CREATE SECURITY POLICY statement
The CREATE SECURITY POLICY statement defines a security policy.
Invocation
This statement can be embedded in an application program or issued interactively. It is an executable statement that can be dynamically prepared only if DYNAMICRULES run behavior is in effect for the package (SQLSTATE 42509).
Authorization
The privileges held by the authorization ID of the statement must include SECADM authority.
Syntax
Description
- security-policy-name
- Names the security policy. This is a one-part name. The name must not identify an existing security policy at the current server (SQLSTATE 42710).
- COMPONENTS component-name,...
- Identifies a security label component. The name must identify a security label component that already exists at the current server (SQLSTATE 42704). The same security component must not be specified more than once for the security policy (SQLSTATE 42713). No more than 16 security label components can be specified for a security policy (SQLSTATE 54062).
- WITH DB2LBACRULES
- Indicates the rule set that will be used when comparing security labels that are part of this security policy. There is currently only one rule set: DB2LBACRULES.
- OVERRIDE NOT AUTHORIZED WRITE SECURITY LABEL or RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL
- Specifies the action that is to be taken when a user is not authorized to write the explicitly specified security label that is provided in the INSERT or UPDATE statement issued against a table that is protected with this security policy. A user's security label and exemption credentials determine the user's authorization to write an explicitly provided security label. The default is OVERRIDE NOT AUTHORIZED WRITE SECURITY LABEL.
- OVERRIDE NOT AUTHORIZED WRITE SECURITY LABEL
- Indicates that the value of the user's security label, rather than the explicitly specified security label, is to be used for write access during an insert or update operation.
- RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL
- Indicates that the insert or update operation will fail if the user is not authorized to write the explicitly specified security label that is provided in the INSERT or UPDATE statement (SQLSTATE 42519).
Notes
- DB2LBACRULES rule set: DB2LBACRULES is a predefined set of rules that includes the following rules: DB2LBACREADARRAY, DB2LBACREADSET, DB2LBACREADTREE, DB2LBACWRITEARRAY, DB2LBACWRITESET, DB2LBACWRITETREE.
- Group and role authorizations are not considered by default when a security policy is created. Use the ALTER SECURITY POLICY statement to change this behavior and have them considered.
Examples
- Example 1: Create a security policy named DATA_ACCESS that uses the DB2LBACRULES rule set and has two components: LEVEL and COMPARTMENTS, in that order. Assume that both components already exist.
CREATE SECURITY POLICY DATA_ACCESS COMPONENTS LEVEL, COMPARTMENTS WITH DB2LBACRULES
- Example 2: Create a security policy named CONTRIBUTIONS that has the components MEMBER and BADGE, which are assumed to already exist.
CREATE SECURITY POLICY CONTRIBUTIONS COMPONENTS MEMBER, BADGE WITH DB2LBACRULES
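The two examples above show only the default OVERRIDE behaviour and assume the components already exist. The following added script (not part of this reference page) walks through the whole sequence around the statement so that the RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL option from the Description and the group/role note from the Notes section can be seen in context: it creates the two components that Example 1 relies on, creates the DATA_ACCESS policy with the RESTRICT option, defines and grants a label, protects a table with the policy, and then enables role authorizations with ALTER SECURITY POLICY. The component values, the user ALICE, the role PAYROLL_CLERKS, the table PAYROLL and the label names are assumptions chosen for illustration; the statements are standard Db2 LBAC DDL, run as a user holding SECADM authority.

```sql
-- Added example: full LBAC setup around CREATE SECURITY POLICY.
-- Component values, user, role, table and label names are assumptions.

-- 1. Security label components (Example 1 assumes these already exist).
--    LEVEL is ordered (ARRAY, highest first); COMPARTMENTS is unordered (SET).
CREATE SECURITY LABEL COMPONENT LEVEL
    ARRAY ['TOP SECRET', 'SECRET', 'UNCLASSIFIED'];

CREATE SECURITY LABEL COMPONENT COMPARTMENTS
    SET {'FINANCE', 'HR', 'RESEARCH'};

-- 2. The policy itself, with RESTRICT instead of the default OVERRIDE.
--    An INSERT or UPDATE that names a label the user may not write now fails
--    with SQLSTATE 42519 instead of silently storing the user's own label.
CREATE SECURITY POLICY DATA_ACCESS
    COMPONENTS LEVEL, COMPARTMENTS
    WITH DB2LBACRULES
    RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;

-- 3. Labels are always qualified by the policy they belong to.
CREATE SECURITY LABEL DATA_ACCESS.SECRET_FINANCE
    COMPONENT LEVEL 'SECRET',
    COMPONENT COMPARTMENTS 'FINANCE';

CREATE SECURITY LABEL DATA_ACCESS.TOP_SECRET_FINANCE
    COMPONENT LEVEL 'TOP SECRET',
    COMPONENT COMPARTMENTS 'FINANCE';

-- 4. Grant a label to a user (assumed user ALICE) for both read and write.
GRANT SECURITY LABEL DATA_ACCESS.SECRET_FINANCE
    TO USER ALICE FOR ALL ACCESS;

-- 5. Protect a table with the policy. The DB2SECURITYLABEL column holds the
--    row label; it is checked against the user's label on every access.
CREATE TABLE PAYROLL (
    EMPNO    INTEGER NOT NULL,
    SALARY   DECIMAL(10, 2),
    SECLABEL DB2SECURITYLABEL
) SECURITY POLICY DATA_ACCESS;

-- 6. Effect of RESTRICT, issued as ALICE (who holds SECRET_FINANCE).
--    Writing the row with her own label succeeds:
INSERT INTO PAYROLL (EMPNO, SALARY, SECLABEL)
    VALUES (1, 1000.00, SECLABEL_BY_NAME('DATA_ACCESS', 'SECRET_FINANCE'));

--    Explicitly naming TOP_SECRET_FINANCE is a write she is not authorized
--    for under DB2LBACWRITEARRAY. With RESTRICT this statement is rejected
--    (SQLSTATE 42519); under the default OVERRIDE it would instead be stored
--    with ALICE's SECRET_FINANCE label, hiding the mismatch from the application.
INSERT INTO PAYROLL (EMPNO, SALARY, SECLABEL)
    VALUES (2, 2000.00, SECLABEL_BY_NAME('DATA_ACCESS', 'TOP_SECRET_FINANCE'));

-- 7. Labels granted to roles (or groups) are ignored until the policy is
--    altered to consider them, as the Notes section states. Assumed role.
CREATE ROLE PAYROLL_CLERKS;
GRANT SECURITY LABEL DATA_ACCESS.SECRET_FINANCE
    TO ROLE PAYROLL_CLERKS FOR READ ACCESS;

ALTER SECURITY POLICY DATA_ACCESS USE ROLE AUTHORIZATIONS;
-- ALTER SECURITY POLICY DATA_ACCESS USE GROUP AUTHORIZATIONS;  -- same for OS groups
```

The choice between OVERRIDE and RESTRICT does not change which labels a user can read or write; both variants enforce DB2LBACRULES. What RESTRICT changes is that a mislabelled write becomes a visible error rather than a row quietly stored under a different label than the application requested, which makes labelling bugs easier to detect during testing and in error logs. Step 7 is worth keeping in mind when auditing a policy: a GRANT SECURITY LABEL ... TO ROLE or TO GROUP has no effect at all until the corresponding USE ... AUTHORIZATIONS clause has been applied.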