Operation | Example Rule |
---|---|
INSERT | The current session must have a security label (1 or more compartments). All compartments in the session label are entered as the row constraint column value. Purpose: Forces predictable row classification based on the user label. |
SELECT | The session security label must include all the compartments in the row label or the operation fails. Purpose: If a row is classified with several compartments, ensures that the accessing user is a member of all of the compartments. |
UPDATE | The row label must include all the compartments contained in the session label. Purpose: Prevents the user from inadvertently adding classifications to the row. |
DELETE | The row can be deleted only if the constraint column value is NULL. Purpose: Ensures that a row is reviewed and declassified before it can be deleted. You must have OVERRIDE UPDATE privileges to reclassify a row as NULL, so that it can be deleted. |
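
The four example rules above, modelled as set comparisons so their interaction can be checked against sample labels. This is an added illustration, not code from the product documentation: the function names, the compartment names `FIN`, `HR` and `LEGAL`, and the treatment of a NULL row label as "no compartments" are assumptions.

```python
from typing import FrozenSet, Optional

Label = Optional[FrozenSet[str]]   # set of compartment names; None models a NULL label

def _c(label):
    """Compartments in a label. NULL is treated as no compartments (assumption)."""
    return frozenset() if label is None else frozenset(label)

def insert_label(session):
    """INSERT: session needs 1 or more compartments; the row takes the whole session label."""
    if not _c(session):
        raise PermissionError("INSERT requires a session security label")
    return _c(session)

def can_select(session, row):
    """SELECT: the session label must include every compartment in the row label."""
    return _c(row) <= _c(session)

def can_update(session, row):
    """UPDATE: the row label must include every compartment in the session label."""
    return _c(session) <= _c(row)

def can_delete(row):
    """DELETE: only rows whose constraint column value is NULL."""
    return row is None

def declassify(row, has_override_update):
    """Reclassify a row as NULL; requires the OVERRIDE UPDATE privilege."""
    if not has_override_update:
        raise PermissionError("OVERRIDE UPDATE privilege required")
    return None

def decisions(session, row):
    """Evaluate the SELECT, UPDATE and DELETE rules for one session against one row."""
    return {"SELECT": can_select(session, row),
            "UPDATE": can_update(session, row),
            "DELETE": can_delete(row)}

if __name__ == "__main__":
    row = insert_label({"FIN", "HR"})          # constructed sample compartments
    for s in ({"FIN"}, {"FIN", "HR"}, {"FIN", "HR", "LEGAL"}):
        print(sorted(s), decisions(s, row))
    print("after declassify:", decisions({"FIN"}, declassify(row, True)))
```

Under the rules as written, a session holding only `FIN` passes the UPDATE check on a `FIN`+`HR` row while failing SELECT, and only a session whose label equals the row label passes both.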