There is a limit of 6 hierarchical constraints and 2 non-hierarchical constraints that can be assigned per profile.
If the constraint is already assigned to the user, the level or category names you specify for the constraint replace all existing specifications.
Changes take effect at the next user logon after the user definition is modified.
For more information about row-level security constraints, see CREATE CONSTRAINT.
- Name of an existing row-level security constraint followed by the list of the hierarchical levels or non-hierarchical categories, valid for the constraint, which are being assigned to the user_name.
- List of the hierarchical levels.
- List of non-hierarchical categories
- DEFAULT can be specified for 1 classification level from the specified list of levels for a hierarchical constraint. The specified level becomes the default value for the constraint when a session is established for the user to which the profile is assigned.
- If you do not specify DEFAULT for any of the listed classification levels, then the first level listed becomes the default for the profile.
- DEFAULT is not valid for non-hierarchical constraints.
- If you specify NULL for a constraint previously assigned to the user, the constraint is dropped from the user definition.
Example: Adding or Dropping Security Constraint Assignments in a MODIFY USER Statement
You can change security constraint assignments for a user in a MODIFY USER statement. When you specify a security constraint that is:
- Not currently assigned to the user, the constraint is added to any existing constraints.
- Already assigned to the user, the new specifications replace the existing specifications.
- Already assigned to the user, followed by the keyword NULL, the constraint assignment is dropped from the user.
MODIFY USER Joe_Smith AS CONSTRAINT = Classification_Level (TopSecret, Unclassified DEFAULT), CONSTRAINT = Classification_Country (NULL) CONSTRAINT = Classification_Job (Analyst) ;
|Classification_Level(TopSecret, Unclassified DEFAULT)||Raises the user classification level by replacing a previously assigned Secret clearance with TopSecret, while retaining the DEFAULT Unclassified level.|
|Classification_Country (NULL)||Drops the Classification_Country constraint assignment that was previously assigned to the user.|
|Classification_Job (Analyst)||Adds the new hierarchical category Classification_Job, and assigns the Analyst classification level.|