SECURITY LABEL Clause

The REVOKE SECURITY LABEL statement cancels a security label (or all the security labels of a specified security policy) held by one or more users.


    REVOKE SECURITY LABEL policy.{ * | label }
        FROM [USER] user [ , [USER] user ] ...
        [ FOR ALL ACCESS | FOR READ ACCESS | FOR WRITE ACCESS ]

FOR ALL ACCESS is the default when no FOR ... ACCESS option is specified.

Element   Description                           Restrictions                                              Syntax
label     Name of an existing security label    Must exist as a label for the specified security policy   Identifier
policy    The security policy of this label     Must already exist in the database                        Identifier
user      User from whom the label is revoked   Must be the authorization identifier of a user            Owner name

Only a user who holds the DBSECADM role can issue the REVOKE SECURITY LABEL statement.

A security label is a database object that is always associated with a security policy. That policy defines the set of valid security components that make up the security label. The label stores a set of one or more values for each component of the security policy.

The DBSECADM can associate a security label with the following entities:
  • A column of a database table, which a column security label can protect
  • A row of a database table, which a row security label can protect
  • A user, whose user security label, together with any exemptions from rules of the security policy that have been granted to the user, constitutes the security credentials of the user.

When a user who holds a security label for a specific security policy attempts to access a row that is protected by a row security label of the same security policy, the database server compares the sets of values in the user security label and in the row security label to determine whether the user is allowed to access the data. Similarly, LBAC takes into account the user security label and the column security label to determine whether the credentials of the user allow access to a protected column.

The GRANT SECURITY LABEL and REVOKE SECURITY LABEL statements enable DBSECADM to control the association of a user with a label. (Data values in a protected table are associated with a row security label or with a column security label by options to the CREATE TABLE or ALTER TABLE statements that only DBSECADM can execute, rather than by the GRANT SECURITY LABEL statement.)

Immediately following the LABEL keyword, the asterisk ( * ) symbol in the policy.* specification instructs the database server to revoke every security label of the policy. If instead of an asterisk you specify policy.label, that label must be the name of a security label of the specified policy. In this case, if the statement is successful, only that security label is revoked from the user list.

The USER keyword that can follow the FROM keyword is optional, but any authorization identifier specified in the REVOKE SECURITY LABEL statement must be the identifier of an individual user, rather than the identifier of a role.
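The following added example, which is not part of the original documentation page, walks through the policy.label and policy.* forms described above, the optional USER keyword, and the FOR ... ACCESS options. The LBAC setup statements (CREATE SECURITY LABEL COMPONENT, CREATE SECURITY POLICY, CREATE SECURITY LABEL and GRANT SECURITY LABEL) and all object names (hr_level, hr_policy, hr_policy.secret, hr_policy.public, users alice and bob) are assumed for illustration only.

```sql
-- Added example; not from the original page. Every statement below must be
-- issued by a user who holds the DBSECADM role.

-- 1. Assumed setup so that the REVOKE statements have something to act on:
--    one component, one policy built on it, and two labels of that policy.
CREATE SECURITY LABEL COMPONENT hr_level ARRAY ['SECRET', 'CONFIDENTIAL', 'PUBLIC'];
CREATE SECURITY POLICY hr_policy COMPONENTS hr_level WITH IDSLBACRULES;
CREATE SECURITY LABEL hr_policy.secret COMPONENT hr_level 'SECRET';
CREATE SECURITY LABEL hr_policy.public COMPONENT hr_level 'PUBLIC';

-- 2. Associate labels with individual users (assumed users alice and bob).
GRANT SECURITY LABEL hr_policy.secret TO USER alice FOR ALL ACCESS;
GRANT SECURITY LABEL hr_policy.public TO USER bob   FOR ALL ACCESS;

-- 3. policy.label form: revoke one named label from one user.
--    No FOR ... ACCESS option is given, so FOR ALL ACCESS is the default.
REVOKE SECURITY LABEL hr_policy.secret FROM USER alice;

-- 4. Narrow instead of remove: re-grant the label, then revoke only the
--    write side. Alice keeps the label for read access.
GRANT SECURITY LABEL hr_policy.secret TO USER alice FOR ALL ACCESS;
REVOKE SECURITY LABEL hr_policy.secret FROM USER alice FOR WRITE ACCESS;

-- 5. policy.* form: revoke every label of hr_policy from several users at
--    once. The USER keyword is optional; each name must be an individual
--    user's authorization identifier, never a role.
REVOKE SECURITY LABEL hr_policy.* FROM alice, bob;
```

After step 5 neither alice nor bob holds any hr_policy label, so any row or column protected under hr_policy is inaccessible to them until DBSECADM grants a label again; the policy and its labels themselves are untouched, because REVOKE SECURITY LABEL only changes the association between a user and a label.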