Rules on Which Exemptions Are Granted

The keyword that follows the ON keyword specifies the predefined LBAC access rule of the security policy (whose identifier follows the FOR keyword) for which an exemption is granted. The access rule for which exemption is granted does not apply when a table that is protected by the specified security policy is accessed by a user to whom the exemption is granted. For descriptions of the predefined rules for read access and for write access that are associated with a security policy, see the section Rules Associated with a Security Policy.

The following keywords of the GRANT EXEMPTION statement identify specific IDSLBACRULES rules from which this statement can exempt users:
  • IDSLBACREADARRAY exempts the user from the IDSLBACREADARRAY rule for the specified security policy. That rule requires that each array component of the user security label must be greater than or equal to the corresponding array component of the data row security label.
  • IDSLBACREADSET exempts the user from the IDSLBACREADSET rule for the specified security policy. That rule requires that each set component of the user security label must include the set component of the data row security label.
  • IDSLBACREADTREE exempts the user from the IDSLBACREADTREE rule for the specified security policy. That rule requires that each tree component of the user security label must include at least one of the elements in the tree component of the data row security label, or else the ancestor of one such element.
  • IDSLBACWRITEARRAY WRITEDOWN exempts the user from one aspect of the IDSLBACWRITEARRAY rule for the specified security policy. That rule requires that each array component of the user security label must be equal to the array component of the data row security label. The user who holds this exemption can write to a row whose array component level is below the level in the label of the user. The user cannot, however, write to a row in whose label the array component level is above the level in the label of the user.
  • IDSLBACWRITEARRAY WRITEUP exempts the user from one aspect of the IDSLBACWRITEARRAY rule for the specified security policy. The user who holds this exemption can write to a row whose array component level is above the level in the label of the user. The user cannot, however, write to a row in whose label the array component level is below the level in the label of the user.
  • IDSLBACWRITEARRAY (with no WRITEDOWN or WRITEUP keyword) exempts the user from the IDSLBACWRITEARRAY rule for the specified security policy. The user who holds this exemption can write to a row without regard to the corresponding array component level of the row label.
  • IDSLBACWRITESET exempts the user from the IDSLBACWRITESET rule for the specified security policy. That rule requires that each set component of the user security label must include the set component of the data row security label.
  • IDSLBACWRITETREE exempts the user from the IDSLBACWRITETREE rule for the specified security policy. That rule requires that each tree component of the user security label must include at least one of the elements in the tree component of the data row security label, or an ancestor of one such element.
  • ALL exempts the user from all IDSLBACRULES rules for the specified security policy. This form of exemption is required to load data into a protected table.
In the following example, DBSECADM grants an exemption from all of the rules of the MegaCorp security policy to users manoj and sam:
GRANT EXEMPTION ON RULE ALL FOR MegaCorp TO manoj, sam;
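To make the rule and exemption semantics above concrete, the following is an added Python model of the read and write checks and of how each exemption keyword changes their outcome; it is illustrative code, not Informix's own implementation. The level ordering, the tree hierarchy and the label values are constructed for the example.

```python
# Added model of the IDSLBACRULES checks and of how each exemption changes the
# outcome. Illustrative code only, not the Informix implementation. Constructed
# assumptions: array component levels are ranked by list position (index 0 is the
# highest), set components are Python sets, the tree component is a parent map.
ARRAY = ["TOP SECRET", "SECRET", "CONFIDENTIAL", "PUBLIC"]
TREE_PARENT = {"ENGINEERING": "CORP", "SALES": "CORP", "KERNEL": "ENGINEERING"}

def rank(level):
    """Lower index means a higher array level."""
    return ARRAY.index(level)

def ancestors(node):
    out = set()
    while node in TREE_PARENT:
        node = TREE_PARENT[node]
        out.add(node)
    return out

def set_ok(user, row):
    # set rule: the user set component must include the row set component
    return row["set"] <= user["set"]

def tree_ok(user, row):
    # tree rule: the user holds an element of the row tree component, or an ancestor of one
    return any(e in user["tree"] or ancestors(e) & user["tree"] for e in row["tree"])

def read_allowed(user, row, exemptions=frozenset()):
    """Labels are dicts with 'array' (str), 'set' (set) and 'tree' (set) components."""
    if "ALL" in exemptions:
        return True
    if "IDSLBACREADARRAY" not in exemptions and rank(user["array"]) > rank(row["array"]):
        return False  # user level is below the row level
    if "IDSLBACREADSET" not in exemptions and not set_ok(user, row):
        return False
    return "IDSLBACREADTREE" in exemptions or tree_ok(user, row)

def write_allowed(user, row, exemptions=frozenset()):
    if "ALL" in exemptions:
        return True
    ru, rr = rank(user["array"]), rank(row["array"])
    if "IDSLBACWRITEARRAY" not in exemptions and ru != rr:
        # the full rule requires equality; WRITEDOWN opens rows below the user's
        # level, WRITEUP rows above it, and neither opens the other direction
        if rr > ru and "IDSLBACWRITEARRAY WRITEDOWN" not in exemptions:
            return False
        if rr < ru and "IDSLBACWRITEARRAY WRITEUP" not in exemptions:
            return False
    if "IDSLBACWRITESET" not in exemptions and not set_ok(user, row):
        return False
    return "IDSLBACWRITETREE" in exemptions or tree_ok(user, row)
```

Passing the exemption keywords a user holds as the third argument shows which rows the same label can reach before and after a GRANT EXEMPTION.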