Components and Elements of a Security Label

Like a security policy, a security label must have at least one component, but no more than 16. The CREATE SECURITY LABEL statement cannot list security label components that are not components of the specified security policy. The same component name cannot be specified more than once in the same CREATE SECURITY LABEL statement. These components must already exist in the database, where DBSECADM can register them with the CREATE SECURITY LABEL COMPONENT statement.

Security label components can be of type ARRAY, SET, or TREE, as described in CREATE SECURITY LABEL COMPONENT. For a component of type ARRAY, the element list can identify only a single element. For components of type SET or TREE, the element list can identify multiple component elements that were defined when the component was created (or when it was last altered). See the CREATE SECURITY LABEL COMPONENT statement for more information about the structure and semantics of security label components.

The following example creates a security label called label1 for a security policy called MegaCorp. The label uses two security label components, called levels and compartments, each with one element, called VP and Marketing respectively:
   COMPONENT levels 'VP', 
   COMPONENT compartments 'Marketing';

For this example to be valid, the levels and compartments components, and their security label components, VP and Marketing elements, must have been defined in previously executed CREATE SECURITY LABEL COMPONENT statements.

In the next example, DBSECADM creates a security label called label2 for the same MegaCorp security policy. This label uses three security label components, called levels, compartments, and groups, where two of these components have one element, and another has two:
   COMPONENT level 'Director', 
   COMPONENT compartments 'HR', 'Finance',
   COMPONENT groups 'EntireRegion';
These examples illustrate that the components of a security label can be a subset of the components of the security policy that the label supports, and that more than one security label can support the same security policy.