CREATE SECURITY POLICY statement
Use the CREATE SECURITY POLICY statement to define a new security policy in the current database and to identify its security label components and access rules.
This statement is an extension to the ANSI/ISO standard for SQL.
Syntax
Element | Description | Restrictions | Syntax |
---|---|---|---|
component | A security label component | Must already exist in the database, and be unique among the names of components for this policy | Identifier |
policy | Name declared here for a security policy | Must be unique among the names of security policies in the database | Identifier |
Usage
A security policy has two purposes:
- It defines the set of security label components that make up a security label.
- It associates that security label with a set of access rules.
No more than one security policy can be attached to a table at any point in time, and a security policy can include no more than 16 security label components.
If you include the optional IF NOT EXISTS keywords, the database server takes no action (rather than sending an exception to the application) if a security policy of the specified name is already registered in the current database. In this case, no new security policy is created, and the CREATE SECURITY POLICY statement has no effect on the existing security policy of that name.
When the policy is created, the database server performs the following actions:
- Registers the specified policy name and the cardinality (number) of its security label components in the syssecpolicies system catalog table.
- Creates a new row for each component in the syssecpolicycomponentrules system catalog table.
Example of creating a new security policy
This example creates the following database objects, in this order:
- Security label components
- Security policy
- Security label
The following statement creates a security label component named departments, of the SET type, and registers it in the sysseclabelcomponents system catalog table of the database:
```sql
CREATE SECURITY LABEL COMPONENT departments
SET { 'Sales','Legal','IT','CanineResources' };
```
The same statement also registers the four elements of the departments component, namely 'Sales', 'Legal', 'IT', and 'CanineResources', in the sysseclabelcomponentelements system catalog table. Note that this example of a security label component definition specifies no security policy, because only the CREATE SECURITY POLICY statement can associate a component with a security policy.
For more information about security label components, see Types and Elements of Security Label Components and CREATE SECURITY LABEL COMPONENT statement.
The next statement creates a security policy named WatchDog whose only security label component is departments:
```sql
CREATE SECURITY POLICY WatchDog
COMPONENTS departments
WITH IDSLBACRULES;
```
Here the security label component departments must already exist in the database, and the name WatchDog must be unique among the identifiers of existing security policies in the database. For an explanation of the WITH IDSLBACRULES keywords, see Rules Associated with a Security Policy, which also provides a more general example of defining a security policy with multiple components.
The last statement creates a security label that belongs to the WatchDog policy:
```sql
CREATE SECURITY LABEL WatchDog.label9
COMPONENT departments 'Sales','CanineResources';
```
This statement declares label9 as the name of a new label of the WatchDog security policy. It also registers the following information in the sysseclabels system catalog table:
- the label name,
- the numeric identifier of the associated WatchDog security policy,
- and the cardinality of its two (2) security label components.
The COMPONENT clause in the same example specifies that the label9 label is valid for both the 'Sales' and the 'CanineResources' elements of the departments component of the WatchDog security policy. For more information about security labels, see Components and Elements of a Security Label and CREATE SECURITY LABEL statement.
For information on protecting a new table by attaching a security policy when the table is being created, see the SECURITY POLICY Clause of the CREATE TABLE statement.
For the syntax to attach or to drop a security policy for an existing table, see SECURITY POLICY Clause of the ALTER TABLE statement.
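A fuller version of the three-step example, added here as an illustration and not taken from the product documentation: it defines components of all three types, a policy with several components (well under the 16-component limit), two labels, and then attaches the policy to a table so that the policy actually governs access. The component, policy, label, table and user names are constructed; the IDSSECURITYLABEL column type, the GRANT SECURITY LABEL statement and the DBSECADM role are Informix LBAC features documented outside this page.

```sql
-- Run as a user holding the DBSECADM role (required for LBAC DDL).
-- Components of the three LBAC types: ARRAY is ordered (first element is
-- highest), SET is unordered, TREE is hierarchical.  Names are constructed.
CREATE SECURITY LABEL COMPONENT clearance
    ARRAY [ 'TopSecret', 'Secret', 'Confidential', 'Public' ];
CREATE SECURITY LABEL COMPONENT departments
    SET { 'Sales', 'Legal', 'IT', 'CanineResources' };
CREATE SECURITY LABEL COMPONENT region
    TREE ( 'World'  ROOT,
           'Europe' UNDER 'World',
           'Asia'   UNDER 'World' );

-- A multi-component policy.  IF NOT EXISTS makes this script safe to
-- re-run: an existing KennelPolicy is left untouched, not replaced.
CREATE SECURITY POLICY IF NOT EXISTS KennelPolicy
    COMPONENTS clearance, departments, region
    WITH IDSLBACRULES;

-- Labels are scoped to the policy (policy.label) and give one value
-- (or, for SET components, several values) per component.
CREATE SECURITY LABEL KennelPolicy.SalesEU
    COMPONENT clearance   'Confidential'
    COMPONENT departments 'Sales'
    COMPONENT region      'Europe';

CREATE SECURITY LABEL KennelPolicy.AdminAll
    COMPONENT clearance   'TopSecret'
    COMPONENT departments 'Sales', 'Legal', 'IT', 'CanineResources'
    COMPONENT region      'World';

-- A policy does nothing until it is attached to a table.  Here it is
-- attached at creation time (SECURITY POLICY clause of CREATE TABLE);
-- the IDSSECURITYLABEL column holds each row's label for row-level rules.
CREATE TABLE kennel_records (
    id       SERIAL,
    note     VARCHAR(200),
    rowlabel IDSSECURITYLABEL
) SECURITY POLICY KennelPolicy;

-- The same policy can be attached to an existing table instead.
ALTER TABLE legacy_records ADD SECURITY POLICY KennelPolicy;

-- Finally, grant a label to a user; IDSLBACRULES compare the user's label
-- with each row's label to decide which rows that user can read or write.
GRANT SECURITY LABEL KennelPolicy.SalesEU TO sales_eu_user FOR ALL ACCESS;
```

Because at most one policy can be attached to a table, choose the component set with the table's full access model in mind; changing components later means dropping and re-creating the policy and its labels.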