Examples of Granting User Security Labels

The following three statements create three security label components called level, compartments, and groups respectively:

    CREATE SECURITY LABEL COMPONENT
       level ARRAY ['TS','S','C','U'];
    CREATE SECURITY LABEL COMPONENT
       compartments SET {'A','B','C','D'};
    CREATE SECURITY LABEL COMPONENT
       groups TREE ('G1' ROOT,
                    'G2' UNDER ROOT,
                    'G3' UNDER ROOT);

The following statement creates a security policy called secPolicy based on the three components above:

    CREATE SECURITY POLICY secPolicy COMPONENTS
       level, compartments, groups;

The following statement creates a security label called secLabel1:

    CREATE SECURITY LABEL secPolicy.secLabel1
       COMPONENT level 'S',
       COMPONENT compartments 'A', 'B',
       COMPONENT groups 'G2';

The following statement creates a security label called secLabel2:

    CREATE SECURITY LABEL secPolicy.secLabel2
       COMPONENT level 'S',
       COMPONENT compartments 'B',
       COMPONENT groups 'G2';

The following statement creates a security label called secLabel3:

    CREATE SECURITY LABEL secPolicy.secLabel3
       COMPONENT level 'S',
       COMPONENT compartments 'A',
       COMPONENT groups 'G3';

The following statement creates a security label called secLabel4:

    CREATE SECURITY LABEL secPolicy.secLabel4
       COMPONENT level 'TS',
       COMPONENT compartments 'A',
       COMPONENT groups 'G1';

The following statement grants a security label for read access to user sam:

    GRANT SECURITY LABEL secPolicy.secLabel1
       TO sam FOR READ ACCESS;

The following statement grants a security label for write access to user sam. This statement succeeds because it satisfies the rules given above.

    GRANT SECURITY LABEL secPolicy.secLabel2
       TO sam FOR WRITE ACCESS;

The following statement grants a security label for read access to user lynette:

    GRANT SECURITY LABEL secPolicy.secLabel1
       TO lynette FOR READ ACCESS;

The following statement attempts to grant a security label for write access to user sam. This statement fails because it violates the rule with respect to the tree component.

    GRANT SECURITY LABEL secPolicy.secLabel3
       TO sam FOR WRITE ACCESS;

The following statement attempts to grant a security label for write access to user sam. This statement fails because it violates the rule with respect to the array component.

    GRANT SECURITY LABEL secPolicy.secLabel4
       TO sam FOR WRITE ACCESS;

When the GRANT SECURITY LABEL statement successfully grants a security label to a user, the database server updates the sysseclabelauth table of the system catalog to register the new holder of the security label.
For a discussion of LBAC security objects, see your Informix® Security Guide.
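
The following Python model is an added example, not Informix code or part of the original documentation. It checks each candidate write label against sam's read label secLabel1. The rules it applies are an assumption, because this section only refers to them: the ARRAY value must match, the SET values of the write label must be a subset of the read label's, and each TREE value of the write label must be the same as or descended from a value in the read label. The function names are hypothetical.

```python
# Added model of the read/write label compatibility check (not Informix code).
# Assumed rules: ARRAY values equal; SET of write label is a subset of the
# read label's; TREE values of write label equal or descend from read values.

# Tree component "groups" from the page: G1 is the root, G2 and G3 sit under it.
GROUPS_PARENT = {"G1": None, "G2": "G1", "G3": "G1"}

# Labels exactly as created on the page: (level, compartments, groups).
LABELS = {
    "secLabel1": ("S", {"A", "B"}, {"G2"}),
    "secLabel2": ("S", {"B"}, {"G2"}),
    "secLabel3": ("S", {"A"}, {"G3"}),
    "secLabel4": ("TS", {"A"}, {"G1"}),
}


def covered_by(node, read_nodes, parent=GROUPS_PARENT):
    """True if node is one of read_nodes or a descendant of one."""
    while node is not None:
        if node in read_nodes:
            return True
        node = parent[node]  # walk up towards the root
    return False


def write_grant_violations(read_label, write_label, labels=LABELS):
    """Return the component types on which write_label conflicts with read_label."""
    r_level, r_set, r_tree = labels[read_label]
    w_level, w_set, w_tree = labels[write_label]
    violations = []
    if w_level != r_level:                       # ARRAY: must be identical
        violations.append("array")
    if not w_set <= r_set:                       # SET: write must be a subset
        violations.append("set")
    if not all(covered_by(g, r_tree) for g in w_tree):  # TREE: same or descendant
        violations.append("tree")
    return violations


if __name__ == "__main__":
    # sam already holds secLabel1 for read access, as on the page.
    for candidate in ("secLabel2", "secLabel3", "secLabel4"):
        bad = write_grant_violations("secLabel1", candidate)
        print(candidate, "succeeds" if not bad else "fails on: " + ", ".join(bad))
```

Under these assumed rules the model reproduces the three outcomes above: secLabel2 is accepted, secLabel3 is rejected on the tree component, and secLabel4 is rejected on the array component.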