DROP SECURITY statement
Use the DROP SECURITY statement to remove an existing security object from the current database. The object can be a security policy, security label, or a security label component.
This statement is an extension to the ANSI/ISO standard for SQL.
Syntax
Element | Description | Restrictions | Syntax |
---|---|---|---|
component | Security label component to drop | Must exist in the database | Identifier |
label | Security label to drop | Must exist in the database as a label of the specified policy | Identifier |
policy | Security policy to drop | Must exist in the database | Identifier |
Usage
- sysecpolicies for security policies
- sysseclabels for security labels
- sysseclabelcomponents for security label components.
- SECURITY POLICY policy specifies a security policy
- SECURITY LABEL policy.label specifies a security label
- SECURITY LABEL COMPONENT component specifies a security label component.
There is no SQL statement that selectively drops some elements of a security label component without destroying the entire component object. To remove only a subset of the elements of a security label component from the database, DBSECADM can use the DROP SECURITY LABEL COMPONENT statement to drop the component, and then redefine the dropped component, using the CREATE SECURITY LABEL COMPONENT statement, but without including any elements that are no longer needed. (An alternative is to drop all the security labels that include the deprecated elements, and then use the CREATE SECURITY LABEL statement to redefine new labels with the same components as the dropped labels, but without those elements. In this case, the deprecated elements persist in the database, but no security label uses them as values for their component.)
If you include the optional IF EXISTS keywords, the database server takes no action (rather than sending an exception to the application) if no security object of the specified security object type and of the specified name is registered in the current database.
Examples
DROP SECURITY LABEL witty;The statement fails if any column is protected by the witty label, or if any user holds this label.
DROP SECURITY LABEL COMPONENT adhesive;The statement fails if any security policy depends on the adhesive security label component.
DROP SECURITY POLICY best CASCADE;This statement fails if that policy is currently protecting any table. If this statement succeeds, however, it has the following additional effects because of the CASCADE specification:
- All security labels associated with the best security policy are also dropped.
- All exemptions from the best security policy are revoked.
- All security labels that were dropped because the best security policy was dropped are revoked from all users who hold those labels.