Security Policies (DB2)

Security policies define criteria that determine who has write and/or read access to individual rows and columns of tables.

Every protected table must have exactly one security policy associated with it. Rows and columns in that table can only be protected with security labels that are part of that security policy, and all access to protected data follows the rules of that policy. You can have multiple security policies in a single database, but you cannot have more than one security policy protecting any given table.

Security policies are supported for DB2 for Common Server v9.5 and higher. PowerDesigner models security policies as extended objects with a stereotype of <<SecurityPolicy>>.

Creating a Security Policy

You can create a security policy in any of the following ways:

  • Select Model > Security Policies to access the List of Security Policies, and click the Add a Row tool.

  • Right-click the model (or a package) in the Browser, and select New > Security Policy.

Security Policy Properties

You can modify an object's properties from its property sheet. To open a security policy property sheet, double-click its Browser entry in the Security Policies folder.

The following extended attributes are available on the General tab:

| Property | Description |
|---|---|
| Use group authorization | Specifies that security labels and exemptions granted directly or indirectly to groups are considered for any access attempt. Scripting name: GroupAuthorization |
| Use role authorization | Specifies that security labels and exemptions granted directly or indirectly to roles are considered for any access attempt. Scripting name: RoleAuthorization |
| Restrict Not Authorized Write Security Label | Specifies the action that is to be taken when a user is not authorized to write the explicitly specified security label that is provided in the INSERT or UPDATE statement issued against a table that is protected with this security policy. A user's security label and exemption credentials determine the user's authorization to write an explicitly provided security label. Scripting name: Restrict |
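
The DB2 statements whose clauses carry the same names as the properties above, shown as an added example (not taken from the PowerDesigner documentation and not PowerDesigner-generated output). The names CLASSIFICATION, DATA_ACCESS, HR.SALARY and HR_STAFF are constructed for illustration.

```sql
-- Added example; all object names below are constructed.
CREATE SECURITY LABEL COMPONENT CLASSIFICATION
  ARRAY ['CONFIDENTIAL', 'INTERNAL', 'PUBLIC'];

-- Restrict selected: an INSERT or UPDATE that supplies a label the user is not
-- authorized to write fails. The DB2 default (OVERRIDE ...) instead replaces
-- the supplied label with the user's own write label.
CREATE SECURITY POLICY DATA_ACCESS
  COMPONENTS CLASSIFICATION
  WITH DB2LBACRULES
  RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;

-- GroupAuthorization / RoleAuthorization selected: labels and exemptions
-- granted to groups and roles now count, so membership changes alter access.
ALTER SECURITY POLICY DATA_ACCESS USE GROUP AUTHORIZATION;
ALTER SECURITY POLICY DATA_ACCESS USE ROLE AUTHORIZATION;

CREATE SECURITY LABEL DATA_ACCESS.CONFIDENTIAL
  COMPONENT CLASSIFICATION 'CONFIDENTIAL';
CREATE SECURITY LABEL DATA_ACCESS.INTERNAL
  COMPONENT CLASSIFICATION 'INTERNAL';

-- One policy per table; column and row labels must belong to that policy.
CREATE TABLE HR.SALARY (
  EMP_ID  INTEGER NOT NULL,
  AMOUNT  DECIMAL(10,2) SECURED WITH CONFIDENTIAL,
  ROW_TAG DB2SECURITYLABEL
) SECURITY POLICY DATA_ACCESS;

-- Reaches users only through the role, hence USE ROLE AUTHORIZATION above.
CREATE ROLE HR_STAFF;
GRANT SECURITY LABEL DATA_ACCESS.INTERNAL TO ROLE HR_STAFF FOR ALL ACCESS;

-- Review the settings in effect for every policy in the database.
SELECT SECPOLICYNAME, NOTAUTHWRITESECLABEL, GROUPAUTHS, ROLEAUTHS
  FROM SYSCAT.SECURITYPOLICIES;
```

The final query is a quick audit check: a policy that still shows the override setting, or that honours group or role grants nobody intended, is visible there without opening each model.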

The following tabs are also available:

  • Components - lists the security label components associated with the security policy