DEFAULT security labels

When DBSECADM adds an IDSSECURITYLABEL column to a table that is protected by a security policy, the DEFAULT label specification is required unless the table is empty. If the table is not empty, the specified label is inserted into the existing rows of the table.

If the DEFAULT value is the name of a security label, an error is issued in the following cases:
  • if the label is the default value for a column whose data type is not IDSSECURITYLABEL,
  • or if the table has no security policy,
  • or if the security policy of the label is not the security policy of the table.
The same ALTER TABLE statement that adds the IDSSECURITYLABEL column can add a security policy.

To define a specific label as the default value of an IDSSECURITYLABEL column, specify the label name without the policy qualifier, rather than as policy.label. The current security policy of the table is the only valid policy for any security label that protects data in the table.

Examples of security labels as default values

The ALTER TABLE statement in the following example adds security policy MegaCorp to table T1 and specifies column-level protection for the table by declaring a new column D of type IDSSECURITYLABEL, whose default value is a security label called mylabel1:
ALTER TABLE T1 
   ADD (D IDSSECURITYLABEL DEFAULT mylabel1)
   ADD SECURITY POLICY MegaCorp;
Because no BEFORE clause is included, column D is last among the columns in the schema of table T1. This statement fails if any of the database objects that it references (except new column D) does not already exist in the database, or if the table already has a different security policy.
To replace the security policy of a table, you must hold the DBSECADM role. You must first use the ALTER TABLE DROP SECURITY POLICY statement to drop the current security policy and any of its labels from the table. Then you must add the new security policy, and at least one of its labels, as in the following example:
ALTER TABLE T1 
   DROP SECURITY POLICY MegaCorp;
ALTER TABLE T1 
   ADD (D IDSSECURITYLABEL DEFAULT myNewLabel1)
   ADD SECURITY POLICY Watchdog;
In these ALTER TABLE statements that reference table T1:
  • The DROP SECURITY POLICY clause of the first statement removes table T1 from the protection of the MegaCorp security policy, and automatically drops from the schema of table T1 any IDSSECURITYLABEL column that stores a label of the MegaCorp security policy. This has no effect, however, on other tables in the database that are protected by the MegaCorp security policy.
  • The ADD (D IDSSECURITYLABEL DEFAULT myNewLabel1) clause protects table T1 with the myNewLabel1 security label.
  • The ADD SECURITY POLICY Watchdog clause replaces MegaCorp with Watchdog as the new security policy of table T1.
The second ALTER TABLE example fails unless the myNewLabel1 security label is a label of the Watchdog security policy.
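The following script is an added example, not part of the original documentation. It sets up the objects that the first ALTER TABLE example depends on and walks through the DEFAULT label rules on a non-empty table. The component names, element values, table columns, and the user alice are hypothetical; run the statements one at a time as a user who holds the DBSECADM role.

```sql
-- Added example. Hypothetical names: md_level, wd_level, the element
-- values, the columns of T1, and the user alice.

-- Prerequisites: each policy and label must exist before ALTER TABLE references it.
CREATE SECURITY LABEL COMPONENT md_level
   ARRAY ['SECRET', 'CONFIDENTIAL', 'PUBLIC'];
CREATE SECURITY POLICY MegaCorp COMPONENTS md_level WITH IDSLBACRULES;
CREATE SECURITY LABEL MegaCorp.mylabel1 COMPONENT md_level 'CONFIDENTIAL';

-- A second policy with its own label, used for the policy-mismatch case.
CREATE SECURITY LABEL COMPONENT wd_level
   ARRAY ['RESTRICTED', 'OPEN'];
CREATE SECURITY POLICY Watchdog COMPONENTS wd_level WITH IDSLBACRULES;
CREATE SECURITY LABEL Watchdog.myNewLabel1 COMPONENT wd_level 'RESTRICTED';

-- A table that already holds data and has no security policy yet.
CREATE TABLE T1 (id INT, payload VARCHAR(64));
INSERT INTO T1 VALUES (1, 'row that exists before protection');

-- Expected to fail: T1 is not empty, so the DEFAULT label is required.
ALTER TABLE T1
   ADD (D IDSSECURITYLABEL)
   ADD SECURITY POLICY MegaCorp;

-- Expected to fail: myNewLabel1 is a label of Watchdog, but the same
-- statement makes MegaCorp the security policy of the table.
ALTER TABLE T1
   ADD (D IDSSECURITYLABEL DEFAULT myNewLabel1)
   ADD SECURITY POLICY MegaCorp;

-- Expected to succeed: unqualified label name, label and table share one policy.
-- The existing row receives mylabel1 in column D.
ALTER TABLE T1
   ADD (D IDSSECURITYLABEL DEFAULT mylabel1)
   ADD SECURITY POLICY MegaCorp;

-- To check the result, give a reader credentials under the policy.
-- DBSECADM cannot grant a security label to itself.
GRANT SECURITY LABEL MegaCorp.mylabel1 TO alice FOR ALL ACCESS;

-- Run as alice: show the label stored in each row in readable form.
SELECT id, SECLABEL_TO_CHAR('MegaCorp', D) FROM T1;
```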

For more information about using the ALTER TABLE statement to add, modify, or drop an association between a table and a label-based security policy, see Modify Column Security clause and SECURITY POLICY Clause. See also the DDL statements for creating label-based security objects, including CREATE SECURITY POLICY statement, CREATE SECURITY LABEL statement, and CREATE SECURITY LABEL COMPONENT statement.