DB2 Row and Column Access Control Overview
By Tom Nonmacher
Today we are going to discuss DB2 Row and Column Access Control, a security feature that allows fine-grained control over the data in your tables. This feature, available in DB2 11.5, is designed to provide enhanced data privacy and security. It enables you to restrict the rows that a user can retrieve or modify, and the columns that they can view or change.
Row and Column Access Control (RCAC) in DB2 is a flexible and powerful feature that allows for the enforcement of security policies at the database level. This means that the security policies are applied to all applications that access the data, regardless of the path used by the user or application to access the data.
The RCAC feature introduces two new security controls: row permissions and column masks. Row permissions define the conditions under which a user can access a row of data. Column masks define the conditions under which a user can see the data in a column. These controls are applied dynamically, based on user attributes or session context variables.
Setting up row permissions and column masks in DB2 is relatively straightforward. Here is an example of a row permission:
-- DB2: row permission that exposes Employee rows only to members of the HR group
CREATE PERMISSION RowPermission1 ON Employee
    FOR ROWS WHERE VERIFY_GROUP_FOR_USER(SESSION_USER, 'HR') = 1
    ENFORCED FOR ALL ACCESS
    ENABLE;
In the above example, the row permission allows only users who are part of the 'HR' group to access rows in the Employee table. The permission is enforced for all types of access.
Here is an example of a column mask:
-- DB2: column mask that returns the real Salary to HR members and NULL to everyone else
CREATE MASK SalaryMask ON Employee
    FOR COLUMN Salary RETURN
        CASE
            WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'HR') = 1 THEN Salary
            ELSE NULL
        END
    ENABLE;
In this example, the column mask allows only users who are part of the 'HR' group to see the Salary column in the Employee table. If a user is not part of the 'HR' group, they will see NULL instead of the actual salary.
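The two definitions above take effect only once access control is activated on the table. The following is an added example, not code from the original article, showing the activation step and a catalog check. It assumes the Employee table, RowPermission1 and SalaryMask from above exist in the current schema and that the statements are run with SECADM authority.

```sql
-- Added example (not from the original article).
-- Assumes: Employee, RowPermission1 and SalaryMask exist in the current schema,
-- and the session holds SECADM authority.

-- 1. Creating a permission or mask with ENABLE does not filter anything yet.
--    Enforcement starts when access control is activated on the table itself.
ALTER TABLE Employee ACTIVATE ROW ACCESS CONTROL;
ALTER TABLE Employee ACTIVATE COLUMN ACCESS CONTROL;

-- 2. Confirm what the table now enforces.
--    CONTROL: 'R' = row, 'C' = column, 'B' = both, blank = none.
SELECT TABSCHEMA, TABNAME, CONTROL
  FROM SYSCAT.TABLES
 WHERE TABSCHEMA = CURRENT SCHEMA
   AND TABNAME   = 'EMPLOYEE';   -- unquoted identifiers are stored in upper case

-- 3. Review every permission and mask attached to the table.
--    CONTROLTYPE: 'R' = row permission, 'C' = column mask.
--    IMPLICIT = 'Y' marks the default permission DB2 creates on activation,
--    which denies rows not covered by an explicit permission.
--    Anything with ENABLE = 'N' or VALID = 'N' is not protecting data.
SELECT CONTROLNAME, CONTROLTYPE, COLNAME, ENABLE, VALID, IMPLICIT, RULETEXT
  FROM SYSCAT.CONTROLS
 WHERE TABSCHEMA = CURRENT SCHEMA
   AND TABNAME   = 'EMPLOYEE'
 ORDER BY CONTROLTYPE, CONTROLNAME;

-- 4. Functional check: run once as an HR member and once as a non-HR user.
--    HR member:   visible_rows = total rows, visible_salaries = non-null salaries.
--    Non-HR user: both counts are 0, because RowPermission1 hides every row
--    before SalaryMask is ever evaluated for that user.
SELECT COUNT(*)      AS visible_rows,
       COUNT(Salary) AS visible_salaries
  FROM Employee;
```

With these two definitions together, SalaryMask only changes what a non-HR user sees if a further row permission later grants that user some rows.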
It's worth noting that while similar controls can be achieved in other databases like SQL Server 2019, MySQL 8.0, Azure SQL, and Azure Synapse, DB2’s implementation of RCAC is particularly robust and integrated, allowing for easy and effective database-level security enforcement. The RCAC feature of DB2 is a powerful tool to protect your data and ensure only authorized users can access it.