Rules on Which Exemptions Are Revoked

The keyword that follows the ON keyword specifies the predefined access rule of the security policy (whose identifier follows the FOR keyword) for which an exemption is cancelled. The access rule for which the exemption is revoked applies whenever a user from whom the exemption is revoked accesses a table that is protected by the specified policy. For descriptions of the predefined rules for read access and for write access that are associated with a security policy, see the section Rules Associated with a Security Policy.

The following keywords of the REVOKE EXEMPTION statement identify specific IDSLBACRULES rules that this statement can apply to formerly exempt users:
  • IDSLBACREADARRAY applies to the user the IDSLBACREADARRAY rule for the specified security policy. For a user with no exemption, this rule requires that each array component of the user security label must be greater than or equal to the corresponding array component of the data row security label.
  • IDSLBACREADSET applies to the user the IDSLBACREADSET rule for the specified security policy. For a user with no exemption, this rule requires that each set component of the user security label must include the set component of the data row security label.
  • IDSLBACREADTREE applies to the user the IDSLBACREADTREE rule for the specified security policy. For a user with no exemption, this rule requires that each tree component of the user security label must include at least one of the elements in the tree component of the data row security label, or else an ancestor of one such element.
  • IDSLBACWRITEARRAY WRITEDOWN revokes the user's exemption from one aspect of the IDSLBACWRITEARRAY rule for the specified security policy. The user who loses this exemption cannot write to a row protected by a label whose array component level is below the level in the label of the user.
  • IDSLBACWRITEARRAY WRITEUP revokes the user's exemption from one aspect of the IDSLBACWRITEARRAY rule for the specified security policy. The user who loses this exemption cannot write to a row protected by a label whose array component level is above the level in the label of the user.
  • IDSLBACWRITEARRAY (with no WRITEDOWN or WRITEUP keyword) applies to the user the IDSLBACWRITEARRAY rule for the specified security policy. The user who loses this exemption cannot write to a row whose array component level is above or below the level in the label of the user.
  • IDSLBACWRITESET applies to the user the IDSLBACWRITESET rule for the specified security policy. For a user with no exemption, that rule requires that each set component of the user security label must include the set component of the data row security label.
  • IDSLBACWRITETREE applies to the user the IDSLBACWRITETREE rule for the specified security policy. For a user with no exemption, that rule requires that each tree component of the user security label must include at least one of the elements in the tree component of the data row security label, or the ancestor of one such element.
  • ALL revokes an exemption from all IDSLBACRULES rules for the specified security policy.
In the following example, DBSECADM revokes an exemption from all of the rules of the MegaCorp security policy from users manoj and sam:
REVOKE EXEMPTION ON RULE ALL FOR MegaCorp FROM manoj, sam;
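The following Python model, added here as an illustration and not part of Informix or of this documentation, encodes the three read rules described above (IDSLBACREADARRAY, IDSLBACREADSET, IDSLBACREADTREE) and shows how revoking an exemption changes the outcome of a row access check. The label layout, the tree component, the integer ranks for the array component and the names manoj and finance are constructed for the example.

```python
"""Constructed model of the IDSLBACRULES read checks (not Informix code).

A security label has one array component (an integer rank, higher means
more sensitive), one set component and one tree component. The tree
component refers to nodes of TREE, a child -> parent map."""
from dataclasses import dataclass

# Constructed tree component hierarchy: child -> parent (None = root).
TREE = {"corp": None, "sales": "corp", "emea": "sales", "apac": "sales"}


@dataclass(frozen=True)
class Label:
    array: int           # array component, e.g. 0=public .. 3=top_secret
    sets: frozenset      # set component
    tree: frozenset      # tree component (node names from TREE)


def ancestors_or_self(node):
    """Return node plus every ancestor of node in TREE."""
    out = set()
    while node is not None:
        out.add(node)
        node = TREE[node]
    return out


def idslbacreadarray(user, row):
    # user array component must be >= the row array component
    return user.array >= row.array


def idslbacreadset(user, row):
    # user set component must include the row set component
    return row.sets <= user.sets


def idslbacreadtree(user, row):
    # user must hold an element of the row tree component or an ancestor of one
    needed = set().union(*(ancestors_or_self(n) for n in row.tree))
    return bool(user.tree & needed)


RULES = {"IDSLBACREADARRAY": idslbacreadarray,
         "IDSLBACREADSET": idslbacreadset,
         "IDSLBACREADTREE": idslbacreadtree}


def can_read(user, row, exemptions):
    """A row is readable only if every rule passes or the user is exempt from it."""
    return all(name in exemptions or rule(user, row) for name, rule in RULES.items())


def revoke_exemption(exemptions, rule):
    """Model REVOKE EXEMPTION ON RULE <rule>; ALL removes every exemption."""
    return frozenset() if rule == "ALL" else frozenset(exemptions) - {rule}
```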