Examples of Granting User Security Labels
The following three statements create three security label
components called level, compartments, and groups respectively:
CREATE SECURITY LABEL COMPONENT level ARRAY ['TS','S','C','U'];
CREATE SECURITY LABEL COMPONENT compartments SET {'A','B','C','D'};
CREATE SECURITY LABEL COMPONENT groups TREE ('G1' ROOT, 'G2' UNDER ROOT, 'G3' UNDER ROOT);
The following statement creates a security policy called secPolicy based
on the three components above:
CREATE SECURITY POLICY secPolicy COMPONENTS level, compartments, groups;
The following statement creates a security label called secLabel1:
CREATE SECURITY LABEL secPolicy.secLabel1 COMPONENT level 'S', COMPONENT compartments 'A', 'B', COMPONENT groups 'G2';
The following statement creates a security label called secLabel2:
CREATE SECURITY LABEL secPolicy.secLabel2 COMPONENT level 'S', COMPONENT compartments 'B', COMPONENT groups 'G2';
The following statement creates a security label called secLabel3:
CREATE SECURITY LABEL secPolicy.secLabel3 COMPONENT level 'S', COMPONENT compartments 'A', COMPONENT groups 'G3';
The following statement creates a security label called secLabel4:
CREATE SECURITY LABEL secPolicy.secLabel4 COMPONENT level 'TS', COMPONENT compartments 'A', COMPONENT groups 'G1';
The following statement grants a security label for read
access to user sam:
GRANT SECURITY LABEL secPolicy.secLabel1 TO sam FOR READ ACCESS;
The following statement grants a security label for write
access to user sam. This statement succeeds because it satisfies
the rules given above.
GRANT SECURITY LABEL secPolicy.secLabel2 TO sam FOR WRITE ACCESS;
The following statement grants a security label for read
access to user lynette:
GRANT SECURITY LABEL secPolicy.secLabel1 TO lynette FOR READ ACCESS;
The following statement attempts to grant a security label
for write access to user sam. This statement fails because
it violates the rule with respect to the tree component.
GRANT SECURITY LABEL secPolicy.secLabel3 TO sam FOR WRITE ACCESS;
The following statement attempts to grant a security label
for write access to user sam. This statement fails because
it violates the rule with respect to the array component.
GRANT SECURITY LABEL secPolicy.secLabel4 TO sam FOR WRITE ACCESS;
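An added example (not HCL OneDB code and not part of the original page) that models why the write grants to sam above succeed or fail against his read label secLabel1. The rules are not reproduced in this section, so the checks are an assumption: array values must match, the write set must be a subset of the read set, and each write tree element must equal or descend from a read tree element. All Python names are hypothetical.

```python
# Added illustration (not HCL OneDB code): models the read/write label
# compatibility rules as assumed in the lead-in, using this page's labels.

# Tree component 'groups' from the page: child -> parent (root has None).
GROUPS_PARENT = {"G1": None, "G2": "G1", "G3": "G1"}

# Labels from the page: (level, compartments, groups).
LABELS = {
    "secLabel1": ("S", {"A", "B"}, {"G2"}),
    "secLabel2": ("S", {"B"}, {"G2"}),
    "secLabel3": ("S", {"A"}, {"G3"}),
    "secLabel4": ("TS", {"A"}, {"G1"}),
}


def is_same_or_descendant(node, ancestors, parent_of):
    """True if node is in ancestors or sits below one of them in the tree."""
    while node is not None:
        if node in ancestors:
            return True
        node = parent_of[node]
    return False


def write_grant_violations(read_label, write_label, parent_of=GROUPS_PARENT):
    """Return the component types whose assumed rule the write label breaks."""
    r_level, r_set, r_tree = LABELS[read_label]
    w_level, w_set, w_tree = LABELS[write_label]
    violations = []
    if w_level != r_level:                      # ARRAY: must be identical
        violations.append("array")
    if not w_set <= r_set:                      # SET: write subset of read
        violations.append("set")
    if not all(is_same_or_descendant(n, r_tree, parent_of) for n in w_tree):
        violations.append("tree")               # TREE: same node or descendant
    return violations


if __name__ == "__main__":
    # sam already holds secLabel1 for read access on the page.
    for candidate in ("secLabel2", "secLabel3", "secLabel4"):
        broken = write_grant_violations("secLabel1", candidate)
        print(candidate, "OK" if not broken else "rejected: " + ", ".join(broken))
```

Under this model secLabel4 also fails the tree check, because G1 is the root and does not sit under G2; the page cites the array component for that failure.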
When the GRANT SECURITY LABEL statement successfully grants a security label to a user, the database server updates the sysseclabelauth table of the system catalog to register the new holder of the security label.
For a discussion of LBAC security objects, see your HCL OneDB™ Security Guide.