SECURITY POLICY Clause

The optional SECURITY POLICY clause uses the following syntax to specify the name of an existing security policy, which is thereby associated with the table.

This syntax fragment is part of the CREATE TABLE statement.

SECURITY POLICY Clause

SECURITY POLICY policy

| Element | Description | Restrictions | Syntax |
|---------|-------------|--------------|--------|
| policy | Name of a security policy | Must exist in the database | Identifier |

Usage

Only DBSECADM can create a table that includes the SECURITY POLICY clause to specify a security policy for the table.

Restrictions on adding a security policy

The following guidelines apply to tables that can be protected by including a valid SECURITY POLICY clause in the CREATE TABLE statement, and that also include a column of data type IDSSECURITYLABEL that stores an LBAC label component of the same security policy.
  • A table is not protected unless it has a security policy associated with it and either has rows secured or has at least one column secured.
    • Having rows secured indicates that the table is a protected table with row-level granularity.
    • Having at least one column secured indicates that the table is a protected table with column-level granularity.
  • Securing rows with the IDSSECURITYLABEL column clause fails if the table does not have a security policy associated with it.
  • Securing a column with the COLUMN SECURED WITH clause fails if the table does not have a security policy associated with it.
  • A table can have at most one security policy.
  • A table can have any number of protected columns. Each protected column can have a different security label, or several protected columns can share the same security label, but all labels must have the same security policy.
  • A security policy cannot be associated with a temporary table, nor with a typed table in a table hierarchy.
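
The following is an added example, not part of the original documentation. It shows one table that satisfies the guidelines above (one policy, row-level and column-level protection, two columns sharing a label) and two definitions that the guidelines say fail. The component, policy, label, and table names are constructed for illustration.

```sql
-- Added example; every object name here is constructed for illustration.
-- Run as a user who holds the DBSECADM role.

-- LBAC setup that the SECURITY POLICY clause depends on:
-- a label component, a policy built on it, and labels in that policy.
CREATE SECURITY LABEL COMPONENT sec_level
    ARRAY ['TOP SECRET', 'SECRET', 'CONFIDENTIAL', 'UNCLASSIFIED'];

CREATE SECURITY POLICY hr_policy
    COMPONENTS sec_level
    WITH IDSLBACRULES;

CREATE SECURITY LABEL hr_policy.lbl_secret COMPONENT sec_level 'SECRET';
CREATE SECURITY LABEL hr_policy.lbl_conf   COMPONENT sec_level 'CONFIDENTIAL';

-- Protected table with both granularities under a single policy:
--   row_label         -> rows secured (row-level granularity)
--   salary, bonus     -> two protected columns sharing one label
--   home_phone        -> a protected column with a different label
-- All labels belong to hr_policy, the table's only security policy.
CREATE TABLE employee
(
    row_label  IDSSECURITYLABEL,
    emp_id     INT,
    emp_name   CHAR(40),
    salary     DECIMAL(10,2) COLUMN SECURED WITH lbl_secret,
    bonus      DECIMAL(10,2) COLUMN SECURED WITH lbl_secret,
    home_phone CHAR(20)      COLUMN SECURED WITH lbl_conf
)
SECURITY POLICY hr_policy;

-- Expected to fail: rows cannot be secured with an IDSSECURITYLABEL
-- column when the table has no security policy associated with it.
CREATE TABLE employee_nopolicy
(
    row_label IDSSECURITYLABEL,
    emp_id    INT
);

-- Expected to fail: COLUMN SECURED WITH also requires a security policy
-- on the table.
CREATE TABLE payroll_nopolicy
(
    emp_id INT,
    salary DECIMAL(10,2) COLUMN SECURED WITH lbl_secret
);
```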