Row-secure tables
A row-secure table (RST) looks like a normal database table, but returns different answers to queries, based upon the security label of the user. Only user tables can have row security, which can be specified when a table is created.
To create a row-secure table, you must have Create Table privilege.
Even a table owner might not have the rights to see all the table rows.
To create a row-secure table, use the following syntax:
create table rst ... row security;
The following are row-secure table permissions:
- LABEL ACCESS: Allows visibility of the label column.
- LABEL RESTRICT: Allows the user to update the label to a more restrictive value.
- LABEL EXPAND: Allows the user to update the label to a less restrictive value.
The resulting table has an extra column named “_sec_label” of type varchar, with a 4000-character limit and Latin9 support. To access the _sec_label column, you must have LABEL ACCESS permission.
The following list provides additional RST information:
- Users can INSERT information they are not allowed to view if they have the LABEL RESTRICT permission.
- UPDATE and DELETE can only be done on rows the user can select.
Important: If there are RSTs in the system, you can rename objects and create new levels, categories, and cohorts, but you cannot drop levels, categories, or cohorts, and you cannot alter any level value.
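The following added example is a small Python model of the visibility and permission rules described above; it is not code from the product and does not use its SQL. It assumes a label is a single integer level where a higher number is more restrictive (categories and cohorts are not modelled), and the User and RowSecureTable classes and their method names are hypothetical.

```python
# Toy model of row-secure table behaviour; added example, not product code.
# Assumption: a label is one integer level, higher = more restrictive.
# Real labels also carry categories and cohorts, which are not modelled.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    level: int                                  # constructed security label
    perms: set = field(default_factory=set)     # e.g. {"LABEL ACCESS"}

class RowSecureTable:
    def __init__(self):
        self._rows = []          # each row: {"data": str, "_sec_label": int}

    def _visible(self, user):
        return [r for r in self._rows if user.level >= r["_sec_label"]]

    def select(self, user):
        # _sec_label is shown only to holders of LABEL ACCESS
        show = "LABEL ACCESS" in user.perms
        return [dict(r) if show else {"data": r["data"]}
                for r in self._visible(user)]

    def insert(self, user, data, label=None):
        label = user.level if label is None else label
        # Assumption: an explicit INSERT label needs the matching UPDATE permission
        if label > user.level and "LABEL RESTRICT" not in user.perms:
            raise PermissionError("LABEL RESTRICT required")
        if label < user.level and "LABEL EXPAND" not in user.perms:
            raise PermissionError("LABEL EXPAND required")
        self._rows.append({"data": data, "_sec_label": label})

    def delete(self, user, data):
        # DELETE affects only rows the user can select
        doomed = [id(r) for r in self._visible(user) if r["data"] == data]
        self._rows = [r for r in self._rows if id(r) not in doomed]
        return len(doomed)

    def relabel(self, user, data, new_label):
        # UPDATE of the label, again limited to rows the user can select
        targets = [r for r in self._visible(user) if r["data"] == data]
        for r in targets:        # check every row before changing any
            need = "LABEL RESTRICT" if new_label > r["_sec_label"] else "LABEL EXPAND"
            if new_label != r["_sec_label"] and need not in user.perms:
                raise PermissionError(need + " required")
        for r in targets:
            r["_sec_label"] = new_label
        return len(targets)
```

In this model a user with LABEL RESTRICT can insert a row above their own level and then neither select nor delete it, which is the write-up behaviour the list above describes.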