CREATE SECURITY LABEL COMPONENT statement

Use the CREATE SECURITY LABEL COMPONENT statement to define a new security label component in the current database and to define the elements of the component.

This statement is an extension to the ANSI/ISO standard for SQL.

Syntax

CREATE SECURITY LABEL COMPONENT [IF NOT EXISTS] component { ARRAY [ element ] | SET { element } | TREE ( element ROOT, element UNDER element ) }

| Element | Description | Restrictions | Syntax |
|---|---|---|---|
| component | Name declared here for this component | Must be unique among the names of security label components in the database. | Identifier |
| element | Component element that is defined here | Must be unique among elements of this component, and no longer than 32 bytes. The left ( ( ) and right ( ) ) parentheses, comma ( , ), and colon ( : ) symbols are not valid characters. | Quoted String |

Usage

Only the DBSECADM can issue the CREATE SECURITY LABEL COMPONENT statement, which defines a security label component. This is a database object that defines one or more logical categories whose values can be used in a security policy to determine whether a user's request to read or write data is accepted or rejected. The set of all the valid individual values that the security component can have is defined by the set of security label elements that this statement specifies for the component.

The logical categories that security label components implement are identified by DBSECADM in the process of designing a security policy, which is the core construct of label-based access control (LBAC). To implement this security feature in the database, however, DBSECADM must create security objects in the following sequence:
  1. A set of one or more security components, each of which can be defined by the CREATE SECURITY LABEL COMPONENT statement. This statement specifies the name of a security component, the structure of its range of values, and the possible values for this component that can be assigned to a security label that applies a security policy to data or to a user.
  2. One or more security policies, each of which can be defined by the CREATE SECURITY POLICY statement, which specifies a list of one or more components and a set of rules that the security policy applies to data and to users who attempt read or write operations on data that the security policy protects in the database. A security policy always includes all the elements of a component that CREATE SECURITY POLICY specifies.
  3. A security label can be defined by the CREATE SECURITY LABEL statement, which specifies one or more values for each of one or more components of the security policy that the label supports. The security label can be applied to data and to users. All the components of a security label must be components of the same security policy, but multiple security policies and multiple security labels can share the same component. A security label typically includes only a subset of the elements of a security component that CREATE SECURITY LABEL COMPONENT defines.

If you include the optional IF NOT EXISTS keywords, the database server takes no action (rather than sending an exception to the application) if a security label component of the specified name is already registered in the current database.
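The following example is added here for illustration and is not part of the original reference page. It walks through the three-step sequence described above, with one component of each structure; the component names (levels, departments, regions), the policy name (corp_policy), the label name (analyst) and all element values are constructed. The CREATE SECURITY POLICY and CREATE SECURITY LABEL statements are shown only in their basic form.

```sql
-- Run in a session whose user holds the DBSECADM role.

-- Step 1: security label components.
-- Element rules from the table above: unique within the component,
-- at most 32 bytes, and no '(' ')' ',' or ':' characters.

-- ARRAY structure
CREATE SECURITY LABEL COMPONENT IF NOT EXISTS levels
    ARRAY [ 'Top Secret', 'Secret', 'Confidential', 'Unclassified' ];

-- SET structure
CREATE SECURITY LABEL COMPONENT IF NOT EXISTS departments
    SET { 'Finance', 'HR', 'Engineering' };

-- TREE structure: exactly one element is declared ROOT, and every
-- other element is placed UNDER an element of the same component.
CREATE SECURITY LABEL COMPONENT IF NOT EXISTS regions
    TREE ( 'Worldwide' ROOT,
           'EMEA'      UNDER 'Worldwide',
           'Americas'  UNDER 'Worldwide',
           'Germany'   UNDER 'EMEA',
           'Canada'    UNDER 'Americas' );

-- Re-running a statement above is a no-op because of IF NOT EXISTS;
-- without those keywords the second run raises an exception.

-- Step 2: a security policy that lists the components it uses.
-- The policy always includes all elements of each listed component.
CREATE SECURITY POLICY corp_policy
    COMPONENTS levels, departments, regions;

-- Step 3: a security label under that policy. It names a subset of
-- the elements of each component, and every component it references
-- must belong to the same policy.
CREATE SECURITY LABEL corp_policy.analyst
    COMPONENT levels      'Confidential',
    COMPONENT departments 'Finance', 'HR',
    COMPONENT regions     'EMEA';
```

An element such as 'Sales (EU)' or 'Tier:1' would be rejected in step 1 because it contains characters that are not valid in an element.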

See the GRANT Security and REVOKE Security statements for information on how security labels and exemptions from the rules of a security policy define the LBAC credentials of a user or of a role.

See the CREATE TABLE and ALTER TABLE statements for information on how security labels can be associated with a database table or with an individual data row in a table.