
DB2 Label-Based Access Control, a practical guide, Part 1: Understand the basics of LBAC in DB2

A step-by-step guide to protect sensitive data

Carmen K. Wong (ckmwong@ca.ibm.com), Software Developer, EMC
Carmen Wong has worked in the DB2 Administration Tools Team as a software developer for five years. Her experience includes designing and implementing Java GUIs using Swing for the DB2 Administration Tools, specializing in monitoring tools (Visual Explain and Event Monitor). She was also involved in the LBAC project in the DB2 Viper release. Carmen is the co-author of a DB2 security book, which will be released in fall 2006.
Stan Musker (smusker@ca.ibm.com), DB2 Information Developer, EMC
Stan Musker has worked as an information developer for 18 years, the last 8 years in Information Management. He currently leads the team that creates the documentation for the DB2 Administration Tools. In addition, he has helped develop product videos, tutorials, and eBooks.

Summary:  Label-Based Access Control (LBAC) is a security feature introduced in the DB2® Viper release. With LBAC, administrators can control a user's read and write access at the table column and row level. This tutorial includes use case scenarios that demonstrate how users can apply LBAC to protect their data from unauthorized access while still allowing selected users restricted access to that data. The tutorial provides a step-by-step guide to creating LBAC solutions based on use-case scenarios.

Date:  04 May 2006
Level:  Intermediate

Before you start

About this series

The tutorial is divided into two parts. The first part covers basic row protection and column protection. The second part contains more complex scenarios and introduces the use of exemptions.


About this tutorial

This tutorial provides a guide to using DB2's Label-Based Access Control (LBAC) security feature. LBAC controls access to table objects by attaching security labels to them. A user attempting to access a protected object must hold a security label that matches the object's label. When there is a match, access is permitted; without a match, access is denied. There are three types of security labels:

  • Row security labels. A security label associated with a data row or record in a database table.
  • Column security labels. A security label associated with a column in a database table.
  • User security labels. A security label granted to a database user.

A security label is composed of one or more security label components. There are three types of security label components that you can use to build your security labels:

  • Sets. A set is a collection of elements in which the order of the elements is not important. All elements are deemed equal.
  • Arrays. An array is an ordered set that can be used to represent a simple hierarchy. In an array, the order in which the elements appear is important: the first element ranks higher than the second, and the second higher than the third.
  • Trees. A tree represents a more complex hierarchy that can have multiple nodes and branches. For example, a tree can be used to represent an organizational chart.

You use a security policy to define the security label components that make up a particular security label.

DB2 Security Administrator (SECADM) authority is required to manipulate LBAC objects. SECADM authority can only be granted by SYSADM. A database manager (DBM) does not have SECADM authority by default.
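As an added example (not from the tutorial; all object, label and user names are assumptions), the DB2 DDL below builds one security label component of each type, combines them in a security policy, defines two labels, protects a table at both the column and the row level, and grants the labels to users. It must be run by a user holding SECADM authority.

```sql
-- Constructed example: component, policy, label, table and user names are assumptions.
-- Run as a user holding SECADM authority (granted by SYSADM).

-- One security label component of each type.
-- ARRAY: ordered; 'TOP SECRET' ranks above 'SECRET', which ranks above 'PUBLIC'.
CREATE SECURITY LABEL COMPONENT clearance
  ARRAY ['TOP SECRET', 'SECRET', 'PUBLIC'];

-- SET: unordered; every department element is equal to every other.
CREATE SECURITY LABEL COMPONENT department
  SET {'FRAUD', 'LOANS', 'AUDIT'};

-- TREE: a hierarchy; a label holding an ancestor node covers its descendants.
CREATE SECURITY LABEL COMPONENT region
  TREE ('HQ' ROOT, 'EAST' UNDER 'HQ', 'WEST' UNDER 'HQ', 'BOSTON' UNDER 'EAST');

-- The security policy names the components a label is built from and the comparison rules.
CREATE SECURITY POLICY bank_policy
  COMPONENTS clearance, department, region
  WITH DB2LBACRULES
  RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;

-- Security labels assign one value per component under that policy.
CREATE SECURITY LABEL bank_policy.fraud_secret_east
  COMPONENT clearance 'SECRET',
  COMPONENT department 'FRAUD',
  COMPONENT region 'EAST';
CREATE SECURITY LABEL bank_policy.loans_public_hq
  COMPONENT clearance 'PUBLIC',
  COMPONENT department 'LOANS',
  COMPONENT region 'HQ';

-- A table protected at both levels: one column label plus a row security label column.
CREATE TABLE accounts (
  acct_id    INTEGER NOT NULL,
  balance    DECIMAL(12,2),
  ssn        CHAR(11) COLUMN SECURED WITH fraud_secret_east,
  row_label  DB2SECURITYLABEL
) SECURITY POLICY bank_policy;

-- Each row is stamped with a label at insert time (the inserting user needs write access for it).
INSERT INTO accounts VALUES
  (1001, 250.00, '000-00-0001', SECLABEL_BY_NAME('bank_policy', 'fraud_secret_east'));

-- User security labels: read, write or both; a user without a matching label is denied.
GRANT SECURITY LABEL bank_policy.fraud_secret_east TO USER alice FOR ALL ACCESS;
GRANT SECURITY LABEL bank_policy.loans_public_hq TO USER bob FOR READ ACCESS;
```

With these grants, alice can read and write the protected row and the ssn column, while bob's label fails the clearance comparison and he sees neither.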

This tutorial shows how to use security labels to control access to data at the row level, at the column level, and at a combination of both. You will also learn how to determine which security label component is most appropriate when creating those security labels. Finally, you will learn how to use a security policy to associate your security label components with your security labels. Using examples from the financial industry and the police services area, you will:

  1. Analyze the required data restrictions.
  2. Design the LBAC security solution.
  3. Implement the LBAC security solution.
  4. See your LBAC security solution in action.

Prerequisites

This tutorial is written for DB2 database developers and DB2 database administrators. You should understand the basic concepts of LBAC.


System requirements

DB2 Viper for Linux®, UNIX®, and Windows®
