Granting security labels

The GRANT SECURITY LABEL statement grants a security label to a user or to a list of users.

Before you begin

You must hold the DBSECADM role to grant a label to users. Users specified in a GRANT SECURITY LABEL statement cannot be the DBSECADM who issues it.

About this task

When you issue the GRANT SECURITY LABEL statement, you can optionally specify that the users receive the label for read access, write access, or all access. If you do not specify access, then the statement grants users an all-access label.

If a user is granted a different security label for read access than for write access, then the values given for the security label components must follow these rules:

  • For security label components of type ARRAY, the value must be the same in both security labels.
  • For security label components of type SET, the values given in the security label used for WRITE access must be a subset of the values given in the security label used for READ access. If all of the values are the same, this is considered a subset, and is allowed.
  • For security label components of type TREE, every element in the TREE component of the security label for write access must be either an element or a descendant of an element in the TREE component of the security label for read access.
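
The three rules above can be checked before the read-access and write-access labels are granted. The following Python sketch is an added example, not part of the OneDB documentation or product; the component names, element values, tree, and function names are constructed for illustration.

```python
# Added example: pre-check a read/write label pair against the three component rules.
# Constructed TREE component, stored as child -> parent (the root has parent None).
REGION_TREE = {"Company": None, "West": "Company", "East": "Company",
               "California": "West", "Oregon": "West", "NewYork": "East"}
# Constructed policy: component name -> component type.
POLICY = {"level": "ARRAY", "dept": "SET", "region": "TREE"}
# Constructed labels: one read label and two candidate write labels.
READ = {"level": "Secret", "dept": {"Sales", "HR"}, "region": {"West"}}
WRITE_OK = {"level": "Secret", "dept": {"Sales"}, "region": {"California", "West"}}
WRITE_BAD = {"level": "Public", "dept": {"Sales", "Finance"}, "region": {"NewYork"}}


def is_self_or_descendant(node, read_elements, tree):
    """True if node is one of read_elements or lies below one of them in tree."""
    while node is not None:
        if node in read_elements:
            return True
        node = tree.get(node)  # walk up; unknown nodes end the walk
    return False


def check_label_pair(read_label, write_label, policy=POLICY, tree=REGION_TREE):
    """Return the list of rule violations; an empty list means the pair is allowed."""
    problems = []
    for comp, ctype in policy.items():
        r, w = read_label.get(comp), write_label.get(comp)
        if ctype == "ARRAY":
            # ARRAY: the value must be the same in both labels.
            if r != w:
                problems.append(f"{comp}: ARRAY value differs ({r!r} vs {w!r})")
        elif ctype == "SET":
            # SET: WRITE values must be a subset of READ values (equal is allowed).
            extra = set(w or ()) - set(r or ())
            if extra:
                problems.append(f"{comp}: WRITE values not in READ set: {sorted(extra)}")
        elif ctype == "TREE":
            # TREE: each WRITE element must be a READ element or a descendant of one.
            bad = [n for n in (w or ()) if not is_self_or_descendant(n, set(r or ()), tree)]
            if bad:
                problems.append(f"{comp}: WRITE elements outside READ subtree: {sorted(bad)}")
    return problems


if __name__ == "__main__":
    print("WRITE_OK :", check_label_pair(READ, WRITE_OK))
    for problem in check_label_pair(READ, WRITE_BAD):
        print("WRITE_BAD:", problem)
```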

To grant a security label, see the documentation about the GRANT SECURITY LABEL statement in HCL OneDB™ Guide to SQL: Syntax.

In the following example of this SQL statement, label2 of the company security policy is granted to user maria.

GRANT SECURITY LABEL company.label2
   TO maria;

What to do next