Assigning Row-level Security to Data Tables

Restricting Access to Rows › Assigning Row-level Security to Data Tables

Assigning Row-level Security to Data Tables

Row-level security is provided through system tables that keep track of the relationship between each security name, table, and user.

Three Tables Maintain Security

The $SECURITY-RUNTIME-TABLE$ (SRT) is a table through which you associate the security name with users and WHERE criteria. The figure below shows several rows that have been entered in an SRT.

┌-----------┬-------┬--------┬----------------┬---------┬----------------┐
│ GROUP    │ USER│ OWNER  │ SECURITY-NAME  │ STATUS  │ WHERE-CLAUSE   │
├-----------┼-------┼--------┼----------------┼---------┼----------------┤
│ DBA GROUP │ MON   │ IIZ    │ SECNAME        │ (V)     │ DEPTID EQ 'SLS'│
├-----------┼-------┼--------┼----------------┼---------┼----------------┤
│ SYS GROUP │ BRM   │ LPN    │ DOC            │ (V)     │ TECH EQ 'PUBS' │
├-----------┼-------┼--------┼----------------┼---------┼----------------┤
│ SYSTECH   │ DPW   │ JJM    │ AUD            │ (V)     │ TAX EQ 'IRS'   │
├-----------┼-------┼--------┼----------------┼---------┼----------------┤
│ TECHREV   │ LLM   │ BDR    │ RULE           │ (V)     │ ACT EQ 'AUD'   │
└-----------┴-------┴--------┴----------------┴---------┴----------------┘

The $OBJECT-SECURITY-NAME-TABLE$ (OST) is a table through which the table name, owner name, security name, and table-definition number of the table to which you are applying row-level security are registered. This information is maintained internally by ASF.
The $SRT-OST-CROSS-REFERENCE$ (SXRF) combines information from the SRT and the OST and allows you to review the security names and criteria you have associated with your own tables.

When you assign row-level security to a table, the information is stored in these tables. When a user tries to access a table protected by row-level security, ASF checks these tables to see if that user is allowed to access the table.

Assigning Security

The steps to assigning row-level security are:

Assign a security name to a table. Security names tell the system that row-level security is in effect.
Associate users and WHERE criteria with a security name. This limits access to data in tables associated with a specific security name.

With row-level security, you can also:

Assign security names at the group level, to associate security names and WHERE criteria with more than one user.
Assign generic names to columns that contain the same type of data in different tables. This enables you to create a single entry in the $SECURITY-RUNTIME-TABLE$ with the same restrictions that apply to two or more tables.

Regenerate the Table(s)

Assigning row-level security to a table changes the definition of that table. In order to access the stored data after applying row-level security, you must regenerate the table. You should, however, wait until you are finished assigning row-level security to the table; including assigning WHERE criteria and generic column names as described later in this section.

Note: This regeneration does not cause data conversion.