Security labels
The security label has three dimensions: level, category, and cohort.
- Level: Levels are ordered, from a less secure lower level (such as “PUBLIC”) to a more secure higher level (such as “Top Secret”). Every table row and every user has exactly one level.
- Category: Categories are a set of all-of tag values associated with a table row. To access the row, the user's security profile must match the entire set of category tags. A table row can have a number of categories (the system limit is 64K, and the size limit on the label string is 4000). A category is typically used to group a set of data.
- Cohort: Cohorts are a set of any-of tag values associated with a table row. To access the row, the user's security profile must match at least one of the cohort tags. A table row can have any number of cohorts. A cohort is typically used to group a set of users (like a SQL group).
| Security label dimension | Value | Meaning |
|---|---|---|
| Level | PUBLIC | Default level, the lowest possible. A user with this level (or no defined level, which defaults to PUBLIC) cannot see any other level. A table row with this level (or no defined level, which defaults to PUBLIC) can be accessed by every user. |
| Level | OMNI | Highest possible level. A user with this level can see all levels. A table row with this level requires the highest privilege for access. |
| Category | OMNI | Set of all categories. A user with this value can see all categories. A table row with this value requires OMNI for access. |
| Category | NONE | A user with this value cannot see any defined categories. A table row with this value allows all users. |
| Cohort | OMNI | Set of all cohorts. A user with this value can see all cohorts. A table row with this value is visible to anyone. |
| Cohort | NONE | A user with this value cannot see any defined cohorts. A table row with this value makes the row inaccessible. |
A missing category or cohort is different from NONE: a missing category or cohort on a row does not filter at all, while NONE on a row means that no bits are set (so a NONE cohort can never be matched, and the row is inaccessible).
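To make the three access rules concrete, here is an added reference model (example code, not the product's own implementation) that evaluates a user label against a row label. The intermediate level names between PUBLIC and OMNI, and the treatment of a user with no category or cohort as holding no tags, are assumptions; the page only fixes PUBLIC as lowest, OMNI as highest, and the all-of / any-of / NONE / missing semantics.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical ordering; only PUBLIC (lowest) and OMNI (highest) come from the page.
LEVELS = ["PUBLIC", "CONFIDENTIAL", "SECRET", "TOP_SECRET", "OMNI"]
OMNI, NONE = "OMNI", "NONE"


@dataclass(frozen=True)
class Label:
    level: str = "PUBLIC"                        # no defined level defaults to PUBLIC
    category: Optional[frozenset] = None         # None = dimension not set (no filter on a row)
    cohort: Optional[frozenset] = None


def _level_ok(user: Label, row: Label) -> bool:
    # Levels are ordered: the user must be at or above the row's level.
    return LEVELS.index(user.level) >= LEVELS.index(row.level)


def _category_ok(user: Label, row: Label) -> bool:
    if row.category is None or row.category == {NONE}:
        return True                              # missing: no filter; NONE: allows all users
    if user.category == {OMNI}:
        return True                              # user sees all categories
    if user.category is None or user.category == {NONE}:
        return False                             # user cannot see any defined category (assumed for None)
    if row.category == {OMNI}:
        return False                             # row requires OMNI on the user
    return row.category <= user.category         # all-of: every row tag must be held


def _cohort_ok(user: Label, row: Label) -> bool:
    if row.cohort is None or row.cohort == {OMNI}:
        return True                              # missing: no filter; OMNI row visible to anyone
    if row.cohort == {NONE}:
        return False                             # no bits set: row is inaccessible
    if user.cohort == {OMNI}:
        return True                              # user sees all cohorts
    if user.cohort is None or user.cohort == {NONE}:
        return False                             # user cannot see any defined cohort (assumed for None)
    return bool(row.cohort & user.cohort)        # any-of: one shared tag suffices


def can_access(user: Label, row: Label) -> bool:
    """A row is visible only if all three dimensions permit it."""
    return _level_ok(user, row) and _category_ok(user, row) and _cohort_ok(user, row)
```

Each dimension is checked independently, so a row that passes on level and category is still hidden by a NONE cohort, which is the asymmetry the note above describes.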