A security constraint UDF defines and enforces the rules that determine whether to allow or deny the execution of an INSERT, SELECT, UPDATE, or DELETE statement on a table row.
Each constraint UDF restricts an SQL operation based on a coded rule. UDF rules vary by SQL operation and whether the constraint system is a hierarchical (level) or non-hierarchical (compartment) labeling system.
Hierarchical and non-hierarchical constraints require different kinds of UDFs.
Each time a user accesses a row, the system invokes the UDF associated with the SQL operation (for example, INSERT) to determine if the user can perform the operation. If the requesting user does not have the access level required to perform the operation on the row, the UDF denies the request and request processing moves on to the next applicable row.
If the CONSTRAINT object does not specify a UDF for an SQL operation, the operation succeeds only if the user has the corresponding OVERRIDE privilege.
If a requesting user has the OVERRIDE privilege for an SQL operation, the request bypasses the UDF that restricts the operation.