DB2 10.5 for Linux, UNIX, and Windows
DB2 10.5 for Linux, UNIX, and Windows
When you try to read data protected by label-based access control (LBAC), your LBAC credentials for reading are compared to the security label that is protecting the data. If the protecting label does not block your credentials you are allowed to read the data.
In the case of a protected column the protecting security label is defined in the schema of the table. The protecting security label for that column is the same for every row in the table. In the case of a protected row the protecting security label is stored in the row in a column of type DB2SECURITYLABEL. It can be different for every row in the table.
The details of how your LBAC credentials are compared to a security label are given in the topic about how LBAC security labels are compared.
When you try to read from a protected column your LBAC credentials are compared with the security label protecting the column. Based on this comparison access will either be blocked or allowed. If access is blocked then an error is returned and the statement fails. Otherwise, the statement proceeds as usual.
Trying to read a column that your LBAC credentials do not allow you to read, causes the entire statement to fail.
Table T1 has two protected columns. The column C1 is protected by the security label L1. The column C2 is protected by the security label L2.
Assume that user Jyoti has LBAC credentials for reading that allow access to security label L1 but not to L2. If Jyoti issues the following SQL statement, the statement will fail:
SELECT * FROM T1The statement fails because column C2 is included in the SELECT clause as part of the wildcard (*).
If Jyoti issues the following SQL statement it will succeed:
SELECT C1 FROM T1The only protected column in the SELECT clause is C1, and Jyoti's LBAC credentials allow her to read that column.
If you do not have LBAC credentials that allow you to read a row it is as if that row does not exist for you.
When you read protected rows, only those rows to which your LBAC credentials allow read access are returned. This is true even if the column of type DB2SECURITYLABEL is not part of the SELECT clause.
Depending on their LBAC credentials, different users might see different rows in a table that has protected rows. For example, two users executing the statement SELECT COUNT(*) FROM T1 may get different results if T1 has protected rows and the users have different LBAC credentials.
Your LBAC credentials affect not only SELECT statements but also other SQL statements like UPDATE, and DELETE. If you do not have LBAC credentials that allow you to read a row, you cannot affect that row.
Table T1 has these rows and columns. The column ROWSECURITYLABEL has a data type of DB2SECURITYLABEL.
| LASTNAME | DEPTNO | ROWSECURITYLABEL |
|---|---|---|
| Rjaibi | 55 | L2 |
| Miller | 77 | L1 |
| Fielding | 11 | L3 |
| Bird | 55 | L2 |
Assume that user Dan has LBAC credentials that allow him to read data that is protected by security label L1 but not data protected by L2 or L3.
Dan issues the following SQL statement:
SELECT * FROM T1The SELECT statement returns only the row for Miller. No error messages or warning are returned.
Dan's view of table T1 is this:
| LASTNAME | DEPTNO | ROWSECURITYLABEL |
|---|---|---|
| Miller | 77 | L1 |
The rows for Rjaibi, Fielding, and Bird are not returned because read access is blocked by their security labels. Dan cannot delete or update these rows. They will also not be included in any aggregate functions. For Dan it is as if those rows do not exist.
Dan issues this SQL statement:
SELECT COUNT(*) FROM T1The statement returns a value of 1 because only the row for Miller can be read by the user Dan.
Column access is checked before row access. If your LBAC credentials for read access are blocked by the security label protecting one of the columns you are selecting then the entire statement fails. If not, the statement continues and only the rows protected by security labels to which your LBAC credentials allow read access are returned.
The column LASTNAME of table T1 is protected with the security label L1. The column DEPTNO is protected with security label L2. The column ROWSECURITYLABEL has a data type of DB2SECURITYLABEL. T1, including the data, looks like this:
| LASTNAME |
DEPTNO |
ROWSECURITYLABEL |
|---|---|---|
| Rjaibi | 55 | L2 |
| Miller | 77 | L1 |
| Fielding | 11 | L3 |
Assume that user Sakari has LBAC credentials that allow reading data protected by security label L1 but not L2 or L3.
Sakari issues this SQL statement:
SELECT * FROM T1The statement fails because the SELECT clause uses the wildcard (*) which includes the column DEPTNO. The column DEPTNO is protected by security label L2, which Sakari's LBAC credentials do not allow her to read.
Sakari next issues this SQL statement:
SELECT LASTNAME, ROWSECURITYLABEL FROM T1The select clause does not include any columns that Sakari is not able to read so the statement continues. Only one row is returned, however, because each of the other rows is protected by security label L2 or L3.
| LASTNAME | ROWSECURITYLABEL |
|---|---|
| Miller | L1 |