Types and Elements of Security Label Components

A security label component itself consists of one or more elements that the CREATE SECURITY LABEL COMPONENT statement declares as string constants. These elements define the set of values that are valid for the component.

When the CREATE SECURITY LABEL statement executes successfully, HCL OneDB™ updates the system catalog of the database with the following new entries:
  • It creates a new row in the sysseclabelcomponents table to register the new component.
  • For each element of the new component, it creates a new row in the sysseclabelcomponentelements table.
The security label component must be defined as one of the three component types. The ARRAY, SET, or TREE keyword that immediately follows the declaration of the component name specifies the component type, which must be followed by a list of the elements of the security component. These elements define the set of values that the component can have within a security policy. For all three types of security label components, the set of elements is under the following restrictions:
  • The security component can have no more than 64 elements.
  • Each element of a security component is a quoted string constant of no more than 32 bytes.
  • Characters in the quoted string constant cannot include the left ( ( ) or right ( ) ) parentheses, comma ( , ), or colon ( : ) symbols, but other symbols that the DB_LOCALE setting supports are valid, including the blank space (ASCII 32) character.
  • Each element must be unique among elements of the same security label component, but the same quoted string constant value can also be an element of other security label components.
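
The four restrictions above can be checked before DBSECADM issues the DDL. The following is an added example, not code from HCL OneDB or its documentation; the function name `validate_elements`, the UTF-8 stand-in for the DB_LOCALE code set, the exact-match duplicate test, and the sample values are all assumptions made for illustration.

```python
# Added example: pre-flight check of a proposed element list against the
# four restrictions listed above. Not HCL OneDB code.
MAX_ELEMENTS = 64
MAX_ELEMENT_BYTES = 32
FORBIDDEN_CHARS = set("(),:")


def validate_elements(elements, encoding="utf-8"):
    """Return a list of violation messages; an empty list means the list passes.

    `encoding` stands in for the code set of DB_LOCALE (assumed UTF-8 here),
    because the 32-byte limit counts bytes, not characters.
    """
    problems = []
    if len(elements) > MAX_ELEMENTS:
        problems.append(f"{len(elements)} elements exceeds the limit of {MAX_ELEMENTS}")
    seen = set()
    for element in elements:
        size = len(element.encode(encoding))
        if size > MAX_ELEMENT_BYTES:
            problems.append(f"{element!r} is {size} bytes, limit is {MAX_ELEMENT_BYTES}")
        bad = sorted(FORBIDDEN_CHARS.intersection(element))
        if bad:
            problems.append(f"{element!r} contains forbidden character(s) {' '.join(bad)}")
        # Assumption: duplicates are detected by exact string comparison.
        if element in seen:
            problems.append(f"{element!r} is duplicated within the component")
        seen.add(element)
    return problems


# Constructed sample input, not taken from any real policy.
SAMPLE = [
    "Top Secret",            # blank space is allowed
    "Secret",
    "Secret",                # duplicate within the same component
    "Finance:Payroll",       # colon is not allowed
    "Región Administrativa Occidental",  # 32 characters but 33 bytes in UTF-8
]

if __name__ == "__main__":
    for message in validate_elements(SAMPLE):
        print(message)
```

The last sample element shows why the length check must encode the string first: it is 32 characters long but exceeds the 32-byte limit in a multibyte code set.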

The definition of each element within the component implies a level of data sensitivity that a security label associates with a database table or with an individual data row, and also affects the security credentials of users who hold a security label to read or write data that is protected by the same label or by a different label that specifies one or more elements of the component.

Like other Data Definition Language statements of SQL that define database objects, CREATE SECURITY LABEL COMPONENT must specify a literal value for each component element, rather than a placeholder. To change the definition of an existing security label component, DBSECADM can use the ALTER SECURITY LABEL COMPONENT statement to insert a new element into an ARRAY, SET, or TREE component. To drop or rename one or more individual elements of a component, however, DBSECADM must use the DROP SECURITY LABEL COMPONENT statement to destroy the existing component, and then reissue the CREATE SECURITY LABEL COMPONENT statement to create a new component that defines the required set of element values within an ARRAY, SET, or TREE component structure.