Mandatory access checking

Mandatory access checking evaluates the dominance relationship between the security label of a user and the security label of an object, and determines whether to allow an action based on the following rules:

  • If the security label of the user dominates the security label of the object, the user can read from the object.
  • If the security label of a user and the security label of the object are equivalent, the user can read from and write to the object.
  • If the security label of the user dominates the security label of the object, the user cannot write to the object unless the user has the write-down RACF® privilege.
  • If the security label of the user is disjoint with the security label of the object, the user cannot read or write to that object.
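
The rules above, worked through as an added example in Python; this is not IBM or Db2 code. It assumes a security label is a numeric security level plus a set of categories, and that one label dominates another when its level is equal or higher and its categories are a superset; the page itself does not define the label structure. The class, function, and label names are hypothetical, and the case where the object strictly dominates the user, which the list does not cover, is denied here because no listed rule grants it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecLabel:
    level: int             # hierarchical security level (assumed: higher = more sensitive)
    categories: frozenset  # non-hierarchical categories (assumed label structure)

    def dominates(self, other: "SecLabel") -> bool:
        # Assumed dominance rule: level >= other's AND categories are a superset.
        return self.level >= other.level and self.categories >= other.categories


def relation(user: SecLabel, obj: SecLabel) -> str:
    """Classify the user label against the object label."""
    user_dom, obj_dom = user.dominates(obj), obj.dominates(user)
    if user_dom and obj_dom:
        return "equivalent"
    if user_dom:
        return "dominates"
    if obj_dom:
        return "dominated"   # object strictly dominates user; not listed on the page
    return "disjoint"        # neither label dominates the other


def mandatory_check(user, obj, action, write_down=False) -> bool:
    """Return True if the mandatory check allows `action` ('read' or 'write')."""
    if action not in ("read", "write"):
        raise ValueError(f"unknown action: {action!r}")
    rel = relation(user, obj)
    if rel == "equivalent":
        return True                           # read and write
    if rel == "dominates":
        return action == "read" or write_down  # write needs the write-down privilege
    # "disjoint": no read or write. "dominated": no listed rule grants access,
    # so this example denies it (assumption).
    return False


# Constructed sample labels, not taken from any real RACF configuration.
SECRET_HR = SecLabel(2, frozenset({"HR"}))
SECRET_HR_FIN = SecLabel(2, frozenset({"HR", "FIN"}))
CONF_FIN = SecLabel(1, frozenset({"FIN"}))

if __name__ == "__main__":
    for user, obj in [(SECRET_HR_FIN, SECRET_HR), (SECRET_HR, SECRET_HR),
                      (SECRET_HR, CONF_FIN), (SECRET_HR, SECRET_HR_FIN)]:
        print(relation(user, obj),
              {a: mandatory_check(user, obj, a) for a in ("read", "write")})
```

Passing this check does not grant access by itself: the discretionary check still runs afterwards.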

Exception: IDs with the installation SYSADM authority bypass mandatory access checking at the Db2 object level because actions by installation SYSADM do not invoke the external access control exit routine (DSNX@XAC). However, multilevel security with row-level granularity is enforced for IDs with installation SYSADM authority.

After the user passes the mandatory access check, a discretionary check follows. The discretionary access check restricts access to objects based on the identity of a user, the user's role (if one exists), and the groups to which the user belongs. The discretionary access check ensures that the user is identified as having a “need to know” for the requested resource. The check is discretionary because a user with a certain access permission is capable of passing that permission to any other user.