Skip to main content

By clicking Submit, you agree to the developerWorks terms of use.

The first time you sign into developerWorks, a profile is created for you. Select information in your developerWorks profile is displayed to the public, but you may edit the information at any time. Your first name, last name (unless you choose to hide them), and display name will accompany the content that you post.

All information submitted is secure.

  • Close [x]

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerworks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

By clicking Submit, you agree to the developerWorks terms of use.

All information submitted is secure.

  • Close [x]

Select a language:

  • Close [x]
  • Close [x]

IDS Label-Based Access Control, a practical guide, Part 1: Understand the basics of LBAC in IDS

A step-by-step guide to protect sensitive data

Carmen K. Wong (ckmwong@ca.ibm.com), Software Developer, IBM
author photo
Carmen Wong has worked in the DB2 Administration Tools Team as a software developer for five years. Her experiences include designing and implementing Java GUI using Swing for DB2 Administration Tools, specializing in monitoring tools: Visual Explain and Event Monitor. She was also involved in the LBAC project in the DB2 9 release. Carmen is the co-author of Understanding DB2 9 Security (IBM Press, December 2006).
Stan Musker (smusker@ca.ibm.com), DB2 Information Developer, IBM
Stan Musker has worked as an information developer for 18 years, the last 8 years in Information Management. He currently leads the team that creates the documentation for the DB2 Administration Tools. In addition, he has helped develop product videos, tutorials, and eBooks.
Manjula Panthagani (manjulap@us.ibm.com), Advanced Support Engineer, IBM
Author photo: Manjula Panthagani
Manjula Panthagani is an Advanced Support Engineer for Informix Dynamic Server at IBM. She has been in this position supporting IDS for over seven years and participated in the development of the IDS Certification exam.
Joseph W. Baric, Jr. (jbaric@us.ibm.com), Advanced Support Engineer, IBM
Joe Baric photo
Joe Baric has been working in Advanced Support for Informix Products for over ten years. In that time he has coded new features, provided bug fixes, served as a subject matter expert, helped develop course materials, and taught various classes on IDS. He can be reached at jbaric@us.ibm.com.

Summary:  Apply Label-Based Access Control (LBAC) to protect your data from illegal access, yet have the flexibility to allow users to restrictively access data. Create these and other LBAC solutions in this step-by-step guide based on use-case scenarios.

View more content in this series

Date:  30 Aug 2007
Level:  Intermediate
PDF:  A4 and Letter (138 KB | 35 pages)Get Adobe® Reader®

Activity:  19576 views
Comments:  

Before you start

Introduction

Label-Based Access Control (LBAC) is a security feature introduced in IBM® Informix® Dynamic Server 11. With LBAC, administrators can control read and write access of a user at the table, column, and row level. onmouseover="linkQueryAppend(this)"

About this series

This series consists of two tutorials: the first part covers the basic row protection and column protection; the second part contains more complex scenarios and introduces the use of exemptions.

This series is based on the tutorials originally published about using LBAC with DB2 entitled "DB2 Label-Based Access Control, a practical guide" by Carmen Wong and Stan Musker. This series is adapted for Informix Dynamic Server by Manjula Pathangani and Joseph Baric.

Back to top

About this tutorial

This tutorial provides a guide to using IDS' Label-Based Access Control (LBAC) security feature. LBAC controls access to table objects by attaching security labels to them. Users attempting to access an object must have its security label granted to them. When there's a match, access is permitted; without a match, access is denied. There are three types of security labels:

  • Row security labels: A security label associated with a data row or record in a database table
  • Column security labels: A security label associated with a column in a database table
  • User security labels: A security label granted to a database user

A security label is composed of one or more security label components. There are three types of security label components that you can use to build your security labels:

  • Sets: A set is a collection of elements where the order in which those elements appear is not important. All elements are deemed equal
  • Arrays: An array is an ordered set that can be used to represent a simple hierarchy. In an array, the order in which the elements appear is important. For example, the first element ranks higher than the second element, and the second higher than the third
  • Trees: A tree represents a more complex hierarchy that can have multiple nodes and branches. For example, trees can be used to represent organizational charts. You use a security policy to define the security label components that make up a particular security label

IDS Security Administrator (DBSECADM) is required to manipulate LBAC objects. DBSECADM authority can only be granted by SYSADM. A database manager (DBM) does not have DBSECADM by default.

This tutorial shows how to use security labels to control access to data at the row level, column level, and at a combination of both row and column levels. You will also learn how to determine which security label component is most appropriate when creating those security labels. And finally you will learn how to use a security policy to associate your security label components with your security labels. Using examples from the financial industry and the police services area, you will:

  1. Analyze the required data restrictions
  2. Design the LBAC security solution
  3. Implement the LBAC security solution
  4. See your LBAC security solution in action

Back to top

Prerequisites

This tutorial is written for IDS database developers and IDS database administrators. You should understand the basic concepts of LBAC.

Back to top

System requirements

IDS 11 for Linux®, UNIX®, and Windows®

1 of 7 | Next

Comments

Back to top

Close [x]

Help: Update or add to My dW interests

What's this?

This little timesaver lets you update your My developerWorks profile with just one click! The general subject of this content (AIX and UNIX, Information Management, Lotus, Rational, Tivoli, WebSphere, Java, Linux, Open source, SOA and Web services, Web development, or XML) will be added to the interests section of your profile, if it's not there already. You only need to be logged in to My developerWorks.

And what's the point of adding your interests to your profile? That's how you find other users with the same interests as yours, and see what they're reading and contributing to the community. Your interests also help us recommend relevant developerWorks content to you.

View your My developerWorks profile

Return from help

Close [x]

Help: Remove from My dW interests

What's this?

Removing this interest does not alter your profile, but rather removes this piece of content from a list of all content for which you've indicated interest. In a future enhancement to My developerWorks, you'll be able to see a record of that content.

View your My developerWorks profile

Return from help

static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=Information Management
ArticleID=252439
TutorialTitle=IDS Label-Based Access Control, a practical guide, Part 1: Understand the basics of LBAC in IDS
publish-date=08302007
author1-email=ckmwong@ca.ibm.com
author1-email-cc=
author2-email=smusker@ca.ibm.com
author2-email-cc=
author3-email=manjulap@us.ibm.com
author3-email-cc=
author4-email=jbaric@us.ibm.com
author4-email-cc=

Table of contents

1 of 7 | Next

Next steps from IBM

WebSphere Portal can help your small and midsize business achieve better website security, along with faster time to value with easily deployable and customizable example Web sites.

Tags

Help
Use the search field to find all types of content in My developerWorks with that tag.

Use the slider bar to see more or fewer tags.

Popular tags shows the top tags for this particular content zone (for example, Java technology, Linux, WebSphere).

My tags shows your tags for this particular content zone (for example, Java technology, Linux, WebSphere).

Use the search field to find all types of content in My developerWorks with that tag. Popular tags shows the top tags for this particular content zone (for example, Java technology, Linux, WebSphere). My tags shows your tags for this particular content zone (for example, Java technology, Linux, WebSphere).

 

Dig deeper into Information Management on developerWorks

Try IBM PureSystems. No charge.

IBM PureSystems on a kaleideoscope background

Experience today!

Get started with the cloud-based trial and pattern development kit.

Share this page:

  • Close [x]

Follow developerWorks:

  • Close [x]