6 Oracle Label Security Using Oracle Internet Directory

Managing Oracle Label Security metadata in a centralized LDAP repository provides many benefits. Policies and user label authorizations can be easily provisioned and distributed throughout the enterprise. In addition, when employees are terminated, their label authorizations can be revoked in one place and the change automatically propagated throughout the enterprise. This chapter describes the integration between Oracle Label Security and Oracle Internet Directory, in the following sections:

6.1 Introducing Label Management on Oracle Internet Directory

Previous releases of Oracle Label Security have relied on the Oracle Database as the central repository for policy and user label authorizations. This architecture leveraged the scalability and high availability of the Oracle Database, but did not leverage the identity management infrastructure, which includes the Oracle Internet Directory. This directory is part of Oracle Identity Management Platform. Integrating your installation of Oracle Label Security with Oracle Internet Directory allows label authorizations to be part of your standard provisioning process.

These advantages accrue also to directory-stored information about policies, user labels, and privileges that Oracle Label Security assigns to users. These labels and privileges are specific to the installation's policies defining access control on tables and schemas.If a site is not using Oracle Internet Directory, then such information is stored locally in the database.

The following Oracle Label Security information is stored in the directory:

  • Policy information, namely policy name, column name, policy enforcement options, and audit options

  • User profiles identifying their labels and privileges

  • Policy label components: levels, compartments, groups

  • Policy data labels

Database-specific metadata is not stored in the directory. Examples include

  • Lists of schemas or tables, with associated policy information, and

  • Program units, with associated policy privileges

The following three notes identify important aspects of integrating your installation of Oracle Label Security with Oracle Internet Directory:

Note:

Oracle will continue to support both the database and directory-based architectures for Oracle Label Security. However, a single database environment cannot host both architectures. Administrators must decide whether to use the centralized LDAP administration model or the database-centric model.

Note:

Managing Oracle Label Security policies directly in the directory is done using a new command-line tool, the Oracle Label Security administration tool (olsadmintool), described in Appendix B, "Command-line Tools for Label Security Using Oracle Internet Directory".

Starting this release, you can also use the graphical user interface provided by Oracle Enterprise Manager Database Control or Grid Control to manage Oracle Label Security. Detailed documentation can be found in Oracle Enterprise Manager help.

For sites that use Oracle Internet Directory, databases retrieve Oracle Label Security policy information from the directory. Administrators use the olsadmintool policy administration tool or the Enterprise Manager graphical user interface to operate directly on the directory to insert, alter, or remove metadata as needed. Because enterprise users can log in to multiple databases using the credentials stored in Oracle Internet Directory, it is logical to store their Oracle Label Security policy authorizations and privileges there as well. An administrator can then modify these authorizations and privileges by updating such metadata in the directory.

For distributed databases, centralized policy management removes the need for replicating policies, because the appropriate policy information is available in the directory. Changes are effective without further effort, synchronized with policy information in the databases by means of the Directory Integration Platform.

See Also:

Synchronization using the Directory Integration Platform is described in the Oracle Internet Directory Administrator's Guide.

Figure 6-1, "Diagram of Oracle Label Security Metadata Storage in Oracle Internet Directory" illustrates the structure of metadata storage in Oracle Internet Directory.

Figure 6-2, "Oracle Label Security Policies Applied through Oracle Internet Directory" illustrates applying different policies stored in Oracle Internet Directory to the databases accessed by different enterprise users. Determining the policy to be applied is controlled by the directory entries corresponding to the user and the accessed database.

Figure 6-1 Diagram of Oracle Label Security Metadata Storage in Oracle Internet Directory

This illustration is described in the text.

Figure 6-2 Oracle Label Security Policies Applied through Oracle Internet Directory

This illustration is described in the text.

In this example, the directory has information about two Oracle Label Security policies, Alpha, applying to database DB1, and Beta, applying to database DB2 Although both policies are known to each database, only the appropriate one is applied in each case. In addition, enterprise users who are to access rows protected by Oracle Label Security are listed in profiles within the Oracle Label Security attributes in Oracle Internet Directory.

As Figure 6-2, "Oracle Label Security Policies Applied through Oracle Internet Directory" shows, the connections between different databases and the directory are established over either SSL or SASL. The database always binds to the directory as a known identity using password-based authentication. Links between databases and their clients (such as a sqlplus session, any PL/SQL programs , and so on) can use either SSL or non-SSL connections. The example of Figure 6-2, "Oracle Label Security Policies Applied through Oracle Internet Directory" assumes that users are logged on through password authentication. The choice of connection type depends on the enterprise user model.

The Oracle Label Security policy administration tool operates directly on metadata in Oracle Internet Directory. Changes in the directory are then propagated to the Oracle Directory Integration and Provisioning server, which is configured to send changes to the databases at specific time intervals.

The databases update the policy information in Oracle Internet Directory only when policies are being applied to tables or schemas. These updates ensure that policies that are in use will not be dropped from the directory.

See Also:

6.2 Configuring Oracle Internet Directory-Enabled Label Security

You can configure a database for Oracle Internet Directory-enabled Label Security at any time after database creation or during custom database creation. Oracle Internet Directory-enabled label security relies on the Entrerprise User security feature.

See Also:

6.2.1 Granting Permissions for Configuring Oracle Internet Directory enabled Oracle Label Security

Users who perform Oracle Internet Directory enabled Oracle Label Security using the Database Configuration Assistant (DBCA) need additional privileges. The following steps describe what permissions are needed, and how to grant them:

  • Use Enterprise Manager to add the user to the OracleDBCreators group.

    See Also:

    "Managing Identity Management Realm Administrators" in the Oracle Database Enterprise User Security Administrator's Guide for more information on adding a user to an administrative group
  • Add the user to the Provisioning Admins group. This is necessary because DBCA creates a DIP provisioning profile for Oracle Label Security. Use ldapmodify command with the following .ldif file to add a user to the Provisioning Admins group:

    dn: cn=Provisioning Admins,cn=changelog subscriber, cn=oracle internet directory
    changetype: modify
    add: uniquemember
    uniquemember: DN of the user who is to be added
    
  • Add the user to the policyCreators group using the olsadmintool command line tool . DBCA bootstraps the database with the Oracle Label Security policy information from Oracle Internet Directory, and only policyCreators can perform this bootstrap.

  • If the database is already registered with the Oracle Internet Directory using DBCA, use Enterprise Manager to add the user to the OracleDBAdmins group of that database.

Note that the permissions specified earlier are also needed by the administrator who unregisters the database that has Oracle Internet Directory enabled Oracle Label Security configuration.

6.2.2 Registering a Database and Configuring Oracle Internet Directory enabled Oracle Label Security

To achieve this goal, do the following major tasks:

6.2.2.1 Task 1 Configure Your Oracle Home for Directory Usage.

6.2.2.2 Task 2 Configure the Database for Oracle Internet Directory enabled Oracle Label Security

  1. Register your database in the directory using DBCA (Database Configuration Assistant).

    See Also:

    "Registering Your Database with the Directory" in the Oracle Database Enterprise User Security Administrator's Guide
  2. After your database is registered in the directory, configure Label Security:

    1. Start DBCA, select Configure database options in a database, and click Next.

    2. Select a database and click Next.

    3. Regarding the option of unregistering the database or keeping it registered, select Keep the database registered.

    4. If the database is registered with Oracle Internet Directory, the Database options screen shows a customize button beside the Label Security check box. Select the Label Security option and click Customize.

    5. This customize dialog has two configuration options, for standalone Oracle Label Security or for Oracle Internet Directory-enabled Oracle Label Security. Click OID-enabled Label security configuration and enter the Oracle Internet Directory credentials of an appropriate administrator. Click Ok.

    6. Continue with the remaining DBCA steps and click Finish when it appears.

      Note:

      You can configure a standalone Oracle Label Security on a database that is registered with Oracle Internet Directory. Select the standalone option in step e.

When configuring for Oracle Internet Directory-enabled Oracle Label Security, DBCA also does the following things in addition to registering the database:

  1. Creates a provisioning profile for propagating Label Security policy changes to to the database. This Directory Integration Platform (DIP) provisioning profile is enabled by default.

  2. Installs the required packages on the database side for Oracle Internet Directory-enabled Oracle Label Security.

  3. Bootstraps the database with all the existing Label Security policy information in the Oracle Internet Directory.

    See Also:

    Bootstrapping Databases for more information.

6.2.2.3 Alternate Method for Task 2, Configuring Database for Oracle Internet Directory enabled Oracle Label Security

Registering the database and configuring Oracle Label Security can be done in one invocation of DBCA.

  1. Start DBCA.

  2. Select Configure database options in a database and click Next.

  3. Select a database and click Next.

  4. Click Register the database.

  5. Enter the Oracle Internet Directory credentials of an appropriate administrator, and the corresponding password for the database wallet that will be created.

  6. The Database options screen shows a Customize button beside the Label Security check box. Select the Label Security option and click Customize.

    The Customize dialog box is displayed, showing two configuration options, for standalone Oracle Label Security or for Oracle Internet Directory-enabled Oracle Label Security.

  7. Click OID-enabled Label Security Configuration.

  8. Continue with the remaining DBCA steps and click Finish.

6.2.2.4 Task3: Set the DIP Password and Connect Data

  1. Use the command line tool oidprovtool to set the password for the DIP user and update the interface connect information in the DIP provisioning profile for that database with the new password.

  2. Upon creation, the DIP profile uses a schedule value of 3600 seconds by default, meaning that Oracle Label Security changes are propagated to the database every hour. You can use oidprovtool to change this value if deployment considerations require that.

Once the the database is configured for Oracle Internet Directory-enabled Oracle Label Security, further considerations regarding enterprise user security may apply.

See Also:

Oracle Database Enterprise User Security Administrator's Guide for further concepts, tools, steps, and procedures

6.2.3 Unregistering a Database with Oracle Internet Directory enabled OLS

To perform this task, you use DBCA, which does the following things:

  1. Deletes the DIP provisioning profile for the database created for Oracle Label Security.

  2. Installs the required packages for standalone Oracle Label Security, so that at the end of unregistration, Oracle Internet Directory enabled Oracle Label Security becomes standalone Oracle Label Security.

    Note:

    Specific instructions for DB unregistration appear in the Oracle Database Enterprise User Security Administrator's Guide. No special steps are required when Oracle Internet Directory-enabled Oracle Label Security is configured.

    Note:

    If a database has standalone Oracle Label Security, it cannot be converted to Oracle Internet Directory-enabled Oracle Label Security. You need to drop Oracle Label Security from the database and then use DBCA again to configure Oracle Internet Directory-enabled Oracle Label Security.

6.3 Removing Directory-enabled Oracle Label Security from Database

To remove Oracle Internet Directory-enabled Oracle Label Security from a database, first unregister the database using DBCA, and then run the following script:

$ORACLE_HOME/rdbms/admin/catnools.sql

6.4 Oracle Label Security Profiles

A user profile is a set of user authorizations and privileges. Profiles are maintained as part of each Oracle Label Security policy stored in the Directory.

If a user is added to a profile, then the authorizations and privileges defined in that profile for that particular policy are aquired by the user, which include the following attributes:

An enterprise user can belong to only one profile, or none.

6.5 Integrated Capabilities When Label Security Uses the Directory

The integration of Oracle Label Security and Oracle Internet Directory enables the following capabilities:

  • User/administrator actions

    • Storing multiple Oracle Label Security policies in Oracle Internet Directory

    • Managing Oracle Label Security policies and options in the directory, including

      • creating or dropping a policy

      • changing policy options

      • changing audit settings

    • Creating label components for any Oracle Label Security policies by

      • creating or removing levels, compartments, or groups

      • assigning numeric values to levels, compartments, or groups

      • changing long names of levels, compartments, or groups

      • creating children groups

    • Managing enterprise users configured as users of any Oracle Label Security policies, including

      • assigning or removing enterprise users to/from profiles within policies

      • assigning policy-specific privileges to enterprise users, or removing them

      • changing policy label authorizations assigned to enterprise users

    • Managing all user/administrator actions and capabilities by means of an integrated set of command line tools that monitor and manage Oracle Label Security policies in Oracle Internet Directory.

  • Automatic results of Oracle Label Security

    • Limiting database policy usage to directory-defined policies only (no local policies defined or applied)

    • Synchronizing changes to policies in the directory with the databases using Oracle Label Security (to apply after enterprise users reconnect)

    • After changes are propagated by the Directory Integration Platform, having immediate access to enterprise users' Oracle Label Security attributes when these users log on to any database using Oracle Label Security, assuming they are configured within any Oracle Label Security policies. These attributes include users' label authorizations and users' privileges.

6.6 Oracle Label Security Policy Attributes in Oracle Internet Directory

In Oracle Internet Directory, Oracle-related metadata is stored under cn=OracleContext. Within Label Security, each policy holds the information and parameters shown in Figure 6-1, "Diagram of Oracle Label Security Metadata Storage in Oracle Internet Directory":

When Oracle Label Security is used without Oracle Internet Directory, it supports automatic creation of data labels by means of a label function. However, when Oracle Label Security is used with Oracle Internet Directory, such functions can create labels only using data labels that are already defined in the directory.

Table 6-1 Contents of Each Policy

Type of Entry Contents Meaning/Sample Usage/References

Policy Name

The name assigned to this policy at its creation

Used in olsadmintool commands such as olsadmintool createpolicy (refer to Appendix B, "Command-line Tools for Label Security Using Oracle Internet Directory")

Column Name

The name of the column that will hold the label values relevant to this policy

Column is added to database. Refer to "The Policy Label Column and Label Tags"

"Inserting Labeled Data"

"The HIDE Policy Column Option"

Appendix E, "Reference".

Used in

olsadmintool createpolicy

Enforcement Options

Any combination of the following entries:

LABEL_DEFAULT, LABEL_UPDATE, CHECK_CONTROL, READ_CONTROL, WRITE_CONTROL, INSERT_CONTROL, DELETE_CONTROL, UPDATE_CONTROL, ALL_CONTROL, or NO_CONTROL

Refer to the discussions in Chapter 9, "Implementing Policy Enforcement Options and Labeling Functions" and Appendix E, "Reference".

Used in

olsadmintool createpolicy

and olsadmintool alterpolicy

Options

Enabled: TRUE or FALSE, Type: ACCESS or SESSION, Success: SUCCESSFUL, UNSUCCESSFUL, or BOTH.

Used in

olsadmintool audit

Levels

Name and number for each level

Used in olsadmintool create/alter/droplevel

Compartments

Name and number for each compartment

Used in olsadmintool create/alter/drop compartment

Groups

Name, number, and parent for each group

Used in olsadmintool create/alter/dropgroup

Profiles

Maximum and default read labels, maximum and minimum write labels, default row label, list of users, and a set of privileges from this list:

READ, FULL,

WRITEUP, WRITEDOWN, WRITEACROSS,

PROFILE_ACCESS, or COMPACCESS

Policies can have one or more profiles, each of which can be assigned to many users. Profiles reduce the need to set up label authorizations for individual users.

All users with the same set of labels and privileges are grouped in a single profile. Each profile represents a different set of labels, privileges, and users. Each profile in a policy is unique.

Data Labels

Full name and number for each valid data label

Refer to Restrictions on New Data Label Creation.

Administrators

Name of each administrator authorized to modify the parameters within this policy.

Policy administrators can modify parameters within a policy. They are not necessarily also policy creators, who have the right to create or remove policies or policy administrators. Refer to Security Roles and Permitted Actions.


6.7 Restrictions on New Data Label Creation

When Oracle Label Security is used with Oracle Internet Directory, data labels must be pre-defined in the directory.

They cannot be created dynamically by a label function, as is possible when label security is not integrated with the directory.

6.8 Two Types of Administrators

Administrators listed within a policy are those individuals authorized to do the following policy-specific administrative tasks:

  • Modify existing policy options and audit settings.

  • Enable or disable auditing for a policy.

  • Create or remove levels, compartments, groups or children groups.

  • Modify full/long names for levels, compartment, or groups.

  • Define or modify enterprise user settings, in this policy, for:

    • Privileges

    • Maximum or minimum levels

    • Read, write, or row access for levels, compartments, or groups

    • Label profiles

  • Remove enterprise users from a policy.

There is a higher level of administrators, called policy creators, who can create and remove Oracle Label Security policies and the policy administrators named within them.

6.9 Bootstrapping Databases

After a new database is registered with Oracle Internet Directory, the administrator can install Oracle Internet Directory enabled Oracle Label Security on that database. This installation process automatically creates a Directory Integration Platform (DIP) provisioning profile enabling policy information to be periodically refreshed in the future by downloading it to the database. Refer to Oracle Directory Integration and Provisioning (DIP) Provisioning Profiles.

When configuring the database for Oracle Internet Directory enabled Oracle Label Security, the DBCA tool puts all the policy information in Oracle Internet Directory into the database. At any point, the administrator can decide to bootstrap the database with the policy information again, using the bootstrap utility script at $ORACLE_HOME/bin/olsoidsync. The parameters it requires are as follows:

olsoidsync --dbconnectstring <"database connect string in host:port:sid format"> --dbuser <database user> --dbuserpassword <database user password> [-c] [-r]  [-b <admin context>] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

For example, 
olsoidsync --dbconnectstring yippee:1521:ora101 --dbuser lbacsys  --dbuserpassword lbacsys -c  -b "ou=Americas,o=Oracle,c=US" -h yippee -D cn=policycreator -w welcome1

The olsoidsync command pulls policy information from Oracle Internet Directory and populates the information in the database. Users must provide the database TNS name, the database user name, the database user's password, the administrative context (if any), the Oracle Internet Directory host name, the bind DN and bind password, and optionally the Oracle Internet Directory port number.

The optional -c switch causes the command to drop all the existing policies in the database and refresh it with policy information from Oracle Internet Directory.

The optional -r switch causes the command to drop all the policy metadata (without dropping the policies themselves) and refresh the policies with new metadata from Oracle Internet Directory.

Without these two switches, the command will only create new policies from Oracle Internet Directory, and will halt on any errors encountered during the refresh.

6.10 Synchronizing the Database and Oracle Internet Directory

Oracle Label Security metadata in the directory is synchronized with the databases using the Oracle Directory Provisioning Integration Service of the Directory Integration Platform.

Changes to the label security data in the directory are conveyed by the provisioning integration service in the form of provisioning events. A software agent receives these events and generates appropriate SQL or PL/SQL statements to update the database. After these statements are processed, Oracle Label Security data dictionaries are updated to match the changes already made in the directory.

Oracle Label Security subscribes itself to the Provisioning Integration Service automatically during installation. The provisioning service stores the information associated with each database in the form of a provisioning profile. The software agent uses the identity of the user "DIP" to connect to the database, and the password "DIP", when synchronizing the changes in Oracle Internet Directory with the database.

If the password for the user DIP is changed, that information must be updated in the provisioning profile of the provisioning integration service.

The steps to change the database connection information in the DIP profile are as follows:

  1. Disable the provisioning profile. This temporarily stops the propagation of label security changes in the directory to the database, but no data is lost. Once the profile is enabled, any label security changes that happened in the directory since the profile was disabled are synchronized with the database.

  2. Update the database connection information in the profile.

  3. Enable the profile.

    Note:

    The database character set must be compatible with Oracle Internet Directory for Oracle Internet Directory-enabled Oracle Label Security to work correctly. Only then can there be successful synchronization of the Label Security metadata in Oracle Internet Directory with the Database.

    Please refer to Chapters 2 and 3 of Oracle Database Globalization Support Guide for more information about Character sets and Globalization Support parameters.

    See Also:

6.10.1 Oracle Directory Integration and Provisioning (DIP) Provisioning Profiles

The DIP server synchronizes policy changes in the directory with the connected databases, using a separate DIP provisioning profile created for each database. This profile is created automatically as part of the installation process for Oracle Internet Directory-enabled Oracle Label Security. The administrator can use the provisioning tool oidprovtool to modify the password for a database profile, using the script $ORACLE_HOME/bin/oidprovtool. Each such profile contains the following information:

Table 6-2 Elements in a DIP Provisioning Profile

Element Name for This Element When Invoking oidprovtool

The LDAP host name

ldap_host

The LDAP port number

ldap_port

The user DN and password to bind to Oracle Internet Directory to retrieve policy information

ldap_user

ldap_user_password

The database DN

application_dn

The organization DN, that is, the administrative context in which changes are being made

organization_dn

The callback function to be invoked, that is, LBACSYS.OLS_DIP_NTFY

interface_name

The database connect information, which is the hostname of the database, the port number used to connect to the database, the database SID, the database user name and password

interface_connect_info

Event subscriptions, including all MODIFY, ADD and DELETE events under cn=LabelSecurity in Oracle Internet Directory

operation

The time interval between synchronizations

schedule


Here is an example of using oidprovtool, followed by an explanation of the parameters in this example:

oidprovtool operation=modify ldap_host=yippee ldap_port=389  ldap_user=cn=defense_admin ldap_user_password=welcome1  application_dn="cn=db1,cn=OracleContext,ou=Americas,o=Oracle,c=US"  organization_dn="ou=Americas,o=Oracle,c=US" interface_name=LBACSYS.OLS_DIP_NTFY interface_type=PLSQL interface_connect_info=yippee:1521:db1:dip:newdip schedule=60 event_subscription= "ENTRY:cn=LabelSecurity,cn=Products,cn=OracleContext, ou=Americas,o=Oracle,c=US:ADD(*)" event_subscription= "ENTRY:cn=LabelSecurity,cn=Products, cn=OracleContext,ou=Americas, o=Oracle,c=US:MODIFY(*)" event_subscription="ENTRY:cn=LabelSecurity,cn=Products, cn=OracleContext, ou=Americas,o=Oracle,c=US:DELETE"

This sample oidprovtool command creates and enables a new DIP provisioning profile with the following attributes:

  • Oracle Internet Directory in host yippee using port 389

  • Oracle Internet Directory user bind DN: cn=defense_admin with password welcome1

  • Database DN: cn=db1,cn=OracleContext,ou=Americas,o=Oracle,c=US

  • Organization DN (administrative context): ou=Americas,o=Oracle,c=US

  • Database on host yippee, listening on port 1521

  • Oracle SID: db1

  • Database user: dip with new password newdip

  • Interval to synchronize directory with connected databases : 60 seconds

  • All the ADD, MODIFY and DELETE events under cn=LabelSecurity to be sent to DIP

To start the DIP server, use $ORACLE_HOME/bin/oidctl. For example:

oidctl server=odisrv connect=db2 config=0 instance=0 start

This command will start the DIP server by connecting to db2 (the Oracle Internet Directory database) with config set 0 and instance number 0.

See also:

Oracle Internet Directory Administrator's Guide for more information on DIP provisioning profiles

6.10.2 Disabling, Changing, and Enabling a Provisioning Profile

You can change the password for the interface_connect_info, which is the database password, by using the oidprovtool modify command, but first you must disable the profile. After changing the password, you then reenable the profile.

You can disable the Oracle Label Security provisioning profile using oidprovtool, specifying the disable operation and the first six original parameters shown here. (The other original parameters are not needed.) The command form is:

oidprovtool operation=disable ldap_host=< > ldap_port=< > ldap_user_dn=< >  
   ldap_user_password=< > application_dn=< >  organization_dn=< >

Using parameters from the example given in the previous section, this command would look like this:

oidprovtool operation=disable ldap_host=yippee ldap_port=389
ldap_user=cn=defense_admin ldap_user_password=welcome1 
application_dn="cn=db1,cn=OracleContext,ou=Americas,o=Oracle,c=US"
organization_dn="ou=Americas,o=Oracle,c=US"

To modify the password in the connection information, use the oidprovtool command, specifying the modify operation, the first six original parameters, and the new DIPuser password given in the connection info. The command form is:

oidprovtool operation=modify  ldap_host=< > ldap_port=< >
ldap_user_dn=< >  ldap_user_password=< > application_dn=< >
organization_dn=< >   interface_connect_info=< new_connect _info >

Using parameters from the example given in the previous section, this command would look like this:

oidprovtool operation=modify ldap_host=yippee ldap_port=389
ldap_user=cn=defense_admin ldap_user_password=welcome1
application_dn="cn=db1,cn=OracleContext,ou=Americas,o=Oracle,c=US" 
organization_dn="ou=Americas,o=Oracle,c=US" 
interface_connect_info=yippee:1521:db1:dip:NewestDIPpassword 

Similarly, you can re-enable the Directory Integration Platform provisioning profile using oidprovtool as follows, again specifying the desired operation and the first six original parameters. (The other original parameters are not needed.) The command form is:

oidprovtool operation=enable  ldap_host=< > ldap_port=< >  ldap_user_dn=< >  
ldap_user_password=< > application_dn=< >   organization_dn=< >

Again using parameters from the example given in the previous section, this command would look like this:

oidprovtool operation=enable ldap_host=yippee ldap_port=389 
ldap_user=cn=defense_admin ldap_user_password=welcome1 
application_dn="cn=db1,cn=OracleContext,ou=Americas,o=Oracle,c=US" 
organization_dn="ou=Americas,o=Oracle,c=US"

6.11 Security Roles and Permitted Actions

To manage Oracle Label Security policies in Oracle Internet Directory, certain entities are given access control rights in the directory. The access control mechanisms are provided by Oracle Internet Directory.

Table 6-3 describes, in abstract terms, these entities and the tasks they are enabled to perform.

Table 6-4, "Access Levels Allowed by Users in OID", lists the specific access level operations permitted or disallowed for policy creators, policy administrators, and label security users.

Table 6-3 Tasks That Certain Entities Can Perform

Entity Tasks This Entity Can Perform

Policy creators

Create new (or delete existing) policies, create new (or remove existing) policy administrators.

Policy administrators

For Policies: modify existing policy options and audit settings, enable or disable auditing for a policy.

For Label components: create, modify, or remove levels, compartments and groups, such as by changing their full or long names or (for groups) by creating or deleting their children groups.

For enterprise users: remove enterprise users from a policy, modify enterprise users' maximum or minimum levels, their read, write, and row access for compartments or groups, their privileges for a policy, and their label profiles.


Table 6-4 Access Levels Allowed by Users in OID

Entries Policy Creators Policy Administrators Databases

cn=Policies

can modify

no access

no access

cn=Admins,cn=Policy1

can modify

no access

no access

uniqueMember: cn=Policy1

can browse

can browse

can modify

cn=PolicyCreators

no accessFoot 1 

no access

no access

cn=Levels,cn=Policy1

can browse and delete

can modify

no access

cn=Compartments,cn=Policy1

can browse and delete

can modify

no access

cn=Groups,cn=Policy1

can browse and delete

can modify

no access

cn=AuditOptions,cn=Policy1

can browse and delete

can modify

no access

cn=Profiles,cn=Policy1

can browse and delete

can modify

no access

cn=Labels,cn=Policy1

can browse and delete

can modify

no access

cn=DBServers

no accessFoot 2 

no access

no access


Footnote 1 The group cn=OracleContextAdmins is the owner of the group cn=PolicyCreators, so members in cn=OracleContextAdmins can modify cn=PolicyCreators.

Footnote 2 The group cn=OracleDBCreators is the owner of the group cn=DBServers, so members in cn=OracleDBCreators can modify cn=DBServers.

6.11.1 Restriction on Policy Creators for Directory-enabled Oracle Label Security

A member of the Policy Creators group can only create, browse, and delete Oracle Label Security policies.

This user cannot perform policy administrative tasks, such as creating label components and adding users, even if explicitly added to the Policy Admins group of that policy. In short, a policy creator cannot be the administrator of any policy.

6.12 Superseded PL/SQL Statements

When Oracle Internet Directory is enabled with Oracle Label Security, the procedures listed in the following table are superseded. Only LBACSYS is allowed to run these procedures.

For some of the procedures listed in the table, the functionality they provided is replaced by the olsadmintool command named in the second column (and explained in Appendix E, "Reference").

Table 6-5 Procedures Superseded by olsadmintool When Using Oracle Internet Directory

Disabled Procedure Replaced by olsadmintool Command

SA_SYSDBA.CREATE_POLICY

olsadmintool createpolicy

SA_SYSDBA.ALTER_POLICY

olsadmintool alterpolicy

SA_SYSDBA.DROP_POLICY

olsadmintool droppolicy

SA_COMPONENTS.CREATE_LEVEL

olsadmintool createlevel

SA_COMPONENTS.ALTER_LEVEL

olsadmintool alterlevel

SA_COMPONENTS.DROP_LEVEL

olsadmintool droplevel

SA_COMPONENTS.CREATE_COMPARTMENT

olsadmintool createcompartment

SA_COMPONENTS.ALTER_COMPARTMENT

olsadmintool altercompartment

SA_COMPONENTS.DROP_COMPARTMENT

olsadmintool dropcompartment

SA_COMPONENTS.CREATE_GROUP

olsadmintool creategroup

SA_COMPONENTS.ALTER_GROUP

olsadmintool altergroup

SA_COMPONENTS.ALTER_GROUP_PARENT

olsadmintool altergroup

SA_COMPONENTS.DROP_GROUP

olsadmintool dropgroup

SA_USER_ADMIN.SET_LEVELS

None

SA_USER_ADMIN.SET_COMPARTMENTS

None

SA_USER_ADMIN.SET_GROUPS

None

SA_USER_ADMIN.ADD_COMPARTMENTS

None

SA_USER_ADMIN.ALTER_COMPARTMENTS

None

SA_USER_ADMIN.DROP_COMPARTMENTS

None

SA_USER_ADMIN.DROP_ALL_COMPARTMENTS

None

SA_USER_ADMIN.ADD_GROUPS

None

SA_USER_ADMIN.ALTER_GROUPS

None

SA_USER_ADMIN.DROP_GROUPS

None

SA_USER_ADMIN.DROP_ALL_GROUPS

None

SA_USER_ADMIN.SET_USER_LABELS

olsadmintool createprofile; olsadmintool adduser; olsadmintool dropprofile; olsadmintool dropuser;

SA_USER_ADMIN.SET_DEFAULT_LABEL

None

SA_USER_ADMIN.SET_ROW_LABEL

None

SA_USER_ADMIN.DROP_USER_ACCESS

olsadmintool dropuser

SA_USER_ADMIN.SET_USER_PRIVS

olsadmintool createprofile; olsadmintool adduser;olsadmintool dropprofile; olsadmintool dropuser;

SA_AUDIT_ADMIN.AUDIT

olsadmintool audit

SA_AUDIT_ADMIN.NOAUDIT

olsadmintool noaudit

SA_AUDIT_ADMIN.AUDIT_LABEL

None

SA_AUDIT_ADMIN.NOAUDIT_LABEL

None


6.13 Procedures for Policy Administrators Only

The following procedures are allowed to be run only by policy administrators (enterprise users defined in Oracle Internet Directory):

  • SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY

  • SA_POLICY_ADMIN.APPLY_TABLE_POLICY

  • SA_POLICY_ADMIN.DISABLE_SCHEMA_POLICY

  • SA_POLICY_ADMIN.DISABLE_TABLE_POLICY

  • SA_POLICY_ADMIN.ENABLE_SCHEMA_POLICY

  • SA_POLICY_ADMIN.ENABLE_TABLE_POLICY

  • SA_POLICY_ADMIN.GRANT_PROG_PRIVS

  • SA_POLICY_ADMIN.POLICY_SUBSCRIBE

  • SA_POLICY_ADMIN.POLICY_UNSUBSCRIBE

  • SA_POLICY_ADMIN.REMOVE_SCHEMA_POLICY

  • SA_POLICY_ADMIN.REMOVE_TABLE_POLICY

  • SA_POLICY_ADMIN.SET_PROG_PRIVS

  • SA_POLICY_ADMIN.REVOKE_PROG_PRIVS