The ADD TREE Clause

A security label component of type TREE has the logical topology of a simple graph with no loops. Each TREE component has a single root node and no more than 63 additional nodes. Any new elements that the ALTER SECURITY LABEL COMPONENT statement adds to this hierarchy must be inserted below the root node. The string constant for each new node must be followed by the keyword UNDER and by the string constant for some previously declared node. The set of elements of the TREE component, including their UNDER keywords and comma separators, must be enclosed between a pair of parenthesis ( ( ... ) ) symbols.

The component element specified after the UNDER keyword is called the parent of the new element that precedes the same UNDER keyword. The new element is called the child of that parent element. The ALTER SECURITY LABEL COMPONENT statement fails with an error, however, if the ADD TREE clause specifies a parent element that is not already defined in the database for this component. The UNDER keyword cannot be followed by an element that is added to the component in the same ADD TREE clause.

The string constant that designates the root node of a TREE component has the highest data sensitivity of all the nodes within the TREE hierarchy. In any subset of successive parent nodes and child nodes in the tree, each non-root element has lower data sensitivity than its parent element or than any ancestor of its parent element, but has higher data sensitivity than any of its child elements or than the descendents of its child elements.

When a user who holds no exemptions attempts to access a data row that is protected by a label that includes a TREE component, a read operation fails if the security label of the user does not include an element that matches one of the TREE elements for the same component of the data row label, or that matches an ancestor of one of those elements. Unless the security policy of the label includes the OVERRIDE clause, a write operation also fails in the same circumstances. If the data row label has multiple TREE components, the user security label must include a matching (or an ancestral) element value for every TREE component of the data row security label.

In the following example, the ALTER SECURITY LABEL COMPONENT statement modifies a tree component called Oakland by adding two new nodes to its tree structure that was defined with six nodes by this CREATE SECURITY LABEL COMPONENT statement:
CREATE SECURITY LABEL COMPONENT Oakland 
TREE ( 'Port' ROOT,
       'Downtown' UNDER 'Port',
       'Airport' UNDER 'Port',
       'Estuary' UNDER 'Airport',
       'Avenues' UNDER 'Downtown',
       'Hills' UNDER 'Avenues');

ALTER SECURITY LABEL COMPONENT Oakland 
   ADD TREE ( 'Uptown' UNDER 'Port',
              'Bay' UNDER 'Estuary');
Here new Uptown node is a child of Port, which has the highest data sensitivity because it is the root node. The new Bay node is the child of Estuary, which is the child of Airport, which is the child of Port, implying that Bay has a lower data sensitivity than these three nodes of the hierarchy. In practice, it is unlikely that any data would be labeled with Port, rather than classified at a lower level. The Port value might be used for a label granted to a user who is allowed to access all of the data about the Port.

If the ALTER SECURITY LABEL COMPONENT statement in this example succeeds, and a subsequently defined data row label specifies Bay as its value for the Oakland component, a user with no exemption for the security policy who attempts to read the protected row in a query would need either Port, Airport, Estuary, or Bay as a user label value to satisfy this component of the data row label. Values of Uptown or Downtown for this component in the user label are insufficient, because they do not match Bay and are not ancestors of Bay. For a query to read the protected row, the security label of the user must also include values that satisfy any other components of the row security label, and the user must also hold Select access privilege on the table and at least Connect access privilege on the database that contains the protected row.

The ADD TREE clause cannot interpose a new node between an existing child node and its parent.