F Oracle Label Security Reference

Oracle Label Security provides data dictionary tables and views. You should also be aware of Oracle Label Security restrictions.

Oracle Label Security Data Dictionary Tables and Views

Oracle Label Security provides data dictionary tables, data dictionary views, and a user-created auditing view.

Oracle Database Data Dictionary Tables

Oracle Label Security does not label the Oracle data dictionary tables; access is controlled by standard Oracle Database system and object privileges.

See Also:

Oracle Database Reference for detailed information about all data dictionary tables and views

Oracle Label Security Data Dictionary Views

Oracle Label Security maintains an independent set of data dictionary views, which are exempt from any policy enforcement.

Access to the data dictionary views is granted by default to the SELECT_CATALOG_ROLE, a standard Oracle Database role that lets you examine the Oracle Database data dictionary.

ALL_SA_AUDIT_OPTIONS View

The ALL_SA_AUDIT_OPTIONS data dictionary view shows for the current user Oracle Label Security auditing options, based on the SA_AUDIT_ADMIN.AUDIT procedure settings.

See SA_AUDIT_ADMIN.AUDIT.

This view displays whether auditing is configured to generate audit records per session (BY SESSION) or per access (BY ACCESS) and for successful or unsuccessful operations. Possible values are as follows:

  • A dash (-) indicates that the audit option is not set.

  • The S character indicates that the audit option is set BY SESSION.

  • The A character indicates that the audit option is set BY ACCESS.

  • Each audit option has two possible settings, WHENEVER SUCCESSFUL and WHENEVER NOT SUCCESSFUL, separated by a slash (/).

For example, in the following output, user jjones is audited with the BY ACCESS audit type for successful actions involving policy-specific privileges. User rlayton is audited with the BY SESSION audit type: audit records are written for failed attempts to remove policies and for successful attempts at setting user authorizations.

SELECT * FROM DBA_SA_AUDIT_OPTIONS;

POLICY_NAME      USER_NAME     APY  REM  SET_  PRV
-----------      ------------  ---  ---  ----  ---
HR_OLS_POL       JJONES        -/-  -/-  -/-   A/-
HR_OLS_POL       RLAYTON       -/-  -/S  S/-   -/-

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| POLICY_NAME | VARCHAR2(30) | NOT NULL | Name of the Oracle Label Security policy |
| USER_NAME | VARCHAR2(128) | NOT NULL | Name of the user associated with the policy |
| APY | VARCHAR2(3) | NULL | Audit option; refers to the application of specified Oracle Label Security policies to tables and schemas |
| REM | VARCHAR2(3) | NULL | Audit option; refers to the removal of specified Oracle Label Security policies from tables and schemas |
| SET_ | VARCHAR2(3) | NULL | Audit option; refers to the setting of user authorizations, and user and program privileges |
| PRV | VARCHAR2(3) | NULL | Audit option; refers to the use of all policy-specific privileges |
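The flag encoding described above can be expanded into one readable row per policy, user, and audit option, which makes it easier to spot options that record successes but not failures. The query below is an added example, not part of the Oracle documentation; the option labels and output column names are illustrative, and it assumes a release that supports UNPIVOT.

```sql
-- Added example: decode the "success/failure" flags of DBA_SA_AUDIT_OPTIONS.
-- Each of APY, REM, SET_ and PRV holds a value such as '-/S' or 'A/-':
--   left of the slash  = WHENEVER SUCCESSFUL
--   right of the slash = WHENEVER NOT SUCCESSFUL
--   '-' = not set, 'S' = BY SESSION, 'A' = BY ACCESS
WITH decoded AS (
  SELECT policy_name,
         user_name,
         audit_option,          -- illustrative label chosen in the UNPIVOT below
         CASE SUBSTR(flags, 1, INSTR(flags, '/') - 1)
              WHEN 'S' THEN 'BY SESSION'
              WHEN 'A' THEN 'BY ACCESS'
              ELSE 'NOT SET'
         END AS whenever_successful,
         CASE SUBSTR(flags, INSTR(flags, '/') + 1)
              WHEN 'S' THEN 'BY SESSION'
              WHEN 'A' THEN 'BY ACCESS'
              ELSE 'NOT SET'
         END AS whenever_not_successful
  FROM   dba_sa_audit_options
  UNPIVOT (flags FOR audit_option IN (
             apy  AS 'APPLY POLICY',
             rem  AS 'REMOVE POLICY',
             set_ AS 'SET AUTHORIZATIONS',
             prv  AS 'USE PRIVILEGES'))
)
SELECT policy_name,
       user_name,
       audit_option,
       whenever_successful,
       whenever_not_successful
FROM   decoded
-- Keep only options where at least one side is audited, so that gaps
-- (for example, successes audited but failures not) stand out.
WHERE  whenever_successful <> 'NOT SET'
   OR  whenever_not_successful <> 'NOT SET'
ORDER  BY policy_name, user_name, audit_option;
```

For the sample output shown earlier, this returns JJONES with USE PRIVILEGES audited BY ACCESS on success only, and RLAYTON with REMOVE POLICY audited BY SESSION on failure only and SET AUTHORIZATIONS audited BY SESSION on success only.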

ALL_SA_COMPARTMENTS

The ALL_SA_COMPARTMENTS data dictionary view shows information for the current user about Oracle Label Security policy compartments, based on the SA_COMPONENTS.CREATE_COMPARTMENT procedure settings.

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| POLICY_NAME | VARCHAR2(30) | NOT NULL | Name of the Oracle Label Security policy |
| COMP_NUM | NUMBER(4) | NOT NULL | Compartment number in the range of (0-9999) |
| SHORT_NAME | VARCHAR2(30) | NOT NULL | Short name for the compartment |
| LONG_NAME | VARCHAR2(80) | NOT NULL | Long name for the compartment |

ALL_SA_DATA_LABELS

The ALL_SA_DATA_LABELS data dictionary view shows for the current user Oracle Label Security policy labels and tags, based on the SA_LABEL_ADMIN.CREATE_LABEL procedure settings.

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| POLICY_NAME | VARCHAR2(30) | NOT NULL | Name of the Oracle Label Security policy |
| LABEL | VARCHAR2(4000) | NULL | Short name of the level, compartment, or group that was specified as the label value |
| LABEL_TAG | NUMBER | NULL | Integer that represents the sort order of the label, relative to other policy labels (0-99999999) |

ALL_SA_GROUPS

The ALL_SA_GROUPS data dictionary view shows information about the current user’s Oracle Label Security policy groups, based on the SA_COMPONENTS.CREATE_GROUP and SA_COMPONENTS.ALTER_GROUP_PARENT procedures.

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| POLICY_NAME | VARCHAR2(30) | NOT NULL | Name of the Oracle Label Security policy |
| GROUP_NUM | NUMBER(4) | NOT NULL | Group number (0-9999) |
| SHORT_NAME | VARCHAR2(30) | NOT NULL | Short name of the group |
| LONG_NAME | VARCHAR2(80) | NOT NULL | Long name of the group |
| PARENT_NUM | NUMBER(4) | NULL | Numerical ID for the associated parent group |
| PARENT_NAME | VARCHAR2(30) | NULL | Name of the group assigned as the parent for the group |

ALL_SA_LABELS

The ALL_SA_LABELS data dictionary view shows for the current user information about the tags and types of labels, based on SA_LABEL_ADMIN.CREATE_LABEL and SA_LABEL_ADMIN.ALTER_LABEL.

Access to ALL_SA_LABELS is PUBLIC. However, only the labels authorized for read access by the session are visible.

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| POLICY_NAME | VARCHAR2(30) | NOT NULL | Name of the Oracle Label Security policy |
| LABEL | VARCHAR2(4000) | NOT NULL | Short name of the level associated with this label |
| LABEL_TAG | NUMBER(30) | NOT NULL | Integer tag assigned to the label |
| LABEL_TYPE | VARCHAR2(15) | NULL | Type of label |

ALL_SA_LEVELS

The ALL_SA_LEVELS data dictionary view shows for the current user information about levels, based on the SA_COMPONENTS.CREATE_LEVEL procedure.

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| POLICY_NAME | VARCHAR2(30) | NOT NULL | Name of the Oracle Label Security policy |
| LEVEL_NUM | NUMBER(4) | NOT NULL | Level number (0-9999) |
| SHORT_NAME | VARCHAR2(30) | NOT NULL | Short name for the level |
| LONG_NAME | VARCHAR2(80) | NOT NULL | Long name for the level |

ALL_SA_POLICIES

The ALL_SA_POLICIES data dictionary view shows for the current user information about Oracle Label Security policies, based on the SA_SYSDBA.CREATE_POLICY procedure.

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| POLICY_NAME | VARCHAR2(30) | NOT NULL | Name of the Oracle Label Security policy |
| COLUMN_NAME | VARCHAR2(128) | NOT NULL | Name of the column that was added to tables protected by the policy |
| STATUS | VARCHAR2(8) | NULL | Whether the policy has been enabled or disabled |
| POLICY_OPTIONS | VARCHAR2(4000) | NULL | Options that were set for this policy. See Categories of Policy Enforcement Options for a listing of the possible enforcement options. |

ALL_SA_PROG_PRIVS

The ALL_SA_PROG_PRIVS data dictionary view shows for the current user information about the policy-specific privileges for program units, based on SA_USER_ADMIN.SET_PROG_PRIVS.

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| SCHEMA_NAME | VARCHAR2(128) | NOT NULL | Name of the schema that contains the program unit |
| PROGRAM_NAME | VARCHAR(128) | NOT NULL | Program unit that was granted privileges |
| POLICY_NAME | VARCHAR2(30) | NOT NULL | Name of the Oracle Label Security policy |
| PROGRAM_PRIVILEGES | VARCHAR2(4000) | NULL | Policy-specific privileges. See About Granting Privileges to Users and Trusted Program Units for the Policy for a list of possible privileges. |

ALL_SA_SCHEMA_POLICIES

The ALL_SA_SCHEMA_POLICIES data dictionary view shows for the current user information about policies applied to all tables in the schema, based on SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY.

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| POLICY_NAME | VARCHAR2(30) | NOT NULL | Name of the Oracle Label Security policy |
| SCHEMA_NAME | VARCHAR2(128) | NOT NULL | Name of the schema associated with this policy |
| STATUS | VARCHAR2(8) | NULL | Whether the policy has been enabled or disabled for the schema (by the SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY or SA_POLICY_ADMIN.DISABLE_SCHEMA_POLICY procedure) |
| SCHEMA_OPTIONS | VARCHAR2(4000) | NULL | Options that have been applied. |

ALL_SA_TABLE_POLICIES

The ALL_SA_TABLE_POLICIES data dictionary view shows for the current user information about a policy added to a database table, based on SA_POLICY_ADMIN.APPLY_TABLE_POLICY settings.

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| POLICY_NAME | VARCHAR2(30) | NOT NULL | Name of the Oracle Label Security policy |
| SCHEMA_NAME | VARCHAR2(128) | NOT NULL | Schema that contains the table that the policy protects |
| TABLE_NAME | VARCHAR2(128) | NOT NULL | Table to be protected by the policy |
| STATUS | VARCHAR2(8) | NULL | Whether the policy has been enabled or disabled for the table (by the SA_POLICY_ADMIN.APPLY_TABLE_POLICY or SA_POLICY_ADMIN.DISABLE_TABLE_POLICY procedure) |
| TABLE_OPTIONS | VARCHAR2(4000) | NULL | Policy enforcement options to be used for the table |
| FUNCTION | VARCHAR2(1024) | NULL | Name of the function to return a label value to use as the default |
| PREDICATE | VARCHAR2(256) | NULL | Predicate to combine (using AND or OR) with the label-based predicate for READ_CONTROL |

ALL_SA_USERS

The ALL_SA_USERS data dictionary view shows for the current user information about Oracle Label Security user privileges, based on SA_USER_ADMIN.SET_USER_LABELS and SA_USER_ADMIN.SET_USER_PRIVS.

| Column | Type | Null | Description |
| --- | --- | --- | --- |
| USER_NAME | VARCHAR2(1024) | NOT NULL | Name of the user |
| POLICY_NAME | VARCHAR2(30) | NOT NULL | Name of the Oracle Label Security policy |
| USER_PRIVILEGES | VARCHAR2(4000) | NULL | Policy-specific privileges granted to the user. |
| MAX_READ_LABEL | VARCHAR2(4000) | NULL | Label string to initialize the user's maximum authorized read label |
| MAX_WRITE_LABEL | VARCHAR2(4000) | NULL | Label string to initialize the user's maximum authorized write label |
| MIN_WRITE_LABEL | VARCHAR2(4000) | NULL | Label string to initialize the user's minimum authorized write label |
| DEFAULT_READ_LABEL | VARCHAR2(4000) | NULL | Label string to initialize the user's session label, including level, compartments, and groups, for read access |
| DEFAULT_WRITE_LABEL | VARCHAR2(4000) | NULL | Label string to initialize the user's session label, including level, compartments, and groups, for write access |
| DEFAULT_ROW_LABEL | VARCHAR2(4000) | NULL | Label string to initialize the program's row label; includes level, components, and groups |
| USER_LABELS | VARCHAR2(4000) | NULL | Retained solely for backward compatibility and will be removed in the next release |

ALL_SA_USER_LABELS

The ALL_SA_USER_LABELS data dictionary view shows for the current user label-specific information about users, based on the SA_USER_ADMIN.SET_USER_LABELS procedure settings.

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| USER_NAME | VARCHAR2(1024) | NOT NULL | Name of the user |
| POLICY_NAME | VARCHAR2(30) | NOT NULL | Name of the Oracle Label Security policy |
| LABELS | VARCHAR2(4000) | NULL | Retained solely for backward compatibility and will be removed in the next release |
| MAX_READ_LABEL | VARCHAR2(4000) | NOT NULL | Label string to initialize the user's maximum authorized read label |
| MAX_WRITE_LABEL | VARCHAR2(4000) | NULL | Label string to initialize the user's maximum authorized write label |
| MIN_WRITE_LABEL | VARCHAR2(4000) | NULL | Label string to initialize the user's minimum authorized write label |
| DEFAULT_READ_LABEL | VARCHAR2(4000) | NULL | Label string to initialize the user's session label, including level, compartments, and groups, for read access |
| DEFAULT_WRITE_LABEL | VARCHAR2(4000) | NULL | Label string to initialize the user's session label, including level, compartments, and groups, for write access |
| DEFAULT_ROW_LABEL | VARCHAR2(4000) | NULL | Label string to initialize the program's row label; includes level, components, and groups |

ALL_SA_USER_LEVELS

The ALL_SA_USER_LEVELS data dictionary view shows for the current user the minimum and maximum levels assigned to users, based on the SA_USER_ADMIN.SET_LEVELS procedure.

It also lists the user's session label and row label default values.

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| POLICY_NAME | VARCHAR2(30) | NOT NULL | Name of the Oracle Label Security policy |
| USER_NAME | VARCHAR2(1024) | NOT NULL | Name of the user |
| MAX_LEVEL | VARCHAR2(30) | NOT NULL | Short name of the highest level for read and write access |
| MIN_LEVEL | VARCHAR2(30) | NOT NULL | Short name of the lowest level for read and write access |
| DEF_LEVEL | VARCHAR2(30) | NOT NULL | Short name of the default level |
| ROW_LEVEL | VARCHAR2(30) | NOT NULL | Short name of the row level |

ALL_SA_USER_PRIVS

The ALL_SA_USER_PRIVS data dictionary view shows for the current user policy-specific privileges granted to users, based on the SA_USER_ADMIN.SET_USER_PRIVS procedure.

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| USER_NAME | VARCHAR2(1024) | NOT NULL | Name of the user |
| POLICY_NAME | VARCHAR2(30) | NOT NULL | Name of the Oracle Label Security policy |
| USER_PRIVILEGES | VARCHAR2(4000) | NULL | Policy-specific privileges granted to the user |

CDB_OLS_STATUS

The CDB_OLS_STATUS data dictionary view shows the configuration status of Oracle Label Security in the database in a multitenant environment.

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| NAME | VARCHAR2(20) | NOT NULL | Name of the status. Values are OLS_CONFIGURE_STATUS, OLS_DIRECTORY_STATUS, and OLS_ENABLE_STATUS. |
| STATUS | VARCHAR2(5) | NOT NULL | Indicates the status of the feature mentioned in the corresponding name column. For example, a TRUE value for the OLS_CONFIGURE_STATUS status says that Oracle Label Security has been configured. |
| DESCRIPTION | VARCHAR2(4000) | NOT NULL | Description of the status. OLS_CONFIGURE_STATUS: Determines if Oracle Label Security is configured. OLS_DIRECTORY_STATUS: Determines if Oracle Internet Directory is enabled with Oracle Label Security. OLS_ENABLE_STATUS: Determines if Oracle Label Security is enabled. |
| CON_ID | NUMBER | NOT NULL | The container database ID number |

DBA_SA_AUDIT_OPTIONS

The DBA_SA_AUDIT_OPTIONS data dictionary view shows for the entire database the Oracle Label Security audit options.

Its columns are the same as ALL_SA_AUDIT_OPTIONS.

DBA_SA_COMPARTMENTS

The DBA_SA_COMPARTMENTS data dictionary view shows for the entire database information about Oracle Label Security policy compartments.

Its columns are the same as ALL_SA_COMPARTMENTS.

DBA_SA_DATA_LABELS

The DBA_SA_DATA_LABELS data dictionary view shows for the entire database the labels and label tags for the specified Oracle Label Security policy.

Its columns are the same as ALL_SA_DATA_LABELS.

DBA_SA_GROUPS

The DBA_SA_GROUPS data dictionary view shows for the entire database information about Oracle Label Security policy groups.

Its columns are the same as ALL_SA_GROUPS.

DBA_SA_GROUP_HIERARCHY

The DBA_SA_GROUP_HIERARCHY data dictionary view shows the hierarchy of groups (that is, parent-child relationships) in a policy.

| Column | Type | Null | Description |
| --- | --- | --- | --- |
| POLICY_NAME | VARCHAR2(30) | NOT NULL | Name of the Oracle Label Security policy |
| HIERARCHY_LEVEL | NUMBER | NULL | Indicates the level of a particular group in a group hierarchy. A group with no parent group will have HIERARCHY_LEVEL 1. Its child group will have HIERARCHY_LEVEL 2 and so on. |
| GROUP_NAME | VARCHAR2(4000) | NULL | Short name of the group intended to indicate the hierarchy level |

As an example of HIERARCHY_LEVEL values, consider these groups in the following order:

  1. G1, G4

  2. G2, G5

  3. G3

Here, G1 and G4 have HIERARCHY_LEVEL 1; G2 and G5 have HIERARCHY_LEVEL 2, and G3 has HIERARCHY_LEVEL 3.

The parent-child relationships are:

  • G3 is the child group of G2, and G2 is the child group of G1.

  • G5 is the child group of G4.
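The same level numbering can be derived from the parent links that DBA_SA_GROUPS exposes (GROUP_NUM and PARENT_NUM), which is useful when reviewing which groups sit under a given parent. The hierarchical query below is an added example, not Oracle's definition of DBA_SA_GROUP_HIERARCHY; the output column aliases are illustrative, and it assumes group numbers are matched within a single policy.

```sql
-- Added example: walk the parent/child links in DBA_SA_GROUPS.
-- Root groups (no parent) get LEVEL 1, their children LEVEL 2, and so on,
-- matching the HIERARCHY_LEVEL numbering described above.
SELECT policy_name,
       LEVEL                                        AS hierarchy_level,
       LPAD(' ', 2 * (LEVEL - 1)) || short_name     AS indented_group,
       SYS_CONNECT_BY_PATH(short_name, '/')         AS path_from_root
FROM   dba_sa_groups
START  WITH parent_num IS NULL                      -- groups with no parent
CONNECT BY PRIOR group_num   = parent_num           -- child points at parent
       AND PRIOR policy_name = policy_name          -- stay inside one policy
ORDER  SIBLINGS BY short_name;

-- For the groups in the example above (G2 under G1, G3 under G2,
-- G5 under G4), the paths would be:
--   /G1, /G1/G2, /G1/G2/G3, /G4, /G4/G5
```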

DBA_SA_LABELS

The DBA_SA_LABELS data dictionary view shows for the entire database information about the tags and types of labels for a policy.

Its columns are the same as ALL_SA_LABELS.

DBA_SA_LEVELS

The DBA_SA_LEVELS data dictionary view shows for the entire database information about levels associated with a policy.

Its columns are the same as ALL_SA_LEVELS.

DBA_SA_POLICIES

The DBA_SA_POLICIES data dictionary view shows for the entire database information about Oracle Label Security policies, based on the SA_SYSDBA.CREATE_POLICY procedure.

This view also shows whether the policy has been enabled or disabled and its subscription status.

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| POLICY_NAME | VARCHAR2(30) | NOT NULL | Name of the Oracle Label Security policy |
| COLUMN_NAME | VARCHAR2(128) | NOT NULL | Name of the column that was added to tables protected by the policy |
| STATUS | VARCHAR2(8) | NULL | Whether the policy has been enabled or disabled |
| POLICY_OPTIONS | VARCHAR2(4000) | NULL | Options that were set for this policy. See Categories of Policy Enforcement Options for a listing of the possible enforcement options. |
| POLICY_SUBSCRIBED | VARCHAR2(5) | NULL | Indicates the policy's subscription status, based on the SA_POLICY_ADMIN.POLICY_SUBSCRIBE or SA_POLICY_ADMIN.POLICY_UNSUBSCRIBE procedure |

DBA_SA_PROG_PRIVS

The DBA_SA_PROG_PRIVS data dictionary view shows for the entire database information about the policy-specific privileges for program units.

Its columns are the same as ALL_SA_PROG_PRIVS.

DBA_SA_SCHEMA_POLICIES

The DBA_SA_SCHEMA_POLICIES data dictionary view shows for the entire database information about policies that have been applied to all tables in the schema.

Its columns are the same as ALL_SA_SCHEMA_POLICIES.

DBA_SA_TABLE_POLICIES

The DBA_SA_TABLE_POLICIES data dictionary view shows for the entire database information about a policy that has been added to a database table.

Its columns are the same as ALL_SA_TABLE_POLICIES.

DBA_SA_USERS

The DBA_SA_USERS data dictionary view shows for the entire database information about the privileges that Oracle Label Security users have.

Its columns are the same as ALL_SA_USERS.

DBA_SA_USER_COMPARTMENTS

The DBA_SA_USER_COMPARTMENTS data dictionary view shows for the entire database the user authorizations, based on the SA_USER_ADMIN.ADD_COMPARTMENTS procedure.

This view also indicates whether the compartments are authorized for write and read privileges.

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| POLICY_NAME | VARCHAR2(30) | NOT NULL | Name of the Oracle Label Security policy |
| USER_NAME | VARCHAR2(1024) | NOT NULL | Name of the user |
| COMP | VARCHAR2(30) | NOT NULL | Short name of compartments that were added |
| RW_ACCESS | VARCHAR2(5) | NULL | Access mode. Possible values are: SA_UTL.READ_ONLY indicates no write access; SA_UTL.READ_WRITE indicates that write is authorized |
| DEF_COMP | VARCHAR2(1) | NOT NULL | Whether the compartments are in the default compartments |
| ROW_COMP | VARCHAR2(1) | NOT NULL | Whether the compartments are in the row label |

DBA_SA_USER_GROUPS

The DBA_SA_USER_GROUPS data dictionary view shows for the entire database the groups associated with users, based on the SA_USER_ADMIN.ADD_GROUPS procedure.

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| POLICY_NAME | VARCHAR2(30) | NOT NULL | Name of the Oracle Label Security policy |
| USER_NAME | VARCHAR2(1024) | NOT NULL | Name of the user |
| GRP | VARCHAR2(30) | NOT NULL | Short name of groups that were added |
| RW_ACCESS | VARCHAR2(5) | NULL | Access mode. Possible values are: SA_UTL.READ_ONLY indicates read-only access; SA_UTL.READ_WRITE indicates read and write access |
| DEF_GROUP | VARCHAR2(1) | NOT NULL | Whether the group is in a default group |
| ROW_GROUP | VARCHAR2(1) | NOT NULL | Whether the group is in a label |

DBA_SA_USER_LABELS

The DBA_SA_USER_LABELS data dictionary view shows for the entire database label-specific information about users.

Its columns are the same as ALL_SA_USER_LABELS.

DBA_SA_USER_LEVELS

The DBA_SA_USER_LEVELS data dictionary view shows for the entire database the minimum and maximum levels that have been assigned to users.

This view also shows the default values for the user's session label and row label.

Its columns are the same as ALL_SA_USER_LEVELS.

DBA_SA_USER_PRIVS

The DBA_SA_USER_PRIVS data dictionary view shows for the current user the policy-specific privileges that have been granted to users.

Its columns are the same as ALL_SA_USER_PRIVS.

DBA_OLS_STATUS

The DBA_OLS_STATUS data dictionary view shows the configuration status of Oracle Label Security in the database.

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| NAME | VARCHAR2(20) | NULL | Name of the status. Values are OLS_CONFIGURE_STATUS, OLS_DIRECTORY_STATUS, and OLS_ENABLE_STATUS. |
| STATUS | VARCHAR2(5) | NULL | Indicates the status of the feature mentioned in the corresponding name column. For example, a TRUE value for the OLS_CONFIGURE_STATUS status says that Oracle Label Security has been configured. |
| DESCRIPTION | VARCHAR2(4000) | NULL | Description of the status. OLS_CONFIGURE_STATUS: Determines if Oracle Label Security is configured. OLS_DIRECTORY_STATUS: Determines if Oracle Internet Directory is enabled with Oracle Label Security. OLS_ENABLE_STATUS: Determines if Oracle Label Security is enabled. |

USER_SA_SESSION

The USER_SA_SESSION data dictionary view shows the security attribute values for the current database session.

Access to this view is PUBLIC.

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| POLICY_NAME | VARCHAR2(30) | NOT NULL | Name of the Oracle Label Security policy |
| SA_USER_NAME | VARCHAR2(4000) | NULL | Name of the current session user |
| PRIVS | VARCHAR2(4000) | NULL | Current session privileges |
| MAX_READ_LABEL | VARCHAR2(4000) | NULL | Label string that initialized the user's maximum authorized read label |
| MAX_WRITE_LABEL | VARCHAR2(4000) | NULL | Label string that initialized the user's maximum authorized write label |
| MIN_LEVEL | VARCHAR2(4000) | NULL | Minimum Oracle Label Security level authorized for the session |
| LABEL | VARCHAR2(4000) | NULL | Label for the current database session |
| COMP_WRITE | VARCHAR2(4000) | NULL | Compartments to which the user is authorized to write |
| GROUP_WRITE | VARCHAR2(4000) | NULL | Groups to which the user is authorized to write |
| ROW_LABEL | VARCHAR2(4000) | NULL | Row label that is associated with the policy for the current session |

Oracle Label Security User-Created Auditing View

The SA_AUDIT_ADMIN.CREATE_VIEW procedure can be used to create an audit trail view for a specific policy.

By default, this view is named DBA_policyname_AUDIT_TRAIL.

| Column | Datatype | Null | Description |
| --- | --- | --- | --- |
| USERNAME | VARCHAR2(128) | NULL | Name of the user whose actions were audited |
| USERHOST | VARCHAR2(128) | NULL | Client host machine name |
| TERMINAL | VARCHAR2(255) | NULL | Identifier of the user's terminal |
| TIMESTAMP | DATE | NULL | Date and time of the creation of the audit trail entry (date and time of user login for entries created by AUDIT SESSION) in the local database session time zone |
| OWNER | VARCHAR2(128) | NULL | Creator of the object affected by the action |
| OBJ_NAME | VARCHAR2(128) | NULL | Name of the object affected by the action |
| ACTION | NUMBER | NOT NULL | Numeric action type code. The corresponding name of the action type is in the ACTION_NAME column. |
| ACTION_NAME | VARCHAR2(47) | NULL | Name of the action type corresponding to the numeric code in the ACTION column |
| COMMENT_TEXT | VARCHAR2(4000) | NULL | Text comment on the audit trail entry, providing more information about the statement audited. Also indicates how the user was authenticated. The method can be one of the following: DATABASE (authentication was done by password); NETWORK (authentication was done by Oracle Net Services or by strong authentication) |
| SESSIONID | NUMBER | NOT NULL | Numeric ID for each Oracle session |
| ENTRYID | NUMBER | NOT NULL | Numeric ID for each audit trail entry in the session |
| STATEMENTID | NUMBER | NOT NULL | Numeric ID for each statement run |
| RETURNCODE | NUMBER | NOT NULL | Oracle error code generated by the action. Some useful values: 0 (action succeeded); 2004 (security violation) |
| EXTENDED_TIMESTAMP | TIMESTAMP (6) WITH TIME ZONE | NULL | Timestamp of the creation of the audit trail entry (timestamp of user login for entries created by AUDIT SESSION) in UTC (Coordinated Universal Time) time zone |
| OLS_COL | VARCHAR2(4000) | NULL | Name of the column that was added to the tables that Oracle Label Security protects |
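The columns above are enough to build a simple review query for repeated security violations (RETURNCODE 2004) against a policy. This is an added example, not part of the Oracle documentation: the view name assumes the default naming pattern applied to the HR_OLS_POL policy from the earlier sample output, and the one-day window and threshold of five are arbitrary values to adjust.

```sql
-- Added example: summarize security violations recorded in a policy's
-- audit trail view. DBA_HR_OLS_POL_AUDIT_TRAIL is an assumed name that
-- follows the default DBA_policyname_AUDIT_TRAIL pattern.
SELECT username,
       userhost,
       obj_name,
       action_name,
       COUNT(*)                 AS violations,
       MIN(extended_timestamp)  AS first_seen,   -- UTC, per the column description
       MAX(extended_timestamp)  AS last_seen
FROM   dba_hr_ols_pol_audit_trail
WHERE  returncode = 2004                         -- security violation
AND    extended_timestamp >= SYSTIMESTAMP - INTERVAL '1' DAY   -- assumed window
GROUP  BY username, userhost, obj_name, action_name
HAVING COUNT(*) >= 5                             -- assumed threshold
ORDER  BY violations DESC, last_seen DESC;
```

Rows appear here only for actions that the policy's audit options actually record on failure, so a user with no WHENEVER NOT SUCCESSFUL option set will not show up regardless of activity.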

Restrictions in Oracle Label Security

Several restrictions exist in this Oracle Label Security release.

These restrictions are as follows:

  • CREATE TABLE AS SELECT restriction

    If you attempt to perform CREATE TABLE AS SELECT in a schema that is protected by an Oracle Label Security policy, then the statement will fail.

  • Label tag restriction

    Label tags must be unique across the policies in the database. When you use multiple policies in a database, you cannot use the same numeric label tag in different policies.

  • Export restriction

    Before Oracle Database 12c release 1 (12.1), the LBACSYS schema could not be exported due to the use of opaque types in Oracle Label Security. An export of the entire database (parameter FULL=Y) with Oracle Label Security installed can be done, except that the LBACSYS schema would not be exported.

    From Oracle Database Release 12c on, this restriction has been removed. See Full Database Export for additional details on the database versions that the export can be supported from.

  • Oracle Label Security removal restriction

    Do not perform a DROP USER CASCADE on the LBACSYS account.

    Connect to the database as user SYS, using the AS SYSDBA syntax, and run the file $ORACLE_HOME/rdbms/admin/catnools.sql to remove Oracle Label Security.

    See Also:

    Your platform-specific Oracle installation documentation

  • Shared schema support restriction

    User accounts defined in the Oracle Internet Directory cannot be given individual Oracle Label Security authorizations. However, authorizations can be given to the shared schema to which the directory users are mapped.

    The Oracle Label Security function SET_ACCESS_PROFILE can be used programmatically to set the label authorization profile to use after a user has been authenticated and mapped to a shared schema. Oracle Label Security does not enforce a mapping between users who are given label authorizations in Oracle Label Security and actual database users.

  • Hidden columns restriction

    PL/SQL does not recognize references to hidden columns in tables. A compiler error will be generated.