A method and apparatus to provide security for data in a database system includes providing a secure user-defined data type (UDT) that has security features. The secure UDT defines security information, which in one arrangement is in the form of a list of identifiers of authorized users or other entities. Each data instance according to the secure UDT stored in tables of the database system is associated with such an access list. Thus, in response to a query, the security information is accessed to determine whether the user or other entity that issued the query has rights to access the data. Access is then allowed or denied based on the security information.