Add column SECURED WITH label clause
The SECURED WITH Label clause associates the new column that the ALTER TABLE ADD statement defines with a label-based access control (LBAC) security label. This clause is valid only for a table that is protected by an LBAC security policy, and for a security label of the same policy.
This syntax fragment is part of the ADD Column Clause.
Element | Description | Restrictions | Syntax |
---|---|---|---|
label | Name of an LBAC security label | Must exist and must belong to the same LBAC security policy that protects the table. | Identifier |
Usage
- In a protected table, any data in a column that the SECURED WITH label clause associates with an LBAC security label is protected with column-level granularity for those columns. Only users whose security credentials satisfy the label of the column can access data in the column.
- In the same table, the data in other columns not referenced by any SECURED WITH label clause are protected with row-level granularity by the LBAC label in the column of type IDSSECURITYLABEL. Only users whose security credentials satisfy that label can access data in any row.
Only users who hold the DBSECADM role can include this clause in the ALTER TABLE statement.
The COLUMN SECURED WITH Label clause is an extension to the ISO/ANSI standard for the SQL language.
The COLUMN keyword is optional, and has no effect on the result of the ALTER TABLE SECURED WITH operation, but it might make your code easier for human readers to understand.
- virtual-table interface (VTI) tables or virtual-index interface (VII) tables
- user-defined or system-defined temporary (TEMP) tables
- tables of named or unnamed ROW types
- parent tables or child tables within a typed-table hierarchy
- a table with no label-based security policy.
You must specify the label name without the policy qualifier, rather than as policy.label, because the current security policy of the table is the only valid policy for any security label that protects data in the table.
The column cannot be of type IDSSECURITYLABEL.
When a user who holds appropriate label-based access privileges attempts to access a value in the protected column, the database server compares this label with the security credentials of the user, and allows or withholds access on the basis of this comparison.
You can use similar syntax in the ALTER TABLE MODIFY statement to associate an existing column of a protected table with an LBAC security label, or to drop the association between a protected column and its label. For more information, see Modify Column Security clause.
For the ALTER TABLE syntax to add an LBAC security policy to protect a table that has no security policy, or to drop the association of the current security policy with the table, see SECURITY POLICY Clause.
Example of adding a column protected by a security label
Suppose that protected table SecuriTab was created with the following schema:
CREATE TABLE SecuriTab
(Col1 CHAR (18),
Col2 INT,
Col4 IDSSECURITYLABEL DEFAULT LabelRW)
SECURITY POLICY company;
The table SecuriTab is protected with row-level granularity by the LBAC security policy company, Col4 of type IDSSECURITYLABEL stores security label LabelRW. The security label LabelRW in the IDSSECURITYLABEL column
ALTER TABLE SecuriTab
ADD (Col3 CHAR (20) BEFORE Col4 COLUMN SECURED WITH Label23);
Like
the security label Label23 in column Col4, the security
label Label23 must be a label of the current security policy,
in this case the company policy.