2.4a Informix Security LBAC Lab


IBM Informix 11.

Informix Security - Label-Based Access Control (LBAC)

Information Management Technology Ecosystems


Contents

1. Introduction
2. Suggested Reading
3. Implementing Column Level Security
3.1 Problem in Hand
3.2 Analyzing the Data Restrictions
3.3 Designing the Security Solution
3.4 Implementing the Security Solution
3.5 Watch the LBAC Solution in Action

1. Introduction
Label-based access control (LBAC) is an implementation of multi-level
security (MLS) that enables you to control who has read access and
who has write access to individual rows and columns of table data.
LBAC controls access to table objects by attaching security labels to
them. Users attempting to access an object must have its security label
granted to them. When there is a match, access is permitted; without a
match, access is denied.
There are three types of security labels:
- Row security labels: a security label associated with a data row or
  record in a database table.
- Column security labels: a security label associated with a column in
  a database table.
- User security labels: a security label granted to a user.
A security label is composed of one or more security label components.
There are three types of security label components that you can use to
build your security labels:
- Sets: a set is a collection of elements where the order in which
  those elements appear is not important. All elements are deemed
  equal.
- Arrays: an array is an ordered set that can be used to represent a
  simple hierarchy. In an array, the order in which the elements appear
  is important. For example, the first element ranks higher than the
  second element, and the second higher than the third.
- Trees: a tree represents a more complex hierarchy that can have
  multiple nodes and branches. For example, trees can be used to
  represent organizational charts.
You use a security policy to define the security label components that
make up a particular security label.
The Informix Security Administrator (DBSECADM) is required to create
and manipulate LBAC objects. DBSECADM authority can only be granted by
the database manager (DBM). DBM does not have the DBSECADM role by
default.

2. Suggested Reading

Informix Label-Based Access Control, a practical guide, Part 1:
Understand the basics of LBAC in Informix
This tutorial is based on the tutorials originally published about using
LBAC with DB2 entitled "DB2 Label-Based Access Control, a practical
guide" by Carmen Wong and Stan Musker. It was adapted for Informix
Dynamic Server by Manjula Pathangani and Joseph Baric. It is available
on the developerWorks website and this lab is based on it. The original
article can be obtained at:
www.ibm.com/developerworks/edu/dm-dw-dm-0708wong-i.html

IBM Informix Security Guide
This publication documents methods for keeping your data secure by
preventing unauthorized viewing and altering of data or database
objects.
www.ibm.com/support/docview.wss?uid=swg27010058

3. Implementing Column Level Security

This lab demonstrates how to use LBAC to control access to data at the
column level in a table.
You will learn how to:
- Analyze the required data restrictions
- Design the LBAC security solution
- Implement the LBAC security solution
- See your LBAC security solution in action

3.1 Problem in hand
The Human Resource department of Global Life Financial would like to
allow employees, managers, and HR staff to access data in the EMP
table. This table contains information with different levels of
sensitivity, and so some restrictions should be made with regards to
access:
- Name, gender, department, and phone number are considered to be
  unclassified information and can be available to all employees.
- Employee number, hire date, job, and education level are
  confidential and should be restricted to managers and HR staff.
- Birth date, salary, bonus, and commission are highly confidential
  information and should be restricted to HR staff.

Some of the users who access the table are summarized in the following
table:

NAME    POSITION
Jen     HR Staff
Noel    Manager
Sunny   Regular Employee

The existing EMP table is tagged with security labels that indicate a
column's level of sensitivity.

COLUMN NAME     DATA TYPE  LENGTH  SCALE  NULL?
EMPNO (U)       CHAR       6       0      NO
FIRSTNAME (U)   VARCHAR    12      0      NO
MIDINIT (U)     CHAR       1       0      YES
LASTNAME (U)    VARCHAR    15      0      NO
WORKDEPT (U)    CHAR       3       0      YES
PHONENO (U)     CHAR       4       0      YES
GENDER (U)      CHAR       1       0      YES
HIREDATE (C)    DATE       4       0      YES
JOB (C)         CHAR       8       0      YES
EDLEVEL (C)     SMALLINT   2       0      YES
BIRTHDATE (H)   DATE       4       0      YES
SALARY (H)      DECIMAL    9       0      YES
BONUS (H)       DECIMAL    9       0      YES
COMMISSION (H)  DECIMAL    9       0      YES

Column security classes are:
U: UNCLASSIFIED
C: CONFIDENTIAL
H: HIGHLY CONFIDENTIAL

3.2 Analyzing the data restrictions
In this exercise, you need to determine how to manage access to the
columns of the EMP table. You need to enforce the following
restrictions:
- Anyone with access to the EMP table can read unclassified columns.
- Managers can also read all confidential columns.
- HR staff has READ/WRITE access to all columns in the table.

Based on this scenario, you summarize your security requirements as
follows:

POSITION          UNCLASSIFIED  CONFIDENTIAL  HIGHLY CONFIDENTIAL
Regular Employee  READ          no access     no access
Manager           READ          READ          no access
HR Staff          READ/WRITE    READ/WRITE    READ/WRITE

Next, you need to design an LBAC security solution based on your
analysis.

3.3 Designing the security solution

In this exercise, you are going to design the security labels that
control access to the columns in the EMP table. In designing security
labels, you need to consider the following:
- Column security labels that protect the different levels of
  sensitivity.
- User security labels that grant users the appropriate access.
- Security label components that create the security labels.

3.3.1 Selecting the column security labels
From your analysis, you determine that each column requires a
security label based on its sensitivity. Therefore, three security labels
are needed: one for each level of sensitivity -- HIGHLY
CONFIDENTIAL, CONFIDENTIAL, and UNCLASSIFIED. This seems
to be a simple hierarchy, and you consider using an ARRAY for the
security label component.

3.3.2 Selecting the user security labels

User security labels for employees
Regular employees can only access unclassified information. If
unclassified columns are protected with a security label of
UNCLASSIFIED, then that label should be granted to regular employees.
Since regular employees are not allowed to write to the EMP table,
some restriction should be imposed at the table level by revoking the
INSERT, UPDATE, and DELETE privileges from these users when you GRANT
the security label.

User security labels for managers
Managers can access unclassified and confidential information. If
confidential columns are protected with a security label of
CONFIDENTIAL, then that label should be granted to managers. An ARRAY
still seems to be appropriate for the security label. If the order of
elements in the array is CONFIDENTIAL, UNCLASSIFIED, then managers
granted a CONFIDENTIAL security label would have access to all
information at the CONFIDENTIAL level and any levels below (in this
case UNCLASSIFIED).
Since managers are also not allowed to write to the EMP table, some
restriction should be imposed at the table level by revoking the
INSERT, UPDATE, and DELETE privileges from these users.

User security labels for human resources (HR)
HR has the highest level of access to the EMP table and can access all
information. If highly confidential columns are protected with a
security label of HIGHLY CONFIDENTIAL, then that label should be
granted to the HR staff.

An ARRAY still seems to be appropriate for the security label. If the
order of elements in the array is HIGHLY CONFIDENTIAL,
CONFIDENTIAL, UNCLASSIFIED, then HR members granted a
HIGHLY CONFIDENTIAL security label would have access to all
information at the HIGHLY CONFIDENTIAL level and below (in this
case, CONFIDENTIAL and UNCLASSIFIED).
HR access to data in the EMP table should be READ/WRITE.

3.3.3 Selecting the security label components

Since data access is based on a linear hierarchy, the security label
component can be constructed with an ARRAY ordered as HIGHLY
CONFIDENTIAL, CONFIDENTIAL, and UNCLASSIFIED.
In the next section you are going to implement this solution using SQL
commands.

3.4 Implementing the security solution

The steps are:
- Bring up the database environment if it is not up.
- Grant DBSECADM authority to user informix.
- Define the security policies and labels.
- Create the EMP table and load the sample data.
- Alter the EMP table to protect all columns with the security labels
  and attach the security policy to the table.
- Grant the appropriate security labels to users.

3.4.1 Bring up the database server environment

Before you start working on implementing the security solution, you
need to bring up the database server environment.
- Log in to the VMWare image as the informix user.

Note: Refer to the document entitled "VMWare Basics" for information
about how to start and log in to the VMWare image.

- Right click on the desktop area and choose Open Terminal.

- Set the environment for the database server by typing the following
  command in the command terminal.
  . setDemo

- Enter the following command in the command terminal to see if the
  Informix server is up and running.
  onstat -
  - If the Informix server is NOT running, you will see the following
    message.
    Shared memory not initialized for INFORMIXSERVER 'demo_on'
  - If the Informix server is running, you will see a message similar
    to the following.
    IBM Informix Dynamic Server Version 11.70.UC1DE -- On-Line -- Up 00:21:25 -- 177036 Kbytes

- Enter the following command to start the server ONLY if it is NOT
  already running.
  oninit
- Make sure you do not have DBDATE set (or, if you have it set for a
  reason, make sure it is valid: "echo $DBDATE"):
  unset DBDATE

3.4.2 Grant DBSECADM authority to user informix

Creating the policies and labels requires DBSECADM authority. You are
going to use the informix user as the administrator who does all the
policy administration work. Therefore, you must grant the DBSECADM
authority to the informix user.

- Enter the following command in the terminal window to launch
  DB-Access and connect to the STORES database:
  dbaccess stores

- Select Query-language > New from the DB-Access menu and type in the
  following statement to grant the DBSECADM authority to the informix
  user:
  grant dbsecadm to informix;

  (press ESC, then select Run)

- If the command is executed successfully, you will see the following
  message.
  DBSECADM granted.

- Choose the Exit option twice to exit from the DB-Access utility.

3.4.3 Define the Security Policies and Labels

This task is divided into three sub-tasks.
- Define the security label component
- Define the security policy
- Define the security labels

3.4.3.1 Define the Security Label Component
From your analysis, you decided that an array-type security label
component can be used for the following ordered set of elements:
HIGHLY CONFIDENTIAL, CONFIDENTIAL, and UNCLASSIFIED. The following
statement creates this security label component.

CREATE SECURITY LABEL COMPONENT slc_level ARRAY
  ['HIGHLY CONFIDENTIAL', 'CONFIDENTIAL', 'UNCLASSIFIED'];

This statement is stored in a file called create_slc.sql in the
/home/informix/scripts/sqls directory. Change to that directory using
the following command:
cd /home/informix/scripts/sqls

- Run the following command in the command terminal to execute the
  statement in the file:
  dbaccess stores create_slc.sql

- If the command is executed successfully, you will see the following
  messages.
  Database selected.
  Security label component created.
  Database closed.

3.4.3.2 Define the Security Policy
After the security label component is created, you need to create the
security policy. The following statement creates a security policy
called access_employee_policy that uses the slc_level component you
previously created.

CREATE SECURITY POLICY access_employee_policy
  COMPONENTS slc_level WITH IDSLBACRULES
  RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;

This statement is stored in a file called create_sp.sql in the
/home/informix/scripts/sqls directory.

- Run the following command in the command terminal to execute the
  statement in the file:
  dbaccess stores create_sp.sql

- If the command is executed successfully, you will see the following
  messages.
  Database selected.
  Security policy created.
  Database closed.

3.4.3.3 Define the Security Labels

From your analysis, you have decided that a security label is required
for each classification type (three in total). Each security label is
based on the access_employee_policy security policy that you
previously created.

The following statements create the security labels:

CREATE SECURITY LABEL access_employee_policy.HIGHCONFIDENTIAL
  COMPONENT slc_level 'HIGHLY CONFIDENTIAL';
CREATE SECURITY LABEL access_employee_policy.CONFIDENTIAL
  COMPONENT slc_level 'CONFIDENTIAL';
CREATE SECURITY LABEL access_employee_policy.UNCLASSIFIED
  COMPONENT slc_level 'UNCLASSIFIED';

These statements are stored in a file called create_sl.sql in the
/home/informix/scripts/sqls directory.

- Run the following command in the command terminal to execute the
  statements in the file:
  dbaccess stores create_sl.sql

- If the command is executed successfully, you will see the following
  messages.
  Database selected.
  Security label created.
  Security label created.
  Security label created.
  Database closed.

3.4.4 Create the EMP table and load the sample data
The following commands create the EMP table and insert a sample row
into the table.

CREATE TABLE EMP (
  EMPNO CHARACTER(6), FIRSTNAME VARCHAR(12), MIDINIT CHARACTER(1),
  LASTNAME VARCHAR(15), WORKDEPT CHARACTER(3), PHONENO CHARACTER(4),
  GENDER CHARACTER(1), HIREDATE DATE, JOB CHARACTER(8),
  EDLEVEL SMALLINT, BIRTHDATE DATE, SALARY DECIMAL(9),
  BONUS DECIMAL(9), COMMISSION DECIMAL(9)
);

INSERT INTO EMP VALUES ('1001', 'Priyanka', '', 'Chopra', 'mkt',
  '1234', 'f', '1/3/08', 'manager', 10, '10/8/84', 89000, 10000,
  20000);

These statements are stored in a file called create_emp_table.sql in
the /home/informix/scripts/sqls directory.

- Run the following command in the command terminal to execute the
  statements in the file:
  dbaccess stores create_emp_table.sql

- If the command is executed successfully, you will see the following
  messages.
  Database selected.
  Table created.
  1 row(s) inserted.
  Database closed.

3.4.5 Protect the EMP table
Now you need to alter the EMP table in order to protect the columns
with the security labels you defined and attach the security policy to
the table.
The following statement is used to accomplish this task:

ALTER TABLE EMP
  MODIFY(EMPNO CHARACTER(6) COLUMN SECURED WITH CONFIDENTIAL),
  MODIFY(FIRSTNAME VARCHAR(12) COLUMN SECURED WITH UNCLASSIFIED),
  MODIFY(MIDINIT CHARACTER(1) COLUMN SECURED WITH UNCLASSIFIED),
  MODIFY(LASTNAME VARCHAR(15) COLUMN SECURED WITH UNCLASSIFIED),
  MODIFY(WORKDEPT CHARACTER(3) COLUMN SECURED WITH UNCLASSIFIED),
  MODIFY(PHONENO CHARACTER(4) COLUMN SECURED WITH UNCLASSIFIED),
  MODIFY(GENDER CHAR(1) COLUMN SECURED WITH UNCLASSIFIED),
  MODIFY(HIREDATE DATE COLUMN SECURED WITH CONFIDENTIAL),
  MODIFY(JOB CHARACTER(8) COLUMN SECURED WITH CONFIDENTIAL),
  MODIFY(EDLEVEL SMALLINT COLUMN SECURED WITH CONFIDENTIAL),
  MODIFY(BIRTHDATE DATE COLUMN SECURED WITH HIGHCONFIDENTIAL),
  MODIFY(SALARY DECIMAL(9) COLUMN SECURED WITH HIGHCONFIDENTIAL),
  MODIFY(BONUS DECIMAL(9) COLUMN SECURED WITH HIGHCONFIDENTIAL),
  MODIFY(COMMISSION DECIMAL(9) COLUMN SECURED WITH HIGHCONFIDENTIAL),
  ADD SECURITY POLICY access_employee_policy;

This statement is stored in a file called alter_emp.sql in the
/home/informix/scripts/sqls directory.

- Run the following command in the command terminal to execute the
  statement in the file:
  dbaccess stores alter_emp.sql

- If the command is executed successfully, you will see the following
  messages on the screen.
  Database selected.
  Table altered.
  Database closed.

Upon successful completion of this task, the EMP table is protected.

3.4.6 Grant the Security Labels to users

After the EMP table has been protected, no users can access the table
until security labels are granted to them. The following statements
grant security labels to users.

GRANT SECURITY LABEL access_employee_policy.HIGHCONFIDENTIAL
  TO USER jen FOR ALL ACCESS;
GRANT SECURITY LABEL access_employee_policy.CONFIDENTIAL
  TO USER noel FOR READ ACCESS;
GRANT SECURITY LABEL access_employee_policy.UNCLASSIFIED
  TO USER sunny FOR READ ACCESS;

These statements are stored in a file called grant_sl.sql in the
/home/informix/scripts/sqls directory.

- Run the following command in the command terminal to execute the
  statements in the file:
  dbaccess stores grant_sl.sql

- If the command is executed successfully, you will see the following
  messages on the screen.
  Database selected.
  Security label granted.
  Security label granted.
  Security label granted.
  Database closed.

Now you have successfully implemented the LBAC solution on the EMP
table. Let's see what happens when users try to access this table.

3.5 Watch the LBAC solution in action

If you recall the requirements, the following rules apply to data
access:
- Jen, an HR employee, has read/write access to all the columns.
- Noel, the manager, has read access to confidential and unclassified
  columns. She has no write access on any data.
- Sunny, a regular employee, has read access to only unclassified
  columns and has no write access on any data.
Note: Refer to the table in Section 3.1 for information about how the
columns in the EMP table are classified.

3.5.1 Login as Jen and try to access the EMP table

- Start the DB-Access utility in interactive mode. From the terminal
  window, enter:
  dbaccess - -

  Result: DB-Access will open in interactive mode and you will see the
  '>' prompt on the screen.

- Connect to the demo_on instance as user jen at the DB-Access prompt.
  connect to '@demo_on' user 'jen';
  Enter jen as the password when prompted.

  Result: Once you enter the password, you will see a message saying
  that you are connected.

- Connect to the STORES database.
  database stores;

  Result: You will see a message saying that the database is selected.

- Now enter the following SELECT statement.
  select * from emp;

  Result: You will see the entire table contents displayed. This is
  because user Jen has full read access to all the columns in the EMP
  table.

3.5.2 Login as Noel and try to access the EMP table
3.5.2.1 Try to access Highly Confidential columns
Try to access the highly confidential columns, such as SALARY and
BONUS, that Noel doesn't have access to.
- At the DB-Access interactive prompt, connect to the demo_on instance
  as user Noel.
  connect to '@demo_on' user 'noel';
  Enter noel as the password when prompted.

  Result: Once you enter the password, you will see a message saying
  that you are connected.

- Connect to the STORES database.
  database stores;

  Result: You will see a message saying that the database is selected.

- Enter the following SELECT statement.
  select empno, salary, bonus from emp;

  Result: You will see an error message saying that the user doesn't
  have access to protected columns.

3.5.2.2 Trying to access Unclassified and Confidential columns
Try to access unclassified and confidential columns that Noel does
have access to.
- Enter the following SELECT statement.
  select empno, firstname, job from emp;

  Result: You will see the data successfully returned on the screen
  because Noel has access to these columns.

3.5.3 Login as Sunny and try to access the EMP table

3.5.3.1 Try to access Highly Confidential and Confidential columns
- While at the dbaccess prompt, connect to the demo_on instance as
  user Sunny.
  connect to '@demo_on' user 'sunny';
  Enter sunny as the password when prompted.

  Result: Once you enter the password, you will see a message saying
  that you are connected.

- Connect to the STORES database.
  database stores;

  Result: You will see a message saying that the database is selected.

- Enter the following SELECT statement.
  select empno, hiredate, salary, bonus from emp;

  Result: You will see an error message saying that the user doesn't
  have access to protected columns.

3.5.3.2 Try to access Unclassified columns

- Enter the following SELECT statement.
  select firstname, lastname, workdept from emp;

  Result: You will see the data successfully returned on the screen
  because Sunny has access to these columns.
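The access outcomes of sections 3.5.1 to 3.5.3 follow from the ARRAY read rule of the slc_level component. The model below is an added example, not part of the lab or of Informix: it parses the column labels out of the ALTER TABLE statement of section 3.4.5, ranks them by their position in the array, and evaluates each SELECT list the way the column check does. Function names are mine; the write side is modeled only as the FOR READ / FOR ALL ACCESS mode of the grants in grant_sl.sql, not as the full IDSLBACRULES write check.

```python
import re

# slc_level ARRAY component from create_slc.sql; index 0 ranks highest.
SLC_LEVEL = ["HIGHLY CONFIDENTIAL", "CONFIDENTIAL", "UNCLASSIFIED"]

# Security labels of access_employee_policy -> component element (create_sl.sql).
LABEL_ELEMENT = {
    "HIGHCONFIDENTIAL": "HIGHLY CONFIDENTIAL",
    "CONFIDENTIAL": "CONFIDENTIAL",
    "UNCLASSIFIED": "UNCLASSIFIED",
}

# Labels granted in grant_sl.sql: user -> (label, access mode).
USER_GRANTS = {
    "jen": ("HIGHCONFIDENTIAL", "ALL"),
    "noel": ("CONFIDENTIAL", "READ"),
    "sunny": ("UNCLASSIFIED", "READ"),
}

# The ALTER TABLE statement of alter_emp.sql, quoted from the lab.
ALTER_EMP_SQL = """
ALTER TABLE EMP
MODIFY(EMPNO CHARACTER(6) COLUMN SECURED WITH CONFIDENTIAL),
MODIFY(FIRSTNAME VARCHAR(12) COLUMN SECURED WITH UNCLASSIFIED),
MODIFY(MIDINIT CHARACTER(1) COLUMN SECURED WITH UNCLASSIFIED),
MODIFY(LASTNAME VARCHAR(15) COLUMN SECURED WITH UNCLASSIFIED),
MODIFY(WORKDEPT CHARACTER(3) COLUMN SECURED WITH UNCLASSIFIED),
MODIFY(PHONENO CHARACTER(4) COLUMN SECURED WITH UNCLASSIFIED),
MODIFY(GENDER CHAR(1) COLUMN SECURED WITH UNCLASSIFIED),
MODIFY(HIREDATE DATE COLUMN SECURED WITH CONFIDENTIAL),
MODIFY(JOB CHARACTER(8) COLUMN SECURED WITH CONFIDENTIAL),
MODIFY(EDLEVEL SMALLINT COLUMN SECURED WITH CONFIDENTIAL),
MODIFY(BIRTHDATE DATE COLUMN SECURED WITH HIGHCONFIDENTIAL),
MODIFY(SALARY DECIMAL(9) COLUMN SECURED WITH HIGHCONFIDENTIAL),
MODIFY(BONUS DECIMAL(9) COLUMN SECURED WITH HIGHCONFIDENTIAL),
MODIFY(COMMISSION DECIMAL(9) COLUMN SECURED WITH HIGHCONFIDENTIAL),
ADD SECURITY POLICY access_employee_policy;
"""

# One MODIFY(<column> <type> COLUMN SECURED WITH <label>) clause.
MODIFY_RE = re.compile(r"MODIFY\(\s*(\w+)\s.*?COLUMN SECURED WITH\s+(\w+)\s*\)",
                       re.I | re.S)


def column_labels(alter_sql=ALTER_EMP_SQL):
    """Map each column name (lower case) to the label it is secured with."""
    return {col.lower(): lbl.upper() for col, lbl in MODIFY_RE.findall(alter_sql)}


def rank(label):
    """Index of the label's element in the ARRAY; a lower index is a higher rank."""
    return SLC_LEVEL.index(LABEL_ELEMENT[label])


def can_read(user, column, labels=None):
    """ARRAY read rule: the user's element must rank at or above the column's."""
    labels = labels if labels is not None else column_labels()
    return rank(USER_GRANTS[user][0]) <= rank(labels[column])


def check_select(user, columns):
    """Evaluate a SELECT list. Row protection filters out rows the user cannot
    read, but one protected column the user cannot read fails the statement."""
    labels = column_labels()
    if columns == ["*"]:
        columns = list(labels)
    denied = [c for c in columns if not can_read(user, c, labels)]
    return (len(denied) == 0, denied)


def can_write(user):
    """Only a label granted FOR ALL ACCESS carries write access on the table
    (the per-column IDSLBACRULES write check is not modeled here)."""
    return USER_GRANTS[user][1] == "ALL"
```

check_select("noel", ["empno", "salary", "bonus"]) reports the two HIGHCONFIDENTIAL columns as denied, while check_select("noel", ["empno", "firstname", "job"]) passes, matching the results seen in 3.5.2.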

This concludes the lab. If you have completed all the exercises and
have extra time, feel free to continue exploring the utilities and
functionality described here; for example, try inserting, updating,
and deleting columns or implement LBAC at the row level. Otherwise, you
can close any open terminal and web browser windows.

© Copyright IBM Corporation 2011
All Rights Reserved.

IBM Canada
8200 Warden Avenue
Markham, ON
L6G 1C7
Canada

Printed in Canada
01/2011

IBM, IBM (logo), and Informix are trademarks or registered trademarks
of International Business Machines Corporation in the United States,
other countries, or both.

Linux is a trademark of Linus Torvalds in the United States, other
countries, or both.

UNIX is a registered trademark of The Open Group in the United States,
other countries, or both.

Windows is a trademark of Microsoft Corporation in the United States,
other countries, or both.

Other company, product, or service names may be trademarks or service
marks of others.

References in this publication to IBM products or services do not
imply that IBM intends to make them available in all countries in
which IBM operates. The following paragraph does not apply to the
United Kingdom or any other country where such provisions are
inconsistent with local law:

Information concerning non-IBM products was obtained from the
suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and
cannot confirm the accuracy of performance, compatibility or any other
claims related to non-IBM products. Questions on the capabilities of
non-IBM products should be addressed to the suppliers of those
products.

The information in this publication is provided AS IS without
warranty. Such information was obtained from publicly available
sources, is current as of January 2010, and is subject to change. Any
performance data included in the paper was obtained in the specific
operating environment and is provided as an illustration. Performance
in other operating environments may vary. More specific information
about the capabilities of products described should be obtained from
the suppliers of those products.

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION
"AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties
in certain transactions, therefore, this statement may not apply to
you.

This information could include technical inaccuracies or typographical
errors. Changes are periodically made to the information herein; these
changes will be incorporated in new editions of the publication. IBM
may make improvements and/or changes in the product(s) and/or the
program(s) described in this publication at any time without notice.

Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating
environments may vary significantly. Some measurements may have been
made on development-level systems and there is no guarantee that these
measurements will be the same on generally available systems.
Furthermore, some measurement may have been estimated through
extrapolation. Actual results may vary. Users of this document should
verify the applicable data for their specific environment.
