4 Getting Started with Oracle Label Security

Before using Oracle Label Security, you must register it with the database and then enable the LBACSYS Oracle Label Security account.

4.1 Registering Oracle Label Security with an Oracle Database

You must register Oracle Label Security with the database in which you plan to use it.

4.1.1 About Registering Oracle Label Security

When you install Oracle Database, by default Oracle Label Security is not enabled.

You must register Oracle Label Security with the database. Afterwards, you must enable the default Oracle Label Security user account, LBACSYS. After you register Oracle Label Security, you can disable and re-enable it when necessary.

If you are using a multitenant environment, then only register Oracle Label Security in the pluggable databases (PDBs) in which you plan to create Oracle Label Security policies. Because Oracle Label Security is not designed to protect data dictionary objects, you cannot create policies in the root.

4.1.2 Checking if Oracle Label Security Has Been Registered and Enabled

You can query the DBA_OLS_STATUS and CDB_OLS_STATUS data dictionary views to find if Oracle Label Security has already been registered and enabled.

  1. Log into the database instance as user SYS with the SYSDBA administrative privilege.
    sqlplus sys as sysdba
    Enter password: password
    
  2. If you are using a multitenant environment, then connect to the appropriate PDB.

    For example, to connect to the PDB hrpdb:

    CONNECT SYS@hrpdb AS SYSDBA
    Enter password: password
    

    To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.

  3. Run the appropriate query to find if Oracle Label Security has been registered (configured) and enabled.
    • If you want to find the Oracle Label Security status for a non-multitenant database, or in a multitenant environment for the root only or an individual PDB, then query DBA_OLS_STATUS. For example:
      SELECT * FROM DBA_OLS_STATUS;
      
      NAME                 STATUS  DESCRIPTION        
      -------------------- ------- -------------------------------------
      OLS_CONFIGURE_STATUS TRUE    Determines if OLS is configured
      OLS_DIRECTORY_STATUS FALSE   Determines if OID is enabled with OLS
      OLS_ENABLE_STATUS    TRUE    Determines if OLS is enabled
    • If you want to find the Oracle Label Security status of all PDBs in a multitenant environment, then connect to the root as a common user with administrative privileges and query CDB_OLS_STATUS. (Queried from within a PDB, CDB_OLS_STATUS shows only that PDB.) The CON_ID column identifies the container that each row describes. For example:
      SELECT * FROM CDB_OLS_STATUS;
      
      NAME                 STATUS  DESCRIPTION                           CON_ID        
      -------------------- ------- ------------------------------------  ------
      OLS_DIRECTORY_STATUS FALSE   Determines if OID is enabled with OLS 4 
      OLS_ENABLE_STATUS    TRUE    Determines if OLS is enabled          4
      OLS_CONFIGURE_STATUS TRUE    Determines if OLS is configured       4
      OLS_DIRECTORY_STATUS FALSE   Determines if OID is enabled with OLS 5 
      OLS_ENABLE_STATUS    TRUE    Determines if OLS is enabled          5
      OLS_CONFIGURE_STATUS TRUE    Determines if OLS is configured       5
        

4.1.3 Registering and Enabling Oracle Label Security from SQL*Plus

You can both register and enable Oracle Label Security from SQL*Plus.

  1. Log into the database instance as user SYS with the SYSDBA administrative privilege.

    For example:

    sqlplus sys as sysdba
    Enter password: password 
    
  2. If you are using a multitenant environment, then connect to the appropriate PDB.

    For example, to connect to the PDB hrpdb:

    CONNECT SYS@hrpdb AS SYSDBA
    Enter password: password
    

    To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.

  3. Register and enable Oracle Label Security. CONFIGURE_OLS registers Oracle Label Security in the current container, and OLS_ENFORCEMENT.ENABLE_OLS enables it. Enter each call on a line of its own:
    EXEC LBACSYS.CONFIGURE_OLS;
    EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;
    
  4. Connect as user SYS with the SYSOPER privilege.

    For example:

    CONNECT SYS AS SYSOPER
    Enter password: password

    In a multitenant environment, connect to the PDB in which you registered Oracle Label Security (for example, CONNECT SYS@hrpdb AS SYSOPER for the PDB hrpdb).
    
  5. Restart the database so that the change takes effect. When you are connected to a PDB, SHUTDOWN IMMEDIATE and STARTUP close and reopen only that PDB.

    For example:

    SHUTDOWN IMMEDIATE
    STARTUP
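
The status check in 4.1.2 and the registration steps in 4.1.3 combined into one idempotent SQL*Plus script, as an added example that is not part of the Oracle documentation: it refuses to run in CDB$ROOT (where policies cannot be created), reads DBA_OLS_STATUS, and calls CONFIGURE_OLS and ENABLE_OLS only when they are still needed. It assumes a SQL*Plus session as SYS AS SYSDBA in the target PDB or non-CDB; the DBMS_OUTPUT messages and the error number are illustrative choices, not values defined by Oracle Label Security.

```sql
-- Added example (not from the Oracle documentation): idempotent OLS
-- registration. Run connected as SYS AS SYSDBA in the target PDB/non-CDB.
SET SERVEROUTPUT ON

DECLARE
  v_con_name    VARCHAR2(128);
  v_configured  VARCHAR2(5);
  v_enabled     VARCHAR2(5);
BEGIN
  -- Guard: OLS does not protect data dictionary objects, so policies cannot
  -- be created in the root. Stop rather than registering in the wrong place.
  v_con_name := SYS_CONTEXT('USERENV', 'CON_NAME');
  IF v_con_name = 'CDB$ROOT' THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Connected to CDB$ROOT; connect to the PDB that will hold OLS policies.');
  END IF;

  -- Read the two status flags the page's DBA_OLS_STATUS output shows.
  SELECT status INTO v_configured FROM dba_ols_status
   WHERE name = 'OLS_CONFIGURE_STATUS';
  SELECT status INTO v_enabled FROM dba_ols_status
   WHERE name = 'OLS_ENABLE_STATUS';

  DBMS_OUTPUT.PUT_LINE('Container ' || v_con_name ||
                       ': configured=' || v_configured ||
                       ', enabled='    || v_enabled);

  -- Register only if not already registered (same call as step 3 above).
  IF v_configured = 'FALSE' THEN
    LBACSYS.CONFIGURE_OLS;
    DBMS_OUTPUT.PUT_LINE('CONFIGURE_OLS run: Oracle Label Security registered.');
  END IF;

  -- Enable only if not already enabled (same call as step 3 above).
  IF v_enabled = 'FALSE' THEN
    LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;
    DBMS_OUTPUT.PUT_LINE('ENABLE_OLS run: restart this container (steps 4-5).');
  ELSE
    DBMS_OUTPUT.PUT_LINE('Oracle Label Security already enabled; nothing to do.');
  END IF;
END;
/

-- After the SYSOPER restart, confirm both flags read TRUE.
SELECT name, status FROM dba_ols_status ORDER BY name;
```

Because the script reads the status first, it can be re-run safely after a failed or interrupted attempt; only the final SELECT needs to be repeated after the restart to confirm that OLS_CONFIGURE_STATUS and OLS_ENABLE_STATUS are both TRUE.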

4.1.4 Registering and Enabling Oracle Label Security Using DBCA

You can both register and enable Oracle Label Security using Database Configuration Assistant.

  1. Start Database Configuration Assistant (DBCA).
    • UNIX: Run the following command:

      $ORACLE_HOME/bin/dbca
      
    • Windows: From the Start menu, click All Programs. Then click Oracle - ORACLE_HOME, then Configuration and Migration Tools, and then Database Configuration Assistant.

    The Welcome screen appears.

  2. Click Next.

    The Operations screen appears.

  3. Select Configure Database Options. Click Next.

    The Database screen appears.

  4. From the list, select the database where you need to configure and enable OLS. Click Next.

    The Database Content screen appears.

  5. Select Oracle Label Security. Click Next.

    The Connection Mode screen appears.

  6. Select either Dedicated Server Mode or Shared Server Mode. Click Finish.

    A dialog box is displayed informing you that the operation will require the database to be restarted.

  7. Click OK.

    A confirmation dialog box is displayed.

  8. Click OK.

    The DBCA progress screen is displayed.

  9. After the operation is complete, you are prompted to perform another operation. Click No to exit DBCA.

4.2 Enabling the LBACSYS Oracle Label Security User Account

After you complete the registration process, the default user account, LBACSYS, is granted the LBAC_DBA database role, which provides the privileges necessary to manage Oracle Label Security.

LBACSYS is created as a locked account with its password expired.

  1. Log into the database instance as a user who has been granted the ALTER USER system privilege (for example, the SYSTEM user).

    For example:

    sqlplus system
    Enter password: password

    In a multitenant environment, include the PDB in the connect string, for example sqlplus system@hrpdb for the hrpdb pluggable database (PDB).
    

    If Oracle Database Vault is enabled, then log in as a user who has been granted the DV_ACCTMGR role.

  2. Enter this statement:
    ALTER USER LBACSYS ACCOUNT UNLOCK IDENTIFIED BY password;
    

    Replace password with a password that is secure. See Oracle Database Security Guide for the minimum requirements for creating passwords.

After you unlock user LBACSYS and provide a password, as a good practice, you may want to reserve this account as a back-up user account. For day-to-day use, consider granting the LBAC_DBA database role to trusted users who you want to administer Oracle Label Security.

If you plan to use Enterprise Manager Cloud Control to administer Oracle Label Security, then ensure that any users to whom you have granted the LBAC_DBA role also have the SELECT ANY DICTIONARY privilege. By default, the LBACSYS user already has this privilege.

4.3 Logging in to Cloud Control or SQL*Plus for Oracle Label Security

After you complete the Oracle Label Security registration and enablement process, you can begin using it.

4.3.1 Logging in to Oracle Label Security from Enterprise Manager Cloud Control

From Enterprise Manager Cloud Control, you use the Oracle Label Security pages to create and manage Oracle Label Security policies.

  1. Ensure that you have configured the Cloud Control target databases that you plan to use with Oracle Label Security.

    See the Oracle Enterprise Manager online help for more information about configuring target databases.

  2. Point your browser to the Cloud Control login page.

    For example:

    https://myserver.example.com:7799/em
    
  3. Log into Cloud Control as user SYSMAN.
  4. In the Cloud Control home page, from the Targets menu, select Databases.
  5. In the Databases page, select the link for the database to which you want to connect.

    The Database home page appears.

  6. From the Security menu, select Label Security.

    The Database Login page appears.

  7. Enter the following information:
    • Username: Enter the user name of a user who has been granted the LBAC_DBA database role, or enter LBACSYS.

    • Password: Enter the password.

    • Role: Select NORMAL from the list.

    • Save As: Select this check box if you want these credentials to be automatically filled in for you the next time that this page appears. The credentials are stored in Enterprise Manager in a secured manner. Access to these credentials depends on the user who is currently logged in.

4.3.2 Logging in to Oracle Label Security from SQL*Plus

You can log in to Oracle Label Security from SQL*Plus if you have been granted the LBAC_DBA database role.

  • To use Oracle Label Security from SQL*Plus, connect as user LBACSYS or as a user who has been granted the LBAC_DBA database role. To find if a user has been granted this role, query the GRANTEE and GRANTED_ROLE columns of the DBA_ROLE_PRIVS data dictionary view.

For example:

sqlplus psmith_ols
Enter password: password

For a PDB named hrpdb, connect with sqlplus psmith_ols@hrpdb instead.

To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.
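
The unlock-and-delegate steps of 4.2 and the DBA_ROLE_PRIVS check of 4.3.2 carried out as one script, as an added example that is not part of the Oracle documentation. It assumes a SQL*Plus session in the target PDB or non-CDB as a user who can ALTER USER and grant the role and privilege (SYSTEM; or, when Database Vault is enabled, a DV_ACCTMGR user for the ALTER USER step), that the administrator account psmith_ols named in 4.3.2 already exists, and that the placeholder password is replaced with one that meets the Oracle Database Security Guide requirements. The error number in the final block is an illustrative choice.

```sql
-- Added example (not from the Oracle documentation): unlock LBACSYS, delegate
-- day-to-day OLS administration to a named user, and verify the grants.
SET SERVEROUTPUT ON

-- 1. Confirm LBACSYS is still in its post-registration state (EXPIRED & LOCKED)
--    before touching it; an already-OPEN account deserves a second look.
SELECT username, account_status
  FROM dba_users
 WHERE username = 'LBACSYS';

-- 2. Unlock LBACSYS with a new password. Keep it as a back-up account only.
--    Placeholder password: replace before running.
ALTER USER lbacsys ACCOUNT UNLOCK IDENTIFIED BY "Replace_With_A_Strong_Password_1";

-- 3. Delegate to a named, individually auditable administrator instead of
--    sharing LBACSYS. SELECT ANY DICTIONARY is required only if this user
--    will administer OLS through Enterprise Manager Cloud Control.
GRANT lbac_dba TO psmith_ols;
GRANT SELECT ANY DICTIONARY TO psmith_ols;

-- 4. Verify (the 4.3.2 check): who holds LBAC_DBA, and does the delegated
--    administrator hold the dictionary privilege Cloud Control expects?
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'LBAC_DBA'
 ORDER BY grantee;

SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege = 'SELECT ANY DICTIONARY'
   AND grantee IN ('LBACSYS', 'PSMITH_OLS');

-- 5. The same check as a failing assertion, suitable for a post-install
--    verification job: raise an error if the delegated admin lacks the role.
DECLARE
  v_count PLS_INTEGER;
BEGIN
  SELECT COUNT(*) INTO v_count
    FROM dba_role_privs
   WHERE grantee = 'PSMITH_OLS'
     AND granted_role = 'LBAC_DBA';
  IF v_count = 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'PSMITH_OLS does not hold LBAC_DBA');
  END IF;
  DBMS_OUTPUT.PUT_LINE('PSMITH_OLS holds LBAC_DBA');
END;
/
```

Unquoted identifiers are stored in upper case, which is why the verification queries compare against 'PSMITH_OLS' and 'LBACSYS' even though the GRANT and the sqlplus connect string use lower case.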