Security Label Support Functions

The security label support functions enable users to manipulate security labels. A security label can be referenced in three different ways:

  • A name, as declared in the CREATE SECURITY LABEL or RENAME SECURITY LABEL statement.
  • A list of values for each component of the security policy of the security label.
  • An internal encoded value that the IDSSECURITYLABEL data type stores.
These functions can convert between the various forms of a security label. They are typically used to specify a label in DML operations on data rows that are secured by label-based access control (LBAC). In these operations, however, the security label support functions do not provide any more access to protected data than is already provided by the security credentials of the user who invokes the function.

Security Label Support Function

{ SECLABEL_TO_CHAR( 'policy',column ) | SECLABEL_BY_COMP( 'policy',' { component | ( element ) } ') | SECLABEL_BY_NAME ('policy', 'label') }
Element Description Restrictions Syntax
column A column of type IDSSECURITYLABEL Must exist and must store a label of the policy Identifier
component Value of a component of the policy Must exist and must be a component of the policy Quoted String
element Value of an element within a list of values of the component Must exist and must be elements of a single component of the policy Quoted String
label Identifier of the security label whose value the function returns Must exist and must be a label of the policy Quoted String
policy The security policy supported by the security label whose value the function returns Must exist and must be the security policy that secures the table Quoted String
These functions return a security label of the specified security policy. They can be used within DML statements that reference a protected database table, but they can also evaluate to a security label in other calling contexts. Each of these functions requires a different argument list:
  • SECLABEL_TO_CHAR requires the security policy name and an expression that returns a IDSSECURITYLABEL object, such as the name of a column of that data type.
  • SECLABEL_BY_COMP requires the security policy name and the values of the individual components of the security label.
  • SECLABEL_BY_NAME requires the names of the security policy and of the security label.