Implementing multilevel security with row-level granularity

Many applications need row-level security within the relational database so that access can be restricted to a specific set of rows. This security control often needs to be mandatory so that users are unable to bypass the row-level security mechanism. Using mandatory controls with z/OS® and RACF® provides consistency across the system.

About this task

You can implement multilevel security with row-level granularity with or without implementing multilevel security on the object level. If you implement multilevel security on the object level, you must define security labels in RACF for all Db2 objects and install the external security access control authorization exit routine. If you do not use the access control authorization exit routine or RACF access control, you can use Db2 native authorization control.


Recommendation: Use multilevel security at the object level together with multilevel security with row-level granularity. Using RACF with multilevel security provides an independent check at run time and always verifies a user's authorization to the data, rather than relying on Db2 native authorization alone.

Db2 performs multilevel security with row-level granularity by comparing the security label of the user with the security label of the row that is accessed. Because security labels can be equivalent without being identical, Db2 uses the RACROUTE REQUEST=DIRAUTH macro to make this comparison whenever the two security labels are not identical. For read operations, such as SELECT, Db2 uses ACCESS=READ. For update operations, Db2 uses ACCESS=READWRITE.

The write-down privilege for multilevel security with row-level granularity has the following properties:

  • A user with the write-down privilege can update the security label of a row to any valid value. The user can make this update regardless of the user's dominance relationship to the row.
  • Db2 requires that a user have the write-down privilege to run certain utilities.
  • If write-down control is not enabled, all users with valid security labels are equivalent to users with the write-down privilege.
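The following Python model illustrates both the label comparison described above (identical labels accepted outright, otherwise a READ or READWRITE dominance check) and the three write-down rules in the list. It is an added example, not Db2 or RACF code: the level hierarchy, the label definitions and the `dirauth` function are constructed stand-ins for what RACF SECLEVEL, CATEGORY and SECLABEL profiles would provide, and the model assumes that an UPDATE can only reach rows the user is allowed to read, which the page does not state explicitly.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed level hierarchy (assumption; real levels come from a site's
# RACF SECLEVEL definitions).
LEVELS = {"UNCLASS": 0, "CONF": 1, "SECRET": 2, "TOPSECRET": 3}


@dataclass(frozen=True)
class SecLabel:
    """A security label: one hierarchical level plus a set of categories."""
    name: str
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "SecLabel") -> bool:
        # Standard MLS dominance: level at least as high and a superset of categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

    def equivalent(self, other: "SecLabel") -> bool:
        # Equivalent labels dominate each other; they need not share a name.
        return self.dominates(other) and other.dominates(self)


# Constructed label catalog (assumption). SECRET_A and SECRET_B are
# equivalent but not identical, which is the case that forces the RACF call.
LABELS = {
    "UNCLASS": SecLabel("UNCLASS", "UNCLASS"),
    "SECRET_A": SecLabel("SECRET_A", "SECRET", frozenset({"PROJ1"})),
    "SECRET_B": SecLabel("SECRET_B", "SECRET", frozenset({"PROJ1"})),
    "TOPSEC_ALL": SecLabel("TOPSEC_ALL", "TOPSECRET", frozenset({"PROJ1", "PROJ2"})),
}


def dirauth(user: SecLabel, resource: SecLabel, access: str) -> bool:
    """Model of the RACROUTE REQUEST=DIRAUTH decision (hypothetical helper).

    ACCESS=READ: the user's label must dominate the resource's label.
    ACCESS=READWRITE: the two labels must be equivalent.
    """
    if access == "READ":
        return user.dominates(resource)
    if access == "READWRITE":
        return user.equivalent(resource)
    raise ValueError(f"unknown access type: {access}")


def row_visible(user: SecLabel, row: SecLabel) -> bool:
    """SELECT path: identical labels pass without consulting RACF;
    otherwise the READ check decides."""
    return user.name == row.name or dirauth(user, row, "READ")


def update_allowed(user: SecLabel, row: SecLabel, new_row_label: SecLabel,
                   has_write_down: bool, write_down_control: bool = True) -> bool:
    """UPDATE path, applying the write-down rules from the list above."""
    # Assumption: a row the user cannot read is filtered out before the
    # UPDATE ever sees it, so it cannot be modified either.
    if not row_visible(user, row):
        return False
    # With write-down control disabled, every user with a valid label
    # behaves as if it held the write-down privilege.
    effective_write_down = has_write_down or not write_down_control
    if effective_write_down:
        # The row label may be set to any valid (defined) label, regardless
        # of the user's dominance relationship to the row.
        return new_row_label.name in LABELS
    # No write-down: identical or RACF-equivalent labels only, and the row
    # must keep a label equivalent to the user's own.
    in_place_ok = user.name == row.name or dirauth(user, row, "READWRITE")
    return in_place_ok and new_row_label.equivalent(user)


def demo() -> dict:
    """Exercise the read-down, write-down and equivalence cases."""
    user = LABELS["SECRET_A"]
    return {
        "read_equivalent": row_visible(user, LABELS["SECRET_B"]),
        "read_down": row_visible(user, LABELS["UNCLASS"]),
        "read_up": row_visible(user, LABELS["TOPSEC_ALL"]),
        "update_equivalent": update_allowed(user, LABELS["SECRET_B"], LABELS["SECRET_B"], False),
        "write_down_denied": update_allowed(user, LABELS["UNCLASS"], LABELS["UNCLASS"], False),
        "write_down_granted": update_allowed(user, LABELS["UNCLASS"], LABELS["UNCLASS"], True),
        "relabel_any_valid": update_allowed(user, LABELS["UNCLASS"], LABELS["TOPSEC_ALL"], True),
        "relabel_undefined": update_allowed(user, LABELS["UNCLASS"], SecLabel("BOGUS", "SECRET"), True),
        "control_disabled": update_allowed(user, LABELS["UNCLASS"], LABELS["UNCLASS"], False, False),
        "update_unreadable": update_allowed(user, LABELS["TOPSEC_ALL"], LABELS["UNCLASS"], True),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:20s} {'allowed' if allowed else 'denied'}")
```

The cases worth noting are `read_down` versus `write_down_denied`: a SECRET user can read an UNCLASS row but, without the write-down privilege, cannot update it, because ACCESS=READWRITE demands equivalence rather than dominance. The `control_disabled` case shows why leaving write-down control off is a policy decision, not a default to accept: it silently turns every labelled user into a write-down user.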