The sw2 role
This example shows the use of the sw2 role.
MLSSAMPLE.SCH(ENGMGR)=> \c mlssample sw2 swsw
You are now connected to database mlssample as user sw2.
MLSSAMPLE.SCH(SW2)=> INSERT INTO projstatus VALUES (5, 'SW2 Red', 196);
INSERT 0 1
MLSSAMPLE.SCH(SW2)=> SELECT *, _SEC_LABEL FROM projstatus;
 ID |  NAME   | METRIC |     _SEC_LABEL
----+---------+--------+---------------------
  5 | SW2 Red |    196 | CONFIDENTIAL:RED:SW
(1 row)
The user has Label Access permission and can see the label. In the following
example, the user does not have the Label Expand permission needed to change
the row label from confidential to public.
MLSSAMPLE.SCH(SW2)=> UPDATE projstatus SET _SEC_LABEL = 'public:red:sw'
WHERE NAME = 'SW2 Red';
ERROR: Security Label : Permission denied.
Now connect as engmgr and try the example again.
With Label Expand permission, the update succeeds. The expand rule is
evaluated relative to the existing row label, not the security label of the
user, and is independent of the ability to create the label.
MLSSAMPLE.SCH(SW2)=> \c mlssample engmgr emem
You are now connected to database mlssample as user engmgr.
MLSSAMPLE.SCH(ENGMGR)=> UPDATE projstatus SET _SEC_LABEL = 'public:red:sw'
WHERE NAME = 'SW2 Red';
Update 1
The following example fails due to an improper security label.
MLSSAMPLE.SCH(ENGMGR)=> INSERT INTO projstatus (id, name, metric,
_SEC_LABEL) VALUES (10, 'Ten', 10, 'public:red:sw');
ERROR: Security Label : Permission denied.