Skip Headers

Oracle® Label Security Administrator's Guide
10g Release 1 (10.1)

Part Number B10774-01
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Feedback

Go to previous page
Previous
Go to next page
Next
View PDF

7
Administering User Labels and Privileges

In Oracle Label Security, you can set authorizations for users, and grant privileges to users or stored program units by means of the available Oracle Label Security packages, or Oracle Policy Manager.

Introduction to User Label and Privilege Management

To manage user labels and privileges, you must have EXECUTE privilege for the SA_USER_ADMIN package, and must have been granted the policy_DBA role.

To perform these functions with Oracle Policy Manager, go to Oracle Label Security Policies--> policyname-->Authorizations-->Users and use the User property sheet.

The SA_USER_ADMIN package provides the functions to manage the Oracle Label Security user security attributes. It contains several procedures to manage user labels by component: that is, specifying user levels, compartments, and groups. For convenience, there are additional procedures that accept character string representations of full labels, rather than components. Note that the level, compartment and group parameters use the short name defined for each component.

All of the label and privilege information is stored in Oracle Label Security data dictionary tables. When a user connects to the database, his session labels are established based on the information stored in the Oracle Label Security data dictionary.

Note that a user can be authorized under multiple policies.

Managing User Labels by Component, with SA_USER_ADMIN

The following SA_USER_ADMIN procedures enable you to manage user labels by label component:

SA_USER_ADMIN.SET_LEVELS

The SET_LEVELS procedure assigns a minimum and maximum level to a user and identifies default values for the user's session label and row label.

Syntax:

PROCEDURE SET_LEVELS (policy_name IN VARCHAR2,
   user_name        IN VARCHAR2,
   max_level        IN VARCHAR2,
   min_level        IN VARCHAR2 DEFAULT NULL,
   def_level        IN VARCHAR2 DEFAULT NULL,
   row_level        IN VARCHAR2 DEFAULT NULL);
Table 7-1 Parameters for SA_USER_ADMIN.SET_LEVELS  

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

max_level

The highest level for read and write access

min_level

The lowest level for write access

def_level

Specifies the default level (equal to or greater than the minimum level, and equal to or less than the maximum level)

row_level

Specifies the row level (equal to or greater than the minimum level, and equal to or less than the default level)

SA_USER_ADMIN.SET_COMPARTMENTS

The SET_COMPARTMENTS procedure assigns compartments to a user and identifies default values for the user's session label and row label.

All users must have their levels set before their authorized compartments can be established.

The write compartments, if specified, must be a subset of the read compartments. (The write compartments are those to which the user should have write access.)

Syntax:

PROCEDURE SET_COMPARTMENTS (policy_name IN VARCHAR2,
  user_name     IN VARCHAR2,
  read_comps    IN VARCHAR2,
  write_comps   IN VARCHAR2 DEFAULT NULL,
  def_comps     IN VARCHAR2 DEFAULT NULL,
  row_comps     IN VARCHAR2 DEFAULT NULL);
Table 7-2 Parameters for SA_USER_ADMIN.SET_COMPARTMENTS  

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

read_comps

A comma-delimited list of compartments authorized for read access

write_comps

A comma-delimited list of compartments authorized for write access (subset of read_comps)

def_comps

Specifies the default compartments. This must be a subset of read_comps.

row_comps

Specifies the row compartments. This must be a subset of write_comps and the def_comps.

SA_USER_ADMIN.SET_GROUPS

The SET_GROUPS procedure assigns groups to a user and identifies default values for the user's session label and row label.

All users must have their levels set before their authorized groups can be established.

Syntax:

PROCEDURE SET_GROUPS (policy_name IN VARCHAR2,
  user_name        IN VARCHAR2,
  read_groups      IN VARCHAR2,
  write_groups     IN VARCHAR2 DEFAULT NULL,
  def_group        IN VARCHAR2 DEFAULT NULL,
  row_groups       IN VARCHAR2 DEFAULT NULL);
Table 7-3 Parameters for SA_USER_ADMIN.SET_GROUPS  

Parameter

Meaning

policy_name Specifies the policy
user_name Specifies the user name
read_groups A comma-delimited list of groups authorized for read
write_groups A comma-delimited list of groups authorized for write. This must be a subset of read_groups.
def_groups Specifies the default groups. This must be a subset of read_groups.
row_groups Specifies the row groups. This must be a subset of write_groups and def_groups.

SA_USER_ADMIN.ALTER_COMPARTMENTS

The ALTER_COMPARTMENTS procedure changes the write access, the default label indicator, and/or the row label indicator for each of the compartments in the list.

Syntax:

PROCEDURE ALTER_COMPARTMENTS (policy_name IN VARCHAR2,
user_name    IN VARCHAR2,
comps        IN VARCHAR2,
access_mode  IN VARCHAR2 DEFAULT NULL,
in_def       IN VARCHAR2 DEFAULT NULL,
in_row       IN VARCHAR2 DEFAULT NULL);
Table 7-4 Parameters for SA_USER_ADMIN.ALTER_COMPARTMENTS  

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

comps

A comma-delimited list of compartments to modify

access_mode

One of two public variables that contain string values that can specify the type of access authorized. The variable names, values, and meaning are as follows:

SA_UTL.READ_ONLY READ_ONLY Indicates no write access

SA_UTL.READ_WRITE READ_WRITE Indicates write is authorized

If access_mode is NULL, then access_mode for the compartment is unaltered.

in_def

Specifies whether these compartments should be in the default compartments (Y/N)

If in_def is NULL, then in_def for the compartment is unaltered.

in_row

Specifies whether these compartments should be in the row label (Y/N)

If in_row is NULL, then in_row for the compartment is unaltered.

SA_USER_ADMIN.ADD_COMPARTMENTS

This procedure adds compartments to a user's authorizations, indicating whether the compartments are authorized for write as well as read.

Syntax:

PROCEDURE ADD_COMPARTMENTS (policy_name IN VARCHAR2,
user_name      IN VARCHAR2,
comps          IN VARCHAR2,
access_model   IN VARCHAR2 DEFAULT NULL,
in_def         IN VARCHAR2 DEFAULT NULL,
in_row         IN VARCHAR2 DEFAULT NULL);
Table 7-5 Parameters for SA_USER_ADMIN.ADD_COMPARTMENTS  

Parameter

Meaning

policy_name Specifies the policy
user_name Specifies the user name
comps A comma-delimited list of read compartments to add
access_mode

One of two public variables that contain string values that can specify the type of access authorized. The variable names, values, and meaning are as follows:

SA_UTL.READ_ONLY READ_ONLY Indicates no write access

SA_UTL.READ_WRITE READ_WRITE Indicates write is authorized

If access_mode is NULL, then it is set to SA_UTL.READ_ONLY.

in_def

Specifies whether these compartments should be in the default compartments (Y/N)

If in_def is NULL, then it is set to Y.

in_row

Specifies whether these compartments should be in the row label (Y/N)

If in_row is NULL, then it is set to N.

SA_USER_ADMIN.DROP_COMPARTMENTS

The DROP_COMPARTMENTS procedure drops the specified compartments from a user's authorizations.

Syntax:

PROCEDURE DROP_COMPARTMENTS (policy_name IN VARCHAR2,
  user_name       IN VARCHAR2,
  comps           IN VARCHAR2);
Table 7-6 Parameters for SA_USER_ADMIN.DROP_COMPARTMENTS  

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

comps

A comma-delimited list of compartments to drop

SA_USER_ADMIN.DROP_ALL_COMPARTMENTS

The DROP_ALL_COMPARTMENTS procedure drops all compartments from a user's authorizations.

Syntax:

PROCEDURE DROP_ALL_COMPARTMENTS (policy_name IN VARCHAR2,
     user_name     IN VARCHAR2);
Table 7-7 Parameters for SA_USER_ADMIN.DROP_ALL_COMPARTMENTS  

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

SA_USER_ADMIN.ADD_GROUPS

The ADD_GROUPS procedure adds groups to a user, indicating whether the groups are authorized for write as well as read.

Syntax:

PROCEDURE ADD_GROUPS (policy_name IN VARCHAR2,
  user_name         IN VARCHAR2,
  groups            IN VARCHAR2,
  access_mode       IN VARCHAR2 DEFAULT NULL,
  in_def            IN VARCHAR2 DEFAULT NULL,
  in_row            IN VARCHAR2 DEFAULT NULL);
Table 7-8 Parameters for SA_USER_ADMIN.ADD_GROUPS  

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

groups

A comma-delimited list of read groups to add

access_mode

One of two public variables that contain string values that can specify the type of access authorized. The variable names, values, and meaning are as follows:

SA_UTL.READ_ONLY READ_ONLY Indicates no write access

SA_UTL.READ_WRITE READ_WRITE Indicates write is authorized

If access_mode is NULL, then access_mode is set to SA_UTL.READ_ONLY.

in_def

Specifies whether these groups should be in the default groups (Y/N)

If in_def is NULL, then it is set to Y.

in_row

Specifies whether these groups should be in the row label (Y/N)

If in_row is NULL, then it is set to N.

SA_USER_ADMIN.ALTER_GROUPS

The ALTER_GROUPS procedure changes the write access, the default label indicator, and/or the row label indicator for each of the groups in the list.

Syntax:

PROCEDURE ALTER_GROUPS (policy_name IN VARCHAR2,
  user_name        IN VARCHAR2,
  groups           IN VARCHAR2,
  access_mode      IN VARCHAR2 DEFAULT NULL,
  in_def           IN VARCHAR2 DEFAULT NULL,
  in_row           IN VARCHAR2 DEFAULT NULL);
Table 7-9 Parameters for SA_USER_ADMIN.ALTER_GROUPS  

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

groups

A comma-delimited list of groups to alter

access_mode

Two public variables contain string values that can specify the type of access authorized. The variable names, values, and meaning are as follows:

SA_UTL.READ_ONLY READ_ONLY Indicates no write access

SA_UTL.READ_WRITE READ_WRITE Indicates write is authorized

If access_mode is NULL, then access_mode for the group is unaltered.

in_def

Specifies whether these groups should be in the default groups (Y/N)

If in_def is NULL, then in_def for the group is unaltered.

in_row

Specifies whether these groups should be in the row label (Y/N)

If in_row is NULL, then in_row for the group is unaltered.

SA_USER_ADMIN.DROP_GROUPS

The DROP_GROUPS procedure drops the specified groups from a user's authorizations.

Syntax:

PROCEDURE DROP_GROUPS (policy_name IN VARCHAR2,
  user_name   IN VARCHAR2,
  groups      IN VARCHAR2);
Table 7-10 Parameters for SA_USER_ADMIN.DROP_GROUPS  

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

groups

A comma-delimited list of groups to drop

SA_USER_ADMIN.DROP_ALL_GROUPS

The DROP_ALL_GROUPS procedure drops all groups from a user's authorizations.

Syntax:

PROCEDURE DROP_ALL_GROUPS (policy_name IN VARCHAR2,
  user_name  IN VARCHAR2);
Table 7-11 Parameters for SA_USER_ADMIN.DROP_ALL_GROUPS  

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

Managing User Labels by Label String, with SA_USER_ADMIN

The following SA_USER_ADMIN procedures enable you to manage user labels by specifying the complete character label string:

SA_USER_ADMIN.SET_USER_LABELS

The SET_USER_LABELS procedure sets the user's levels, compartments, and groups using a set of labels, instead of the individual components.

Syntax:

PROCEDURE SET_USER_LABELS (
  policy_name      IN VARCHAR2,
  user_name        IN VARCHAR2,
  max_read_label   IN VARCHAR2,
  max_write_label  IN VARCHAR2 DEFAULT NULL,
  min_write_label  IN VARCHAR2 DEFAULT NULL,
  def_label        IN VARCHAR2 DEFAULT NULL,
  row_label        IN VARCHAR2 DEFAULT NULL);
Table 7-12 Parameters for SA_USER_ADMIN.SET_USER_LABELS  

Parameter

Meaning

max_read_label

Specifies the label string to be used to initialize the user's maximum authorized read label. Composed of the user's maximum level, compartments authorized for read access, and groups authorized for read access.

max_write_label

Specifies the label string to be used to initialize the user's maximum authorized write label. Composed of the user's maximum level, compartments authorized for write access, and groups authorized for write access. If the max_write_label is not specified, it is set to the max_read_label.

min_write_label

Specifies the label string to be used to initialize the user's minimum authorized write label. Contains only the level, with no compartments or groups. If the min_write_label is not specified, it is set to the lowest defined level for the policy, with no compartments or groups.

def_label

Specifies the label string to be used to initialize the user's session label, including level, compartments, and groups (a subset of max_read_label). If the default_label is not specified, it is set to the max_read_label.

policy_name

Specifies the policy

user_name

Specifies the user name

row_label

Specifies the label string to be used to initialize the program's row label. Includes level, components, and groups: subsets of max_write_label and def_label. If row_label is not specified, it is set to the def_label, with only the compartments and groups authorized for write access.

See Also:

"Managing Program Unit Privileges with SET_PROG_PRIVS"

SA_USER_ADMIN.SET_DEFAULT_LABEL

The SET_DEFAULT_LABEL procedure sets the user's initial session label to the one specified.

Syntax:

PROCEDURE SET_DEFAULT_LABELS (
  policy_name  IN VARCHAR2,
  user_name    IN VARCHAR2,
  def_label    IN VARCHAR2);
Table 7-13 Parameters for SA_USER_ADMIN.SET_DEFAULT_LABEL  

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

def_label

Specifies the label string to be used to initialize the user's default labels. This label may contain any compartments and groups that are authorized for read access.

As long as the row label will still be dominated by the new write label, the user can set the session label to:

The row label must be dominated by the new write label that will result from resetting the session label. If this condition is not true, the SET_DEFAULT_LABEL procedure will fail.

For example, suppose the current row label is S:A,B, and that you have write access to both compartments. If you attempt to set the new default label to C:A,B the SET_LABEL procedure will fail. This is because the new write label would be C:A,B, which does not dominate the current row label.

To successfully reset the session label in this case, you must first lower the row label to a value that will be dominated by the resulting session label.

See Also:

"Changing the Session Label with SA_SESSION.SET_LABEL"

"Session Labels and Inverse Groups"



SA_USER_ADMIN.SET_ROW_LABEL

Use the SET_ROW_LABEL procedure to set the user's initial row label to the one specified.

Syntax:

PROCEDURE SET_ROW_LABEL (
  policy_name   IN VARCHAR2,
  user_name     IN VARCHAR2,
  row_label     IN VARCHAR2);
Table 7-14 Parameters for SA_USER_ADMIN.SET_ROW_LABEL  

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

row_label

Specifies the label string to be used to initialize the user's row label. The label must contain only those compartments and groups from the default label that are authorized for write access.

The user can set the row label independently, but only to:

If you try to set the row label to an invalid value, the operation is disallowed, and the row label value is unchanged.

See Also:

"Changing the Row Label with SA_SESSION.SET_ROW_LABEL"



SA_USER_ADMIN.DROP_USER_ACCESS

Use the DROP_USER_ACCESS procedure to remove all Oracle Label Security authorizations and privileges from the specified user. This procedure must be issued from the command line. It is not available in Oracle Policy Manager.

Syntax:

PROCEDURE DROP_USER_ACCESS (
  policy_name      IN VARCHAR2,
  user_name        IN VARCHAR2); 
Table 7-15 Parameters for SA_USER_ADMIN.DROP_USER_ACCESS  

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

Managing User Privileges with SA_USER_ADMIN.SET_USER_PRIVS

The SET_USER_PRIVS procedure sets policy-specific privileges for users. These privileges do not become effective in the current session; rather, they become effective the next time the user logs in. The new set of privileges replaces any existing privileges. A NULL value for the privileges parameter removes the user's privileges for the policy.

To assign policy privileges to users, you must have EXECUTE privilege for the SA_USER_ADMIN package, and must have been granted the policy_DBA role.

To use Oracle Policy Manager to perform these functions, go to the Privileges tab of the User property sheet.

Syntax:

PROCEDURE SET_USER_PRIVS (
  policy_name     IN VARCHAR2,
  user_name       IN VARCHAR2,
  privileges      IN VARCHAR2);
Table 7-16 Parameters for SA_USER_ADMIN.SET_USER_PRIVS  

Parameter

Meaning

policy_name

Specifies the policy name of an existing policy

user_name

The name of the user to be granted privileges

privileges

A character string of policy-specific privileges separated by commas

See Also:

"Managing Program Unit Privileges with SET_PROG_PRIVS"

Setting Labels & Privileges with SA_SESSION.SET_ACCESS_PROFILE

The SET_ACCESS_PROFILE procedure sets the Oracle Label Security authorizations and privileges of the database session to those of the specified user. (Note that the originating user retains the PROFILE_ACCESS privilege.)

The user executing the SA_SESSION.SET_ACCESS_PROFILE procedure must have the PROFILE_ACCESS privilege. Note that the logged-in database user (the Oracle userid) does not change. That user assumes only the authorizations and privileges of the specified user. By contrast, the Oracle Label Security user name is changed.

This administrative procedure is useful for various tasks:

Syntax:

PROCEDURE SET_ACCESS_PROFILE (policy_name IN VARCHAR2
  user_name   IN VARCHAR2); 
Table 7-17 Parameters for SA_SESSION.SET_ACCESS_PROFILE  

Parameter

Meaning

policy_name

The name of an existing policy

user_name

Name of the user whose authorizations and privileges should be assumed

Returning User Name with SA_SESSION.SA_USER_NAME

The SA_USER_NAME function returns the name of the current Oracle Label Security user, as set by the SET_ACCESS_PROFILE procedure (or as established at login). This is how you can determine the identity of the current user in relation to Oracle Label Security, rather than in relation to your Oracle login name.

Syntax:

FUNCTION SA_USER_NAME (policy_name IN VARCHAR2)
RETURN VARCHAR2; 
Table 7-18 Parameters for SA_SESSION.SA_USER_NAME  

Parameter

Meaning

policy_name

The name of an existing policy

Using Oracle Label Security Views

This section describes views you can use to see the user authorization and privilege assignments made by the administrator.

Note that the views are designed to display these values from two different perspectives. The DBA_SA_USERS view is optimized for users of the command-line interface. The component views are optimized for users of the Oracle Policy Manager administrative tool.

View to Display All User Security Attributes: DBA_SA_USERS

The DBA_SA_USERS view displays the values assigned for privileges, levels, compartments, and groups all together--corresponding to how you enter these values through the SA_USER_ADMIN command-line interface. The values include:

USER_PRIVILEGES

MAX_READ_LABEL

MAX_WRITE_LABEL

MIN_WRITE_LABEL

DEFAULT_READ_LABEL

DEFAULT_WRITE_LABEL

DEFAULT_ROW_LABEL

USER_LABELS

MAX_READ_LABEL

MAX_WRITE_LABEL

MIN_WRITE_LABEL

DEFAULT_READ_LABEL

DEFAULT_WRITE_LABEL

DEFAULT_ROW_LABEL

This information is stored in data dictionary tables, and used to establish session and row labels when a user logs in.


Note:

The field USER_LABELS in DBA_SA_USERS is retained solely for backward compatibility and will be removed in the next release.


Views to Display User Authorizations by Component

The following views display individually each component of the label, corresponding to how you enter these values through Oracle Policy Manager.

Table 7-19 Oracle Label Security Views  

View

Contents

DBA_SA_USER_LEVELS

Displays the levels assigned to the user: minimum level, maximum level, default level, and level for the row label

DBA_SA_USER_COMPARTMENTS

Displays the compartments assigned to the user

DBA_SA_USER_GROUPS

Displays the groups assigned to the user