Skip Headers
Oracle® Label Security Administrator's Guide
12c Release 1 (12.1)

E17730-12
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

F Oracle Label Security Reference

This appendix provides the following reference information:

Oracle Label Security Data Dictionary Tables and Views

Oracle Database Data Dictionary Tables

Oracle Label Security does not label the Oracle data dictionary tables. Access is controlled by standard Oracle Database system and object privileges. For a description of all data dictionary tables and views, refer to the Oracle Database Reference.

Oracle Label Security Data Dictionary Views

Oracle Label Security maintains an independent set of data dictionary tables. These tables are exempt from any policy enforcement. This section lists the views that can display information related to Oracle Label Security.

Note that access to the DBA views is granted by default to the SELECT_CATALOG_ROLE, a standard Oracle Database role that lets you examine the Oracle Database data dictionary.

ALL_SA_AUDIT_OPTIONS View

The ALL_SA_AUDIT_OPTIONS data dictionary view shows the Oracle Label Security auditing options for the current user, configured using SA_AUDIT_ADMIN.AUDIT procedure. (See "SA_AUDIT_ADMIN.AUDIT Procedure".) The view displays whether auditing is configured to generate audit records per session (BY SESSION) or per access (BY ACCESS) and for successful or unsuccessful operations. Possible values are as follows:

  • A dash (-) indicates that the audit option is not set.

  • The S character indicates that the audit option is set BY SESSION.

  • The A character indicates that the audit option is set BY ACCESS.

  • Each audit option has two possible settings, WHENEVER SUCCESSFUL and WHENEVER NOT SUCCESSFUL, separated by a slash (/).

For example, in the following output, user jjones is audited with the BY ACCESS audit type for successful actions involving policy-specific privileges. User rlayton is audited with the BY SESSION audit type: audit records are written for failed attempts to remove policies and for successful attempts at setting user authorizations.

SELECT * FROM DBA_SA_AUDIT_OPTIONS;

POLICY_NAME      USER_NAME     APY  REM   SET_  PRV
-----------      ------------  ---  ----  ----  ---
HR_OLS_POL       JJONES        -/-   -/-  -/-   A/-
HR_OLS_POL       RLAYTON       -/-  -/S   S/-   -/-
Column Datatype Null Description
POLICY_NAME VARCHAR2(30) NOT NULL Name of the Oracle Label Security policy
USER_NAME VARCHAR2(128) NOT NULL Name of the user associated with the policy
APY VARCHAR2(3)   Audit option; refers to the application of specified Oracle Label Security policies to tables and schemas
REM VARCHAR2(3)   Audit option; refers to the removal of specified Oracle Label Security policies from tables and schemas
SET_ VARCHAR2(3)   Audit option; refers to the setting of user authorizations, and user and program privileges
PRV VARCHAR2(3)   Audit option; refers to the use of all policy-specific privileges

ALL_SA_COMPARTMENTS View

The ALL_SA_COMPARTMENTS data dictionary view shows for the current user information about Oracle Label Security policy compartments, based on the settings used in the SA_COMPONENTS.CREATE_COMPARTMENT procedure. (See "SA_COMPONENTS.CREATE_COMPARTMENT Procedure".)

Column Datatype Null Description
POLICY_NAME VARCHAR2(30) NOT NULL Name of the Oracle Label Security policy
COMP_NUM NUMBER(4) NOT NULL Compartment number in the range of (0-9999)
SHORT_NAME VARCHAR2(30) NOT NULL Short name for the compartment
LONG_NAME VARCHAR2(80) NOT NULL Long name for the compartment

ALL_SA_DATA_LABELS View

The ALL_SA_DATA_LABELS data dictionary view shows for the current user the label and label tag for the specified Oracle Label Security policy, based on settings from the SA_LABEL_ADMIN.CREATE_LABEL procedure. (See "SA_LABEL_ADMIN.CREATE_LABEL Procedure".)

Column Datatype Null Description
POLICY_NAME VARCHAR2(30) NOT NULL Name of the Oracle Label Security policy
LABEL VARCHAR2(4000)   Short name of the level, compartment, or group that was specified as the label value
LABEL_TAG NUMBER   Integer that represents the sort order of the label, relative to other policy labels (0-99999999)

ALL_SA_GROUPS View

The ALL_SA_GROUPS data dictionary view shows for the current user information about Oracle Label Security policy groups, based on the SA_COMPONENTS.CREATE_GROUP and SA_COMPONENTS.ALTER_GROUP_PARENT procedures. (See"SA_COMPONENTS.CREATE_GROUP Procedure" and "SA_COMPONENTS.ALTER_GROUP_PARENT Procedure".)

Column Datatype Null Description
POLICY_NAME VARCHAR2(30) NOT NULL Name of the Oracle Label Security policy
GROUP_NUM NUMBER(4) NOT NULL Group number (0-9999)
SHORT_NAME VARCHAR2(30) NOT NULL Short name of the group
LONG_NAME VARCHAR2(80) NOT NULL Long name of the group
PARENT_NUM NUMBER(4)   Numerical ID for the associated parent group
PARENT_NAME VARCHAR2(30)   Name of the group assigned as the parent for the group

ALL_SA_LABELS View

The ALL_SA_LABELS data dictionary view shows for the current user information about the tags and types of labels, based on the SA_LABEL_ADMIN.CREATE_LABEL and SA_LABEL_ADMIN.ALTER_LABEL procedures. (See "SA_LABEL_ADMIN.CREATE_LABEL Procedure" and "SA_LABEL_ADMIN.ALTER_LABEL Procedure".) Access to ALL_SA_LABELS is PUBLIC. However, only the labels authorized for read access by the session are visible.

Column Datatype Null Description
POLICY_NAME VARCHAR2(30) NOT NULL Name of the Oracle Label Security policy
LABEL VARCHAR2(4000) NOT NULL Short name of the level associated with this label
LABEL_TAG NUMBER(30) NOT NULL Integer tag assigned to the label
LABEL_TYPE VARCHAR2(15)   Type of label

ALL_SA_LEVELS View

The ALL_SA_LEVELS data dictionary view shows for the current user information about levels, based on the SA_COMPONENTS.CREATE_LEVEL procedure. (See "SA_COMPONENTS.CREATE_LEVEL Procedure".)

Column Datatype Null Description
POLICY_NAME VARCHAR2(30) NOT NULL Name of the Oracle Label Security policy
LEVEL_NUM NUMBER(4) NOT NULL Level number (0-9999)
SHORT_NAME VARCHAR2(30) NOT NULL Short name for the level
LONG_NAME VARCHAR2(80) NOT NULL Long name for the level

ALL_SA_POLICIES View

The ALL_SA_POLICIES data dictionary view shows for the current user information about Oracle Label Security policies, based on the SA_SYSDBA.CREATE_POLICY procedure, and whether the policy has been enabled or disabled. (See "SA_SYSDBA.CREATE_POLICY Procedure".)

Column Datatype Null Description
POLICY_NAME VARCHAR2(30) NOT NULL Name of the Oracle Label Security policy
COLUMN_NAME VARCHAR2(128) NOT NULL Name of the column that was added to tables protected by the policy
STATUS VARCHAR2(8)   Whether the policy has been enabled or disabled
POLICY_OPTIONS VARCHAR2(4000)   Options that were set for this policy.

See Table 8-2 for a listing of the possible enforcement options.


ALL_SA_PROG_PRIVS View

The ALL_SA_PROG_PRIVS data dictionary view shows for the current user information about the policy-specific privileges for program units, based on the SA_USER_ADMIN.SET_PROG_PRIVS procedure. (See "SA_USER_ADMIN.SET_PROG_PRIVS Procedure".)

Column Datatype Null Description
SCHEMA_NAME VARCHAR2(128) NOT NULL Name of the schema that contains the program unit
PROGRAM_NAME VARCHAR(128) NOT NULL Program unit that was granted privileges
POLICY_NAME VARCHAR2(30) NOT NULL Name of the Oracle Label Security policy
PROGRAM_PRIVILEGES VARCHAR2(4000)   Policy-specific privileges.

See "About Granting Privileges to Users and Trusted Program Units for the Policy" for list of possible privileges.


ALL_SA_SCHEMA_POLICIES View

The ALL_SA_SCHEMA_POLICIES data dictionary view shows for the current user information about policies that have been applied to all tables in the schema, based on the SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY procedure. (See "SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY Procedure".) It also indicates if the schema enforcement options have been enabled or disabled.

Column Datatype Null Description
POLICY_NAME VARCHAR2(30) NOT NULL Name of the Oracle Label Security policy
SCHEMA_NAME VARCHAR2(128) NOT NULL Name of the schema associated with this policy
STATUS VARCHAR2(8)   Whether the policy has been enabled or disabled for the schema (by the SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY or SA_POLICY_ADMIN.DISABLE_SCHEMA_POLICY for procedure)
SCHEMA_OPTIONS VARCHAR2(4000)   Options that have been applied.

See Table 8-2 for a listing of the default enforcement options.


ALL_SA_TABLE_POLICIES View

The ALL_SA_TABLE_POLICIES data dictionary view shows for the current user information about a policy that has been added to a specific database table, based on the settings from the SA_POLICY_ADMIN.APPLY_TABLE_POLICY procedure. (See "SA_POLICY_ADMIN.APPLY_TABLE_POLICY Procedure".)

Column Datatype Null Description
POLICY_NAME VARCHAR2(30) NOT NULL Name of the Oracle Label Security policy
SCHEMA_NAME VARCHAR2(128) NOT NULL Schema that contains the table that the policy protects
TABLE_NAME VARCHAR2(128) NOT NULL Table to be protected by the policy
STATUS VARCHAR2(8)   Whether the policy has been enabled or disabled for the table (by the SA_POLICY_ADMIN.APPLY_TABLE_POLICY or SA_POLICY_ADMIN.DISABLE_TABLE_POLICY for procedure)
TABLE_OPTIONS VARCHAR2(4000)   Policy enforcement options to be used for the table

See Table 8-2 for a listing of the default enforcement options.

FUNCTION VARCHAR2(1024)   Name of the function to return a label value to use as the default
PREDICATE VARCHAR2(256)   Predicate to combine (using AND or OR) with the label-based predicate for READ_CONTROL

ALL_SA_USERS View

The ALL_SA_USERS data dictionary view shows for the current user information about the privileges that Oracle Label Security users have, based on the SA_USER_ADMIN.SET_USER_LABELS and SA_USER_ADMIN.SET_USER_PRIVS procedure procedures. (See "SA_USER_ADMIN.SET_USER_LABELS Procedure" and "SA_USER_ADMIN.SET_USER_PRIVS Procedure".)

Column Type Null Description
USER_NAME VARCHAR2(1024) NOT NULL Name of the user
POLICY_NAME VARCHAR2(30) NOT NULL Name of the Oracle Label Security policy
USER_PRIVILEGES VARCHAR2(4000)   Policy-specific privileges granted to the user.

See "About Granting Privileges to Users and Trusted Program Units for the Policy" for list of possible privileges.

MAX_READ_LABEL VARCHAR2(4000)   Label string to initialize the user's maximum authorized read label
MAX_WRITE_LABEL VARCHAR2(4000)   Label string to initialize the user's maximum authorized write label
MIN_WRITE_LABEL VARCHAR2(4000)   Label string to initialize the user's minimum authorized write label
DEFAULT_READ_LABEL VARCHAR2(4000)   Label string to initialize the user's session label, including level, compartments, and groups, for read access
DEFAULT_WRITE_LABEL VARCHAR2(4000)   Label string to initialize the user's session label, including level, compartments, and groups, for write access
DEFAULT_ROW_LABEL VARCHAR2(4000)   Label string to initialize the program's row label; includes level, components, and groups
USER_LABELS VARCHAR2(4000)   Retained solely for backward compatibility and will be removed in the next release

ALL_SA_USER_LABELS View

The ALL_SA_USER_LABELS data dictionary view shows for the current user label-specific information about users, based on the the SA_USER_ADMIN.SET_USER_LABELS. (See "SA_USER_ADMIN.SET_USER_LABELS Procedure".)

Column Datatype Null Description
USER_NAME VARCHAR2(1024) NOT NULL Name of the user
POLICY_NAME VARCHAR2(30) NOT NULL Name of the Oracle Label Security policy
LABELS VARCHAR2(4000)   Retained solely for backward compatibility and will be removed in the next release
MAX_READ_LABEL VARCHAR2(4000) NOT NULL Label string to initialize the user's maximum authorized read label
MAX_WRITE_LABEL VARCHAR2(4000)   Label string to initialize the user's maximum authorized write label
MIN_WRITE_LABEL VARCHAR2(4000)   Label string to initialize the user's minimum authorized write label
DEFAULT_READ_LABEL VARCHAR2(4000)   Label string to initialize the user's session label, including level, compartments, and groups, for read access
DEFAULT_WRITE_LABEL VARCHAR2(4000)   Label string to initialize the user's session label, including level, compartments, and groups, for write access
DEFAULT_ROW_LABEL VARCHAR2(4000)   Label string to initialize the program's row label; includes level, components, and groups

ALL_SA_USER_LEVELS View

The ALL_SA_USER_LEVELS data dictionary view shows for the current user the minimum and maximum levels that have been assigned to users and lists the default values for the user's session label and row label, based on the SA_USER_ADMIN.SET_LEVELS procedure. (See "SA_USER_ADMIN.SET_LEVELS Procedure".)

Column Datatype Null Description
POLICY_NAME VARCHAR2(30) NOT NULL Name of the Oracle Label Security policy
USER_NAME VARCHAR2(1024) NOT NULL Name of the user
MAX_LEVEL VARCHAR2(30) NOT NULL Short name of the highest level for read and write access
MIN_LEVEL VARCHAR2(30) NOT NULL Short name of the lowest level for read and write access
DEF_LEVEL VARCHAR2(30) NOT NULL Short name of the default level
ROW_LEVEL VARCHAR2(30) NOT NULL Short name of the row level

ALL_SA_USER_PRIVS View

The ALL_SA_USER_PRIVS data dictionary view shows for the current user the policy-specific privileges that have been granted to users, based on the SA_USER_ADMIN.SET_USER_PRIVS procedure. (See "SA_USER_ADMIN.SET_USER_PRIVS Procedure".)

Column Datatype Null Description
USER_NAME VARCHAR2(1024) NOT NULL Name of the user
POLICY_NAME VARCHAR2(30) NOT NULL Name of the Oracle Label Security policy
USER_PRIVILEGES VARCHAR2(4000)   Policy-specific privileges granted to the user

See "About Granting Privileges to Users and Trusted Program Units for the Policy" for available privileges


DBA_SA_AUDIT_OPTIONS View

The DBA_SA_AUDIT_OPTIONS data dictionary view data dictionary view shows for the entire database the Oracle Label Security audit options. Its columns are the same as ALL_SA_AUDIT_OPTIONS.

DBA_SA_COMPARTMENTS View

The ALL_SA_COMPARTMENTS data dictionary view shows for the entire database information about Oracle Label Security policy compartments. Its columns are the same as ALL_SA_COMPARTMENTS.

DBA_SA_DATA_LABELS View

The ALL_SA_DATA_LABELS data dictionary view shows for the entire database the label and label tag for the specified Oracle Label Security policy. Its columns are the same as ALL_SA_DATA_LABELS.

DBA_SA_GROUPS View

The ALL_SA_GROUPS data dictionary view shows for the entire database information about Oracle Label Security policy groups. Its columns are the same as ALL_SA_GROUPS.

DBA_SA_GROUP_HIERARCHY View

The DBA_SA_GROUP_HIERARCHY data dictionary view shows the hierarchy of groups (that is, parent-child relationships) in a policy.

Column Type Null Description
POLICY_NAME VARCHAR2(30) NOT NULL Name of the Oracle Label Security policy
HIERARCHY_LEVEL NUMBER   Indicates the level of a particular group in a group hierarchy. A group with no parent group will have HIERARCHY_LEVEL 1. Its child group will have HIERARCHY_LEVEL 2 and so on.

For example, consider these groups in the following order:

  1. G1, G4

  2. G2, G5

  3. G3

Here, G1 and G4 have HIERARCHY_LEVEL 1; G2 and G5 have HIERARCHY_LEVEL 2, and G3 has HIERARCHY_LEVEL 3.

The parent-child relationships are:

  • G3 is the child group of G2, and G2 is the child group of G1.

  • G5 is the child group of G4.

GROUP_NAME VARCHAR2(4000)   Short name of the group intended to indicate the hierarchy level

DBA_SA_LABELS View

The ALL_SA_LABELS data dictionary view shows for the entire database information about the tags and types of labels for a policy. Its columns are the same as ALL_SA_LABELS.

DBA_SA_LEVELS View

The ALL_SA_LEVELS data dictionary view shows for the entire database information about levels associated with a policy. Its columns are the same as ALL_SA_LEVELS.

DBA_SA_POLICIES View

The DBA_SA_POLICIES data dictionary view shows for the entire database information about Oracle Label Security policies, based on the SA_SYSDBA.CREATE_POLICY procedure, and whether the policy has been enabled or disabled and its subscription status.

Column Datatype Null Description
POLICY_NAME VARCHAR2(30) NOT NULL Name of the Oracle Label Security policy
COLUMN_NAME VARCHAR2(128) NOT NULL Name of the column that was added to tables protected by the policy
STATUS VARCHAR2(8)   Whether the policy has been enabled or disabled
POLICY_OPTIONS VARCHAR2(4000)   Options that were set for this policy.

See Table 8-2 for a listing of the possible enforcement options.

POLICY_SUBSCRIBED VARCHAR2(5)   Indicates the policy's subscription status, based on the SA_POLICY_ADMIN.POLICY_SUBSCRIBE or SA_POLICY_ADMIN.POLICY_UNSUBSCRIBE procedure

DBA_SA_PROG_PRIVS View

The DBA_SA_PROG_PRIVS data dictionary view shows for the entire database information about the policy-specific privileges for program units. Its columns are the same as ALL_SA_PROG_PRIVS.

DBA_SA_SCHEMA_POLICIES View

The DBA_SA_SCHEMA_POLICIES data dictionary view shows for the entire database information about policies that have been applied to all tables in the schema. Its colums are the same as ALL_SA_SCHEMA_POLICIES.

DBA_SA_TABLE_POLICIES View

The DBA_SA_TABLE_POLICIES data dictionary view shows for the entire database information about a policy that has been added to a specific database table. Its columns are the same as ALL_SA_TABLE_POLICIES.

DBA_SA_USERS View

The DBA_SA_USERS data dictionary view shows for the entire database information about the privileges that Oracle Label Security users have. Its columns are the same as ALL_SA_USERS.

DBA_SA_USER_COMPARTMENTS View

The DBA_SA_USER_COMPARTMENTS data dictionary view shows for the entire database the user authorizations, indicating whether the compartments are authorized for write and read privileges, based on the SA_USER_ADMIN.ADD_COMPARTMENTS procedure. (See "SA_USER_ADMIN.ADD_COMPARTMENTS Procedure".)

Column Datatype Null Description
POLICY_NAME VARCHAR2(30) NOT NULL Name of the Oracle Label Security policy
USER_NAME VARCHAR2(1024) NOT NULL Name of the user
COMP VARCHAR2(30) NOT NULL Short name of compartments that were added
RW_ACCESS VARCHAR2(5)   Access mode. Possible values are:
  • SA_UTL.READ_ONLY indicates no write access

  • SA_UTL.READ_WRITE indicates that write is authorized

DEF_COMP VARCHAR2(1) NOT NULL Whether the compartments are in the default compartments
ROW_COMP VARCHAR2(1) NOT NULL whether the compartments are in the row label

DBA_SA_USER_GROUPS View

The DBA_SA_USER_GROUPS data dictionary view shows for the entire database the groups that are associated with users, based on the SA_USER_ADMIN.ADD_GROUPS procedure. (See "SA_USER_ADMIN.ADD_GROUPS Procedure".)

Column Datatype Null Description
POLICY_NAME VARCHAR2(30) NOT NULL Name of the Oracle Label Security policy
USER_NAME VARCHAR2(1024) NOT NULL Name of the user
GRP VARCHAR2(30) NOT NULL Short name of groups that wer added
RW_ACCESS VARCHAR2(5)   Access mode. Possible values are:
  • SA_UTL.READ_ONLY indicates read-only access

  • SA_UTL.READ_WRITE indicates read and write access

DEF_GROUP VARCHAR2(1) NOT NULL Whether the group is in a default group
ROW_GROUP VARCHAR2(1) NOT NULL Whether the group is in a label

DBA_SA_USER_LABELS View

The DBA_SA_USER_LABELS data dictionary view shows for the entire database label-specific information about users. Its columns are the same as ALL_SA_USER_LABELS.

DBA_SA_USER_LEVELS View

The DBA_SA_USER_LEVELS data dictionary view shows, for the entire database, the minimum and maximum levels that have been assigned to users and lists the default values for the user's session label and row label. Its columns are the same as ALL_SA_USER_LEVELS.

DBA_SA_USER_PRIVS View

The DBA_SA_USER_PRIVS data dictionary view shows for the current user the policy-specific privileges that have been granted to users. Its columns are the same as ALL_SA_USER_PRIVS.

DBA_OLS_STATUS View

The DBA_OLS_STATUS data dictionary view describes the configuration status of Oracle Label Security in the database.

Column Null Datatype Description
NAME   VARCHAR2(20) Name of the status. Values are:
  • OLS_CONFIGURE_STATUS

  • OLS_DIRECTORY_STATUS

  • OLS_ENABLE_STATUS

STATUS   VARCHAR2(5) Indicates the status of the feature mentioned in the corresponding name column. For example, a TRUE value for the OLS_CONFIGURE_STATUS status says that Oracle Label Security has been configured.
DESCRIPTION   VARCHAR2(4000) Description of the status:
  • OLS_CONFIGURE_STATUS:Determines if Oracle Label Security is configured.

  • OLS_DIRECTORY_STATUS: Determines if Oracle Internet Directory is enabled with Oracle Label Security.

  • OLS_ENABLE_STATUS: Determines if Oracle Label Security is enabled.


USER_SA_SESSION View

The USER_SA_SESSION data dictionary view shows the security attribute values for the current database session. Access to this view is PUBLIC.

Column Datatype Null Description
POLICY_NAME VARCHAR2(30) NOT NULL Name of the Oracle Label Security policy
SA_USER_NAME VARCHAR2(4000)   Name of the current session user
PRIVS VARCHAR2(4000)   Current session privileges
MAX_READ_LABEL VARCHAR2(4000)   Label string that initialized the user's maximum authorized read label
MAX_WRITE_LABEL VARCHAR2(4000)   Label string that initialized the user's maximum authorized write label
MIN_LEVEL VARCHAR2(4000)   Minimum Oracle Label Security level authorized for the session
LABEL VARCHAR2(4000)   Label for the current database session
COMP_WRITE VARCHAR2(4000)   Compartments to which the user is authorized to write
GROUP_WRITE VARCHAR2(4000)   Groups to which the user is authorized to write
ROW_LABEL VARCHAR2(4000)   Row label that is associated with the policy for the current session

Oracle Label Security User-Created Auditing View

Using the SA_AUDIT_ADMIN.CREATE_VIEW procedure, you can create an audit trail view for a specific policy. By default, this view is named DBA_policyname_AUDIT_TRAIL.

Column Datatype Null Description
USERNAME VARCHAR2(128)   Name of the user whose actions were audited
USERHOST VARCHAR2(128)   Client host machine name
TERMINAL VARCHAR2(255)   Identifier of the user's terminal
TIMESTAMP DATE   Date and time of the creation of the audit trail entry (date and time of user login for entries created by AUDIT SESSION) in the local database session time zone
OWNER VARCHAR2(128)   Creator of the object affected by the action
OBJ_NAME VARCHAR2(128)   Name of the object affected by the action
ACTION NUMBER NOT NULL Numeric action type code. The corresponding name of the action type is in the ACTION_NAME column.
ACTION_NAME VARCHAR2(47)   Name of the action type corresponding to the numeric code in the ACTION column
COMMENT_TEXT VARCHAR2(4000)   Text comment on the audit trail entry, providing more information about the statement audited

Also indicates how the user was authenticated. The method can be one of the following:

  • DATABASE: Authentication was done by password

  • NETWORK: Authentication was done by Oracle Net Services or by strong authentication

SESSIONID NUMBER NOT NULL Numeric ID for each Oracle session
ENTRYID NUMBER NOT NULL Numeric ID for each audit trail entry in the session
STATEMENTID NUMBER NOT NULL Numeric ID for each statement run
RETURNCODE NUMBER NOT NULL Oracle error code generated by the action. Some useful values:
  • 0: Action succeeded

  • 2004: Security violation

EXTENDED_TIMESTAMP TIMESTAMP (6) WITH TIME ZONE   Timestamp of the creation of the audit trail entry (timestamp of user login for entries created by AUDIT SESSION) in UTC (Coordinated Universal Time) time zone
OLS_COL VARCHAR2(4000)   Name of the column that was added to the tables that Oracle Label Security protects

Restrictions in Oracle Label Security

The following restrictions exist in this Oracle Label Security release:

CREATE TABLE AS SELECT Restriction in Oracle Label Security

If you attempt to perform CREATE TABLE AS SELECT in a schema that is protected by an Oracle Label Security policy, then the statement will fail.

Label Tag Restriction

Label tags must be unique across the policies in the database. When you use multiple policies in a database, you cannot use the same numeric label tag in different policies.

Export Restriction in Oracle Label Security

Before Oracle Databas 12c Release 1 (12.1), the LBACSYS schema could not be exported due to the use of opaque types in Oracle Label Security. An export of the entire database (parameter FULL=Y) with Oracle Label Security installed can be done, except that the LBACSYS schema would not be exported. From Oracle Database Release 12c on, this restriction has been removed. See "Full Database Export" for additional details on the database versions that the export can be supported from.

Oracle Label Security Removal Restriction

Do not perform a DROP USER CASCADE on the LBACSYS account.

Connect to the database as user SYS, using the AS SYSDBA syntax, and run the file $ORACLE_HOME/rdbms/admin/catnools.sql to remove Oracle Label Security.

See Also:

Your platform-specific Oracle installation documentation

Shared Schema Support

User accounts defined in the Oracle Internet Directory cannot be given individual Oracle Label Security authorizations. However, authorizations can be given to the shared schema to which the directory users are mapped.

The Oracle Label Security function SET_ACCESS_PROFILE can be used programmatically to set the label authorization profile to use after a user has been authenticated and mapped to a shared schema. Oracle Label Security does not enforce a mapping between users who are given label authorizations in Oracle Label Security and actual database users.

Hidden Columns Restriction

PL/SQL does not recognize references to hidden columns in tables. A compiler error will be generated.