SECLABEL_TO_CHAR scalar function
The SECLABEL_TO_CHAR function accepts a security label and returns a string that contains all elements in the security label. The string is in the security label string format.
The schema is SYSIBM.
- security-policy-name: A string that specifies a security policy that exists at the current server (SQLSTATE 42704). The string must be a character or graphic string constant or host variable.
- security-label: An expression that returns a security label value that is valid for the security policy named by security-policy-name (SQLSTATE 4274I). The expression must return a value that is a built-in SYSPROC.DB2SECURITYLABEL distinct type.
Notes
- If the authorization ID of the statement executes this function on a security label being read from a column with a data type of DB2SECURITYLABEL, then that authorization ID's LBAC credentials might affect the output of the function. In such a case an element is not included in the output if the authorization ID does not have read access to that element. An authorization ID has read access to an element if its LBAC credentials would allow it to read data that was protected by a security label containing only that element, and no others.
- For the rule set DB2LBACRULES, only components of type TREE can contain elements to which you do not have read access. For other types of component, if any one of the elements blocks read access, you cannot read the row at all. So only components of type TREE will have elements excluded in this way.
Example
The security policy DATA_ACCESSPOLICY used in this example has a component of type TREE with the following elements:

                PROJECT
            ________|________
           |                 |
         TEST           DEVELOPMENT
      ______|______
     |             |
   CURRENT       FIELD

Table EMP contains the following rows; its LABEL column has the data type DB2SECURITYLABEL:

    RECORDNUM LABEL
    --------- ----------------
            1 PROJECT
            2 (TEST, FIELD)
            3 (CURRENT, FIELD)

When Djavan executes the following statement:

    SELECT RECORDNUM, SECLABEL_TO_CHAR('DATA_ACCESSPOLICY', LABEL) FROM EMP

it returns:

    RECORDNUM LABEL
    --------- ----------------
            2 FIELD
            3 (CURRENT, FIELD)

The row with a RECORDNUM value of 1 is not included in the output, because Djavan's LBAC credentials do not allow him to read that row. In the row with a RECORDNUM value of 2, element TEST is not included in the output, because Djavan does not have read access to that element; Djavan would not have been able to access the row at all if TEST were the only element in the security label. Because Djavan has read access to elements CURRENT and FIELD, both elements appear in the output.

After Djavan is granted an exemption, the same statement returns:

    RECORDNUM LABEL
    --------- ----------------
            1 PROJECT
            2 (TEST, FIELD)
            3 (CURRENT, FIELD)

This time the output includes all rows and all elements, because the exemption gives Djavan read access to all of the elements.
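The DDL below is an added example, not part of the original reference page, that builds the scenario above so both result tables can be reproduced. The component name DEPT_TREE, the *_LBL label names, the assumption that Djavan holds only CURRENT and FIELD, and the choice of DB2LBACREADTREE as the exemption are assumptions of this example.

```sql
-- Constructed example, not from the page: DDL that rebuilds the scenario above
-- so both SECLABEL_TO_CHAR results can be reproduced. Assumed names: component
-- DEPT_TREE and the *_LBL labels; Djavan is assumed to hold CURRENT and FIELD.
-- One TREE component holding the hierarchy drawn in the example.
CREATE SECURITY LABEL COMPONENT DEPT_TREE
  TREE ('PROJECT' ROOT,
        'TEST' UNDER 'PROJECT',
        'DEVELOPMENT' UNDER 'PROJECT',
        'CURRENT' UNDER 'TEST',
        'FIELD' UNDER 'TEST');

-- The policy named on the page, under the DB2LBACRULES rule set from the notes.
CREATE SECURITY POLICY DATA_ACCESSPOLICY
  COMPONENTS DEPT_TREE
  WITH DB2LBACRULES;

-- Row labels for RECORDNUM 1, 2 and 3.
CREATE SECURITY LABEL DATA_ACCESSPOLICY.PROJECT_LBL
  COMPONENT DEPT_TREE 'PROJECT';
CREATE SECURITY LABEL DATA_ACCESSPOLICY.TEST_FIELD_LBL
  COMPONENT DEPT_TREE 'TEST', 'FIELD';
CREATE SECURITY LABEL DATA_ACCESSPOLICY.CURRENT_FIELD_LBL
  COMPONENT DEPT_TREE 'CURRENT', 'FIELD';
-- Label held by Djavan (assumption: CURRENT and FIELD, neither TEST nor PROJECT).
CREATE SECURITY LABEL DATA_ACCESSPOLICY.DJAVAN_LBL
  COMPONENT DEPT_TREE 'CURRENT', 'FIELD';

CREATE TABLE EMP (
  RECORDNUM INTEGER NOT NULL,
  LABEL     DB2SECURITYLABEL
) SECURITY POLICY DATA_ACCESSPOLICY;

-- Insert as an ID whose label permits writing all three labels (e.g. PROJECT).
INSERT INTO EMP VALUES
  (1, SECLABEL_BY_NAME('DATA_ACCESSPOLICY', 'PROJECT_LBL')),
  (2, SECLABEL_BY_NAME('DATA_ACCESSPOLICY', 'TEST_FIELD_LBL')),
  (3, SECLABEL_BY_NAME('DATA_ACCESSPOLICY', 'CURRENT_FIELD_LBL'));

GRANT SECURITY LABEL DATA_ACCESSPOLICY.DJAVAN_LBL
  TO USER DJAVAN FOR READ ACCESS;

-- Run as DJAVAN: gives the first result (row 1 absent, TEST hidden in row 2).
SELECT RECORDNUM, SECLABEL_TO_CHAR('DATA_ACCESSPOLICY', LABEL) FROM EMP;

-- Exemption from the tree read rule (assumed to be the exemption the example
-- refers to); rerunning the SELECT as DJAVAN then returns all rows and elements.
GRANT EXEMPTION ON RULE DB2LBACREADTREE
  FOR DATA_ACCESSPOLICY TO USER DJAVAN;
```

The CREATE and GRANT statements require SECADM authority; the two SELECT runs must be issued under the DJAVAN authorization ID for the credential filtering to apply.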