8.5 Setting Labels & Privileges with SA_SESSION.SET_ACCESS_PROFILE → The SET_ACCESS_PROFILE procedure sets the Oracle Label Security authorizations and privileges of … . That user assumes only the authorizations and privileges of the specified user. By contrast, the … SA_SESSION.SET_ACCESS_PROFILE Parameter Meaning policy_name The name of an existing policy user_name Name of the user whose authorizations and privileges
3.4.2 The Oracle Label Security Algorithm for Read Access → or less than the current session level. No privileges (other than FULL) allow the user to write … special Oracle Label Security privileges. See Also: "Privileges Defined by Oracle Label Security
3.5 Using Oracle Label Security Privileges → This section introduces the Oracle Label Security database and row label privileges: Privileges … Defined by Oracle Label Security Policies Special Access Privileges Special Row Label Privileges System Privileges, Object Privileges, and Policy Privileges
8.1 Introduction to User Label and Privilege Management → To manage user labels and privileges, you must have the EXECUTE privilege for the SA_USER_ADMIN
8.2.4 SA_USER_ADMIN.ALTER_COMPARTMENTS → The ALTER_COMPARTMENTS procedure changes the write access, the default label indicator, and the row label indicator for each of the compartments in the list. Syntax: PROCEDURE ALTER_COMPARTMENTS (policy_name IN VARCHAR2, user_name IN VARCHAR2, comps IN VARCHAR2, access_mode IN VARCHAR2 DEFAULT NULL, in_def IN VARCHAR2 DEFAULT NULL, in_row IN VARCHAR2 DEFAULT NULL); Table 8-4 Parameters for SA_USER_ADMIN.ALTER_COMPARTMENTS
8.3.2 SA_USER_ADMIN.SET_DEFAULT_LABEL → The SET_DEFAULT_LABEL procedure sets the user's initial session label to the one specified. Syntax: PROCEDURE SET_DEFAULT_LABEL ( policy_name IN VARCHAR2, user_name IN VARCHAR2, def_label IN VARCHAR2); Table 8-13 Parameters for SA_USER_ADMIN.SET_DEFAULT_LABEL Parameter Meaning policy_name Specifies the policy user_name Specifies the user name def_label Specifies the label string to be used to initialize
3.2.1 The Session Label → Each Oracle Label Security user has a set of authorizations that include: A maximum and minimum level A set of authorized compartments A set of authorized groups For each compartment and group, a specification of read-only access, or read/write access The administrator also specifies the user's initial session label when setting up these authorizations for the user. The session label is the particular
3.3 Understanding User Authorizations → There are two types of user authorizations: Authorizations Set by the Administrator Computed Session Labels
3.4.1 Introducing Read/Write Access → Although data labels are stored in a column within data records, information about user authorizations is stored in relational tables. When a user logs on, the tables are used to dynamically generate user labels for use during the session. Difference Between Read and Write Operations Two fundamental types of access mediation on Data Manipulation Language (DML) operations exist, within protected
8.2.10 SA_USER_ADMIN.DROP_GROUPS → The DROP_GROUPS procedure drops the specified groups from a user's authorizations. Syntax: PROCEDURE DROP_GROUPS (policy_name IN VARCHAR2, user_name IN VARCHAR2, groups IN VARCHAR2); Table 8-10 Parameters for SA_USER_ADMIN.DROP_GROUPS Parameter Meaning policy_name Specifies the policy user_name Specifies the user name groups A comma-delimited list of groups to drop
3.4 Evaluating Labels for Access Mediation → When a table is protected by an Oracle Label Security policy, the user's label components are compared to the row's label components to determine whether the user can access the data. In this way, Oracle Label Security evaluates whether the user is authorized to perform the requested operation on the data in the row. This section explains the rules and options by which user access is mediated. It
3.5.7 Access Mediation and Policy Enforcement Options → An administrator can choose from among a set of policy enforcement options when applying an Oracle Label Security policy to individual tables. These options enable enforcement to be tailored differently for each database table. In addition to the access controls based on the labels, a SQL predicate can also be associated with each table. The predicate can further define which rows in the table are
8.2.5 SA_USER_ADMIN.ADD_COMPARTMENTS → This procedure adds compartments to a user's authorizations, indicating whether the compartments are authorized for write as well as read. Syntax: PROCEDURE ADD_COMPARTMENTS (policy_name IN VARCHAR2, user_name IN VARCHAR2, comps IN VARCHAR2, access_mode IN VARCHAR2 DEFAULT NULL, in_def IN VARCHAR2 DEFAULT NULL, in_row IN VARCHAR2 DEFAULT NULL); Table 8-5 Parameters
8.2.9 SA_USER_ADMIN.ALTER_GROUPS → The ALTER_GROUPS procedure changes the write access, the default label indicator, and the row label indicator for each of the groups in the list. Syntax: PROCEDURE ALTER_GROUPS (policy_name IN VARCHAR2, user_name IN VARCHAR2, groups IN VARCHAR2, access_mode IN VARCHAR2 DEFAULT NULL, in_def IN VARCHAR2 DEFAULT NULL, in_row IN VARCHAR2 DEFAULT NULL); Table 8-9 Parameters for SA_USER_ADMIN.ALTER_GROUPS
8.3.1 SA_USER_ADMIN.SET_USER_LABELS → … See Also: "Managing Program Unit Privileges with SET_PROG_PRIVS"
8.4 Managing User Privileges with SA_USER_ADMIN.SET_USER_PRIVS → The SET_USER_PRIVS procedure sets policy-specific privileges for users. These privileges do not … . The new set of privileges replaces any existing privileges. A NULL value for the privileges … parameter removes the user's privileges for the policy. To assign policy privileges
3 Understanding Access Controls and Privileges → label and the user's label. This chapter examines the access controls and privileges that determine … Evaluating Labels for Access Mediation Using Oracle Label Security Privileges Working with Multiple Oracle Label Security Policies
3.2 Understanding Session Label and Row Label → This section introduces the basic user labels. The Session Label The Row Label Session Label Example
3.4.3 The Oracle Label Security Algorithm for Write Access → In the context of Oracle Label Security, WRITE_CONTROL enforcement determines the ability to insert, update, or delete data in a row. WRITE_CONTROL enables you to control data access with ever finer granularity. Granularity increases when compartments are added to levels. It increases again when groups are added to compartments. Access control becomes even more fine grained when you can manage the
8.2.7 SA_USER_ADMIN.DROP_ALL_COMPARTMENTS → The DROP_ALL_COMPARTMENTS procedure drops all compartments from a user's authorizations. Syntax: PROCEDURE DROP_ALL_COMPARTMENTS (policy_name IN VARCHAR2, user_name IN VARCHAR2); Table 8-7 Parameters for SA_USER_ADMIN.DROP_ALL_COMPARTMENTS Parameter Meaning policy_name Specifies the policy user_name Specifies the user name
8.3.3 SA_USER_ADMIN.SET_ROW_LABEL → Use the SET_ROW_LABEL procedure to set the user's initial row label to the one specified. Syntax: PROCEDURE SET_ROW_LABEL ( policy_name IN VARCHAR2, user_name IN VARCHAR2, row_label IN VARCHAR2); Table 8-14 Parameters for SA_USER_ADMIN.SET_ROW_LABEL Parameter Meaning policy_name Specifies the policy user_name Specifies the user name row_label Specifies the label string to be used to initialize the
8.7 Using Oracle Label Security Views → This section describes views you can use to see the user authorization and privilege assignments made by the administrator. View to Display All User Security Attributes: DBA_SA_USERS Views to Display User Authorizations by Component
3.1 Introducing Access Mediation → To access data protected by an Oracle Label Security policy, a user must have authorizations based on the labels defined for the policy. Figure 3-1, "Relationships Between Users, Data, and Labels" illustrates the relationships between users, data, and labels. Data labels specify the sensitivity of data rows. User labels provide the appropriate authorizations to users. Access mediation between users
3.5.1 Privileges Defined by Oracle Label Security Policies → Oracle Label Security supports special privileges that allow authorized users to bypass certain … parts of the policy. Table 3-3 summarizes the full set of privileges that can be granted to users or … Label Security Privileges Security Privilege Explanation READ Allows read access to all data … groups PROFILE_ACCESS Allows a session
3.5.5 Access Mediation and Views → privileges on the view. If the underlying table (on which the view is based) is protected by Oracle Label
3.5.6 Access Mediation and Program Unit Execution → User2's system and object privileges. However, any procedure executed by User1 runs with User1's own … Oracle Label Security labels and privileges. This is true even when User1 executes stored program … : Stored program units run with the DAC privileges of the procedure's owner (User2). In addition, stored … on the label attached
3.6 Working with Multiple Oracle Label Security Policies → This section describes aspects of using multiple policies.
3.6.2 Multiple Oracle Label Security Policies in a Distributed Environment → If you work in a distributed environment, where multiple databases may be protected by the same or different Oracle Label Security policies, your remote connections will also be controlled by Oracle Label Security. See Also: Chapter 13, "Using Oracle Label Security with a Distributed Database"
8.2.3 SA_USER_ADMIN.SET_GROUPS → The SET_GROUPS procedure assigns groups to a user and identifies default values for the user's session label and row label. If the write_groups are NULL, they are set to the read_groups. If the def_groups are NULL, they are set to the read_groups. If the row_groups are NULL, they are set to the groups in def_groups that are authorized for write access. All users must have their levels set before their
8.3 Managing User Labels by Label String, with SA_USER_ADMIN → The following SA_USER_ADMIN procedures enable you to manage user labels by specifying the complete character label string: SA_USER_ADMIN.SET_USER_LABELS SA_USER_ADMIN.SET_DEFAULT_LABEL SA_USER_ADMIN.SET_ROW_LABEL
8.6 Returning User Name with SA_SESSION.SA_USER_NAME → The SA_USER_NAME function returns the name of the current Oracle Label Security user, as set by the SET_ACCESS_PROFILE procedure (or as established at login). This is how you can determine the identity of the current user in relation to Oracle Label Security, rather than in relation to your Oracle login name. Syntax: FUNCTION SA_USER_NAME (policy_name IN VARCHAR2) RETURN VARCHAR2; Table 8-18 Parameters
8.7.2 Views to Display User Authorizations by Component → The following views individually display each component of the label: Table 8-19 Oracle Label Security Views
  View                      Contents
  DBA_SA_USER_LEVELS        Displays the levels assigned to the user: minimum level, maximum level, default level, and level for the row label
  DBA_SA_USER_COMPARTMENTS  Displays the compartments assigned to the user
  DBA_SA_USER_GROUPS        Displays the groups assigned to the user
3.2.2 The Row Label → When a user writes data without specifying its label, a row label is assigned automatically, using the user's session label. However, the user can set the label for the written row, within certain restrictions on the components of the label the user specifies. The level of this label can be set to any level within the range specified by the administrator. For example, it can be set to the level of the user's
8.2 Managing User Labels by Component, with SA_USER_ADMIN → The following SA_USER_ADMIN procedures enable you to manage user labels by label component: SA_USER_ADMIN.SET_LEVELS SA_USER_ADMIN.SET_COMPARTMENTS SA_USER_ADMIN.SET_GROUPS SA_USER_ADMIN.ADD_COMPARTMENTS SA_USER_ADMIN.ALTER_COMPARTMENTS SA_USER_ADMIN.DROP_COMPARTMENTS SA_USER_ADMIN.DROP_ALL_COMPARTMENTS SA_USER_ADMIN.ADD_GROUPS SA_USER_ADMIN.ALTER_GROUPS SA_USER_ADMIN.DROP_GROUPS SA_USER_ADMIN.DROP_ALL_GROUPS
Why Is It Important to Restrict System Privileges? → Because system privileges are so powerful, by default the database is configured to prevent typical … (non-administrative) users from exercising the ANY system privileges (such as UPDATE ANY TABLE ) on … the data dictionary. See "Guidelines for Securing User Accounts and Privileges" for additional … guidelines about restricting
Securing Role Privileges by Using Secure Application Roles → directly from the application when the user logs in, before the user exercises the privileges granted … framework of the application privileges that they have been granted. See Also: "Creating Secure Application
Using Default Auditing for Security-Relevant SQL Statements and Privileges → , Oracle Database audits the most commonly used security-relevant SQL statements and privileges. It also … do that: Oracle Database continues to audit the privileges that are audited by default. If you … Database audits the AUDIT ROLE SQL statement by default. The privileges that are audited by default are as … statements and
Table 5-2 How Privileges Relate to Schema Objects →
  Object Privilege   Applies to Table?   Applies to View?   Applies to Sequence?   Applies to Procedure? (Foot 1)
  ALTER              Yes                 No                 Yes                    No
  DELETE             Yes                 Yes                No                     No
  EXECUTE            No                  No                 No                     Yes
  INDEX              Yes (Foot 2)        No                 No                     No
  INSERT             Yes                 Yes                No                     No
  REFERENCES         Yes                 No                 No                     No
  SELECT             Yes                 Yes (Foot 3)       Yes                    No
  UPDATE             Yes                 Yes                No                     No
  See also "Auditing Schema Objects" for detailed information about how schema objects can be audited.
Auditing SQL Statements and Privileges in a Multitier Environment → You can use the AUDIT statement to audit the activities of a client in a multitier environment. In a multitier environment, Oracle Database preserves the identity of a client through all tiers. Thus, you can audit actions taken on behalf of the client by a middle-tier application. To do so, use the BY user clause in your AUDIT statement. This audit includes the user session as well as proxy sessions.
What Application Developers Need to Know About Object Privileges → End users are typically granted object privileges. An object privilege allows a user to perform a … summarizes the object privileges available for each type of object.