Security labels

The security label has three dimensions: level, category, and cohort.

You can apply one, two, or all three dimensions to a row.
Level
Levels are ordered, from a less secure lower level (such as “PUBLIC”), to a more secure higher level (such as “Top Secret”). Every table row and user has only one level.
Category
Categories are a set of all-of tag values associated with a table row. To access the object, the user security profile must match against the entire set of category tags. A table row can have a number of categories (the system limit is 64 K, and the size limit on the label string is 4000). A category is typically used to group a set of data.
Cohort
Cohorts are a set of any-of tag values associated with a table row. To access the object, the user security profile must match at least one of the cohort tags. A table row can have any number of cohorts. A cohort is typically used to group a set of users (like a SQL group).
All table rows require a security label, and if not defined, the system applies a default level of PUBLIC. The system provides the pre-defined values shown in the following table.
Table 1. Pre-defined security label system values

Security label dimension / Value / Meaning

Level
  PUBLIC  Default level, the lowest possible. A user with this defined level (or no defined level, which defaults to this level) cannot see any other levels.
          A table row with this defined level (or no defined level, which defaults to this level) can be accessed by every user.
  OMNI    Highest possible level. A user with this privilege can see all levels.
          A table row with this privilege defined requires the highest privilege for access.

Category
  OMNI    Set of all categories. A user with this privilege can see all categories.
          A table row with this privilege defined requires OMNI for access.
  NONE    A user with this privilege defined cannot see any defined categories.
          A table row with this privilege defined allows all users.

Cohort
  OMNI    Set of all cohorts. A user with this privilege can see all cohorts.
          A table row with this privilege defined is visible to anyone.
  NONE    A user with this privilege defined cannot see any defined cohorts.
          A table row with this privilege defined makes the row inaccessible.

A missing category or cohort is not the same as NONE: a row with no category or cohort dimension is not filtered on that dimension at all, whereas NONE on a row means the dimension is present but no bits are set. Because a category match is all-of, an empty category set is satisfied by every user; because a cohort match is any-of, an empty cohort set can never be matched, so the row is inaccessible.
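The three match rules above (ordered level, all-of category, any-of cohort) and the NONE-versus-missing distinction are easiest to see as bit-set operations, which is how the text describes them ("no bits are set"). The following is an added example written for this page, not code from the product's documentation or implementation: it models OMNI as a mask with every bit set and NONE as a mask with no bits set, and reproduces every entry in Table 1. Two points are assumptions of this model rather than statements of the page: the level rule is a read-down comparison (a user sees rows at or below their own level), and a user with no category or cohort dimension is treated as NONE, so a row labelled cohort OMNI is visible to any user who holds at least one cohort but not to a user with cohort NONE. The level names between PUBLIC and OMNI, the tag names, and the sample rows are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed level ordering for this example. Only PUBLIC (lowest) and OMNI
# (highest) are names the documentation defines; the middle names are illustrative.
LEVEL_ORDER = ["PUBLIC", "CONFIDENTIAL", "SECRET", "TOP SECRET", "OMNI"]

ALL_BITS = -1   # Python int with every bit set: models OMNI
NO_BITS = 0     # no bits set: models NONE


class TagRegistry:
    """Assigns each category or cohort tag name a bit position (constructed helper)."""

    def __init__(self) -> None:
        self._bits: Dict[str, int] = {}

    def mask(self, spec: Optional[str]) -> Optional[int]:
        """Translate a label fragment into a bit mask.

        None   -> the dimension is absent (no filtering on a row)
        'OMNI' -> every bit set
        'NONE' -> no bits set
        otherwise a comma-separated tag list -> OR of the tags' bits
        """
        if spec is None:
            return None
        spec = spec.strip().upper()
        if spec == "OMNI":
            return ALL_BITS
        if spec == "NONE":
            return NO_BITS
        mask = 0
        for tag in (t.strip() for t in spec.split(",") if t.strip()):
            if tag not in self._bits:
                self._bits[tag] = 1 << len(self._bits)
            mask |= self._bits[tag]
        return mask


@dataclass(frozen=True)
class Label:
    level: str = "PUBLIC"            # a missing level defaults to PUBLIC
    category: Optional[int] = None   # all-of tags; None = dimension absent
    cohort: Optional[int] = None     # any-of tags; None = dimension absent


def make_label(reg: TagRegistry, level: Optional[str] = None,
               category: Optional[str] = None, cohort: Optional[str] = None) -> Label:
    return Label(level=(level or "PUBLIC").upper(),
                 category=reg.mask(category), cohort=reg.mask(cohort))


def can_access(user: Label, row: Label) -> bool:
    """Apply the three dimensions in turn; every present dimension must pass."""
    # Level: ordered. Assumed read-down rule: user level >= row level.
    if LEVEL_ORDER.index(user.level) < LEVEL_ORDER.index(row.level):
        return False
    # Category: all-of. Absent on the row does not filter. NONE (no bits) leaves
    # nothing to satisfy, so every user passes; OMNI passes only for an OMNI user.
    if row.category is not None:
        user_cat = user.category if user.category is not None else NO_BITS  # assumption: absent = NONE
        if row.category & ~user_cat:      # some row bit the user does not hold
            return False
    # Cohort: any-of. Absent on the row does not filter. NONE (no bits) can never
    # intersect, so the row is inaccessible; OMNI intersects any non-empty user set.
    if row.cohort is not None:
        user_coh = user.cohort if user.cohort is not None else NO_BITS
        if not (row.cohort & user_coh):
            return False
    return True


def filter_rows(user: Label, rows: List[Tuple[str, Label]]) -> List[str]:
    """Return the payloads of the rows the user may read."""
    return [payload for payload, label in rows if can_access(user, label)]


def sample_rows(reg: TagRegistry) -> List[Tuple[str, Label]]:
    # Constructed sample table: one row per interesting label shape.
    return [
        ("r1", make_label(reg, level="PUBLIC")),
        ("r2", make_label(reg, level="TOP SECRET")),
        ("r3", make_label(reg, level="SECRET", category="FINANCE")),
        ("r4", make_label(reg, level="SECRET", category="FINANCE,HR")),
        ("r5", make_label(reg, category="NONE")),           # allows all users
        ("r6", make_label(reg, cohort="NONE")),             # inaccessible
        ("r7", make_label(reg, cohort="OMNI")),             # any cohort holder
        ("r8", make_label(reg, cohort="AUDITORS,DEVS")),
        ("r9", make_label(reg, category="OMNI")),           # OMNI users only
    ]


if __name__ == "__main__":
    reg = TagRegistry()
    rows = sample_rows(reg)
    alice = make_label(reg, level="SECRET", category="FINANCE,EU", cohort="AUDITORS")
    print("alice sees:", filter_rows(alice, rows))
    print("public user sees:", filter_rows(make_label(reg), rows))
```

Running the block shows that a SECRET user holding categories FINANCE and EU and the AUDITORS cohort reads r1, r3, r5, r7 and r8, while a user with no label beyond the default PUBLIC level reads only r1 and r5. A user labelled OMNI on all three dimensions reads everything except r6, whose cohort NONE has no bits for anyone to match.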