IBM PureData System for Analytics, Version 7.1

Security labels

The security label has three dimensions: level, category, and cohort.

You can apply one, two, or all three dimensions to a row.

Level: Levels are ordered, from a less secure lower level (such as “PUBLIC”), to a more secure higher level (such as “Top Secret”). Every table row and user has only one level.
Category: Categories are a set of all-of tag values associated with a table row. To access the object, the user security profile must match against the entire set of category tags. A table row can have a number of categories (the system limit is 64 K, and the size limit on the label string is 4000). A category is typically used to group a set of data.
Cohort: Cohorts are a set of any-of tag values associated with a table row. To access the object, the user security profile must match at least one of the cohort tags. A table row can have any number of cohorts. A cohort is typically used to group a set of users (like a SQL group).

All table rows require a security label, and if not defined, the system applies a default level of PUBLIC. The system provides the pre-defined values shown in the following table.

Table 1. Pre-defined security label system values
Security label dimension	Value	Meaning
Level	PUBLIC	Default level, the lowest possible. A user with this defined level (or no defined level, which defaults to this level) cannot see any other levels. A table row with this defined level (or no defined level, which defaults to this level) can be accessed by every user.
Level	OMNI	Highest possible level. A user with this privilege can see all levels. A table row with this privilege defined requires the highest privilege for access.
Category	OMNI	Set of all categories. A user with this privilege can see all categories. A table row with this privilege defined requires the OMNI for access.
Category	NONE	A user with this privilege defined cannot see any defined categories. A table row with this privilege defined allows all users.
Cohort	OMNI	Set of all cohorts. A user with this privilege can see all cohorts. A table row with this privilege defined is visible to anyone.
Cohort	NONE	A user with this privilege defined cannot see any defined cohorts. A table row with this privilege defined makes the row inaccessible.

A missing category or cohort is different from NONE because a missing category or cohort on a row does not filter, while NONE on a row means that no bits are set.