Inserting Values into Protected Tables

In a database that uses label-based access control (LBAC), the INTO clause of the INSERT statement can reference a table that is protected by a security policy if the user holds both sufficient credentials for the security policy of the label that protects the table and the Insert privilege on the table.

A user who holds no security label, however, cannot insert data into a table that has LBAC row protection, even if the user has been granted the required exemptions from rules of the security policy, unless the row label of the protected table is specified in the VALUES clause of the INSERT statement. Data manipulation language statements can provide the row label of a protected table by calling any of three built-in functions whose first argument specifies the name of the security policy, and whose additional arguments are one of the following:
  • name of the security label
  • name of the IDSSECURITYLABEL column in the table
  • names of the security policy components in the label and the values of their elements
For example, the following INSERT statement calls the built-in SECLABEL_BY_NAME function in order to insert a new row into a table called tab002 that is protected by a row label called Decca of the MegaCorp security policy:
INSERT INTO tab002 
   VALUES (SECLABEL_BY_NAME('Megacorp', 'Decca'), 45, 'A.C.Debussy'); 
Whether this INSERT operation succeeds depends on whether the security credentials of the user are sufficient, relative to the component values of the Decca label, to enable write access to the tab002 table.

For additional examples of INSERT statements that access protected tables by calling SECLABEL_BY_NAME or similar built-in functions, see Security Label Support Functions. For general information about LBAC security policies, security labels, read and write access rules, and exemptions from those rules, see your HCL OneDB™ Security Guide.