A security label component is a database object
that is part of label-based access control (LBAC). You use security
label components to model your organization's security structure.
A security label component can represent any criteria that you
might use to decide if a user should have access to a given piece
of data. Typical examples of such criteria include:
- How well trusted the user is
- What department the user is in
- Whether the user is involved in a particular project
Example: If you want the department
that a user is in to affect which data they can access, you could
create a component named dept and define elements for that component
that name the various departments in your company. You would then
include the component dept in your security policy.
An element of a security label component is one particular
"setting" that is allowed for that component.
Example: A security label component
that represents a level of trust might have the four elements: Top
Secret, Secret, Classified, and Unclassified.
Creating a security label component
You must be a security administrator to create a security label component.
You create security label components with the SQL statement CREATE
SECURITY LABEL COMPONENT.
When you create a security label component
you must provide:
- A name for the component
- What type of component it is (ARRAY, TREE, or SET)
- A complete list of allowed elements
- For types ARRAY and TREE you must describe how each element fits
into the structure of the component
After creating your security label components, you can
create a security policy based on these components. From this security
policy, you can create security labels to protect your data.
Types of components
There are three types of security label components:
- TREE: Each element represents a node in a tree structure
- ARRAY: Each element represents a point on a linear scale
- SET: Each element represents one member of a set
The types are used to model the different ways in which elements
can relate to each other. For example, if you are creating a component
to describe one or more departments in a company you would probably
want to use a component type of TREE because most business structures
are in the form of a tree. If you are creating a component to represent
the level of trust that a person has, you would probably use a component
of type ARRAY because for any two levels of trust, one will always
be higher than the other.
Each type, including the relationships that its elements can have
with each other, is described in detail in its own section.
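The three component types side by side, as an added example that is not part of the original page. It assumes Db2 LBAC syntax; apart from dept and the four trust levels, every component, element, policy and label name is constructed for illustration.

```sql
-- Added example (Db2 LBAC syntax assumed). Names other than dept and the
-- four trust levels are constructed for illustration.
-- All statements must be run by a security administrator.

-- ARRAY: a linear scale. Elements are listed from highest to lowest,
-- so the position in the list is what defines the ordering.
CREATE SECURITY LABEL COMPONENT trust
  ARRAY ['Top Secret', 'Secret', 'Classified', 'Unclassified'];

-- TREE: every element except the root states where it sits in the
-- structure by naming its parent.
CREATE SECURITY LABEL COMPONENT dept
  TREE ('Company'     ROOT,
        'Engineering' UNDER 'Company',
        'Sales'       UNDER 'Company',
        'Hardware'    UNDER 'Engineering',
        'Software'    UNDER 'Engineering');

-- SET: plain membership. No element ranks above another, so no
-- structure has to be described.
CREATE SECURITY LABEL COMPONENT project
  SET {'Apollo', 'Borealis'};

-- A security policy is built from the components...
CREATE SECURITY POLICY company_data
  COMPONENTS trust, dept, project
  WITH DB2LBACRULES
  RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;

-- ...and a security label picks elements from each component of that policy.
CREATE SECURITY LABEL company_data.secret_software
  COMPONENT trust   'Secret',
  COMPONENT dept    'Software',
  COMPONENT project 'Apollo';
```

Because the ARRAY order carries meaning, review the element list before running the statement: swapping two entries silently inverts which level outranks the other.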
Altering security label components
The security administrator can use the ALTER SECURITY LABEL COMPONENT
statement to modify a security label component.
Dropping a security label component
You must be a security administrator to drop a security label component.
You drop a security label component with the SQL statement DROP.