When a user without the OVERRIDE privilege performs an INSERT or UPDATE on an RLS table the system converts the session constraint value(s), defined as byte(n) in the assigned user constraint, to hex code and loads them into the table.
For example, assume that:
- A BYTE(1) non-hierarchical constraint named Countries is defined with these values:
- USA: 1
- UK: 2
- Canada: 3
- User U1 is assigned the constraint.
CONSTRAINT = Countries (USA, UK, Canada)
- User U1 defines a table to include the Countries constraint column:
CT rls_table (x INT, Countries CONSTRAINT);
- The security policy defined in the related INSERT UDF does not alter the session constraint for the user.
At logon, the session constraint value for user U1 is calculated by the system as follows:
| Constraint Value | Bit Position | Binary Value |
|---|---|---|
| USA:1 | 1 | 1 |
| UK:2 | 2 | 1 |
| Canada:3 | 3 | 1 |
| Not applicable | 4 | 0 |
| 5 | 0 | |
| 6 | 0 | |
| 7 | 0 | |
| 8 | 0 |
The system evaluates the assigned user constraints and calculates a binary string to represent each set of non-hierarchical values, in the example above, 11100000, which translates to the hex string ‘E0’xb.
If user U1 inserts a row into the table rls_tbl, the system automatically enters the calculated hex value ‘E0’xb in the Countries CONSTRAINT column for the table.