CREATE SECURITY POLICY statement

Use the CREATE SECURITY POLICY statement to define a new security policy in the current database and to identify its security label components and access rules.

This statement is an extension to the ANSI/ISO standard for SQL.

Syntax

   CREATE SECURITY POLICY [IF NOT EXISTS] policy
      COMPONENTS component [, component ...]                (1)
      [WITH IDSLBACRULES]
      [RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL (default)
       | OVERRIDE NOT AUTHORIZED WRITE SECURITY LABEL]

Notes:
  (1) You can specify no more than 16 components.

Element:      component
Description:  A security label component
Restrictions: Must already exist in the database, and be unique among the names of components for this policy
Syntax:       Identifier

Element:      policy
Description:  Name declared here for a security policy
Restrictions: Must be unique among the names of security policies in the database
Syntax:       Identifier

Usage

A security policy is a named database object that stores the following information:
  • the set of security label components that make up a security label;
  • the set of access rules that are associated with that security label.
For tables that are protected by a security policy, the access rules enable HCL OneDB™ to compare the security credentials of a user with the security label of a row or column. The security policy is applied to determine whether a user who holds a given security label can read or write data in a row or column that is labeled with a security label. A security policy has no effect on data that has no security label.

No more than one security policy can be attached to a table at any point in time, and a security policy can include no more than 16 security label components.

If you include the optional IF NOT EXISTS keywords, the database server takes no action (rather than sending an exception to the application) if a security policy of the specified name is already registered in the current database. In this case, no new security policy is created, and the CREATE SECURITY POLICY statement has no effect on the existing security policy that it referenced.

Only DBSECADM can issue this statement. When the CREATE SECURITY POLICY statement executes successfully, HCL OneDB makes the following updates to the system catalog of the current database:
  • Registers the specified policy name and the cardinality of its security label components in the syssecpolicies table.
  • Creates, for each component, a new row in the syssecpolicycomponentrules table.

Example of creating a new security policy

This is the sequence in which LBAC security objects associated with a specific security label must be created:
  • Security label components
  • Security policy
  • Security label
For example, the following CREATE SECURITY LABEL COMPONENT statement registers a security label component named Departments of type SET in the sysseclabelcomponents system catalog table of the database:
CREATE SECURITY LABEL COMPONENT departments 
   SET { 'Sales','Legal','IT','CanineResources' };
The same statement also registers the four elements of the departments component, namely 'Sales', 'Legal', 'IT', and 'CanineResources' in the sysseclabelcomponentelements system catalog table.

Note that this example of a security label component definition specifies no security policy, because only the CREATE SECURITY POLICY statement can associate a component with a security policy.

For more information about security label components, see Types and Elements of Security Label Components and CREATE SECURITY LABEL COMPONENT statement.

The following SQL statement registers a new security policy called WatchDog in the current database:
CREATE SECURITY POLICY WatchDog
   COMPONENTS departments
      WITH IDSLBACRULES;
Here the security label component departments must already exist in the database, and the name WatchDog must be unique among the identifiers of existing security policies in the database. For an explanation of the WITH IDSLBACRULES keywords, see Rules Associated with a Security Policy, which also provides a more general example of defining a security policy with multiple components.
Note that the definition of the WatchDog security policy includes no explicit references to security labels. Any security labels that the CREATE SECURITY LABEL statement associates with the WatchDog security policy must reference departments as their component, because this security policy has no other component. The following example illustrates this requirement for WatchDog labels:
CREATE SECURITY LABEL WatchDog.label9
   COMPONENT departments 'Sales','CanineResources';
This statement declares label9 as the name of a new label of the WatchDog security policy. It also registers the following information in the sysseclabels system catalog table:
  • the label name;
  • the numeric identifier of the associated WatchDog security policy;
  • the cardinality of its two (2) security label components.
The COMPONENT clause in the same example specifies that the label9 label is valid for both the 'Sales' and for the 'CanineResources' elements of the departments component of the WatchDog security policy.
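The following added example (it is not part of the HCL OneDB documentation) carries the three-step sequence above through a policy with two components, shows the IF NOT EXISTS behaviour described under Usage, and finishes by attaching the policy to a new table and checking the catalog tables that this page names. The clearance component, the Kennel policy, the label and table names, the user alice, and the IDSSECURITYLABEL column type, the SECLABEL_BY_NAME function and the GRANT SECURITY LABEL statement are assumptions that this page does not describe; every statement must be issued by DBSECADM.

```sql
-- Step 1: security label components. These must exist before the policy
-- that references them. 'departments' is the SET component shown on this
-- page; 'clearance' is an assumed ARRAY component (ordered, most
-- restrictive element first) added for this example.
CREATE SECURITY LABEL COMPONENT departments
   SET { 'Sales', 'Legal', 'IT', 'CanineResources' };

CREATE SECURITY LABEL COMPONENT clearance
   ARRAY [ 'Restricted', 'Internal', 'Public' ];

-- Step 2: the security policy (assumed name 'Kennel') binds both
-- components to the IDSLBACRULES access rules. Each component must already
-- exist, its name must be unique within the policy, and a policy can list
-- no more than 16 components.
CREATE SECURITY POLICY Kennel
   COMPONENTS departments, clearance
      WITH IDSLBACRULES;

-- Re-issuing the statement with IF NOT EXISTS is a no-op rather than an
-- error: no new policy is created and the existing Kennel policy is left
-- unchanged, even though this component list differs from the first one.
CREATE SECURITY POLICY IF NOT EXISTS Kennel
   COMPONENTS departments
      WITH IDSLBACRULES;

-- Step 3: security labels of the policy. A label on a multi-component
-- policy carries one COMPONENT clause for each component of the policy.
CREATE SECURITY LABEL Kennel.SalesRestricted
   COMPONENT departments 'Sales'
   COMPONENT clearance 'Restricted';

CREATE SECURITY LABEL Kennel.AllPublic
   COMPONENT departments 'Sales', 'Legal', 'IT', 'CanineResources'
   COMPONENT clearance 'Public';

-- Attach the policy to a new table through the SECURITY POLICY clause of
-- CREATE TABLE. The assumed IDSSECURITYLABEL column holds each row's label;
-- rows whose label column is NULL carry no label and are not governed by
-- the policy.
CREATE TABLE kennel_records (
   id       SERIAL,
   dept     VARCHAR(32),
   notes    LVARCHAR,
   rowlabel IDSSECURITYLABEL
) SECURITY POLICY Kennel;

-- Label a row at insert time. SECLABEL_BY_NAME (assumed) returns the label
-- value for the given policy and label name.
INSERT INTO kennel_records (dept, notes, rowlabel)
   VALUES ('Sales', 'Q3 pipeline review',
           SECLABEL_BY_NAME('Kennel', 'SalesRestricted'));

-- Give a user the credentials the access rules compare against the row
-- label (assumed GRANT SECURITY LABEL syntax).
GRANT SECURITY LABEL Kennel.SalesRestricted TO USER alice FOR ALL ACCESS;

-- Verification: a successful CREATE SECURITY POLICY registers the policy
-- name and its component cardinality in syssecpolicies and one row per
-- component in syssecpolicycomponentrules. Column names are not listed on
-- this page, so the whole rows are selected; Kennel should contribute two
-- rows to syssecpolicycomponentrules.
SELECT * FROM syssecpolicies;
SELECT * FROM syssecpolicycomponentrules;
```

Because the second CREATE SECURITY POLICY uses IF NOT EXISTS, the catalog still shows Kennel with two components after it runs; dropping IF NOT EXISTS from that statement would instead raise an error for the duplicate policy name.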

For more information about security labels, see Components and Elements of a Security Label and CREATE SECURITY LABEL statement.

For information on protecting a new table by attaching a security policy when the table is being created, see the SECURITY POLICY Clause of the CREATE TABLE statement.

For the syntax to attach or to drop a security policy for an existing table, see SECURITY POLICY Clause of the ALTER TABLE statement.