D Frequently Asked Questions on Oracle Label Security

This appendix attempts to answer some of the most common and frequently asked questions on Oracle Label Security.

Who uses Oracle Label Security?

Sensitivity labels are used to categorize data in virtually every industry. These industries include health care, law enforcement, energy, retail, national security, and defense industries. The following list gives some examples of sensitivity labels:

  • Internal

  • ConfidentialPhysician OnlyHighly SensitiveWidget CorporationConfidential : Chicago OperationSensitive : Finance : EuropeTop SecretUnclassified

How can Oracle Label Security address my security needs?

Oracle Label Security can be used to label data and restrict access with a high degree of granularity. This is especially useful when multiple organizations or companies share a single application. Sensitivity labels can be used to restrict application users to an organization or to a subset of data within an organization.

Data privacy is important to consumers and regulatory measures continue to be announced. Oracle Label Security can be used to implement privacy policies on data, restricting access to only those who have a need-to-know.

Should I use Oracle Label Security to protect all my tables?

No. The traditional Oracle discretionary access control (DAC) object privileges such as SELECT, INSERT, UPDATE, and DELETE combined with database roles and stored procedures are sufficient in most cases.

What is the difference between Oracle Virtual Private Database and Oracle Label Security?

Oracle Virtual Private Database (VPD) is provided at no additional cost with the Enterprise Edition of Oracle Database. Oracle Label Security is an add-on security option for the Oracle Database Enterprise Edition.

Oracle VPD is a term used for several powerful security features like, fine grained access control (FGAC), application context and global application context. VPD policies are written using PL/SQL, and can be assigned to an individual table or view. An information request, that accesses a table or view protected by VPD, is modified according to the policy assigned to the table or view.

VPD policies can be as simple as enforcing access during business hours. VPD policies can restrict access by comparing the value of an attribute in an individual row with an application context value. Global application context allows an application context to be accessed across multiple database sessions, reducing or eliminating the need to create a separate application context for each user session.

Oracle Label Security is an out-of-the-box solution for row level security. No coding or software development is required, allowing the administrator to focus completely on the policy. Oracle Label Security provides an interface for creating policies, specifying enforcement options, defining data sensitivity labels, establishing user label authorizations, and protecting individual tables or schemes.

Data sensitivity labels provide a powerful and flexible method of restricting access to data. For example, data belonging to different organizations or companies can be separated using data sensitivity labels and selectively shared between companies by changing the data sensitivity label.

Depending on the complexity of the security policy, Oracle Virtual Private Database may be the preferred method for implementing your security policy. Oracle Label Security is best suited for situations where access control decisions need to be based on the sensitivity of the information.

Can I combine Virtual Private Database and Oracle Label Security?

Yes. The following scenarios are possible:

  • A WHERE clause can be appended to an OLS policy, which provides one more level of granularity. An example would be that users, regardless of their label authorizations, are only allowed to connect from a specific IP address or subnet, and during business hours only.

  • A VPD policy, whether column sensitive or not, can evaluate user labels and determine access to columns and rows without the need to apply data labels.

Can I use Oracle Label Security with the Oracle E-Business Suite?

Oracle Applications are using Oracle VPD to provide new functionality and security protections.

Can I use Oracle Label Security with Oracle Database Vault?

You can protect Oracle Database Vault tables using Oracle Label Security just as you would do for an Oracle Database table.

In addition, Oracle Label Security can be used together with Database Vault features. You can assign Oracle Label Security labels to Database Vault Factors. These labels are then merged with the user clearance labels, following the algorithms documented in chapter 4.4.5 of the OLS admin guide: "Merging Labels with the MERGE_LABEL Function", before access control decisions are being made by comparing the merged user labels with the row labels.

The following example on the Oracle Technology Network Web site also discusses using Oracle Label security alongwith Oracle Database Vault features:


Does Oracle Label Security provide column-level access control?

No, Oracle Label Security is not column aware. This behavior is available with Virtual Private Database (VPD). A VPD policy can be written so that it only becomes active when a certain column is part of a SQL statement against a protected table. If the column sensitivity switch is on, then VPD either returns only those rows for which the sensitive column values are accessible to the user, or it returns all rows with all cells in the sensitive column being empty, except those values that the user is allowed to see.

The following link on the Oracle Technology Network Web site contains an example:


A column-sensitive VPD policy can determine access to a specific column by evaluating OLS user labels.

Can I base Secure Application Roles on Oracle Label Security?

Yes. The procedure that determines if the SET ROLE command is executed can evaluate OLS user labels. In this case, the OLS policy does not need to be applied to a table, since row labels are not part of this solution.

What are Trusted Stored Program Units?

Stored procedures, functions and packages execute with the system and object privileges (DAC) of the definer. If the invoker is a user with Oracle Label Security user clearances (labels), the procedure executes with a combination of the definer's DAC privileges and the invoker's security clearances.

Trusted stored procedures are procedures that are either granted the OLS privilege FULL or READ. When a trusted stored program unit is run, the policy privileges in force are a combination of the invoking user's privileges and the program unit's privileges.

Does VPD or OLS add an additional column to the protected table?

When you apply an Oracle Label Security (OLS) policy to a table, the policy adds an additional column to the table. The name of this column needs to be specified when the policy is initially created.

An existing column can be used to store the OLS row labels. This column must have the NUMBER(10) datatype.

Virtual Private Database (VPD) does not add an additional column to the protected table.

Why should the additional OLS row label column be hidden?

Most applications were not designed with access control mechanisms in mind, so Oracle Label Security (OLS) needs to do this transparently.

When an application queries a table with a SELECT FROM tablename statement, it returns all columns, including the unhidden label column. Existing applications may not be designed to display an additional column, and malfunction. However, if the label column is hidden, then it is displayed only when it's name is included in the SQL statement. A SELECT FROM tablename would return all columns as expected by the application, excluding the hidden OLS column.

Where can I find Oracle Label Security?

Oracle Label Security ships with the Oracle Database Enterprise Edition CD. Oracle Label Security is not installed as part of the default Oracle installation. You need to perform a custom installation to add Oracle Label Security to the database.