row level security

"robert" <gn*****@rcn.com> wrote in message
news:da**************************@posting.google.c om...

well, talk about timely. i'm tasked to implement a security feature,
and would rather do so in the database than the application code. the
application is generally Oracle, but sometimes DB2. Oracle has what
it calls package DBMS_RLS, which implements application ignorant
row level security.

scanning this group yielded "you can't do that; use views". then i
dug out DB2Mag qtr 1 2004, and there is MLS for v8/390. from this
article, it sounds like Oracle's RLS.

when i try to download the referenced pdf, it fails. hmmm.

so, has anyone who has implemented RLS on Oracle and knows more about
MLS on DB2 say whether, i) they are functionally equivalent and
ii) really works on DB2.

thanks,
robert

Here is text from the What's New for DB2 z/OS V8:

Multilevel security with row-level granularity

Multilevel security is a security policy that lets you classify data and
users based on a system of hierarchical security levels that is combined
with a system of nonhierarchical security categories. The goals of
multilevel security are twofold: To prevent individuals from accessing
information that is classified at a level that is higher than their
authorization allows, and to prevent individuals from declassifying
information. Version 8 of DB2 UDB for z/OS supports multilevel security with
row-level granularity, which lets you restrict individual user access to a
specific set of rows in a table. Multilevel security with row-level
granularity offers several advantages over current authorization techniques:
v Security enforcement is mandatory and automatic; a user is checked at run
time. This technique complements existing discretionary checks. v You can
perform security checks that are difficult to express through traditional
SQL views or queries. v Multilevel security does not rely on special views
or database variables to provide row-level security control. v Security
controls are consistent and integrated across the system so that you can
avoid defining users, objects, access, and security labels more than once.
Access to files, database, printers, terminals, and other resources can have
a single security control point.

You can download PDF versions of all the manuals here to get more details on
this functionality:
http://www-306.ibm.com/software/data...s/v8books.html

"robert" <gn*****@rcn.com> wrote in message
news:da**************************@posting.google.c om...

well, talk about timely. i'm tasked to implement a security feature,
and would rather do so in the database than the application code. the
application is generally Oracle, but sometimes DB2. Oracle has what
it calls package DBMS_RLS, which implements application ignorant
row level security.

scanning this group yielded "you can't do that; use views". then i
dug out DB2Mag qtr 1 2004, and there is MLS for v8/390. from this
article, it sounds like Oracle's RLS.

when i try to download the referenced pdf, it fails. hmmm.

so, has anyone who has implemented RLS on Oracle and knows more about
MLS on DB2 say whether, i) they are functionally equivalent and
ii) really works on DB2.

thanks,
robert

Here is text from the What's New for DB2 z/OS V8:

Multilevel security with row-level granularity

Multilevel security is a security policy that lets you classify data and
users based on a system of hierarchical security levels that is combined
with a system of nonhierarchical security categories. The goals of
multilevel security are twofold: To prevent individuals from accessing
information that is classified at a level that is higher than their
authorization allows, and to prevent individuals from declassifying
information. Version 8 of DB2 UDB for z/OS supports multilevel security with
row-level granularity, which lets you restrict individual user access to a
specific set of rows in a table. Multilevel security with row-level
granularity offers several advantages over current authorization techniques:
v Security enforcement is mandatory and automatic; a user is checked at run
time. This technique complements existing discretionary checks. v You can
perform security checks that are difficult to express through traditional
SQL views or queries. v Multilevel security does not rely on special views
or database variables to provide row-level security control. v Security
controls are consistent and integrated across the system so that you can
avoid defining users, objects, access, and security labels more than once.
Access to files, database, printers, terminals, and other resources can have
a single security control point.

You can download PDF versions of all the manuals here to get more details on
this functionality:
http://www-306.ibm.com/software/data...s/v8books.html