Your ability to delete data in tables protected by LBAC depend on your LBAC credentials.
If your LBAC credentials do not allow you to read a row, it is as if that row does not exist for you so there is no way for you to delete it. To delete a row that you are able to read, your LBAC credentials must also allow you to write to the row. To delete any row in a table that has protected columns you must have LBAC credentials that allow you to write to all protected columns in the table.
When you try to delete a row, your LBAC credentials for writing are compared to the security label protecting the row. If the protecting security label blocks write access by your LBAC credentials, the DELETE statement fails, an error is returned, and no rows are deleted.
Protected table T1 has these rows:
LASTNAME | DEPTNO | LABEL |
---|---|---|
Rjaibi | 55 | L2 |
Miller | 77 | L1 |
Bird | 55 | L2 |
Fielding | 77 | L3 |
Assume that user Pat has LBAC credentials such that her access is as summarized in this table:
Security label | Read access? | Write access? |
---|---|---|
L1 | Yes | Yes |
L2 | Yes | No |
L3 | No | No |
The exact details of her LBAC credentials and of the security labels are unimportant for this example.
Pat issues the following SQL statement:
SELECT * FROM T1 WHERE DEPTNO != 999
The statement executes and returns this result set:
LASTNAME | DEPTNO | LABEL |
---|---|---|
Rjaibi | 55 | L2 |
Miller | 77 | L1 |
Bird | 55 | L2 |
The last row of T1 is not included in the results because Pat does not have read access to that row. It is as if that row does not exist for Pat.
Pat issues this SQL statement:
DELETE FROM T1 WHERE DEPTNO != 999
Pat does not have write access to the first or third row, both of which are protected by L2. So even though she can read the rows she cannot delete them. The DELETE statement fails and no rows are deleted.
Pat issues this SQL statement:
DELETE FROM T1 WHERE DEPTNO = 77;
This statement succeeds because Pat is able to write to the row with Miller in the LASTNAME column. That is the only row selected by the statement. The row with Fielding in the LASTNAME column is not selected because Pat's LBAC credentials do not allow her to read that row. That row is never considered for the delete so no error occurs.
The actual rows of the table now look like this:
LASTNAME | DEPTNO | LABEL |
---|---|---|
Rjaibi | 55 | L2 |
Bird | 55 | L2 |
Fielding | 77 | L3 |
To delete any row in a table that has protected columns you must have LBAC credentials that allow you to write to all protected columns in the table. If there is any row in the table that your LBAC credentials do not allow you to write to then the delete will fail and an error will be returned.
If the table has both protected columns and protected rows then to delete a particular row you must have LBAC credentials that allow you to write to every protected column in the table and also to read from and write to the row that you want to delete.
In protected table T1, the column DEPTNO is protected by the security label L2. T1 contains these rows:
LASTNAME | DEPTNO |
LABEL |
---|---|---|
Rjaibi | 55 | L2 |
Miller | 77 | L1 |
Bird | 55 | L2 |
Fielding | 77 | L3 |
Assume that user Benny has LBAC credentials that allow him the access summarized in this table:
Security label | Read access? | Write access? |
---|---|---|
L1 | Yes | Yes |
L2 | Yes | No |
L3 | No | No |
The exact details of his LBAC credentials and of the security labels are unimportant for this example.
Benny issues the following SQL statement:
DELETE FROM T1 WHERE DEPTNO = 77
The statement fails because Benny does not have write access to the column DEPTNO.
Now Benny's LBAC credentials are changed so that he has access as summarized in this table:
Security label | Read access? | Write access? |
---|---|---|
L1 | Yes | Yes |
L2 | Yes | Yes |
L3 | Yes | No |
Benny issues this SQL statement again:
DELETE FROM T1 WHERE DEPTNO = 77
This time Benny has write access to the column DEPTNO so the delete continues. The delete statement selects only the row that has a value of Miller in the LASTNAME column. The row that has a value of Fielding in the LASTNAME column is not selected because Benny's LBAC credentials do not allow him to read that row. Because the row is not selected for deletion by the statement it does not matter that Benny is unable to write to the row.
The one row selected is protected by the security label L1. Benny's LBAC credentials allow him to write to data protected by L1 so the delete is successful.
The actual rows in table T1 now look like this:
LASTNAME | DEPTNO |
LABEL |
---|---|---|
Rjaibi | 55 | L2 |
Bird | 55 | L2 |
Fielding | 77 | L3 |
You cannot drop a column that is protected by a security label unless your LBAC credentials allow you to write to that column.
A column with a data type of DB2SECURITYLABEL cannot be dropped from a table. To remove it you must first drop the security policy from the table. When you drop the security policy the table is no longer protected with LBAC and the data type of the column is automatically changed from DB2SECURITYLABEL to VARCHAR(128) FOR BIT DATA. The column can then be dropped.
Your LBAC credentials do not prevent you from dropping entire tables or databases that contain protected data. If you would normally have permission to drop a table or a database you do not need any LBAC credentials to do so, even if the database contains protected data.