Permissions and masks

RCAC (row and column access control) is a model in which a security administrator manages privacy and security policies as rules attached to the table itself, rather than in the application or in a set of user-specific views.

RCAC lets all users access the same table instead of giving each class of user its own view of the table. It restricts which data in the table a user sees according to the individual user permissions or rules specified by the policy associated with the table. There are two sets of rules: one operates on rows (permissions) and the other on columns (masks). To create permissions and masks, IBM® Advanced Data Security for i must be installed.

Row permission

  • A row permission defines a row access control rule for a specific table.
  • A row access control rule is an SQL search condition that describes what set of rows a user can access.
  • The definition of each row permission may reference the user or group in the search condition. If multiple row permissions are defined for a table and row access control is activated, the search conditions of the individual row permissions are connected by the logical OR operator to form the row access control search condition, so a row is visible if any one enabled permission admits it. This search condition is applied whenever the table is accessed. It acts as a filter on the table before any other user-specified operations, such as predicates and ordering, are processed. It also acts like the WITH CHECK OPTION clause of a view: a row to be inserted or updated by an INSERT, UPDATE, or MERGE statement must conform to the row permissions, so a user cannot write a row that the user would not be allowed to read back.

Column mask

  • A column mask defines a column access control rule for a specific column in a table.
  • A column access control rule is an SQL CASE expression that describes what column values a user is permitted to see and under what conditions.
  • The definition of each column mask may reference the user or group in the search conditions of the CASE WHEN clauses. While multiple columns in a table may have column masks, only one column mask can be created for a single column. When column access control is activated for the table, the CASE expression in the column mask definition is applied to the output column to determine the masked values returned to an application. The application of column masks affects the final output only. It does not affect operations such as predicates and ordering in an SQL statement, so a user who only ever sees a masked value can still filter or sort on the real value; data that must not be inferred that way belongs behind a row permission rather than a mask.

RCAC can be activated for a table before or after row permissions or column masks are created for the table. If row permissions or column masks exist, activating row and column access control simply makes the permissions or masks become effective. If row permissions do not yet exist, activating row access control for a table means that Db2® for i generates a default row permission that prevents any access to the data in the table.
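The following is an added example, not code from the IBM documentation, that walks the whole procedure described above: two row permissions whose conditions are ORed, one column mask, activation of both controls, and the checks a practitioner would run afterwards. The schema HR, the table HR.EMPLOYEE with columns EMPNO, USER_ID and SSN, and the group profiles HR_MGR, HR_STAFF and PAYROLL are assumptions; VERIFY_GROUP_FOR_USER, SESSION_USER and the QSYS2.SYSCONTROLS catalog view are Db2 for i built-ins.

```sql
-- Added example; not from the IBM documentation. Schema HR, table EMPLOYEE, its
-- columns and the group profiles HR_MGR, HR_STAFF and PAYROLL are hypothetical.
-- VERIFY_GROUP_FOR_USER and SESSION_USER are Db2 for i built-ins. ENFORCED FOR ALL
-- ACCESS is required on CREATE PERMISSION in Db2 for i.

-- Row permission 1: members of the HR_MGR group profile see every row.
CREATE PERMISSION HR.EMP_MGR_ACCESS ON HR.EMPLOYEE
   FOR ROWS WHERE VERIFY_GROUP_FOR_USER(SESSION_USER, 'HR_MGR') = 1
   ENFORCED FOR ALL ACCESS
   ENABLE;

-- Row permission 2: HR_STAFF members see only their own row. Once row access
-- control is active the two search conditions are ORed, so this narrower rule
-- does not hide rows from a manager.
CREATE PERMISSION HR.EMP_SELF_ACCESS ON HR.EMPLOYEE
   FOR ROWS WHERE VERIFY_GROUP_FOR_USER(SESSION_USER, 'HR_STAFF') = 1
              AND EMPLOYEE.USER_ID = SESSION_USER
   ENFORCED FOR ALL ACCESS
   ENABLE;

-- Column mask: at most one per column. PAYROLL sees the full value, managers the
-- last four digits, everyone else NULL. The CASE is applied to the output only.
CREATE MASK HR.EMP_SSN_MASK ON HR.EMPLOYEE
   FOR COLUMN SSN RETURN
      CASE
         WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'PAYROLL') = 1 THEN SSN
         WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'HR_MGR') = 1
              THEN 'XXX-XX-' CONCAT SUBSTR(SSN, 8, 4)
         ELSE NULL
      END
   ENABLE;

-- Nothing above is enforced until RCAC is activated on the table. Activating row
-- access control on a table with no row permission would instead install the
-- default deny-all permission, so create the permissions first, as done here.
ALTER TABLE HR.EMPLOYEE
   ACTIVATE ROW ACCESS CONTROL
   ACTIVATE COLUMN ACCESS CONTROL;

-- Check: list the permissions and masks now defined on the table and whether
-- each is enabled.
SELECT * FROM QSYS2.SYSCONTROLS
   WHERE TABLE_SCHEMA = 'HR' AND TABLE_NAME = 'EMPLOYEE';

-- Checks run as an HR_STAFF user who is in neither HR_MGR nor PAYROLL: the SELECT
-- returns only that user's row with SSN as NULL; the INSERT of a row for another
-- USER_ID fails, because the new row satisfies no enabled row permission
-- (the WITH CHECK OPTION behaviour).
SELECT EMPNO, USER_ID, SSN FROM HR.EMPLOYEE;
INSERT INTO HR.EMPLOYEE (EMPNO, USER_ID, SSN)
   VALUES ('000999', 'SOMEONE', '987-65-4321');

-- Caveat: masks do not apply to predicates. If the caller's own row holds this
-- SSN, the query still matches it on the real value and returns the row (with
-- SSN masked in the output). Filtering that must stay secret belongs in a row
-- permission, not a mask.
SELECT EMPNO FROM HR.EMPLOYEE WHERE SSN = '123-45-6789';
```

Create the row permissions before activating row access control: the order in the block avoids the deny-all default permission that activation would otherwise install, and the SYSCONTROLS query is the quickest way to confirm what is actually in force on the table.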