| Operation | Example Rule |
|---|---|
| INSERT | The current session must have a security label for the security constraint. The session label is entered as the constraint column value for the new row. Purpose: Allows any user with table level insert privileges to insert a new row. Assumes that the user security level is appropriate for the new data. |
| SELECT | The session security label must equal or exceed the row label or the operation fails. Purpose: Only users classified equal to or higher than a row can read row data. |
| UPDATE | The session security label must equal or exceed the row label or the operation fails. If the operation is allowed, the updated row uses the session security label for the constraint column value. Purpose: Restricts access to equivalent/higher level users. The row is automatically reclassified to the user level in case the user adds data with a higher classification. |
| DELETE | The row cannot be deleted unless the constraint column value is at the lowest security level. Purpose: Ensures that a row is reviewed and declassified before it can be deleted. |