AWS Security ChangesHomeSearch

AWS AmazonRDS documentation change

Service: AmazonRDS · 2025-10-19 · Documentation medium

File: AmazonRDS/latest/UserGuide/db2-sp-managing-databases.md

Summary

Added documentation for rdsadmin.fgac_command stored procedure including syntax, parameters, usage notes, and examples for fine-grained access control (FGAC) commands related to row/column access control (RCAC) and label-based access control (LBAC)

Security assessment

The change introduces documentation for FGAC commands that enable security controls like creating security labels, masks, permissions, and policies. While these are security features, there is no evidence this addresses a specific vulnerability - rather it documents existing security capabilities.

Diff

diff --git a/AmazonRDS/latest/UserGuide/db2-sp-managing-databases.md b/AmazonRDS/latest/UserGuide/db2-sp-managing-databases.md
index 12fa832cc..5a4cd0179 100644
--- a//AmazonRDS/latest/UserGuide/db2-sp-managing-databases.md
+++ b//AmazonRDS/latest/UserGuide/db2-sp-managing-databases.md
@@ -5 +5 @@
-rdsadmin.create_databaserdsadmin.deactivate_databaserdsadmin.activate_databaserdsadmin.reactivate_databaserdsadmin.drop_databaserdsadmin.update_db_paramrdsadmin.set_configurationrdsadmin.show_configurationrdsadmin.backup_databaserdsadmin.restore_databaserdsadmin.rollforward_databaserdsadmin.rollforward_statusrdsadmin.complete_rollforwardrdsadmin.db2pd_commandrdsadmin.force_applicationrdsadmin.set_archive_log_retentionrdsadmin.show_archive_log_retentionrdsadmin.list_archive_log_information
+rdsadmin.create_databaserdsadmin.deactivate_databaserdsadmin.activate_databaserdsadmin.reactivate_databaserdsadmin.drop_databaserdsadmin.update_db_paramrdsadmin.set_configurationrdsadmin.show_configurationrdsadmin.backup_databaserdsadmin.restore_databaserdsadmin.rollforward_databaserdsadmin.rollforward_statusrdsadmin.complete_rollforwardrdsadmin.db2pd_commandrdsadmin.force_applicationrdsadmin.set_archive_log_retentionrdsadmin.show_archive_log_retentionrdsadmin.list_archive_log_informationrdsadmin.fgac_command
@@ -67,0 +68,2 @@ Refer to the following built-in stored procedures for information about their sy
+  * rdsadmin.fgac_command
+
@@ -527 +529 @@ The following example sets the `RESTORE_DATABASE_PARALLELISM` configuration to `
-**Example 3: Specifying number of paths or I/0 streams to use during restore**
+**Example 3: Specifying number of paths or I/O streams to use during restore**
@@ -570 +572 @@ The following configuration names are valid:
-  * `RESTORE_DATABASE_NUM_MULTI_PATHS` – The number of paths (or I/0 streams) to use during a restore from Amazon S3 operation.
+  * `RESTORE_DATABASE_NUM_MULTI_PATHS` – The number of paths (or I/O streams) to use during a restore from Amazon S3 operation.
@@ -1348 +1350 @@ The following example sets the archive log retention time for a database called
-****Example 2: Disabling retention time****
+**Example 2: Disabling retention time**
@@ -1429,0 +1432,143 @@ The following example returns archive log information for a database called `TES
+## rdsadmin.fgac_command
+
+Runs fine-grained access control (FGAC) commands.
+
+### Syntax
+    
+    
+    db2 "call rdsadmin.fgac_command(
+        ?,
+        'database_name',
+        'fgac_cmd')"
+
+### Parameters
+
+The following output parameter is required:
+
+?
+    
+
+A parameter marker that outputs an error message. This parameter only accepts `?`.
+
+The following input parameters are required:
+
+`database_name`
+    
+
+The name of the database that you want to run FGAC commands on. The data type is `varchar`.
+
+`fgac_cmd`
+    
+
+The fine-grained access control command that you want to run. The data type is `varchar`.
+
+The following commands are valid:
+
+  * `ALTER MASK` – Alters an existing column mask in row and column access control (RCAC).
+
+  * `ALTER PERMISSION` – Alters properties of an existing row permission in RCAC.
+
+  * `ALTER SECURITY POLICY` – Alters an existing security policy for RCAC.
+
+  * `ALTER SECURITY LABEL` – Alters properties of an existing security label in label-based access control (LBAC). 
+
+  * `ALTER TABLE` – Alters table structure, including adding RCAC or LBAC controls.
+
+  * `CREATE MASK` – Creates a new column mask for RCAC.
+
+  * `CREATE PERMISSION` – Creates a new row permission for RCAC.
+
+  * `CREATE SECURITY LABEL` – Creates a new security label for LBAC.
+
+  * `CREATE SECURITY POLICY` – Creates a new security policy for RCAC.
+
+  * `DROP MASK` – Drops an existing column mask.
+
+  * `DROP PERMISSION` – Drops an existing row permission.
+
+  * `DROP SECURITY LABEL` – Drops a security label from LBAC.
+
+  * `DROP SECURITY POLICY` – Drops an existing RCAC security policy.
+
+  * `GRANT EXEMPTION ON RULE` – Allows a user to bypass specific LBAC rules.
+
+  * `GRANT SECURITY LABEL` – Assigns an LBAC security label to a user.
+
+  * `REVOKE EXEMPTION ON RULE` – Removes a user's exemption from LBAC rules.
+
+  * `REVOKE SECURITY LABEL` – Removes an LBAC security label from a user.
+
+
+
+
+### Usage notes
+
+This stored procedure controls access at the row or column level to table data in your database on an RDS for Db2 DB instance. RDS for Db2 supports two types of FGAC on the database: 
+
+  * Label-based access control (LBAC)
+
+  * Row and column access control (RCAC)
+
+
+
+
+Before calling the stored procedure, review the following considerations: 
+
+  * To escape a single quote ('), use an additional single quote. The following examples show how to escape `'apple'`, `'banana'`, and `'fruit'`.
+    
+        db2 "call rdsadmin.fgac_command(
+        ?,
+        'testdb',
+        'CREATE SECURITY LABEL COMPONENT FRUITSET SET{''apple'',''banana''}')"
+    
+        db2 "call rdsadmin.fgac_command(
+        ?, 
+        'testdb', 
+        'CREATE SECURITY LABEL COMPONENT FRUITTREE TREE(''fruit'' ROOT, ''apple'' UNDER ''fruit'', ''banana'' UNDER ''fruit'')')"
+
+  * To escape brackets ([ ]), use a backslash (\\). The following example shows how to escape `[''apple'',''banana'']`. 
+    
+        db2 "call rdsadmin.fgac_command(
+        ?, '
+        testdb', 
+        'CREATE SECURITY LABEL COMPONENT FRUITARRAY ARRAY\[''apple'',''banana''\]')"
+
+
+
+
+### Examples
+
+The following examples all run FGAC commands on a database called `testdb`.
+
+**Example 1: Creating a new security label called`FRUITSET`**
+    
+    
+    db2 "call rdsadmin.fgac_command(
+        ?,
+        'testdb',
+        'CREATE SECURITY LABEL COMPONENT FRUITSET SET{''apple'',''banana''}')"
+
+**Example 2: Creating a new mask for the`EMP_ID` column that is enabled when `EMP_ID` is set to less than three**
+    
+    
+    db2 "call rdsadmin.fgac_command(
+        ?,
+        'testdb',
+        'CREATE MASK id_MASK ON EMPLOYEE FOR COLUMN EMP_ID RETURN CASE WHEN (EMP_ID < 3) THEN EMP_ID ELSE NULL END ENABLE')"
+
+**Example 3: Creating a new mask for the`DEPARTMENT` column that is enabled when `SESSION_USER` is set to `security_user`**
+    
+    
+    db2 "call rdsadmin.fgac_command(
+        ?,
+        'testdb',
+        'CREATE MASK DEPARTMENT_MASK ON EMPLOYEE FOR COLUMN DEPARTMENT RETURN CASE  WHEN SESSION_USER = ''security_user'' THEN DEPARTMENT ELSE NULL END ENABLE')"
+
+**Example 4: Creating a new security label called`treelabel`**
+    
+    
+    db2 "call rdsadmin.fgac_command(
+        ?,
+        'testdb',
+        'CREATE SECURITY LABEL COMPONENT treelabel  TREE(''COMPANY'' ROOT, ''HR'' UNDER ''COMPANY'', ''FINANCE'' UNDER ''COMPANY'', ''IT'' UNDER ''COMPANY'')')"
+