Rules Associated with a Security Policy
The WITH IDSLBACRULES keywords specify the read access rules and write access rules that the new security policy enforces. If you do not specify them, these keywords are in effect by default, because the IDSLBACRULES access rules are the only access rules that the a security policy can support.
- IDSLBACREADARRAY: Each array component of the user security label must be greater than or equal to the array component of the data row security label. That is, only data at or below the level of the user can be read.
- IDSLBACREADTREE: Each tree component of the user security label must include at least one of the elements in the tree component of the data row security label (or the ancestor of one such element).
- IDSLBACREADSET: Each set component of the user security label must include the set component of the data row security label.
- IDSLBACWRITEARRAY: Each array component of the user security label must be equal to the array component of the data row security label. That is, only data at the same level as the user can be written.
- IDSLBACWRITETREE: Each tree component of the user security label must include at least one of the elements in the tree component of the data row security label (or the ancestor of one such element).
- IDSLBACWRITESET: Each set component of the user security label must include the set component of the data row security label.
If DBSECADM omits the WITH IDSLBACRULES keywords, then those rules are in effect by default. If any specification except IDSLBACRULES follows the WITH keyword, however, the CREATE SECURITY POLICY statement fails with an error, and no security policy is created.
- If the CREATE SECURITY POLICY statement specifies OVERRIDE NOT AUTHORIZED WRITE SECURITY LABEL, then HCL OneDB™ uses the value of the user security label, rather than the security label that is explicitly specified in the DELETE, INSERT, or UPDATE statement, to determine whether the user has write-access to data values that are protected by a security label in the DELETE, INSERT, or UPDATE operation.
- The default is RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL. If you specify these keywords explicitly, or if they are in effect by default, then DELETE, INSERT, or UPDATE statements fail with an error if the user is not authorized to write data in a row or column that has the explicitly specified security label.
CREATE SECURITY POLICY MegaCorp COMPONENTS levels, compartments, groups WITH IDSLBACRULES;For this example to be valid, the levels, compartments, and groups security label components (or components that have been renamed to these identifiers) must have been previously defined by the CREATE SECURITY LABEL COMPONENT statement.