Using the UPDATE statement with multilevel security
When a user with a valid security label updates a table with row-level security enabled, Db2 compares the security label of the user to the security label of the row.
About this task
The
update to the table proceeds according to the following rules:
- If the security label of the user and the security label of the
row are equivalent, the row is updated and the value of the security
label is determined by whether the user has write-down privilege:
- If the user has write-down privilege or write-down control is not enabled, the user can set the security label of the row to any valid security label.
- If the user does not have write-down privilege and write-down control is enabled, the security label of the row is set to the value of the security label of the user.
- If the security label of the user dominates the security label
of the row, the result of the UPDATE statement is determined by whether
the user has write-down privilege:
- If the user has write-down privilege or write-down control is not enabled, the row is updated and the user can set the security label of the row to any valid security label.
- If the user does not have write-down privilege and write-down control is enabled, the row is not updated.
- If the security label of the row dominates the security label of the user, the row is not updated.
WHERE SECLABEL=GETVARIABLE('SYSIBM.SECLABEL')Using this predicate avoids failed updates because it ensures that the user's security label is equivalent to the security label of the rows that Db2 attempts to update.
Example
Suppose that Alan has a security label of HIGH, that Beth has a security label of MEDIUM and write-down privilege defined in RACF®, and that Carlos has a security label of LOW. Write-down control is enabled.
Suppose that DSN8910.EMP contains the data that is shown in the following table and that the SECURITY column has been declared with the AS SECURITY LABEL clause.
| EMPNO | LASTNAME | WORKDEPT | SECURITY |
|---|---|---|---|
| 000190 | BROWN | D11 | HIGH |
| 000200 | JONES | D11 | MEDIUM |
| 000210 | LUTZ | D11 | LOW |
Now, suppose that Alan, Beth, and Carlos each submit the following UPDATE statement:
UPDATE DSN8910.EMP
SET DEPTNO='X55', SECURITY='MEDIUM'
WHERE DEPTNO='D11';Because Alan has a security label that dominates the rows with security labels of MEDIUM and LOW, his write-down privilege determines whether these rows are updated. Alan does not have write-down privilege, so the update fails for these rows. Because Alan has a security label that is equivalent to the security label of the row with HIGH security, the update on that row succeeds. However, the security label for that row remains HIGH because Alan does not have the write-down privilege that is required to set the security label to any value. The results of Alan's update are shown in the following table:
| EMPNO | EMPNAME | DEPTNO | SECURITY |
|---|---|---|---|
| 000190 | BROWN | X55 | HIGH |
| 000200 | JONES | D11 | MEDIUM |
| 000210 | LUTZ | D11 | LOW |
Because Beth has a security label that dominates the row with a security label of LOW, her write-down privilege determines whether this row is updated. Beth has write-down privilege, so the update succeeds for this row and the security label for the row becomes MEDIUM. Because Beth has a security label that is equivalent to the security label of the row with MEDIUM security, the update succeeds for that row. Because the row with the security label of HIGH dominates Beth's security label, the update fails for that row. The results of Beth's update are shown in the following table:
| EMPNO | EMPNAME | DEPTNO | SECURITY |
|---|---|---|---|
| 000190 | BROWN | D11 | HIGH |
| 000200 | JONES | X55 | MEDIUM |
| 000210 | LUTZ | X55 | MEDIUM |
| EMPNO | EMPNAME | DEPTNO | SECURITY |
|---|---|---|---|
| 000190 | BROWN | D11 | HIGH |
| 000200 | JONES | D11 | MEDIUM |
| 000210 | LUTZ | X55 | LOW |
