Index
A
 
- access control  
- discretionary,   1-4, 1-5, 3-22   
- fine-grained,   1-4, 1-6   
- label-based,   1-5, 1-7, 1-12   
- policies,   1-3   
- understanding,   3-1   
 
- access mediation  
- and views,   3-22   
- enforcement options,   3-24   
- introduction,   3-2   
- label evaluation,   3-10   
- program units,   3-23   
 
- ADD_COMPARTMENTS function,   6-8  
- ADD_GROUPS procedure,   6-9  
- ALL_CONTROL option,   7-3, 7-7  
- ALL_SA_AUDIT_OPTIONS view,   B-2  
- ALL_SA_COMPARTMENTS view,   B-3  
- ALL_SA_DATA_LABELS view,   B-3  
- ALL_SA_GROUPS view,   B-3  
- ALL_SA_LABELS view,   B-4  
- ALL_SA_LEVELS view,   B-4  
- ALL_SA_POLICIES view,   B-4  
- ALL_SA_PROG_PRIVS view,   B-5  
- ALL_SA_SCHEMA_POLICIES view,   B-5  
- ALL_SA_TABLE_POLICIES view,   B-5  
- ALL_SA_USER_LABELS view,   B-6  
- ALL_SA_USER_LEVELS view,   B-6  
- ALL_SA_USER_PRIVS view,   B-7  
- ALL_SA_USERS view,   B-6  
- ALTER_COMPARTMENT procedure,   5-17  
- ALTER_COMPARTMENTS procedure,   6-7  
- ALTER_GROUP procedure,   5-20  
- ALTER_GROUP_PARENT procedure,   5-21  
- ALTER_GROUPS function,   6-10  
- ALTER_LABEL function,   5-24  
- ALTER_LEVEL procedure,   5-13, 5-15  
- ALTER_POLICY procedure,   5-10  
- ALTER_SCHEMA_POLICY procedure,   8-3, 8-9  
- ANALYZE command,   12-8  
- APPLY_SCHEMA_POLICY procedure,   8-3, 8-8  
- APPLY_TABLE_POLICY procedure,   8-3, 8-4  
- architecture, Oracle Label Security,   1-8  
- AS SYSDBA clause,   12-13  
- AUDIT procedure,   10-5  
- AUDIT_LABEL procedure,   10-10  
- AUDIT_LABEL_ENABLED function,   10-10  
- AUDIT_TRAIL parameter,   10-3  
- auditing  
- audit trails,   1-12, 10-2, 10-3, 10-11   
- options for Oracle Label Security,   10-4   
- Oracle Label Security,   1-12, 10-1, 10-2   
- security and,   10-5   
- strategy,   10-12   
- systemwide,   10-3   
- types of,   5-4   
- views,   10-11   
 
B
 
- B-tree indexes,   12-8  
C
 
- CHAR_TO_LABEL function,   4-7, 4-16, 4-18  
- characters, valid,   2-3, 5-9  
- CHECK_CONTROL option  
- and label update,   7-15, 7-16   
- and labeling functions,   7-13   
- and READ_CONTROL,   7-5   
- definition,   7-3   
- with other options,   7-8   
 
- child rows  
- deleting,   7-17   
- inserting,   7-14   
- updating,   7-16   
 
- COMP_READ function,   4-24  
- COMP_WRITE function,   4-24  
- COMPACCESS privilege,   3-17, 3-19  
- compartments  
- definition,   2-6   
- example,   2-7   
- setting authorizations,   3-7   
 
- COMPATIBLE parameter,   12-13  
- components. See label components
- CREATE FUNCTION statement,   9-5  
- CREATE PACKAGE BODY statement,   9-5  
- CREATE PACKAGE statement,   9-5  
- Create Policy icon,   5-2, 5-8  
- CREATE PROCEDURE statement,   9-5  
- CREATE TABLE AS SELECT statement,   B-14  
- CREATE_COMPARTMENT procedure,   5-16  
- CREATE_GROUP procedure,   5-19  
- CREATE_LABEL procedure,   5-23  
- CREATE_LEVEL procedure,   5-14  
- CREATE_POLICY procedure,   5-2, 5-9  
- CREATE_VIEW procedure,   10-11, B-13  
- creating databases,   12-13  
D
 
- DAC. See discretionary access control (DAC)
- data  
- access rules,   1-9   
- label-based access,   2-2   
- restricting access,   1-4   
- sensitivity,   1-10, 5-24   
 
- data dictionary tables,   6-2, 6-17, 12-8, 12-13, B-2  
- DATA_LABEL function,   9-7  
- database links,   11-4  
- databases, creating additional,   12-13  
- DBA_policyname_AUDIT_TRAIL view,   B-13  
- DBA_SA_AUDIT_OPTIONS view,   10-9, B-7, B-13  
- DBA_SA_COMPARTMENTS view,   12-4, B-7  
- DBA_SA_DATA_LABELS view,   B-8  
- DBA_SA_GROUP_HIERARCHY view,   B-8  
- DBA_SA_GROUPS view,   12-4, B-8  
- DBA_SA_LABELS view,   12-4, B-9  
- DBA_SA_LEVELS view,   12-4, B-9  
- DBA_SA_POLICIES view,   B-9  
- DBA_SA_PROG_PRIVS view,   B-10  
- DBA_SA_SCHEMA_POLICIES view,   7-10, B-10  
- DBA_SA_TABLE_POLICIES view,   7-10, B-10  
- DBA_SA_USER_COMPARTMENTS view,   6-18, B-11  
- DBA_SA_USER_GROUPS view,   6-18, B-11  
- DBA_SA_USER_LABELS view,   B-12  
- DBA_SA_USER_LEVELS view,   6-18, B-12  
- DBA_SA_USER_PRIVS view,   B-12  
- DBA_SA_USERS view,   6-17, B-11  
- DELETE_CONTROL option,   7-3, 7-17  
- DELETE_RESTRICT option,   7-17  
- deleting labeled data,   7-17  
- demobld.sql file,   5-6  
- DISABLE_POLICY procedure,   5-10  
- DISABLE_SCHEMA_POLICY procedure,   8-3, 8-10  
- DISABLE_TABLE_POLICY procedure,   8-3, 8-6  
- discretionary access control (DAC),   1-4, 3-22  
- distributed databases  
- connecting to,   11-4   
- multiple policies,   3-25   
- Oracle Label Security configuration,   11-2   
- remote session label,   11-5   
 
- dominance  
- definition,   3-12, 3-13   
- functions,   A-3   
- greatest lower bound,   4-13   
- least upper bound,   4-12   
- overview,   A-2   
 
- DOMINATED_BY function,   A-3, A-4, A-5  
- DOMINATES function,   A-2, A-3, A-4, A-5  
- DROP USER CASCADE restriction,   B-14  
- DROP_ALL_COMPARTMENTS procedure,   6-9  
- DROP_ALL_GROUPS procedure,   6-11  
- DROP_COMPARTMENT procedure,   5-18  
- DROP_COMPARTMENTS function,   6-8  
- DROP_GROUP procedure,   5-22  
- DROP_GROUPS procedure,   6-10  
- DROP_LABEL function,   5-25  
- DROP_LEVEL procedure,   5-16  
- DROP_POLICY procedure,   5-11  
- DROP_USER_ACCESS procedure,   6-15  
- DROP_VIEW procedure,   10-11  
- duties, of security administrators,   5-5  
E
 
- ENABLE_POLICY procedure,   5-11  
- ENABLE_SCHEMA_POLICY procedure,   8-3, 8-11  
- ENABLE_TABLE_POLICY procedure,   8-3, 8-7  
- enforcement options  
- and UPDATE,   7-14   
- combinations of,   7-8   
- exemptions,   7-9   
- guidelines,   7-8   
- list of,   7-3   
- overview,   7-2   
- viewing,   7-10   
 
- EXEMPT ACCESS POLICY privilege,   7-9  
- Export utility  
- LBACSYS restriction,   B-14   
- policy enforcement,   7-9   
- row labels,   3-18, 12-2, 12-4   
 
F
 
- FULL privilege,   3-17, 3-18, 3-20  
G
 
- GLBD function,   4-13  
- granularity, data access,   3-14  
- GREATEST_LBOUND function,   4-13, 9-9  
- GROUP_READ function,   4-24  
- GROUP_WRITE function,   4-24  
- groups  
- definition,   2-8   
- example,   2-8   
- hierarchical,   2-8, 2-13, B-8   
- parent,   2-8, 3-11, 5-19, 5-21   
- read/write access,   3-11   
- setting authorizations,   3-8   
 
H
 
- HIDE option  
- default,   5-9   
- discussion of,   7-4   
- example,   4-3   
- importing hidden column,   12-5   
- inserting data,   4-17   
- introduction,   4-2   
- not exported,   12-2   
- per-table basis,   4-9   
- PL/SQL restriction,   B-15   
- schema level,   7-2   
 
I
 
- Import utility  
- importing labeled data,   12-3, 12-4   
- importing policies,   12-2   
- importing unlabeled data,   12-5   
- with Oracle Label Security,   12-2   
 
- indexes,   12-8  
- INITIAL_LABEL variable,   A-7  
- INITIAL_ROW_LABEL variable,   A-7  
- initialization parameters  
- AUDIT_TRAIL,   10-3   
- COMPATIBLE,   12-13   
 
- INSERT_CONTROL option,   7-3, 7-13  
- inserting labeled data,   4-16, 7-13  
- INTO TABLE clause,   12-6  
L
 
- label components  
- defining,   5-2, 5-12   
- in distributed environment,   11-6   
- industry examples,   2-10   
- interrelation,   2-13   
- valid characters,   2-3, 5-9   
 
- label evaluation process  
- COMPACCESS read,   3-19   
- COMPACCESS write,   3-20   
- LABEL_UPDATE,   7-15   
- read access,   3-12   
- write access,   3-14   
 
- LABEL function,   4-24  
- label tags  
- converting from string,   4-7   
- converting to string,   4-8   
- distributed environment,   11-6   
- example,   4-5   
- inserting data,   4-16   
- introduction,   2-11   
- manually defined,   4-4, 4-5   
- strategy,   12-10   
- using in WHERE clauses,   4-10   
 
- LABEL_DEFAULT option  
- and labeling functions,   7-5, 7-10, 7-11   
- authorizing compartments,   3-7   
- authorizing groups,   3-8   
- definition,   7-3   
- importing unlabeled data,   12-5   
- inserting labeled data,   4-16, 4-17   
- with enforcement options,   7-8   
- with SET_ROW_LABEL,   4-21   
 
- LABEL_TO_CHAR function,   4-8, 4-9, 4-11  
- LABEL_UPDATE option  
- and labeling functions,   7-5, 7-11   
- and privileges,   7-5   
- and WRITE_CONTROL,   7-6   
- and WRITEACROSS,   3-17   
- and WRITEDOWN,   3-17, 3-21   
- and WRITEUP,   3-17, 3-21   
- definition,   7-3   
- evaluation process,   7-15   
- with enforcement options,   7-8   
 
- label-based security,   2-2  
- labeling functions  
- ALL_CONTROL and NO_CONTROL,   7-7   
- and CHECK_CONTROL,   7-13   
- and LABEL_DEFAULT,   7-5, 7-11   
- and LABEL_UPDATE,   7-5   
- and LBACSYS,   7-11   
- creating,   7-12   
- example,   7-10   
- how they work,   7-11   
- importing unlabeled data,   12-5   
- inserting data,   4-17   
- introduction,   3-24   
- override manual insert,   7-13   
- specifying,   7-12   
- testing,   7-11   
- UPDATE,   7-16   
- using,   7-10   
- with enforcement options,   7-8   
 
- labels  
- administering,   2-14   
- and performance,   3-18   
- data and user,   2-12   
- merging,   4-14   
- non-comparable,   A-2   
- relationships between,   A-2   
- syntax,   2-11   
- valid,   2-11, 4-4   
 
- Labels property sheet,   5-2, 5-3  
- LBAC_DBA role,   5-8  
- LBAC_LABEL datatype,   7-11  
- LBACSYS schema  
- and labeling functions,   7-11   
- creating additional databases,   12-13   
- data dictionary tables,   12-8   
- export restriction,   12-2, B-14   
 
- LEAST_UBOUND function,   4-12, 4-15, 9-9  
- levels  
- definition,   2-4   
- example,   2-5   
- setting authorizations,   3-6   
 
- LUBD function,   4-12  
M
 
- materialized views,   11-9, 11-13  
- MAX_LEVEL function,   4-24  
- MERGE_LABEL function,   4-14, 4-15  
- MIN_LEVEL function,   4-24  
N
 
- NO_CONTROL option,   7-3, 7-7  
- NOAUDIT procedure,   10-4, 10-7, 10-10  
- NUMBER datatype,   4-2  
- NUMERIC_LABEL function,   9-7  
- NUMERIC_ROW_LABEL function,   9-7  
O
 
- object privileges  
- and Oracle Label Security privileges,   3-22   
- and trusted stored program units,   3-23, 9-3   
- discretionary access control,   1-5   
 
- OCI example,   A-9  
- OCI interface,   A-7  
- OCI_ATTR_APPCTX_LIST,   A-7  
- OCI_ATTR_APPCTX_SIZE,   A-7  
- OCIAttrGet,   A-7  
- OCIAttrSet,   A-7, A-8  
- OCIParamGet,   A-8  
- Oracle Policy Manager  
- administering labels,   2-14   
- applying policies,   5-3, 8-3   
- authorizing trusted program units,   5-4   
- authorizing users,   5-3, 6-2   
- configuring auditing,   5-4   
- creating policies,   5-2, 5-8   
- defining label components,   5-2   
- identifying valid labels,   5-3   
- introduction,   5-7   
 
- ORDER BY clause,   4-10, 4-11  
P
 
- packages  
- Oracle Label Security,   5-6   
- trusted stored program units,   9-2   
 
- partitioning,   4-5, 12-12  
- performance, Oracle Label Security  
- ANALYZE command,   12-8   
- indexes,   12-8   
- label tag strategy,   12-10   
- partitioning,   12-12   
- READ privilege,   3-18   
 
- PL/SQL  
- creating VPD policies,   1-6   
- overloaded procedures,   5-13   
- recreating labels for import,   12-4   
- SA_UTL package,   9-7   
- trusted stored program units,   9-2   
 
- policies  
- creating,   5-2   
- enforcement guidelines,   7-8   
- enforcement options,   1-11, 3-24, 4-1, 7-2, 7-3, 7-8   
- managing,   5-8   
- multiple,   3-25, 4-4, 6-2, B-14   
- privileges,   1-5, 1-11, 3-22, 6-15   
- terminology,   8-2   
- virtual private database (VPD),   1-7   
 
- policy label column  
- indexing,   12-8   
- inserting data when hidden,   4-17   
- introduction,   2-2, 4-2   
- retrieving,   4-8   
- retrieving hidden,   4-9   
- storing label tag,   2-11   
 
- policy_DBA role,   5-5, 5-8, 5-22, 6-2, 6-15, 8-4, 8-8  
- predicates  
- access mediation,   3-24   
- errors,   7-19   
- label tag performance strategy,   12-10   
- multiple,   7-19   
- used with policy,   7-18   
- virtual private database,   1-4   
 
- privileges  
- COMPACCESS,   3-17, 3-19   
- FULL,   3-17, 3-18, 3-20   
- Oracle Label Security,   3-17   
- PROFILE_ACCESS,   3-17, 3-20   
- program units,   3-23   
- READ,   3-17, 3-18   
- row label,   3-21   
- trusted stored program units,   9-6   
- WRITEACROSS,   3-17, 3-21   
- WRITEDOWN,   3-17, 3-21, 3-23   
- WRITEUP,   3-17, 3-21   
 
- PRIVS function,   4-24  
- procedures, overloaded,   5-13  
- PROFILE_ACCESS privilege,   3-17, 3-20  
R
 
- read access  
- algorithm,   3-12, 3-18   
- introduction,   3-10   
 
- read label,   3-9  
- READ privilege,   3-17, 3-18  
- READ_CONTROL option  
- about,   7-6   
- algorithm,   3-12   
- and CHECK_CONTROL,   7-5   
- and child rows,   7-14   
- definition,   7-3   
- referential integrity,   7-16   
- with other options,   7-8   
- with predicates,   7-18   
 
- READ_ONLY function,   6-7, 6-8, 6-9, 6-10  
- READ_WRITE function,   6-7, 6-8, 6-9, 6-10  
- reading down,   3-13  
- referential integrity,   7-14, 7-16, 7-17  
- remote users,   11-4  
- REMOVE_SCHEMA_POLICY procedure,   8-3, 8-10  
- REMOVE_TABLE_POLICY procedure,   8-3, 8-5  
- REPADMIN account,   11-9, 11-13, 11-14  
- replication  
- materialized views (snapshots),   11-9, 11-13, 11-15   
- with Oracle Label Security,   11-9, 11-10   
 
- RESTORE_DEFAULT_LABELS procedure,   4-19, 4-22  
- restrictions, Oracle Label Security,   B-14  
- row labels  
- changing compartments,   6-7   
- default,   3-7, 3-8, 3-9, 4-19, 9-8   
- example,   3-4   
- in distributed environment,   11-5   
- inserting,   4-16   
- LABEL_DEFAULT option,   7-5   
- privileges,   3-21   
- restoring,   4-22   
- saving defaults,   4-22   
- setting,   4-21, 9-8   
- setting compartments,   6-5   
- setting groups,   6-6   
- setting levels,   6-4   
- understanding,   3-3   
- updating,   3-21   
- viewing,   9-7   
 
- ROW_LABEL function,   4-24  
- row-level security,   1-4  
S
 
- SA_COMPONENTS package,   5-12  
- SA_POLICY_ADMIN package,   8-1  
- SA_SESSION functions  
- defined,   4-19   
- viewing security attributes,   4-24   
 
- SA_SYSDBA package,   5-8  
- SA_USER_ADMIN package  
- administering stored program units,   9-4   
- overview,   6-2   
 
- SA_USER_NAME function,   4-24, 6-16  
- SA_UTL package  
- dominance functions,   A-5   
- overview,   9-7   
 
- SAVE_DEFAULT_LABELS procedure,   4-19, 4-22  
- schemas  
- applying policies to,   5-3, 5-10, 7-2, 7-8   
- default policy options,   5-9   
- restrictions on shared,   B-15   
 
- security  
- introduction,   1-2   
- standards,   1-3   
 
- security policies  
- introduction,   1-3   
- Oracle Label Security,   1-7   
- VPD,   1-7   
 
- session labels  
- changing,   4-20   
- computed,   3-9   
- distributed database,   11-5   
- example,   3-4   
- OCI interface,   A-7   
- restoring,   4-22   
- SA_UTL.SET_LABEL,   9-8   
- saving defaults,   4-22   
- setting compartments,   6-5   
- setting groups,   6-6   
- setting levels,   6-4   
- understanding,   3-3   
- viewing,   9-7   
 
- SET_ACCESS_PROFILE function,   B-15  
- SET_ACCESS_PROFILE procedure,   6-16  
- SET_COMPARTMENTS procedure,   6-5  
- SET_DEFAULT_LABEL function,   6-13  
- SET_GROUPS procedure,   6-6  
- SET_LABEL function  
- and RESTORE_DEFAULT_LABELS,   4-22   
- definition,   4-19   
- on remote database,   11-5   
- SA_UTL.SET_LABEL,   9-8   
- using,   4-20   
 
- SET_LEVELS procedure,   6-4  
- SET_PROG_PRIVS function,   9-4  
- SET_ROW_LABEL procedure,   4-19, 4-21, 6-14, 9-8  
- SET_USER_LABELS procedure,   6-12  
- SET_USER_PRIVS function,   6-15  
- shared schema restrictions,   B-15  
- SQL*Loader,   12-6  
- STRICTLY_DOMINATED_BY function,   A-3, A-5, A-6  
- STRICTLY_DOMINATES function,   A-3, A-4, A-5  
- SYS account  
- policy enforcement,   7-9   
 
- SYS_CONTEXT  
- and labeling functions,   7-11   
- variables,   A-7   
 
- SYSDBA privilege,   10-3  
- system privileges,   1-5, 3-22, 3-23  
T
 
- tasks, overview,   5-2  
- TO_DATA_LABEL function,   4-18, 5-3, 5-23  
- TO_LBAC_DATA_LABEL function,   7-11  
- triggers,   7-11  
- trusted stored program units  
- creating,   9-5   
- error handling,   9-6   
- example,   9-3   
- executing,   9-6   
- introduction,   9-2   
- privileges,   3-23, 9-6   
- re-compiling,   9-5   
- replacing,   9-5   
 
U
 
- UPDATE_CONTROL option,   7-3, 7-14  
- updating labeled data,   7-14  
- user authorizations  
- compartments,   3-7   
- groups,   3-8   
- levels,   3-6   
- understanding,   3-5   
 
- USER_SA_SESSION view,   4-23  
V
 
- views  
- access mediation,   3-22   
- ALL_SA_COMPARTMENTS,   B-3   
- ALL_SA_GROUPS,   B-3   
- ALL_SA_LABELS,   B-3, B-4   
- ALL_SA_LEVELS,   B-4   
- ALL_SA_POLICIES,   B-4   
- ALL_SA_PROG_PRIVS,   B-5   
- ALL_SA_SCHEMA_POLICIES,   B-5   
- ALL_SA_TABLE_POLICIES,   B-5   
- ALL_SA_USER_LABELS,   B-6   
- ALL_SA_USER_LEVELS,   B-6   
- ALL_SA_USER_PRIVS,   B-7   
- ALL_SA_USERS,   B-6   
- auditing,   B-13   
- DBA_policyname_AUDIT_TRAIL,   B-13   
- DBA_SA_AUDIT_OPTIONS,   10-9, B-7, B-13   
- DBA_SA_COMPARTMENTS,   B-7   
- DBA_SA_DATA_LABELS,   B-8   
- DBA_SA_GROUP_HIERARCHY,   B-8   
- DBA_SA_GROUPS,   B-8   
- DBA_SA_LABELS,   B-9   
- DBA_SA_LEVELS,   B-9   
- DBA_SA_POLICIES,   B-9   
- DBA_SA_PROG_PRIVS,   B-10   
- DBA_SA_SCHEMA_POLICIES,   7-10, B-10   
- DBA_SA_TABLE_POLICIES,   7-10, B-10   
- DBA_SA_USER_COMPARTMENTS,   B-11   
- DBA_SA_USER_GROUPS,   B-11   
- DBA_SA_USER_LABELS,   B-12   
- DBA_SA_USER_LEVELS,   B-12   
- DBA_SA_USER_PRIVS,   B-12   
- DBA_SA_USERS,   B-11   
- USER_SA_SESSION,   4-23   
 
- virtual private database (VPD)  
- introduction,   1-4   
- Oracle Label Security policies,   1-7   
- policies,   1-6   
 
W
 
- write access  
- algorithm,   3-15, 3-18   
- introduction,   3-10   
 
- write label,   3-9  
- WRITE_CONTROL option  
- algorithm,   3-14   
- definition,   7-3   
- introduction,   7-6   
- LABEL_UPDATE,   7-6   
- with INSERT, UPDATE, DELETE,   7-6   
- with other options,   7-8   
 
- WRITEACROSS privilege,   3-17, 3-21, 7-3, 7-5, 7-15  
- WRITEDOWN privilege,   3-17, 3-21, 3-23, 7-3, 7-5, 7-15  
- WRITEUP privilege,   3-17, 3-21