IDSSECURITYLABEL Data Type

In a table that is protected by a label-based security policy, the IDSSECURITYLABEL data type of HCL OneDB™ stores a security label.

Only a user who holds the DBSECADM role can create, alter, or drop a column of this data type. This is a built-in DISTINCT OF VARCHAR(128) data type, but it is not classified as a character data type because its use is restricted to label-based access control. A table that has a security policy can have no more than one IDSSECURITYLABEL column, and a table that is associated with no security policy can have none.

The DBSECADM can use the GRANT statement to associate a specific security label with a user, and the REVOKE statement to cancel a security label that a user holds. For a given security policy, a user can hold either no more than one label that supports both read and write access, or no more than one label for write access together with no more than one label for read access. Discretionary access privileges alone are not sufficient for data that a security policy protects: even when the user holds such privileges, the database server determines whether that user can access the data by comparing the security label of the data with the security label of the user, while also taking into consideration any exemptions to the security policy rules that the user holds.
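The following SQL walks through the life cycle described above: creating a policy, attaching an IDSSECURITYLABEL column to a table, granting and revoking labels, and observing how the label comparison filters rows. It is an added example, not part of the HCL OneDB documentation page. The component, policy, label, table and user names (hr_level, hr_policy, employee_salary, hr_manager, analyst, secadmin) are constructed for illustration; the statement forms follow the Informix-heritage LBAC syntax of HCL OneDB as the editor understands it and should be checked against the SQL syntax reference before use.

```sql
-- Added example (not from the HCL OneDB page): life cycle of an IDSSECURITYLABEL column.
-- All names below are constructed for illustration.

-- 0. Only a DBSECADM can create the LBAC objects and the labelled column.
--    The database server administrator confers the role once.
GRANT DBSECADM TO secadmin;

-- 1. A security label component of type ARRAY: elements are ordered, highest
--    classification first, so CONFIDENTIAL dominates INTERNAL dominates PUBLIC.
CREATE SECURITY LABEL COMPONENT hr_level
    ARRAY ['CONFIDENTIAL', 'INTERNAL', 'PUBLIC'];

-- 2. A security policy built from that component.
CREATE SECURITY POLICY hr_policy COMPONENTS hr_level;

-- 3. Security labels under the policy, one per classification used here.
CREATE SECURITY LABEL hr_policy.confidential COMPONENT hr_level 'CONFIDENTIAL';
CREATE SECURITY LABEL hr_policy.public       COMPONENT hr_level 'PUBLIC';

-- 4. The protected table: exactly one IDSSECURITYLABEL column, and the table
--    itself is attached to the policy. Without the SECURITY POLICY clause the
--    column type is not allowed at all.
CREATE TABLE employee_salary (
    emp_id    INTEGER NOT NULL PRIMARY KEY,
    salary    DECIMAL(12,2),
    row_label IDSSECURITYLABEL
) SECURITY POLICY hr_policy;

-- 5. Ordinary discretionary privileges are still required, but on their own
--    they do not make protected rows visible.
GRANT SELECT, INSERT ON employee_salary TO hr_manager;
GRANT SELECT, INSERT ON employee_salary TO analyst;

-- 6. Associate one label per user for both read and write access.
--    (The other permitted shape is one label FOR READ ACCESS plus one label
--    FOR WRITE ACCESS; a user never holds more than that per policy.)
GRANT SECURITY LABEL hr_policy.confidential TO hr_manager FOR ALL ACCESS;
GRANT SECURITY LABEL hr_policy.public       TO analyst    FOR ALL ACCESS;

-- 7. Writing rows. The column value comes from a security label support
--    function, not from a plain string literal. Each user writes at the level
--    of its own label, which is what the array write rule requires.
-- Run as hr_manager:
INSERT INTO employee_salary (emp_id, salary, row_label)
    VALUES (1001, 98000.00, SECLABEL_BY_NAME('hr_policy', 'confidential'));
-- Run as analyst:
INSERT INTO employee_salary (emp_id, salary, row_label)
    VALUES (1002, 42000.00, SECLABEL_BY_NAME('hr_policy', 'public'));

-- 8. Reading back. Run as analyst this returns only emp_id 1002: the row
--    labelled CONFIDENTIAL is filtered by the server's label comparison even
--    though analyst holds SELECT on the table. Run as hr_manager it returns
--    both rows, because CONFIDENTIAL dominates PUBLIC under the read rule.
--    SECLABEL_TO_CHAR renders the stored label as text for inspection.
SELECT emp_id, salary, SECLABEL_TO_CHAR('hr_policy', row_label) AS label
    FROM employee_salary;

-- 9. Withdraw a label when the user no longer needs it; after this, analyst
--    can no longer read or write any row of employee_salary.
REVOKE SECURITY LABEL hr_policy.public FROM analyst;
```

The point to verify in your own environment is step 8: the same SELECT, issued by two users who both hold SELECT on the table, returns different row sets. Any exemption granted on the policy's rules (step 8's comparison is what an exemption bypasses) should therefore be treated as a privileged grant and reviewed with the same care as the DBSECADM role itself.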

For information on how to specify an IDSSECURITYLABEL value, see Security Label Support Functions.

For a discussion of security policies, security components, security labels, and other concepts of label-based access control (LBAC), see the HCL OneDB Security Guide.