CREATE SECURITY POLICY statement

The CREATE SECURITY POLICY statement defines a security policy.

Invocation

This statement can be embedded in an application program or issued interactively. It is an executable statement that can be dynamically prepared only if DYNAMICRULES run behavior is in effect for the package (SQLSTATE 42509).

Authorization

The privileges held by the authorization ID of the statement must include SECADM authority.

Syntax

CREATE SECURITY POLICY security-policy-name
    COMPONENTS component-name, ...
    WITH DB2LBACRULES
    [ OVERRIDE NOT AUTHORIZED WRITE SECURITY LABEL | RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL ]

Description

security-policy-name
Names the security policy. This is a one-part name. The name must not identify an existing security policy at the current server (SQLSTATE 42710).
COMPONENTS component-name,...
Identifies a security label component. The name must identify a security label component that already exists at the current server (SQLSTATE 42704). The same security component must not be specified more than once for the security policy (SQLSTATE 42713). No more than 16 security label components can be specified for a security policy (SQLSTATE 54062).
WITH DB2LBACRULES
Indicates the rule set that is used when comparing security labels that are part of this security policy. There is currently only one rule set: DB2LBACRULES.
OVERRIDE NOT AUTHORIZED WRITE SECURITY LABEL or RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL
Specifies the action that is to be taken when a user is not authorized to write the explicitly specified security label that is provided in the INSERT or UPDATE statement issued against a table that is protected with this security policy. A user's security label and exemption credentials determine the user's authorization to write an explicitly provided security label. The default is OVERRIDE NOT AUTHORIZED WRITE SECURITY LABEL.
OVERRIDE NOT AUTHORIZED WRITE SECURITY LABEL
Indicates that the value of the user's security label, rather than the explicitly specified security label, is to be used for write access during an insert or update operation.
RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL
Indicates that the insert or update operation will fail if the user is not authorized to write the explicitly specified security label that is provided in the INSERT or UPDATE statement (SQLSTATE 42519).

Notes

  • DB2LBACRULES rule set: DB2LBACRULES is a predefined set of rules that includes the following rules: DB2LBACREADARRAY, DB2LBACREADSET, DB2LBACREADTREE, DB2LBACWRITEARRAY, DB2LBACWRITESET, DB2LBACWRITETREE.
  • Group and role authorizations are not considered by default when a security policy is created. Use the ALTER SECURITY POLICY statement to change this behavior and have them considered.

Examples

  • Example 1: Create a security policy named DATA_ACCESS that uses the DB2LBACRULES rule set and has two components: LEVEL and COMPARTMENTS, in that order. Assume that both components already exist.
       CREATE SECURITY POLICY DATA_ACCESS
         COMPONENTS LEVEL, COMPARTMENTS
         WITH DB2LBACRULES
  • Example 2: Create a security policy named CONTRIBUTIONS that has the components MEMBER and BADGE, which are assumed to already exist.
       CREATE SECURITY POLICY CONTRIBUTIONS
         COMPONENTS MEMBER, BADGE
         WITH DB2LBACRULES
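  • Example 3 (added here; not one of the documentation's own examples): The two examples above take the default OVERRIDE behavior, under which an unauthorized explicit label is silently replaced by the user's own label. The following constructed script shows the RESTRICT option in context, creating the LEVEL and COMPARTMENTS components first (it assumes they do not yet exist), protecting a table with the policy, and granting a label to a hypothetical user ALICE so that the write-authorization check on INSERT is visible.

```sql
-- Constructed example: components assumed not to exist yet.
CREATE SECURITY LABEL COMPONENT LEVEL
  ARRAY ['TOP SECRET', 'SECRET', 'CONFIDENTIAL', 'UNCLASSIFIED'];

CREATE SECURITY LABEL COMPONENT COMPARTMENTS
  SET {'FINANCE', 'HR', 'RESEARCH'};

-- RESTRICT: an INSERT or UPDATE that names a label the user is not
-- authorized to write fails (SQLSTATE 42519) instead of being rewritten
-- with the user's own label, as the default OVERRIDE option would do.
CREATE SECURITY POLICY DATA_ACCESS
  COMPONENTS LEVEL, COMPARTMENTS
  WITH DB2LBACRULES
  RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;

-- Two labels under the policy; names are qualified by the policy name.
CREATE SECURITY LABEL DATA_ACCESS.SECRET_FINANCE
  COMPONENT LEVEL 'SECRET',
  COMPONENT COMPARTMENTS 'FINANCE';

CREATE SECURITY LABEL DATA_ACCESS.TOPSECRET_FINANCE
  COMPONENT LEVEL 'TOP SECRET',
  COMPONENT COMPARTMENTS 'FINANCE';

-- Hypothetical table protected by the policy; the DB2SECURITYLABEL
-- column carries the row's label.
CREATE TABLE PAYROLL (
  EMPNO     INTEGER NOT NULL,
  SALARY    DECIMAL(9, 2),
  ROW_LABEL DB2SECURITYLABEL
) SECURITY POLICY DATA_ACCESS;

-- Hypothetical user ALICE may read and write at SECRET/FINANCE only.
GRANT SECURITY LABEL DATA_ACCESS.SECRET_FINANCE
  TO USER ALICE FOR ALL ACCESS;

-- Issued as ALICE: the explicit label matches her write label, so the
-- row is inserted with SECRET/FINANCE.
INSERT INTO PAYROLL
  VALUES (1, 75000.00, SECLABEL_BY_NAME('DATA_ACCESS', 'SECRET_FINANCE'));

-- Issued as ALICE: TOP SECRET is above her write level. With RESTRICT
-- this statement fails with SQLSTATE 42519; under OVERRIDE it would
-- succeed and the row would be silently labelled SECRET/FINANCE.
INSERT INTO PAYROLL
  VALUES (2, 98000.00, SECLABEL_BY_NAME('DATA_ACCESS', 'TOPSECRET_FINANCE'));
```

The choice between the two options decides whether a mislabelled write is rejected (RESTRICT) or quietly relabelled (OVERRIDE); an application that expects the label it supplied to be stored should use RESTRICT so that the mismatch surfaces as an error rather than as a row stored under a different label.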