The CREATE SECURITY LABEL COMPONENT statement defines
a component that is to be used as part of a security policy.
Invocation
This statement can be embedded
in an application program or issued interactively. It is an executable
statement that can be dynamically prepared only if DYNAMICRULES run
behavior is in effect for the package (SQLSTATE 42509).
Authorization
The privileges held by the
authorization ID of the statement must include SECADM authority.
Syntax
>>-CREATE SECURITY LABEL COMPONENT--component-name--+-| array-clause |-+-><
                                                    +-| set-clause |---+
                                                    '-| tree-clause |--'
array-clause
             .-,---------------.
             V                 |
|--ARRAY--[----string-constant-+--]-----------------------------|
set-clause
           .-,---------------.
           V                 |
|--SET--{----string-constant-+--}-------------------------------|
tree-clause
|--TREE--(--string-constant--ROOT--+------------------------------------------------+--)--|
                                   | .--------------------------------------------. |
                                   | V                                            | |
                                   '---,--string-constant--UNDER--string-constant-+-'
Description
- component-name
- Names the security label component. This is a one-part name. The
name must not identify an existing security label component at the
current server (SQLSTATE 42710).
- ARRAY
- Specifies an ordered set of elements.
- string-constant,...
- One or more string constant values that make up the set of valid
values for this security label component. The order in which the array
elements appear is important. The first element ranks higher than
the second element. The second element ranks higher than the third
element and so on.
- SET
- Specifies an unordered set of elements.
- string-constant,...
- One or more string constant values that make up the set of valid
values for this security label component. The order of the elements
is not important.
- TREE
- Specifies a tree structure of node elements.
- string-constant
- One or more string constant values that make up the set of valid
values for this security label component.
- ROOT
- Specifies that the string-constant that follows the keyword
is the root node element of the tree.
- UNDER
- Specifies that the string-constant before
the UNDER keyword is a child of the string-constant that
follows the UNDER keyword. An element must
be defined as either being the root element or as being the child
of another element before it can be used as a parent, otherwise an
error (SQLSTATE 42704) is returned.
Rules
These rules apply to all three types
of component (ARRAY, SET, and TREE):
- Element names cannot contain any of these characters:
- Opening parenthesis - (
- Closing parenthesis - )
- Comma - ,
- Colon - :
- An element name can have no more than 32 bytes (SQLSTATE 42622).
- If a security label component is a set or a tree, no more than
64 elements can be part of that component.
- A CREATE SECURITY LABEL COMPONENT statement can specify at most
65 535 elements for a security label component of type array.
- No element name can be used more than once in the same component
(SQLSTATE 42713).
Examples
Example 1: Create an ARRAY
type security label component named LEVEL. The component has the following
four elements, listed in order of decreasing rank: Top Secret, Secret,
Classified, and Unclassified.
CREATE SECURITY LABEL COMPONENT LEVEL
ARRAY ['Top Secret', 'Secret', 'Classified', 'Unclassified']
Example 2: Create a SET type security label component named COMPARTMENTS.
The component has the following three elements: Research, Analysis,
and Collection.
CREATE SECURITY LABEL COMPONENT COMPARTMENTS
SET {'Collection', 'Research', 'Analysis'}
Example 3: Create a TREE type security label component named GROUPS. GROUPS
has five elements: PROJECT, TEST, DEVELOPMENT, CURRENT, and FIELD.
The following diagram shows the relationship of these elements to
one another:
              PROJECT
         ________|________
        |                 |
       TEST          DEVELOPMENT
                    ______|______
                   |             |
                CURRENT        FIELD
CREATE SECURITY LABEL COMPONENT GROUPS
TREE (
'PROJECT' ROOT,
'TEST' UNDER 'PROJECT',
'DEVELOPMENT' UNDER 'PROJECT',
'CURRENT' UNDER 'DEVELOPMENT',
'FIELD' UNDER 'DEVELOPMENT'
)
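The rules listed under Rules, together with the requirement that a TREE element be defined before it is named after UNDER, can be checked before a definition reaches the server. The following Python check is an added example, not part of the DB2 documentation; the function name `check_component` and its input shape are hypothetical, and it assumes a UTF-8 database code page and exact-match comparison of element names.

```python
# Added example: lint a proposed component definition against the rules on this page.
FORBIDDEN = set("(),:")                                  # characters not allowed in element names
MAX_ELEMENTS = {"ARRAY": 65535, "SET": 64, "TREE": 64}   # per-type element limits


def check_component(kind, elements):
    """Return a list of (sqlstate, message); sqlstate is None where the page names none.

    kind is 'ARRAY', 'SET' or 'TREE'. For ARRAY and SET, elements is a list of
    names. For TREE it is a list of (name, parent) pairs in statement order,
    with parent None for the ROOT element.
    """
    pairs = elements if kind == "TREE" else [(name, None) for name in elements]
    problems = []
    if len(pairs) > MAX_ELEMENTS[kind]:
        problems.append((None, f"{kind} allows at most {MAX_ELEMENTS[kind]} elements"))
    seen = set()  # names defined so far, compared exactly as written (assumption)
    for position, (name, parent) in enumerate(pairs):
        bad = sorted(FORBIDDEN & set(name))
        if bad:
            problems.append((None, f"{name!r} contains forbidden character(s) {bad}"))
        if len(name.encode("utf-8")) > 32:  # assumes a UTF-8 database code page
            problems.append(("42622", f"{name!r} is longer than 32 bytes"))
        if name in seen:
            problems.append(("42713", f"{name!r} is used more than once"))
        if kind == "TREE":
            if (position == 0) != (parent is None):
                problems.append((None, f"{name!r}: the first element, and only it, is the ROOT"))
            elif parent is not None and parent not in seen:
                problems.append(("42704", f"parent {parent!r} of {name!r} is not defined yet"))
        seen.add(name)
    return problems


if __name__ == "__main__":
    # Constructed input: the GROUPS tree from Example 3 with two lines swapped,
    # so CURRENT names DEVELOPMENT as its parent before DEVELOPMENT is defined.
    swapped = [("PROJECT", None), ("TEST", "PROJECT"), ("CURRENT", "DEVELOPMENT"),
               ("DEVELOPMENT", "PROJECT"), ("FIELD", "DEVELOPMENT")]
    for sqlstate, message in check_component("TREE", swapped):
        print(sqlstate or "-----", message)
```

Violations for which this page gives no SQLSTATE are reported with `None` in place of a code.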