Security label syntax
Security labels are represented as a text string, with the following
syntax:
<label> ::= <level> : <categories> : <cohorts>
<level> ::= [ <level-string> ]
<categories> ::= [ <category-string> [ , <categories> ]
<cohorts> ::= [ <cohort-string> [ , <cohorts> ]
For example, if the security label is defined with a level of Top
Secret, a category of Alpha, and a cohort of UK, it would look like
the following example:
TOP_SECRET: Alpha: UK
Each component of the label is treated like a SQL identifier. Security
labels are handled as character strings, and in SQL must be presented
as string literals. If you have any character separation within the
string, connect characters with underscores or enclose the string
in quotation marks.
"For Your Eyes Only" : AUDIT : Finance_Management, HR
The label is set to the system case unless encased with quotation
marks, so the previous example would appear as follows:
"For Your Eyes Only" : AUDIT : FINANCE_MANAGEMENT, HR
Spaces before and after the colon are ignored by the system. The
label example can be described in any of the following ways:
TOP_SECRET: Alpha: UK
TOP_SECRET : Alpha : UK
TOP_SECRET:Alpha:UK
The NONE identifier can be used for category and cohort, and explicitly
indicates the empty set:
CONFIDENTIAL : Alpha, Beta, Gamma: NONE
The following label is assigned to the Admin user, with access
to all rows.
OMNI:OMNI:OMNI
The following is the PUBLIC level, with missing categories and
cohorts:
::
Strings are restricted to 7-bit ASCII characters, with a maximum length of 4000 characters. While any user can create a label, you must have Manage Security privileges to define the parts.
Important: Never change the letter case of a database
that contains row-secure tables. Using nzconvertsyscase on
row-secure tables can cause serious problems and possible data loss.