
Oracle® Label Security Administrator's Guide
10g Release 1 (10.1)

Part Number B10774-01

C Reference

This appendix provides the following reference information:

Oracle Label Security Data Dictionary Tables and Views

Oracle9i Data Dictionary Tables

Oracle Label Security does not in any way label the Oracle9i data dictionary tables. Access is controlled by standard Oracle9i system and object privileges. For a description of all data dictionary tables and views, see the Oracle Database Reference.

Oracle Label Security Data Dictionary Views

Oracle Label Security maintains an independent set of data dictionary tables. These tables are exempt from any policy enforcement. This section lists the views that can display information related to Oracle Label Security.

Note that access to the DBA views is granted by default to the SELECT_CATALOG_ROLE, a standard Oracle9i role that lets you examine the Oracle9i data dictionary.

ALL_SA_AUDIT_OPTIONS

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
USER_NAME            NOT NULL  VARCHAR2(30)
APY                            VARCHAR2(3)
REM                            VARCHAR2(3)
SET_                           VARCHAR2(3)
PRV                            VARCHAR2(3)

ALL_SA_COMPARTMENTS

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
COMP_NUM             NOT NULL  NUMBER(4)
SHORT_NAME           NOT NULL  VARCHAR2(30)
LONG_NAME            NOT NULL  VARCHAR2(80)

ALL_SA_DATA_LABELS

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
LABEL                          VARCHAR2(4000)
LABEL_TAG                      NUMBER

ALL_SA_GROUPS

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
GROUP_NUM            NOT NULL  NUMBER(4)
SHORT_NAME           NOT NULL  VARCHAR2(30)
LONG_NAME            NOT NULL  VARCHAR2(80)
PARENT_NUM                     NUMBER(4)
PARENT_NAME                    VARCHAR2(30)

ALL_SA_LABELS

Access to ALL_SA_LABELS is PUBLIC; however, only the labels authorized for read access by the session are visible.

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
LABEL                          VARCHAR2(4000)
LABEL_TAG                      NUMBER
LABEL_TYPE                     VARCHAR2(15)

ALL_SA_LEVELS

Name                 Null?     Type
POLICY_NAME                    VARCHAR2(30)
LEVEL_NUM                      NUMBER(4)
SHORT_NAME                     VARCHAR2(30)
LONG_NAME                      VARCHAR2(80)

ALL_SA_POLICIES

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
COLUMN_NAME          NOT NULL  VARCHAR2(30)
STATUS                         VARCHAR2(8)
POLICY_OPTIONS                 VARCHAR2(4000)

ALL_SA_PROG_PRIVS

Name                 Null?     Type
SCHEMA_NAME          NOT NULL  VARCHAR2(30)
PROGRAM_NAME         NOT NULL  VARCHAR(30)
POLICY_NAME          NOT NULL  VARCHAR2(30)
PROGRAM_PRIVILEGES             VARCHAR2(4000)

ALL_SA_SCHEMA_POLICIES

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
SCHEMA_NAME          NOT NULL  VARCHAR2(30)
STATUS                         VARCHAR2(8)
SCHEMA_OPTIONS                 VARCHAR2(4000)

ALL_SA_TABLE_POLICIES

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
SCHEMA_NAME          NOT NULL  VARCHAR2(30)
TABLE_NAME           NOT NULL  VARCHAR2(30)
STATUS                         VARCHAR2(8)
TABLE_OPTIONS                  VARCHAR2(4000)
FUNCTION                       VARCHAR2(1024)
PREDICATE                      VARCHAR2(256)

ALL_SA_USERS

Name                 Null?     Type
USER_NAME            NOT NULL  VARCHAR2(30)
POLICY_NAME          NOT NULL  VARCHAR2(30)
USER_PRIVILEGES                VARCHAR2(4000)
MAX_READ_LABEL                 VARCHAR2(4000)
MAX_WRITE_LABEL                VARCHAR2(4000)
MIN_WRITE_LABEL                VARCHAR2(4000)
DEFAULT_READ_LABEL             VARCHAR2(4000)
DEFAULT_WRITE_LABEL            VARCHAR2(4000)
DEFAULT_ROW_LABEL              VARCHAR2(4000)
USER_LABELS                    VARCHAR2(4000)

ALL_SA_USER_LABELS

Name                 Null?     Type
USER_NAME            NOT NULL  VARCHAR2(30)
POLICY_NAME          NOT NULL  VARCHAR2(30)
MAX_READ_LABEL       NOT NULL  VARCHAR2(4000)
MAX_WRITE_LABEL                VARCHAR2(4000)
MIN_WRITE_LABEL                VARCHAR2(4000)
DEFAULT_READ_LABEL             VARCHAR2(4000)
DEFAULT_WRITE_LABEL            VARCHAR2(4000)
DEFAULT_ROW_LABEL              VARCHAR2(4000)
LABELS                         VARCHAR2(4000)


Note:

The field USER_LABELS in ALL_SA_USERS and the field LABELS in ALL_SA_USER_LABELS are retained solely for backward compatibility and will be removed in the next release.


ALL_SA_USER_LEVELS

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
USER_NAME            NOT NULL  VARCHAR2(30)
MAX_LEVEL            NOT NULL  VARCHAR2(30)
MIN_LEVEL            NOT NULL  VARCHAR2(30)
DEF_LEVEL            NOT NULL  VARCHAR2(30)
ROW_LEVEL            NOT NULL  VARCHAR2(30)

ALL_SA_USER_PRIVS

Name                 Null?     Type
USER_NAME            NOT NULL  VARCHAR2(30)
POLICY_NAME          NOT NULL  VARCHAR2(30)
USER_PRIVILEGES                VARCHAR2(4000)

DBA_SA_AUDIT_OPTIONS

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
USER_NAME            NOT NULL  VARCHAR2(30)
APY                            VARCHAR2(3)
REM                            VARCHAR2(3)
SET_                           VARCHAR2(3)
PRV                            VARCHAR2(3)

DBA_SA_COMPARTMENTS

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
COMP_NUM             NOT NULL  NUMBER(4)
SHORT_NAME           NOT NULL  VARCHAR2(30)
LONG_NAME            NOT NULL  VARCHAR2(80)

DBA_SA_DATA_LABELS

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
LABEL                          VARCHAR2(4000)
LABEL_TAG                      NUMBER

DBA_SA_GROUPS

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
GROUP_NUM            NOT NULL  NUMBER(4)
SHORT_NAME           NOT NULL  VARCHAR2(30)
LONG_NAME            NOT NULL  VARCHAR2(80)
PARENT_NUM                     NUMBER(4)
PARENT_NAME                    VARCHAR2(30)

DBA_SA_GROUP_HIERARCHY

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
HIERARCHY_LEVEL                NUMBER
GROUP_NAME                     VARCHAR2(4000)

DBA_SA_LABELS

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
LABEL                          VARCHAR2(4000)
LABEL_TAG                      NUMBER
LABEL_TYPE                     VARCHAR2(15)

DBA_SA_LEVELS

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
LEVEL_NUM            NOT NULL  NUMBER(4)
SHORT_NAME           NOT NULL  VARCHAR2(30)
LONG_NAME            NOT NULL  VARCHAR2(80)

DBA_SA_POLICIES

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
COLUMN_NAME          NOT NULL  VARCHAR2(30)
STATUS                         VARCHAR2(8)
POLICY_OPTIONS                 VARCHAR2(4000)

DBA_SA_PROG_PRIVS

Name                 Null?     Type
SCHEMA_NAME          NOT NULL  VARCHAR2(30)
PROGRAM_NAME         NOT NULL  VARCHAR2(30)
POLICY_NAME          NOT NULL  VARCHAR2(30)
PROGRAM_PRIVILEGES             VARCHAR2(4000)

DBA_SA_SCHEMA_POLICIES

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
SCHEMA_NAME          NOT NULL  VARCHAR2(30)
STATUS                         VARCHAR2(8)
SCHEMA_OPTIONS                 VARCHAR2(4000)

DBA_SA_TABLE_POLICIES

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
SCHEMA_NAME          NOT NULL  VARCHAR2(30)
TABLE_NAME           NOT NULL  VARCHAR2(30)
STATUS                         VARCHAR2(8)
TABLE_OPTIONS                  VARCHAR2(4000)
FUNCTION                       VARCHAR2(1024)
PREDICATE                      VARCHAR2(256)

DBA_SA_USERS

Name                 Null?     Type
USER_NAME            NOT NULL  VARCHAR2(30)
POLICY_NAME          NOT NULL  VARCHAR2(30)
USER_PRIVILEGES                VARCHAR2(4000)
MAX_READ_LABEL                 VARCHAR2(4000)
MAX_WRITE_LABEL                VARCHAR2(4000)
MIN_WRITE_LABEL                VARCHAR2(4000)
DEFAULT_READ_LABEL             VARCHAR2(4000)
DEFAULT_WRITE_LABEL            VARCHAR2(4000)
DEFAULT_ROW_LABEL              VARCHAR2(4000)
USER_LABELS                    VARCHAR2(4000)


Note:

The field USER_LABELS in DBA_SA_USERS is retained solely for backward compatibility and will be removed in the next release.


DBA_SA_USER_COMPARTMENTS

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
USER_NAME            NOT NULL  VARCHAR2(30)
COMP                 NOT NULL  VARCHAR2(30)
RW_ACCESS                      VARCHAR2(5)
DEF_COMP             NOT NULL  VARCHAR2(1)
ROW_COMP             NOT NULL  VARCHAR2(1)

DBA_SA_USER_GROUPS

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
USER_NAME            NOT NULL  VARCHAR2(30)
GRP                  NOT NULL  VARCHAR2(30)
RW_ACCESS                      VARCHAR2(5)
DEF_GROUP            NOT NULL  VARCHAR2(1)
ROW_GROUP            NOT NULL  VARCHAR2(1)

DBA_SA_USER_LABELS

Name                 Null?     Type
USER_NAME            NOT NULL  VARCHAR2(30)
POLICY_NAME          NOT NULL  VARCHAR2(30)
MAX_READ_LABEL       NOT NULL  VARCHAR2(4000)
MAX_WRITE_LABEL                VARCHAR2(4000)
MIN_WRITE_LABEL                VARCHAR2(4000)
DEFAULT_READ_LABEL             VARCHAR2(4000)
DEFAULT_WRITE_LABEL            VARCHAR2(4000)
DEFAULT_ROW_LABEL              VARCHAR2(4000)
LABELS                         VARCHAR2(4000)


Note:

The field LABELS in DBA_SA_USER_LABELS is retained solely for backward compatibility and will be removed in the next release.


DBA_SA_USER_LEVELS

Name                 Null?     Type
POLICY_NAME          NOT NULL  VARCHAR2(30)
USER_NAME            NOT NULL  VARCHAR2(30)
MAX_LEVEL            NOT NULL  VARCHAR2(30)
MIN_LEVEL            NOT NULL  VARCHAR2(30)
DEF_LEVEL            NOT NULL  VARCHAR2(30)
ROW_LEVEL            NOT NULL  VARCHAR2(30)

DBA_SA_USER_PRIVS

Name                 Null?     Type
USER_NAME            NOT NULL  VARCHAR2(30)
POLICY_NAME          NOT NULL  VARCHAR2(30)
USER_PRIVILEGES                VARCHAR2(4000)

Oracle Label Security Auditing Views

Using the SA_AUDIT_ADMIN.CREATE_VIEW procedure, you can create an audit trail view for the specified policy. By default, this view is named DBA_policyname_AUDIT_TRAIL.

The DBA_SA_AUDIT_OPTIONS view contains the columns POLICY_NAME, USER_NAME, APY, SET_, and PRV.

See Also:

"Creating and Dropping an Audit Trail View for Oracle Label Security"

Restrictions in Oracle Label Security

The following restrictions exist in this Oracle Label Security release:

CREATE TABLE AS SELECT Restriction in Oracle Label Security

If you attempt to perform CREATE TABLE AS SELECT in a schema that is protected by an Oracle Label Security policy, the statement will fail.

Label Tag Restriction

Label tags must be unique across all policies in the database. When you use multiple policies in a database, you cannot use the same numeric label tag in different policies.

Export Restriction in Oracle Label Security

The LBACSYS schema cannot be exported due to the use of opaque types in Oracle Label Security. An export of the entire database (parameter FULL=Y) with Oracle Label Security installed can be done, except that the LBACSYS schema would not be exported.

Oracle Label Security Deinstallation Restriction

Do not perform a DROP USER CASCADE on the LBACSYS account.

Connect to the database as user SYS, using the AS SYSDBA syntax, and run the file $ORACLE_HOME/rdbms/admin/catnools.sql to deinstall Oracle Label Security.

See Also:

Your platform-specific Oracle installation documentation

Shared Schema Support

User accounts defined in the Oracle Internet Directory cannot be given individual Oracle Label Security authorizations. However, authorizations can be given to the shared schema to which the directory users are mapped.

The Oracle Label Security function SET_ACCESS_PROFILE can be used programmatically to set the label authorization profile to use after a user has been authenticated and mapped to a shared schema. Oracle Label Security does not enforce a mapping between users who are given label authorizations in Oracle Label Security and actual database users.
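
An authorization review built from the DBA_SA_* views listed in this appendix, ending with a check for the unmapped authorization profiles that the shared schema behavior described above permits. This is an added example, not part of Oracle's guide. It assumes a session with SELECT_CATALOG_ROLE and that Oracle Label Security user names are stored in uppercase, as in DBA_USERS.USERNAME; DBA_USERS is the standard dictionary view and is not one of the views listed in this appendix.

```sql
-- Added example: authorization review using the DBA_SA_* views from this appendix.
-- Assumes SELECT_CATALOG_ROLE (or equivalent) and uppercase OLS user names.

-- 1. Users holding policy privileges, with the label range each one is allowed.
SELECT u.policy_name,
       u.user_name,
       u.user_privileges,
       u.max_read_label,
       u.max_write_label,
       u.min_write_label,
       u.default_row_label
FROM   dba_sa_users u
WHERE  u.user_privileges IS NOT NULL
ORDER  BY u.policy_name, u.user_name;

-- 2. Stored program units that carry policy privileges of their own.
SELECT pp.policy_name,
       pp.schema_name,
       pp.program_name,
       pp.program_privileges
FROM   dba_sa_prog_privs pp
ORDER  BY pp.policy_name, pp.schema_name, pp.program_name;

-- 3. Policies that are not applied to any table or schema.
SELECT p.policy_name, p.column_name, p.status, p.policy_options
FROM   dba_sa_policies p
WHERE  NOT EXISTS (SELECT 1 FROM dba_sa_table_policies t
                   WHERE  t.policy_name = p.policy_name)
AND    NOT EXISTS (SELECT 1 FROM dba_sa_schema_policies s
                   WHERE  s.policy_name = p.policy_name)
ORDER  BY p.policy_name;

-- 4. Label authorization profiles with no matching database account.
--    Expected for profiles selected with SET_ACCESS_PROFILE on a shared schema;
--    any other row is a leftover or mistyped authorization to follow up.
SELECT l.policy_name, l.user_name, l.max_read_label, l.max_write_label
FROM   dba_sa_user_labels l
WHERE  NOT EXISTS (SELECT 1 FROM dba_users d
                   WHERE  d.username = l.user_name)
ORDER  BY l.policy_name, l.user_name;
```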

Hidden Columns Restriction

PL/SQL does not recognize references to hidden columns in tables. A compiler error will be generated.

Installing Oracle Label Security

The person intending to install Oracle Label Security first selects the Custom installation choice. Oracle Label Security is listed as one of the options in the custom installation screen. After copying the Oracle Label Security files and relinking Oracle, the installer software automatically launches the Database Configuration Assistant (DBCA) during the database registration process, to configure options for the database to be created.

In DBCA, if Oracle Internet Directory (OID) is to be enabled for Oracle Label Security use, an additional option lets the installing user configure the password for the Directory Integration Platform (DIP) user. A DIP user with the default password DIP has been created by catproc.sql. If the password is set during this configuration step, the DIP provisioning profile will be created with the new DIP password.

Behind the scenes, DBCA does the following:

Oracle Label Security and the SYS.AUD$ Table

Installing Oracle Label Security automatically moves the AUD$ table out of SYS and into SYSTEM, and into a different tablespace.

Having the AUD$ table in the SYSTEM schema is supported when Oracle Label Security is being used.

When Oracle Label Security is not installed, moving the SYS.AUD$ table out of the SYSTEM tablespace is not supported because the Oracle code makes implicit assumptions about the data dictionary tables, such as SYS.AUD$, in support of upgrades and backup/recovery scenarios. Moving SYS.AUD$ is not supported unless done by Oracle when Oracle Label Security is installed.

Removing Oracle Label Security

Perform the following steps to remove Oracle Label Security. Do not perform a DROP USER CASCADE on the LBACSYS account to remove Oracle Label Security.

  1. Connect AS SYSDBA.
  2. Execute the $ORACLE_HOME/rdbms/admin/catnools.sql script to delete the LBACSYS account.
  3. Use the Oracle Universal Installer to remove Oracle Label Security.

    See Also:

    Your platform-specific Oracle installation documentation