ALTER SECURITY LEVEL

Use the ALTER SECURITY LEVEL command to change the name or value of a security level.

Synopsis

Syntax for altering a security level:
ALTER SECURITY LEVEL <level-name> 
      { RENAME TO <new-level-name> | VALUE <level-number> }

Inputs

The ALTER SECURITY LEVEL command has the following inputs:
Table 1. ALTER SECURITY LEVEL inputs

| Input | Description |
| --- | --- |
| <level-name> | The identifier of an existing level name. |
| <new-level-name> | An identifier to be the new name of the level. The name must be unique among security level names. Due to the total size limitation of the system security label field, use short level names. For compatibility with other vendors, do not use delimited identifiers, use only ASCII characters, and limit name length to 30 characters. |
| <level-number> | A positive integer level value 1 - 32766. Higher values are more secure; lower values are less secure. |

Outputs

The ALTER SECURITY LEVEL command has the following output:
Table 2. ALTER SECURITY LEVEL output

| Output | Description |
| --- | --- |
| ALTER SECURITY LEVEL | The message that the system returns if the command is successful. |
| ERROR: permission denied. | You must have Manage Security privilege to alter a security level. |
| ERROR: level number <number> already exists. | The specified level number exists. A level number can only have one name. |
| ERROR: level number <number> is out of range. | The level number must be 1 - 32766. Level number 0 is predefined by the system as level PUBLIC. Level number 32767 is predefined by the system as level OMNI. Negative level numbers are not allowed. |
| ERROR: object <new-level-name> already exists. | The new level name must be different from all other security level names. |
| ERROR: object <level-name> not found. | The level name must exist. |
| ERROR: label security in use. | You cannot change the value of a security level after there is user data that might reference that level. |

Description

The ALTER SECURITY LEVEL command either renames a security level or changes the value of the security level. You can rename a security level at any time. However, you can only change the value of the level if there are no ROW SECURITY tables defined in any database in the system.

Develop and review your label security configuration before you create any ROW SECURITY tables. After tables are defined, you can add levels to the system or rename levels, but you cannot change the value of or remove levels.
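
Because level values are frozen once ROW SECURITY tables exist, it helps to check a planned level scheme against the documented constraints before running any DDL. The following is an added example, not code from the product or its documentation. The function name `review_levels`, the identifier pattern, and case-insensitive name comparison are assumptions, and the sample plan is constructed.

```python
import re

MIN_VALUE, MAX_VALUE = 1, 32766            # user-definable range from the page
RESERVED = {"PUBLIC": 0, "OMNI": 32767}    # levels predefined by the system
MAX_NAME_LEN = 30                          # cross-vendor compatibility advice
# Assumption: an undelimited identifier is ASCII letters, digits and
# underscore, and does not start with a digit.
PLAIN_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def review_levels(planned):
    """Check (name, value) pairs; return a list of problem strings."""
    problems = []
    names = set(RESERVED)      # assumption: names compare case-insensitively
    values = {}                # value -> first name that claimed it
    for name, value in planned:
        key = name.upper()
        if not PLAIN_IDENT.fullmatch(name):
            problems.append(f"{name}: not a plain ASCII identifier")
        if len(name) > MAX_NAME_LEN:
            problems.append(f"{name}: name longer than {MAX_NAME_LEN} characters")
        if key in names:
            problems.append(f"{name}: name already exists")
        names.add(key)
        if isinstance(value, bool) or not isinstance(value, int):
            problems.append(f"{name}: value {value!r} is not an integer")
        elif not MIN_VALUE <= value <= MAX_VALUE:
            problems.append(f"{name}: value {value} is out of range")
        elif value in values:
            problems.append(f"{name}: value {value} already used by {values[value]}")
        else:
            values[value] = name
    return problems


# Constructed sample plan, not taken from any real system.
SAMPLE_PLAN = [
    ("UNCLASSIFIED", 10),
    ("CONFIDENTIAL", 22),
    ("SECRET", 30),
    ("TOP_SECRET", 30),          # value collides with SECRET
    ("OMNI", 40),                # name collides with the predefined level
    ("RESTRICTED", 32767),       # 32767 is reserved for OMNI
    ("TR\u00c8S_SECRET", 50),    # non-ASCII name would need a delimited identifier
]

if __name__ == "__main__":
    for line in review_levels(SAMPLE_PLAN):
        print(line)
```

An empty result means the plan satisfies the naming and numbering rules listed in the tables above; it does not check privileges or whether ROW SECURITY tables already exist.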

Privileges required

You must have Manage Security privilege to alter security levels.

Common tasks

Use the ALTER SECURITY LEVEL command to update the system catalog to add the new object, and update the security level name-to-value mapping.

Usage

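The following provides sample usage. RENAME TO and VALUE are alternatives in the syntax, so a rename and a value change are issued as separate statements:
ALTER SECURITY LEVEL SECRET RENAME TO CONFIDENTIAL;   -- rename the level
ALTER SECURITY LEVEL CONFIDENTIAL VALUE 22;           -- change the value of the renamed level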