label components
Security label components are security objects for defining security policies. The elements of these components are used to define security labels, which control access to protected tables.
Security label components represent any criteria that your organization might use to decide if a user must have access to a table row or column. Typical examples of such criteria include:
- How much authority the user has in the organization
- Which confidential data, if any, the user is entitled to read or write
- To which department the user belongs
- Whether the user is involved in a particular project
Before you create security label components, you must know how your organization's privacy plan corresponds with a data classification scheme. You also must identify the security policy and security labels that you build from the components. Data classifications that you implement through label-based access control (LBAC) map to the elements that you list when you create security label components. When a user attempts to access protected data, the label values of a user is compared to the label values of the row or column. Security label components, and their elements that are used in the security labels, specify these values.
Types of security label components
- ARRAY: Each element represents a point on an ordered scale of relative values (see Security label component type: ARRAY )
- SET: Each element represents one member of an unordered set (see Security label component type: SET)
- TREE: Each element represents a node in a tree-like hierarchy (see Security label component type: TREE)
As you design an LBAC solution, you identify the security label component type that best reflects the relationship among varying authority levels and groups of users. A basic LBAC implementation can draw on the organization's existing categorizations to name and group the elements, so that the elements are entities the organization already uses. As an overview, the following examples briefly describe the way security label components can function in two different situations.
Example of a component reflecting a strictly ranked data classification scheme
If you are creating a security label component to represent a simple, linear ranking of data-access classifications, you use a component of type ARRAY. An ARRAY-type security label component that represents four data-access classifications can have the following elements: Top Secret, Secret, Confidential, and Unclassified.
Example of a component reflecting an organizational chart
The executive management of a fictional information-services
corporation in the United States named "JK Enterprises" wants to limit
access to specific rows of data on a database to which all employees
have access. JK Enterprises has branched its national organization
into regions and subregions. Much of JK Enterprises' privacy policy
to be implemented with LBAC allows or denies access based on the user's
affiliation with a regional level. The higher-level regions encompass
larger areas of the organization.For example, an employee designated
as part of the West regional level is entrusted with more authority
than employees designated with the subordinate Southwest, California,
and Pacific Northwest regional levels. The security label component
type that best suits this set of criteria is TREE. Therefore, the
user with DBSECADM authority at JK Enterprises creates a security
label component named region
and identifies the following
elements for the component:
West
Southwest
California
Pacific Northwest
Because the regions of JK Enterprises encompass the entire
United States, the four regions previously listed compose a partial
list of elements. The diagram in Security label component type: TREE illustrates
all the elements of this company'sregion
security
label component.