The SECLABEL_BY_COMP function returns an IDSSECURITYLABEL
object, which is a security label in its internal encoded string format. This
function enables users to provide a security label directly by specifying
its component values.
If a security label component requires multiple values, then such
multiple values can be specified by putting those values between parenthesis
as in (value_1, value_2, ...). When a component in a particular
security label needs to be empty, it can be specified by putting nothing between
an opening and a closing parenthesis, as in (). Because the
blank space (ASCII 32) is a valid character in an element value for a security
component, any blank space appearing in the security label string is treated
as part of the element value for that component.
The security label string is limited to a maximum of 32 kilobytes.
An error is returned if the string length exceeds this limit.
The following INSERT statement inserts a row into table
T1 which
is protected by the security policy called ‘
MegaCorp’ that has three
components: '
level', '
compartments', and '
groups'. Here
the user provides a security label for the row to be inserted by specifying
the
SECLABEL_BY_COMP function. The security label in this example
has the value '
VP' for the
level component, the value '
Marketing'
for the
compartments component, and the value '
West' for the
groups component.
In the arguments to
SECLABEL_BY_COMP. colon symbols separate these
security component element values, and quotation marks delimit the list of
component values of the security label.
INSERT INTO T1
VALUES (SECLABEL_BY_COMP ('MegaCorp', 'VP:Marketing:West'), 1, 'xyz';
In the next example, the INSERT statement inserts a row in table
T1 which
is protected by the same
MegaCorp security policy, which has the same
three components as in the previous example:
level,
compartments,
and
groups. The user provides the security label for the row to be
inserted by specifying the policy name and a list of security component elements
as arguments to the
SECLABEL_BY_COMP function. Here the security label
has the value '
Director' for the
level component, the values
'
HR' and '
Finance' for the
compartments component, and
the value '
East' for the
groups component.
INSERT INTO T1
VALUES (SECLABEL_BY_COMP ('MegaCorp', 'Director:(HR,Finance):East'), 1, 'xyz');
The following example inserts a row into table
T1 which
is protected by the
MegaCorp security policy, whose three components
are
level,
compartments, and
groups. The
SECLABEL_BY_COMP function
specifies the security label for the row to be inserted. The security label
in this example has the value '
CEO' for level
component, the
empty set for the
compartments component, and the value '
EntireRegion'
for the
groups component.
INSERT INTO T1
VALUES (SECLABEL_BY_COMP ('MegaCorp', 'CEO:():EntireRegion'), 3, 'abc');
As in all of these examples, the success of the SECLABEL_BY_COMP function
call does not guarantee the success of the INSERT statement, because the security
credentials of the user are first compared to the security label that protects
table T1, using the IDSLBACRWRITE rules of the MegaCorp security
policy, before the database server allows or denies write access for inserting
the new row.