Rules for User Security Labels
The following rules affect security labels that are granted to users by
the GRANT SECURITY LABEL statement:
- The user cannot be the DBSECADM who issues this GRANT SECURITY LABEL statement.
- A user without a security label has a NULL or zero label. A user with no security label cannot access data in a protected table, unless the user holds the necessary exemptions on the policy.
- By default, the IDSSECURITYLABEL column of a protected table cannot have NULL values. A user with no security label cannot insert data into a table with row protection, even if the user has been granted the necessary exemptions on the security policy, unless the row label is explicitly specified in the INSERT statement. For details of how to specify a security label explicitly in the INSERT statement, see Security Label Support Functions.
- User security labels have no effect on the following types of database
tables, because these tables cannot be protected by a security policy:
- Virtual Table Interface tables,
- tables with Virtual Index Interface indexes,
- tables in a typed-table hierarchy,
- temporary tables.