
Author: Kazrarisar Zolokus
Country: Cyprus
Language: English (Spanish)
Genre: Software
Published (Last): 28 May 2009
Pages: 55
PDF File Size: 15.56 Mb
ePub File Size: 13.72 Mb
ISBN: 900-9-80656-610-6
Downloads: 71283
Price: Free* [*Free Registration Required]
Uploader: Vull

Label-based access control (LBAC) greatly increases the control you have over who can access your data. LBAC lets you decide exactly who has write access and who has read access to individual rows and individual columns.

The LBAC capability is very configurable and can be tailored to match your particular security environment. A security administrator (a user holding SECADM authority) configures the LBAC system by creating security label components. A security label component is a database object that represents a criterion you want to use to determine whether a user should access a piece of data.

For example, the criterion can be whether the user is in a certain department, or whether they are working on a certain project. A security policy describes the criteria that will be used to decide who has access to what data.

A security policy contains one or more security label components. Only one security policy can be used to protect any one table, but different tables can be protected by different security policies. After creating a security policy, a security administrator creates objects, called security labels, that are part of that policy. Security labels contain values for the policy's security label components.

Exactly what makes up a security label is determined by the security policy and can be configured to represent the criteria that your organization uses to decide who should have access to particular data items. If you decide, for instance, that you want to look at a person's position in the company and what projects they are part of to decide what data they should see, then you can configure your security labels so that each label can include that information.

LBAC is flexible enough to let you set up anything from very complicated criteria to a very simple system where each label represents either a "high" or a "low" level of trust. Once created, a security label can be associated with individual columns and rows in a table to protect the data held there.


Data that is protected by a security label is called protected data. A security administrator allows users access to protected data by granting them security labels.

When a user tries to access protected data, that user’s security label is compared to the security label protecting the data. The protecting label will block some security labels and not block others.

A user, a role, or a group is allowed to hold security labels for multiple security policies at once. For any given security policy, however, a user, a role, or a group can hold at most one label for read access and one label for write access. A security administrator can also grant exemptions to users.
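The configuration chain described above (components, policy, labels, a protected table, label grants and exemptions), worked through as an added DB2 SQL example. It is not code from the original page: the object and principal names (clearance, project, dept, proj_policy, project_cost, alice, bob, carol, auditors) are hypothetical, and the statements assume DB2 for Linux, UNIX and Windows 9.1 or later, run from a connection whose authorization ID holds SECADM authority.

```sql
-- Everything below is run by a security administrator (SECADM authority).
-- SECADM itself is granted once by a user with SYSADM or DBADM authority:
--   GRANT SECADM ON DATABASE TO USER secadm;

-- 1. Security label components, one of each type (hypothetical names).
--    ARRAY: ordered; the first element is the highest and dominates the rest.
CREATE SECURITY LABEL COMPONENT clearance
    ARRAY ['TOP SECRET', 'SECRET', 'CONFIDENTIAL', 'UNCLASSIFIED'];
--    SET: unordered; a label may hold any subset of the elements.
CREATE SECURITY LABEL COMPONENT project
    SET {'APOLLO', 'GEMINI', 'MERCURY'};
--    TREE: a hierarchy; an ancestor node dominates its descendants.
CREATE SECURITY LABEL COMPONENT dept
    TREE ('CORP' ROOT, 'ENG' UNDER 'CORP', 'FIN' UNDER 'CORP',
          'PLATFORM' UNDER 'ENG');

-- 2. A security policy ties the components to the DB2LBACRULES rule set.
--    RESTRICT makes an INSERT or UPDATE fail when the user may not write the
--    label it names; the default, OVERRIDE, silently substitutes the user's
--    own write label instead, which is easy to miss in testing.
CREATE SECURITY POLICY proj_policy
    COMPONENTS clearance, project, dept
    WITH DB2LBACRULES
    RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;

-- 3. Security labels are instances of the policy. A SET component may list
--    several elements; each label carries one value per component.
CREATE SECURITY LABEL proj_policy.eng_secret
    COMPONENT clearance 'SECRET',
    COMPONENT project 'APOLLO', 'GEMINI',
    COMPONENT dept 'ENG';
CREATE SECURITY LABEL proj_policy.fin_confidential
    COMPONENT clearance 'CONFIDENTIAL',
    COMPONENT project 'MERCURY',
    COMPONENT dept 'FIN';
CREATE SECURITY LABEL proj_policy.corp_topsecret
    COMPONENT clearance 'TOP SECRET',
    COMPONENT project 'APOLLO', 'GEMINI', 'MERCURY',
    COMPONENT dept 'CORP';

-- 4. Protect a table at creation time. The DB2SECURITYLABEL column carries
--    the row label; SECURED WITH attaches a label to one column. The label
--    is named without its policy prefix because the table's policy is known.
CREATE TABLE project_cost (
    cost_id      INTEGER NOT NULL PRIMARY KEY,
    project_code VARCHAR(16),
    amount       DECIMAL(12,2) SECURED WITH fin_confidential,
    notes        VARCHAR(200),
    row_label    DB2SECURITYLABEL
) SECURITY POLICY proj_policy;

--    The same protection can be added to an existing table afterwards:
-- ALTER TABLE project_cost ADD SECURITY POLICY proj_policy;
-- ALTER TABLE project_cost ADD COLUMN row_label DB2SECURITYLABEL;
-- ALTER TABLE project_cost ALTER COLUMN amount SECURED WITH fin_confidential;

-- 5. Grant labels: at most one read label and one write label per policy
--    per grantee. FOR ALL ACCESS grants the same label for both.
GRANT SECURITY LABEL proj_policy.eng_secret       TO USER alice FOR ALL ACCESS;
GRANT SECURITY LABEL proj_policy.corp_topsecret   TO USER bob   FOR READ ACCESS;
GRANT SECURITY LABEL proj_policy.fin_confidential TO USER bob   FOR WRITE ACCESS;
GRANT SECURITY LABEL proj_policy.corp_topsecret   TO GROUP auditors FOR READ ACCESS;

-- 6. An exemption switches off one rule of one policy for the grantee. This
--    one lets carol read rows whose SET component her label does not cover.
GRANT EXEMPTION ON RULE DB2LBACREADSET FOR proj_policy TO USER carol;
--    Both kinds of credential are revoked the same way they were granted:
-- REVOKE EXEMPTION ON RULE DB2LBACREADSET FOR proj_policy FROM USER carol;
-- REVOKE SECURITY LABEL proj_policy.eng_secret FROM USER alice;
```

Label grants do not replace ordinary table privileges: alice and bob still need SELECT, INSERT, UPDATE or DELETE on project_cost before LBAC is even consulted. The exemption in step 6 is the credential to watch in review, because it removes a rule for every table the policy protects, not for one table.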


An exemption allows you to access protected data that your security labels might otherwise prevent you from accessing. Together, your security labels and exemptions are called your LBAC credentials. If you try to access a protected column that your LBAC credentials do not allow you to access, the access fails and you get an error message.

Rows that your LBAC credentials do not allow you to read are handled differently: they are silently omitted from the result rather than causing an error, and even aggregate functions such as COUNT(*) ignore rows that your LBAC credentials do not allow you to read. You can define a view on a protected table the same way you can define one on a non-protected table. When such a view is accessed, the LBAC protection on the underlying table is enforced, so two users accessing the same view might see different rows depending on their LBAC credentials.

When you use LBAC to protect a table at the row level, the additional storage cost is the cost of the row security label column. This cost depends on the type of security label chosen.

For example, if you create a security policy with two components to protect a table, a security label from that security policy will occupy 16 bytes (8 bytes for each component). Because the row security label column is treated as a not-nullable VARCHAR column, with that column type's own per-row overhead, the total cost in this case would be 20 bytes per row.


When you use LBAC to protect a table at the column level, the additional storage cost is only the catalog metadata kept for each protected column. This metadata is simply the ID of the security label protecting the column. The user table does not incur any storage overhead in this case. A tutorial leading you through the basics of using LBAC is available online.

Referential integrity and LBAC
When a delete of a parent row cascades to its child rows, the LBAC write rules are also enforced on those child rows. This is to avoid having orphan children. For example, if a user deletes a parent but cannot delete any of the children because of an LBAC write rule violation, then the whole delete is rolled back and an error is returned.


LBAC does not replace ordinary table privileges. If you do not have permission to read from a table, then you will not be allowed to read data from that table, even the rows and columns to which LBAC would otherwise allow you access.


LBAC security policies
The security administrator uses a security policy to define criteria that determine who has write access and who has read access to individual rows and individual columns of tables. You use security label components to model your organization's security structure. Security labels are applied to data in order to protect the data. They are granted to users to allow them to access protected data.

Your LBAC credentials are any security labels you hold plus any exemptions that you hold. When two security labels are compared, one or more of the rules in the policy's rule set (DB2LBACRULES, the only rule set DB2 provides) are used to determine whether one label blocks the other.

LBAC rule exemptions
When you hold an LBAC rule exemption on a particular rule of a particular security policy, that rule is not enforced when you try to access data protected by that security policy.
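A practitioner check for the credentials just described, added here and not part of the original page: the catalog queries below show whether LBAC is in use at all, which tables and columns are protected, and which principals hold which labels and exemptions. The view and column names are those of the SYSCAT catalog views in DB2 for Linux, UNIX and Windows (SYSCAT.SECURITYPOLICIES, SYSCAT.SECURITYLABELS, SYSCAT.SECURITYLABELACCESS, SYSCAT.SECURITYPOLICYEXEMPTIONS, SYSCAT.TABLES, SYSCAT.COLUMNS); confirm them against the catalog reference for your release before relying on the output.

```sql
-- Is LBAC in use at all? A database with no security policies has no
-- protected tables, whatever labels may have been created elsewhere.
SELECT COUNT(*) AS policy_count
FROM   SYSCAT.SECURITYPOLICIES;

-- Which tables are protected, and by which policy? The inner join drops
-- unprotected tables regardless of how SECPOLICYID is represented for them.
SELECT t.TABSCHEMA, t.TABNAME, p.SECPOLICYNAME
FROM   SYSCAT.TABLES t
JOIN   SYSCAT.SECURITYPOLICIES p ON p.SECPOLICYID = t.SECPOLICYID
ORDER BY t.TABSCHEMA, t.TABNAME;

-- Which individual columns carry their own label?
SELECT c.TABSCHEMA, c.TABNAME, c.COLNAME, c.SECLABELNAME
FROM   SYSCAT.COLUMNS c
WHERE  c.SECLABELNAME IS NOT NULL
ORDER BY c.TABSCHEMA, c.TABNAME, c.COLNAME;

-- Who holds which label, for read and/or write access (READACCESS and
-- WRITEACCESS are 'Y' or 'N')? GRANTEETYPE distinguishes users, groups
-- and roles, so a group or role grant is not missed when auditing one user.
SELECT a.GRANTEE, a.GRANTEETYPE, p.SECPOLICYNAME, l.SECLABELNAME,
       a.READACCESS, a.WRITEACCESS
FROM   SYSCAT.SECURITYLABELACCESS a
JOIN   SYSCAT.SECURITYLABELS   l ON l.SECLABELID  = a.SECLABELID
JOIN   SYSCAT.SECURITYPOLICIES p ON p.SECPOLICYID = l.SECPOLICYID
ORDER BY a.GRANTEE, p.SECPOLICYNAME;

-- Exemptions are the half of a credential that bypasses a rule outright;
-- review every row here with the same care as a label grant.
SELECT e.GRANTEE, e.GRANTEETYPE, p.SECPOLICYNAME, e.ACCESSRULENAME
FROM   SYSCAT.SECURITYPOLICYEXEMPTIONS e
JOIN   SYSCAT.SECURITYPOLICIES p ON p.SECPOLICYID = e.SECPOLICYID
ORDER BY e.GRANTEE, p.SECPOLICYNAME;
```

Run these as a user who can read the catalog; the catalog views themselves are not LBAC-protected, so the listing is complete regardless of the labels the auditing user holds.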

Data in a table can only be protected by security labels that are part of the security policy protecting the table. Data protection, including adding a security policy, can be done when creating the table or later by altering the table. If the protecting label does not block your credentials you are allowed to read the data.

In the case of updating a protected row, your LBAC credentials must also allow read access to the row.

Deleting or dropping LBAC-protected data
If your LBAC credentials do not allow you to read a row, then it is as if that row does not exist for you, so there is no way for you to delete it.

To delete a row that you are able to read, your LBAC credentials must also allow you to write to the row. To delete any row in a table that has protected columns, you must have LBAC credentials that allow you to write to all protected columns in the table. A security administrator can also remove the security policy from a table (ALTER TABLE ... DROP SECURITY POLICY); this automatically removes protection from all rows and all columns of the table.
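The read, update and delete rules above traced through a concrete case, as an added example that is not part of the original page. It uses a hypothetical one-component ARRAY policy (names sensitivity, memo_policy, memo) and two users, alice holding SECRET and bob holding PUBLIC, each label granted FOR ALL ACCESS. The "as <user>" comments mark statements that must be issued from a connection authenticated as that user, since DB2 evaluates LBAC against the session authorization ID; the outcomes in the comments follow from the DB2LBACRULES array rules (read: the user's value must be at or above the row's; write: it must be equal) and should be confirmed on your own instance.

```sql
-- Set-up, as SECADM. Array order matters: 'SECRET' is above 'PUBLIC'.
-- The policy keeps the default OVERRIDE behaviour on purpose (see below).
CREATE SECURITY LABEL COMPONENT sensitivity ARRAY ['SECRET', 'PUBLIC'];
CREATE SECURITY POLICY memo_policy COMPONENTS sensitivity WITH DB2LBACRULES;
CREATE SECURITY LABEL memo_policy.secret COMPONENT sensitivity 'SECRET';
CREATE SECURITY LABEL memo_policy.public COMPONENT sensitivity 'PUBLIC';
CREATE TABLE memo (
    memo_id   INTEGER NOT NULL PRIMARY KEY,
    body      VARCHAR(200),
    row_label DB2SECURITYLABEL
) SECURITY POLICY memo_policy;
GRANT SECURITY LABEL memo_policy.secret TO USER alice FOR ALL ACCESS;
GRANT SECURITY LABEL memo_policy.public TO USER bob   FOR ALL ACCESS;
-- LBAC adds to ordinary privileges; without these nothing below works.
GRANT SELECT, INSERT, UPDATE, DELETE ON memo TO USER alice, USER bob;

-- as alice (SECRET). Naming a label below her own is a write-down, which the
-- array write rule forbids. Under OVERRIDE, DB2 does not fail the statement:
-- it silently stores alice's own write label, so memo 2 ends up SECRET.
INSERT INTO memo VALUES (1, 'board minutes',
                         SECLABEL_BY_NAME('memo_policy', 'secret'));
INSERT INTO memo VALUES (2, 'meant to be public',
                         SECLABEL_BY_NAME('memo_policy', 'public'));
-- Omitting the label column uses the writer's own write label (SECRET).
INSERT INTO memo (memo_id, body) VALUES (3, 'minutes, continued');
-- Verify what was actually stored rather than trusting the INSERT:
SELECT memo_id, SECLABEL_TO_CHAR('memo_policy', row_label) AS label
FROM   memo;                       -- 1 SECRET, 2 SECRET, 3 SECRET

-- as bob (PUBLIC). His own write label is PUBLIC, so this row is PUBLIC.
INSERT INTO memo VALUES (4, 'cafeteria menu',
                         SECLABEL_BY_NAME('memo_policy', 'public'));
-- Reading: rows whose label blocks his label do not exist for him.
SELECT memo_id, body FROM memo;    -- only memo 4
SELECT COUNT(*) FROM memo;         -- 1, not 4
-- Update or delete of a row he cannot read touches nothing: no error, 0 rows.
UPDATE memo SET body = 'tampered' WHERE memo_id = 1;   -- 0 rows
DELETE FROM memo WHERE memo_id = 1;                    -- 0 rows
-- Raising his own row's label is a write-up; under OVERRIDE the statement
-- succeeds but the label is replaced by his write label, so memo 4 stays PUBLIC.
UPDATE memo SET row_label = SECLABEL_BY_NAME('memo_policy', 'secret')
WHERE  memo_id = 4;

-- as alice (SECRET). She reads every row, but may write only rows at her own
-- label, so the PUBLIC row is readable yet neither updatable nor deletable.
SELECT COUNT(*) FROM memo;                             -- 4
DELETE FROM memo WHERE memo_id = 4;                    -- fails: write rule

-- as SECADM: an exemption on the write-down half of the array rule, for this
-- policy only, lets alice write to rows below her label.
GRANT EXEMPTION ON RULE DB2LBACWRITEARRAY WRITEDOWN FOR memo_policy TO USER alice;
-- as alice:
DELETE FROM memo WHERE memo_id = 4;                    -- now succeeds

-- as SECADM: dropping the policy from the table removes all row and column
-- protection at once; any user with SELECT on memo then sees every row.
ALTER TABLE memo DROP SECURITY POLICY;
```

The OVERRIDE behaviour is the point to take away: an application that labels rows explicitly can believe it wrote a PUBLIC row when the row was stored at the writer's own level, or the reverse, without any error being raised. Creating the policy with RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL makes those two statements fail instead, which is usually what a security reviewer wants.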
