The built-in functions SECLABEL, SECLABEL_BY_NAME, and SECLABEL_TO_CHAR are provided for managing label-based access control (LBAC) security labels.
Each is described briefly here and in detail in the SQL Reference.
The SECLABEL built-in function builds a security label from a security policy and a value for each of the components in the label. The returned value has a data type of DB2SECURITYLABEL; it is a security label that is part of the indicated security policy and has the indicated values for the components. A security label with the indicated values does not need to exist already.
INSERT INTO T1 VALUES
( SECLABEL( 'P1', 'UNCLASSIFIED:(ALPHA,SIGMA):G2' ), 22 )
The SECLABEL_BY_NAME built-in function accepts the name of a security policy and the name of a security label that is part of that security policy. It then returns the indicated security label as a DB2SECURITYLABEL. You must use this function when inserting an existing security label into a column that has a data type of DB2SECURITYLABEL.
INSERT INTO T1 VALUES ( SECLABEL_BY_NAME( 'P1', 'L1' ), 22 )
This SQL statement does not work:
INSERT INTO T1 VALUES ( P1.L1, 22 ) // Syntax Error!
The SECLABEL_TO_CHAR built-in function returns a string representation of the values that make up a security label.
Component | Elements |
---|---|
level | SECRET |
departments | DELTA and SIGMA |
groups | G3 |
A user that has LBAC credentials that allow reading the row executes this SQL statement:
SELECT SECLABEL_TO_CHAR( 'P1', C1 ) AS C1 FROM T1
The output looks like this:
C1
'SECRET:(DELTA,SIGMA):G3'
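The three functions used together, as an added example that is not part of the original documentation: it creates policy P1 with the level, departments and groups components, inserts the same label once by value and once by name, and reads both rows back. The user JOE, the tree root G1, column C2 and the RESTRICT clause are assumptions of this example.

```sql
-- Added example. Names other than P1, L1, T1, C1 and the element values
-- shown on this page are constructed for illustration.

-- Part 1: security objects, created by a user holding SECADM authority.
CREATE SECURITY LABEL COMPONENT LEVEL
  ARRAY ['SECRET', 'UNCLASSIFIED'];          -- ordered, highest first
CREATE SECURITY LABEL COMPONENT DEPARTMENTS
  SET {'ALPHA', 'DELTA', 'SIGMA'};
CREATE SECURITY LABEL COMPONENT GROUPS
  TREE ('G1' ROOT, 'G2' UNDER 'G1', 'G3' UNDER 'G1');  -- G1 is assumed

-- RESTRICT makes an INSERT fail when it names a label the user is not
-- allowed to write. Under the default (OVERRIDE) the user's own write
-- label is stored instead of the one supplied.
CREATE SECURITY POLICY P1
  COMPONENTS LEVEL, DEPARTMENTS, GROUPS
  WITH DB2LBACRULES
  RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;

-- A named label: this is what SECLABEL_BY_NAME looks up.
CREATE SECURITY LABEL P1.L1
  COMPONENT LEVEL 'SECRET',
  COMPONENT DEPARTMENTS 'DELTA', 'SIGMA',
  COMPONENT GROUPS 'G3';

GRANT SECURITY LABEL P1.L1 TO USER JOE FOR ALL ACCESS;

-- Part 2: protected table, created by a user allowed to create tables.
CREATE TABLE T1 (C1 DB2SECURITYLABEL, C2 INTEGER) SECURITY POLICY P1;
GRANT SELECT, INSERT ON T1 TO USER JOE;

-- Part 3: run as JOE, whose credentials are label L1.
-- Build the label from component values; no named label is required.
INSERT INTO T1 VALUES
  ( SECLABEL( 'P1', 'SECRET:(DELTA,SIGMA):G3' ), 1 );

-- Reference the existing named label.
INSERT INTO T1 VALUES ( SECLABEL_BY_NAME( 'P1', 'L1' ), 2 );

-- Both rows carry the same label; render it as a string to verify.
SELECT SECLABEL_TO_CHAR( 'P1', C1 ) AS C1, C2 FROM T1;
```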