Security Policies and Grantees of Exemptions

An exemption applies only to the rules of the security policy whose name follows the FOR keyword. A protected table can have multiple security labels, but no more than one security policy.

The GRANT EXEMPTION statement fails with an error if the specified policy does not exist in the database.

The USER keyword that can follow the TO keyword is optional and has no effect. Every authorization identifier in the GRANT EXEMPTION statement must name an individual user, not a role, and it cannot be the DBSECADM who issues the statement (a DBSECADM cannot grant an exemption to itself).

In the following example, DBSECADM grants an exemption to user lynette from rule IDSLBACREADARRAY of the MegaCorp security policy:
GRANT EXEMPTION ON RULE IDSLBACREADARRAY FOR MegaCorp TO lynette;
This exemption lets lynette bypass the read access rules for every array component of the security labels that the MegaCorp policy defines; it is limited to that rule and that policy, so the read rules for other component types and all write rules continue to apply.

When the GRANT EXEMPTION statement successfully grants an exemption to a user, the database server updates the syssecpolicyexemptions table of the system catalog to register the new exemption (or multiple exemptions, if several users are listed after the TO keyword).
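The following SQL is an added illustration and is not from the HCL OneDB documentation. It shows the optional USER keyword, several grantees in one statement, the two statements that fail, and a catalog check of the registered exemptions. It assumes a DBSECADM session, an existing MegaCorp policy, two existing users lynette and marcus, and a role auditors (all constructed names); the rule qualifier WRITEDOWN and the catalog column names secpolicyname, secpolicyid, grantee and exemptiontype are assumptions to verify against the catalog reference for your release.

```sql
-- Added example, not part of the HCL OneDB documentation.
-- Assumes: DBSECADM session, policy MegaCorp, users lynette and marcus,
-- role auditors (all constructed). Catalog column names are assumed.

-- The USER keyword is optional and changes nothing.
GRANT EXEMPTION ON RULE IDSLBACREADARRAY FOR MegaCorp TO USER lynette;

-- Several grantees in one statement produce one catalog row per user.
-- The WRITEDOWN qualifier on the array write rule is an assumed form.
GRANT EXEMPTION ON RULE IDSLBACWRITEARRAY WRITEDOWN FOR MegaCorp TO lynette, marcus;

-- Fails: a grantee must be an individual user, never a role.
-- GRANT EXEMPTION ON RULE IDSLBACREADARRAY FOR MegaCorp TO auditors;

-- Fails: the policy named after FOR does not exist in the database.
-- GRANT EXEMPTION ON RULE IDSLBACREADARRAY FOR NoSuchPolicy TO lynette;

-- Check what was registered. Column names are assumed; adjust to your catalog.
SELECT p.secpolicyname, e.grantee, e.exemptiontype
  FROM syssecpolicyexemptions e
  JOIN syssecpolicies p ON p.secpolicyid = e.secpolicyid
 WHERE p.secpolicyname = 'MegaCorp'
 ORDER BY e.grantee, e.exemptiontype;

-- Remove the bypass again as soon as it is no longer needed.
REVOKE EXEMPTION ON RULE IDSLBACWRITEARRAY WRITEDOWN FOR MegaCorp FROM lynette, marcus;
```

Because every exemption is a standing bypass of the policy's access rules, the SELECT against syssecpolicyexemptions is worth running periodically as an audit of who currently holds which bypass on which policy.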

For a discussion of LBAC security objects, see your HCL OneDB™.