Configuring label-based access control

The general procedure involves a few SQL-based tasks that define precise but flexible database security objects.

Before you begin

Before you implement label-based access control (LBAC), you must identify the data that must be protected, who can access that data, and which tables cannot be protected.

About this task

The following list outlines the major tasks in setting up a basic implementation with HCL® OneDB®:

Procedure

  1. The database server administrator (DBSA) grants the DBSECADM role.
  2. The DBSECADM defines the security objects:
    1. Creates security label components to define the attributes of sensitive data and the corresponding attributes of users who can have read access or write access to this data.
    2. Creates security policies to reflect the organization's restrictions about who can access protected data.
    3. Creates security labels for the security policies.
    4. Grants security labels to users who must have access to the protected data.
    5. To protect new tables: Uses the CREATE TABLE statement with the SECURITY POLICY clause and specifies how security objects protect data at the row level, column level, or at both levels.
    6. To protect existing tables: Uses the ALTER TABLE statement with the ADD SECURITY POLICY clause and specifies how security objects protect data at the row level, column level, or at both levels.
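The six steps above carried end to end as one worked SQL example. This is an added illustration, not a script from the HCL OneDB documentation: the user names secadmin, alice and bob, the policy name data_access, the component, label and table names, and the combining of ADD SECURITY POLICY with an ADD (column) clause in a single ALTER TABLE statement are assumptions made for this example. The DBSA runs the first statement; the new DBSECADM runs the rest.

```sql
-- Step 1 (run as the DBSA): grant the DBSECADM role to the security
-- administrator. The user name secadmin is constructed for this example.
GRANT DBSECADM TO secadmin;

-- Step 2.1 (run as the DBSECADM): security label components. ARRAY gives an
-- ordered set of levels, SET an unordered set of compartments, and TREE a
-- hierarchy of groups; names below are assumptions for illustration.
CREATE SECURITY LABEL COMPONENT level
    ARRAY ['TOP SECRET', 'SECRET', 'CONFIDENTIAL', 'UNCLASSIFIED'];

CREATE SECURITY LABEL COMPONENT compartments
    SET {'finance', 'research'};

CREATE SECURITY LABEL COMPONENT groups
    TREE ('corp' ROOT, 'engineering' UNDER 'corp', 'payroll' UNDER 'corp');

-- Step 2.2: a security policy that combines the three components under the
-- built-in IDSLBACRULES rule set.
CREATE SECURITY POLICY data_access
    COMPONENTS level, compartments, groups
    WITH IDSLBACRULES;

-- Step 2.3: security labels defined inside the policy.
-- payroll_secret marks sensitive payroll rows and columns.
CREATE SECURITY LABEL data_access.payroll_secret
    COMPONENT level 'SECRET',
    COMPONENT compartments 'finance',
    COMPONENT groups 'payroll';

-- auditor dominates payroll_secret on every component (higher level, a
-- superset of compartments, an ancestor group), so it can read those rows.
CREATE SECURITY LABEL data_access.auditor
    COMPONENT level 'TOP SECRET',
    COMPONENT compartments 'finance', 'research',
    COMPONENT groups 'corp';

-- engineer is dominated on all three components and will not see them.
CREATE SECURITY LABEL data_access.engineer
    COMPONENT level 'CONFIDENTIAL',
    COMPONENT compartments 'research',
    COMPONENT groups 'engineering';

-- Step 2.4: grant labels to users (alice and bob are constructed names).
-- Read and write access are granted separately, so an auditor can be given
-- read access without the ability to write payroll rows.
GRANT SECURITY LABEL data_access.auditor TO USER alice FOR READ ACCESS;
GRANT SECURITY LABEL data_access.payroll_secret TO USER bob FOR ALL ACCESS;

-- Step 2.5: protect a new table at both levels. The IDSSECURITYLABEL column
-- holds each row's label; COLUMN SECURED WITH protects a single column.
CREATE TABLE employee (
    emp_id     INTEGER NOT NULL,
    name       VARCHAR(64),
    salary     DECIMAL(10,2) COLUMN SECURED WITH payroll_secret,
    row_label  IDSSECURITYLABEL
) SECURITY POLICY data_access;

-- Step 2.6: protect an existing table (contractor is assumed to exist).
-- Combining both ADD clauses in one statement is an assumption here.
ALTER TABLE contractor
    ADD SECURITY POLICY data_access,
    ADD (row_label IDSSECURITYLABEL);

-- Populate a protected row: SECLABEL_BY_NAME resolves a label of the policy
-- to the value stored in the IDSSECURITYLABEL column.
INSERT INTO employee (emp_id, name, salary, row_label)
    VALUES (1, 'Dana', 90000.00,
            SECLABEL_BY_NAME('data_access', 'payroll_secret'));

-- Verification query: SECLABEL_TO_CHAR renders the stored label so an
-- administrator can confirm which label each visible row carries.
SELECT emp_id, name, SECLABEL_TO_CHAR('data_access', row_label) AS label
    FROM employee;
```

Run the final SELECT once as alice and once as a user who holds only data_access.engineer: alice sees the payroll row with its label rendered, while the engineer session returns no rows and cannot read the salary column at all, because LBAC filters rows and columns silently rather than raising a permission error.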

What to do next

Tables to exclude from LBAC protection

LBAC does not protect the following categories of tables:
  • virtual-table interface (VTI) tables
  • tables with virtual-index interface (VII)
  • temporary (TEMP) tables
  • typed tables
  • hierarchical tables