Online Documentation for SQL Manager for DB2

Label-Based Access Control


Label-Based Access Control (LBAC) greatly increases the control you have over those who can access your data. LBAC lets you decide exactly who has WRITE access and who has READ access to individual rows and individual columns.


The LBAC capability is highly configurable and can be tailored to match your particular security environment. All LBAC configuration is performed by a security administrator, which is a user that has been granted the SECADM authority by the system administrator.


A security administrator configures the LBAC system by creating security label components. A security label component is a database object that represents a criterion you want to use to determine if a user should access a piece of data. For example, the criterion can be whether the user is in a certain department, or whether they are working on a certain project. A security policy describes the criteria that will be used to decide who has access to what data. A security policy contains one or more security label components. Only one security policy can be used to protect any one table, but different tables can be protected by different security policies.


After creating a security policy, a security administrator creates objects, called security labels, that are part of that policy. Security labels contain security label components. Exactly what makes up a security label is determined by the security policy and can be configured to represent the criteria that your organization uses to decide who should have access to particular data items.


If you decide, for instance, that you want to look at a person's position in the company and what projects they are part of to decide what data they should see, then you can configure your security labels so that each label can include that information. LBAC is flexible enough to let you set up anything from very complicated criteria to a very simple system where each label represents either a "high" or a "low" level of trust.
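The sequence described above (components, then a policy, then labels, then a protected table) as an added DB2 SQL example; it is not part of the SQL Manager documentation, and the names corp_policy, hr_secret, employee and alice are assumptions. All statements except the INSERT must be run by a user holding SECADM authority.

```sql
-- 1. Security label components: each one is a criterion used to decide access.
--    ARRAY = ordered levels, SET = unordered group membership, TREE = hierarchy.
CREATE SECURITY LABEL COMPONENT level
    ARRAY ['TOP SECRET', 'SECRET', 'CONFIDENTIAL', 'UNCLASSIFIED'];

CREATE SECURITY LABEL COMPONENT department
    SET {'HR', 'FINANCE', 'ENGINEERING'};

CREATE SECURITY LABEL COMPONENT project
    TREE ('ALL' ROOT,
          'PROJECT_A' UNDER 'ALL',
          'PROJECT_B' UNDER 'ALL');

-- 2. Security policy: groups the components and selects the DB2 comparison rules.
--    RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL rejects writes whose row label
--    the user is not allowed to write, instead of silently overriding the label.
CREATE SECURITY POLICY corp_policy
    COMPONENTS level, department, project
    WITH DB2LBACRULES
    RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;

-- 3. Security labels belong to the policy and assign a value per component.
CREATE SECURITY LABEL corp_policy.hr_secret
    COMPONENT level 'SECRET',
    COMPONENT department 'HR',
    COMPONENT project 'ALL';

CREATE SECURITY LABEL corp_policy.eng_projecta
    COMPONENT level 'CONFIDENTIAL',
    COMPONENT department 'ENGINEERING',
    COMPONENT project 'PROJECT_A';

-- 4. Protect a table: one policy per table, a DB2SECURITYLABEL column for
--    row-level control, and SECURED WITH on a column for column-level control.
CREATE TABLE employee (
    emp_id    INTEGER      NOT NULL PRIMARY KEY,
    name      VARCHAR(60),
    salary    DECIMAL(9,2) SECURED WITH hr_secret,   -- column-level protection
    row_label DB2SECURITYLABEL                       -- row-level protection
) SECURITY POLICY corp_policy;

-- 5. Grant labels to users; alice can read and write HR/SECRET rows and
--    the salary column, bob only reads ENGINEERING/PROJECT_A rows.
GRANT SECURITY LABEL corp_policy.hr_secret    TO USER alice FOR ALL ACCESS;
GRANT SECURITY LABEL corp_policy.eng_projecta TO USER bob   FOR READ ACCESS;

-- 6. Rows are labelled on insert (alice's session); bob cannot read this row.
INSERT INTO employee (emp_id, name, salary, row_label)
VALUES (1, 'Jane Doe', 90000.00, SECLABEL_BY_NAME('corp_policy', 'hr_secret'));
```

A row's label is compared against the reading or writing user's label component by component under the DB2LBACRULES, so a user with no label under corp_policy sees no rows at all from employee.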