Use of multilevel security to control access

Db2 provides a powerful security scheme called multilevel security. Multilevel security is a security policy that classifies data and users according to a system of hierarchical security levels and nonhierarchical security categories.

Multilevel security prevents unauthorized users from accessing information at a higher classification than their authorization, and it prevents users from declassifying information.

Using multilevel security, you can define security for Db2 objects and perform other checks, including row-level security checks. Row-level security checks control which users have authorization to view, modify, or perform actions on table rows. With multilevel security, you do not need to use special views or database variables to control security at the row level.

You can create a security label for a table row by defining a column in the CREATE TABLE or ALTER TABLE statement as the security label. As each row is accessed, Db2 uses RACF® to compare the security label of the row and the user to determine if the user has appropriate authorization to access the row. Row-level security checks occur whenever a user issues a SELECT, INSERT, UPDATE, or DELETE statement to access a table with a security-label column or runs a utility request for data in a row that is protected by a security label.