When a user without the OVERRIDE privilege performs an INSERT or UPDATE on an RLS table the system converts the session constraint value(s), defined as byte(n) in the assigned user constraint, to hex code and loads them into the table.
For example, assume that:
A BYTE(1) non-hierarchical constraint named Countries is defined with these values:
- USA: 1
- UK: 2
- Canada: 3
User U1 is assigned the constraint.
CONSTRAINT = Countries (USA, UK, Canada)
User U1 defines a table to include the Countries constraint column:
CT rls_table (x INT, Countries CONSTRAINT);
- The security policy defined in the related INSERT UDF does not alter the session constraint for the user.
At logon, the session constraint value for user U1 is calculated by the system as follows:
|Constraint Value||Bit Position||Binary Value|
The system evaluates the assigned user constraints and calculates a binary string to represent each set of non-hierarchical values, in the example above, 11100000, which translates to the hex string ‘E0’xb.
If user U1 inserts a row into the table rls_tbl, the system automatically enters the calculated hex value ‘E0’xb in the Countries CONSTRAINT column for the table.
Resetting the Session Constraint
Users have the option to change the default constraint values available for a session using the SET SESSION CONSTRAINT statement.
Based on the previous example, U1 might reset the session default Countries constraint:
SET SESSION CONSTRAINT = Countries (UK, Canada);
The session constraint value is changed from the ‘E0’xb shown above to '60'xb (hex representation of 01100000). Subsequent inserts during the session default to '60'xb for the Countries constraint column.