Label-based access control (LBAC) and federated systems

Label-based access control ensures that only users who hold the appropriate security credentials can see the data in a table.

With label-based access control, you can apply security policies to the rows and columns of a table. Each security policy specifies the credentials (security labels) that are granted to each user ID and session ID. For example, the table Prices has the columns Wholesale, Retail, and Sale. If the user Alice is entitled to access only the columns Retail and Sale, then the query SELECT RETAIL, SALE FROM PRICES succeeds. But the query SELECT WHOLESALE FROM PRICES fails, and so does SELECT * FROM PRICES, because the expansion of * includes the Wholesale column that Alice is not entitled to read.

When you create a nickname on an object, the federated server automatically detects whether the data source uses label-based access control. If label-based access control is in use, the nickname is not cached: a cached copy of the rows or columns would be served to later users without the data source re-evaluating their labels. For nicknames that were created before federated support for label-based access control was available, the federated server has not made this check, so use the ALTER NICKNAME statement to disallow caching on those nicknames yourself (the same statement can allow caching again where it is safe).

A table is protected by one security policy, and the security label that applies to each row is stored in a label column of that table. A database administrator can hide the label column so that users do not learn that the column exists. Nicknames on tables that have hidden label columns are not cached.
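The statements below are an added example, not code from the original page or from the product documentation it comes from. They set up the Prices table described above with DB2-style LBAC syntax, show which queries succeed and fail for Alice, hide the row label column, and turn off caching on a federated nickname. The component name level, the policy prices_policy, the labels internal and public, the user alice, the column row_label and the nickname prices_nn are all illustrative assumptions, as is the use of IMPLICITLY HIDDEN to hide the label column.

```sql
-- Added example (not from the original page). Names such as level,
-- prices_policy, alice, row_label and prices_nn are assumptions.

-- 1. A security label component and a policy that uses it.
--    In an ARRAY component the first element dominates the ones after it.
CREATE SECURITY LABEL COMPONENT level
  ARRAY ['INTERNAL', 'PUBLIC'];

CREATE SECURITY POLICY prices_policy
  COMPONENTS level
  WITH DB2LBACRULES;

-- 2. Two labels under the policy: INTERNAL dominates PUBLIC.
CREATE SECURITY LABEL prices_policy.internal COMPONENT level 'INTERNAL';
CREATE SECURITY LABEL prices_policy.public   COMPONENT level 'PUBLIC';

-- 3. The Prices table. WHOLESALE is a protected column (secured with the
--    INTERNAL label); RETAIL and SALE are unprotected. ROW_LABEL holds the
--    security label of each row under the table's policy.
CREATE TABLE prices (
  item       VARCHAR(32)  NOT NULL,
  wholesale  DECIMAL(9,2) SECURED WITH internal,
  retail     DECIMAL(9,2),
  sale       DECIMAL(9,2),
  row_label  DB2SECURITYLABEL
) SECURITY POLICY prices_policy;

-- 4. Alice holds only the PUBLIC label for reads and writes, so the
--    INTERNAL-secured WHOLESALE column is outside her credentials.
GRANT SECURITY LABEL prices_policy.public TO USER alice FOR ALL ACCESS;

-- Run as Alice: succeeds, only unprotected columns are referenced.
SELECT retail, sale FROM prices;

-- Run as Alice: fails, WHOLESALE is secured with a label she does not hold.
SELECT wholesale FROM prices;

-- Run as Alice: also fails, because the expansion of * includes WHOLESALE.
SELECT * FROM prices;

-- 5. Hide the row label column so that SELECT * no longer reveals it
--    (assumes the data source allows the label column to be implicitly hidden).
ALTER TABLE prices ALTER COLUMN row_label SET IMPLICITLY HIDDEN;

-- 6. On the federated server: a nickname that was created before LBAC
--    support was detected must not cache the protected data. The same
--    statement with ALLOW CACHING re-enables caching where it is safe.
ALTER NICKNAME prices_nn DISALLOW CACHING;
```

Steps 1 to 4 run on the data source; step 6 runs on the federated server against the nickname that points at the Prices table. The failing queries fail even though Alice can see the other columns, which is the behaviour the text above describes: access is decided per column, and a wildcard select inherits the most restrictive column it expands to.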