Use the CREATE SECURITY LABEL statement to define a new security label for a specified security policy in the current database and to identify its components and the elements of its components.

This statement is an extension to the ANSI/ISO standard for SQL.


1  CREATE SECURITY LABEL? IF NOT EXISTS policy . label + , COMPONENT component + , element

Element Description Restrictions Syntax
component A security label component Must already exist in the database as a component of the specified policy, and be unique among names of components of this label. Identifier
label Name you declare here for this label Must be unique among security label names for this security policy Identifier
element An element of the specified component Must have been defined when its component was defined or was last altered. If component is an array, only a single element can be specified. Quoted String
policy The security policy of this label Must already exist in the database Identifier


A security label is a named database object that supports a specified security policy. A security label can be applied to a user, or to a row or to a column (or to both a row and a column) of a table in the database. When a user who holds a security label attempts to access data that has a security label, the database server takes into account the security label of the column or row and the security label of the user in determining whether to allow the user to access the data.

Every security label stores the following categories of information:
  • It identifies an existing security policy that the label supports.
  • It identifies at least one, but no more than 16 existing components of the security policy that the label supports.
  • It identifies one or more existing elements of each component of the security label. (Only security label components of type SET or TREE can include more than one element in the same security label.)

Only DBSECADM can issue this statement. When the CREATE SECURITY LABEL statement executes successfully, it registers the specified label name, the numeric identifier of the associated security policy, and the cardinality of its security label components in the sysseclabels system catalog table.

If you include the optional IF NOT EXISTS keywords, the database server takes no action (rather than sending an exception to the application) if a security label of the specified name is already registered in the current database.