Table of Contents
- Title and Copyright Information
- Preface
- Changes in This Release for Oracle Label Security Administrator's Guide
- Part I Getting Started with Oracle Label Security
  - 1 Introduction to Oracle Label Security
    - 1.1 About Oracle Label Security
    - 1.2 Benefits of Oracle Label Security
    - 1.3 Who Has Privileges to Use Oracle Label Security?
    - 1.4 Duties of Oracle Label Security Administrators
    - 1.5 Components of Oracle Label Security
    - 1.6 Oracle Label Security Architecture
    - 1.7 Oracle Label Security Administrative Interfaces
    - 1.8 Oracle Label Security Demonstration File
    - 1.9 How Oracle Label Security Works with Other Oracle Products
  - 2 Understanding Data Labels and User Labels
  - 3 Access Controls and Privileges
    - 3.1 Access Mediation
    - 3.2 How the Session Label and Row Label Work
    - 3.3 How User Authorizations Work
    - 3.4 Evaluation of Labels for Access Mediation
    - 3.5 Oracle Label Security Privileges
      - 3.5.1 Privileges Defined by Oracle Label Security Policies
      - 3.5.2 Special Access Privileges
      - 3.5.3 Special Row Label Privileges
      - 3.5.4 System Privileges, Object Privileges, and Policy Privileges
      - 3.5.5 Access Mediation and Views
      - 3.5.6 Access Mediation and Program Unit Execution
      - 3.5.7 Access Mediation and Policy Enforcement Options
    - 3.6 Working with Multiple Oracle Label Security Policies
- Part II Using Oracle Label Security Functionality
  - 4 Registering and Logging in to Oracle Label Security
  - 5 Creating an Oracle Label Security Policy
    - 5.1 About Creating Oracle Label Security Policies
    - 5.2 Step 1: Create the Label Security Policy Container
    - 5.3 Step 2: Create Data Labels for the Label Security Policy
      - 5.3.1 About Data Labels
      - 5.3.2 About Policy Level Sensitivity Components
      - 5.3.3 Creating a Policy Level Component
      - 5.3.4 About Policy Compartment Components
      - 5.3.5 Creating a Policy Compartment Component
      - 5.3.6 About Policy Group Components
      - 5.3.7 Creating a Policy Data Label Group
      - 5.3.8 About Associating the Policy Components with a Named Data Label
      - 5.3.9 Associating the Policy Components with a Named Data Label
    - 5.4 Step 3: Authorize Users for the Label Security Policy
    - 5.5 Step 4: Grant Privileges to Users and Trusted Stored Program Units
    - 5.6 Step 5: Apply the Policy to a Database Table or Schema
    - 5.7 Step 6: Add Policy Labels to Table Rows
    - 5.8 Step 7: (Optional) Configure Auditing
    - 5.9 Using Enterprise Manager Cloud Control to Create an OLS Policy
      - 5.9.1 Creating the Label Security Policy Container Using Cloud Control
      - 5.9.2 Creating Policy Components Using Cloud Control
      - 5.9.3 Creating Data Labels for the Policy Using Cloud Control
      - 5.9.4 Authorizing, Granting Privileges, and Auditing Users for a Policy Using Cloud Control
      - 5.9.5 Granting Privileges to Trusted Program Units Using Cloud Control
      - 5.9.6 Applying a Policy to a Database Table with Cloud Control
      - 5.9.7 Applying Policy Labels to Table Rows Using Cloud Control
      - 5.9.8 Auditing Oracle Label Security Policies Using Cloud Control
  - 6 Working with Labeled Data
    - 6.1 How Policy Label Column and Label Tags Work
    - 6.2 Assignments of Labels to Data Rows
    - 6.3 Presenting the Label
    - 6.4 Filtration of Data Using Labels
    - 6.5 Inserting Labeled Data
    - 6.6 Changing Session and Row Labels
  - 7 Oracle Label Security Using Oracle Internet Directory
    - 7.1 About Label Management on Oracle Internet Directory
    - 7.2 Configuring Oracle Internet Directory-Enabled Label Security
      - 7.2.1 About Configuring Oracle Internet Directory-Enabled Label Security
      - 7.2.2 Granting Permissions for Configuring OID-Enabled Oracle Label Security
      - 7.2.3 Registering a Database and Configuring OID-Enabled Oracle Label Security
      - 7.2.4 Unregistration of a Database with OID-Enabled Oracle Label Security
    - 7.3 Oracle Label Security Profiles
    - 7.4 Integrated Capabilities When Label Security Uses the Directory
    - 7.5 Oracle Label Security Policy Attributes in Oracle Internet Directory
    - 7.6 Subscription of Policies in Directory-Enabled Label Security
    - 7.7 Restrictions on New Data Label Creation
    - 7.8 Administrator Duties for Oracle Internet Directory and Oracle Label Security
    - 7.9 Bootstrapping Databases
    - 7.10 Synchronizing the Database and Oracle Internet Directory
      - 7.10.1 About Synchronizing the Database and Oracle Internet Directory
      - 7.10.2 Oracle Directory Integration and Provisioning (DIP) Provisioning Profiles
      - 7.10.3 Modifying a Provisioning Profile
      - 7.10.4 Changing the Database Connection Information for a Provisioning Profile
      - 7.10.5 Configuring OID-Enabled Oracle Label Security with Oracle Data Guard
    - 7.11 Security Roles and Permitted Actions
    - 7.12 Superseded PL/SQL Statements When OID Is Enabled with OLS
    - 7.13 Oracle Label Security Procedures for Policy Administrators
- Part III Oracle Label Security Tutorials
  - 8 Tutorial: Configuring Levels in Oracle Label Security
    - 8.1 About This Tutorial
    - 8.2 Step 1: Create a Role and User Accounts
    - 8.3 Step 2: Create the Oracle Label Security Policy Container
    - 8.4 Step 3: Create the Two Level Components for the Oracle Label Security Policy
    - 8.5 Step 4: Create the Data Labels for the Levels
    - 8.6 Step 5: Set User Authorizations for the Oracle Label Security Policy
    - 8.7 Step 6: Apply the Oracle Label Security Policy to the HR Schema
    - 8.8 Step 7: Add the Policy Labels to the HR.EMPLOYEES Table Data
    - 8.9 Step 8: Test the Oracle Label Security Policy
    - 8.10 Step 9: Optionally, Remove the Oracle Label Security Policy Components
  - 9 Tutorial: Configuring Compartments in Oracle Label Security
    - 9.1 About This Tutorial
    - 9.2 Step 1: Create an Account for Lily Leagull
    - 9.3 Step 2: Authorize Lily Leagull for the HIGHLY_SENSITIVE Level
    - 9.4 Step 3: Create Two Compartments for the Oracle Label Security Policy
    - 9.5 Step 4: Create the Data Labels for the Compartments
    - 9.6 Step 5: Assign the Labels to the Users
    - 9.7 Step 6: Add the Policy Labels to the HR.EMPLOYEES Table Data
    - 9.8 Step 7: Test the Oracle Label Security Policy
    - 9.9 Step 8: Optionally, Remove the Oracle Label Security Policy Components
  - 10 Tutorial: Configuring Groups in Oracle Label Security
    - 10.1 About This Tutorial
    - 10.2 Step 1: Create a Role and User Accounts
    - 10.3 Step 2: Create the Oracle Label Security Policy Container
    - 10.4 Step 3: Create and Authorize a Level Component for the Oracle Label Security Policy
    - 10.5 Step 4: Create and Authorize Groups for the Oracle Label Security Policy
    - 10.6 Step 5: Apply and Authorize the Policy to the Table
    - 10.7 Step 6: Add the Policy Labels to the OE.CUSTOMERS Table Data
    - 10.8 Step 7: Test the Oracle Label Security Policy
    - 10.9 Step 8: Optionally, Remove the Oracle Label Security Policy Components
- Part IV Administering an Oracle Label Security Application
  - 11 Implementing Policy Enforcement Options and Labeling Functions
    - 11.1 Oracle Label Security Policy Enforcement Options
      - 11.1.1 About Policy Enforcement Options
      - 11.1.2 Levels of Policy Enforcement Options
      - 11.1.3 Categories of Policy Enforcement Options
      - 11.1.4 Relationships of Policy Enforcement Options
      - 11.1.5 How the HIDE Policy Column Option Works
      - 11.1.6 How the Label Management Enforcement Options Work
      - 11.1.7 How the Access Control Enforcement Options Work
      - 11.1.8 How the Overriding Enforcement Options Work
      - 11.1.9 Guidelines for Using the Policy Enforcement Options
      - 11.1.10 Exemptions from Oracle Label Security Policy Enforcement
      - 11.1.11 Data Dictionary Views for Viewing Policy Options on Tables and Schemas
    - 11.2 Labeling Functions
    - 11.3 Inserting Labeled Data Using Policy Options and Labeling Functions
    - 11.4 Updating Labeled Data Using Policy Options and Labeling Functions
    - 11.5 Deletion of Labeled Data Using Policy Options and Labeling Functions
    - 11.6 SQL Predicates with an Oracle Label Security Policy
  - 12 Administering and Using Trusted Stored Program Units
  - 13 Auditing Under Oracle Label Security
  - 14 Using Oracle Label Security with a Distributed Database
    - 14.1 About the Oracle Label Security Distributed Configuration
    - 14.2 How Connections to a Remote Database Under Oracle Label Security Work
    - 14.3 Session Labels and Row Labels in Remote Sessions
    - 14.4 Labels in a Distributed Environment
    - 14.5 Oracle Label Security Policies in a Distributed Environment
    - 14.6 Replication with Oracle Label Security
  - 15 Performing DBA Functions Under Oracle Label Security
    - 15.1 Oracle Data Pump Export Use with Oracle Label Security
    - 15.2 Data Pump Import Use with Oracle Label Security
      - 15.2.1 Full Database Import for the LBACSYS Schema Metadata
      - 15.2.2 Schema and Table Level Import
    - 15.3 SQL*Loader Use with Oracle Label Security
    - 15.4 Performance Tips for Oracle Label Security
    - 15.5 Creation of Additional Databases After Installation
    - 15.6 Oracle Label Security Upgrades and Downgrades
  - 16 Releasability Using Inverse Groups
    - 16.1 About Inverse Groups and Releasability
    - 16.2 Comparison of Standard Groups and Inverse Groups
    - 16.3 How Inverse Groups Work
    - 16.4 Algorithm for Read Access with Inverse Groups
    - 16.5 Algorithm for Write Access with Inverse Groups
    - 16.6 Algorithms for COMPACCESS Privilege with Inverse Groups
    - 16.7 Session Labels and Inverse Groups
    - 16.8 Changes in Behavior of Procedures with Inverse Groups
      - 16.8.1 SA_SYSDBA.CREATE_POLICY with Inverse Groups
      - 16.8.2 SA_SYSDBA.ALTER_POLICY with Inverse Groups
      - 16.8.3 SA_USER_ADMIN.ADD_GROUPS with Inverse Groups
      - 16.8.4 SA_USER_ADMIN.ALTER_GROUPS with Inverse Groups
      - 16.8.5 SA_USER_ADMIN.SET_GROUPS with Inverse Groups
      - 16.8.6 SA_USER_ADMIN.SET_USER_LABELS with Inverse Groups
      - 16.8.7 SA_USER_ADMIN.SET_DEFAULT_LABEL with Inverse Groups
      - 16.8.8 SA_USER_ADMIN.SET_ROW_LABEL with Inverse Groups
      - 16.8.9 SA_COMPONENTS.CREATE_GROUP with Inverse Groups
      - 16.8.10 SA_COMPONENTS.ALTER_GROUP_PARENT with Inverse Groups
      - 16.8.11 SA_SESSION.SET_LABEL with Inverse Groups
      - 16.8.12 SA_SESSION.SET_ROW_LABEL with Inverse Groups
      - 16.8.13 LEAST_UBOUND with Inverse Groups
      - 16.8.14 GREATEST_LBOUND with Inverse Groups
    - 16.9 Dominance Rules for Labels with Inverse Groups
- Appendixes
  - A Disabling and Enabling Oracle Label Security
  - B Advanced Topics in Oracle Label Security
    - B.1 Analyzing the Relationships Between Labels
      - B.1.1 About Dominant and Dominated Labels
      - B.1.2 Non-Comparable Labels
      - B.1.3 Using Dominance Functions
        - B.1.3.1 About the Dominance Functions
        - B.1.3.2 OLS_DOMINATES Standalone Function
        - B.1.3.3 OLS_LABEL_DOMINATES Standalone Function
        - B.1.3.4 OLS_STRICTLY_DOMINATES Standalone Function
        - B.1.3.5 OLS_DOMINATED_BY Standalone Function
        - B.1.3.6 OLS_STRICTLY_DOMINATED_BY Standalone Function
        - B.1.3.7 SA_UTL.DOMINATES
        - B.1.3.8 SA_UTL.STRICTLY_DOMINATES
        - B.1.3.9 SA_UTL.DOMINATED_BY
        - B.1.3.10 SA_UTL.STRICTLY_DOMINATED_BY
    - B.2 Queries for Audited Oracle Label Security Session Labels
    - B.3 Oracle Call Interface for Setting Session Labels
  - C Command-line Tools for Label Security Using Oracle Internet Directory
    - C.1 About the Command-line Oracle Label Security Tools
    - C.2 Oracle Label Security Commands in Categories
    - C.3 olsadmintool Command Reference
      - C.3.1 About the olsadmintool Commands
      - C.3.2 olsadmintool addadmin
      - C.3.3 olsadmintool addpolcreator
      - C.3.4 olsadmintool adduser
      - C.3.5 olsadmintool altercompartment
      - C.3.6 olsadmintool altergroup
      - C.3.7 olsadmintool altergroupparent
      - C.3.8 olsadmintool alterlabel
      - C.3.9 olsadmintool alterlevel
      - C.3.10 olsadmintool alterpolicy
      - C.3.11 olsadmintool audit
      - C.3.12 olsadmintool createcompartment
      - C.3.13 olsadmintool creategroup
      - C.3.14 olsadmintool createlabel
      - C.3.15 olsadmintool createlevel
      - C.3.16 olsadmintool createprofile
      - C.3.17 olsadmintool createpolicy
      - C.3.18 olsadmintool describeprofile
      - C.3.19 olsadmintool dropadmin
      - C.3.20 olsadmintool dropcompartment
      - C.3.21 olsadmintool dropgroup
      - C.3.22 olsadmintool droplabel
      - C.3.23 olsadmintool droplevel
      - C.3.24 olsadmintool droppolicy
      - C.3.25 olsadmintool dropprofile
      - C.3.26 olsadmintool droppolcreator
      - C.3.27 olsadmintool dropuser
      - C.3.28 olsadmintool --help
      - C.3.29 olsadmintool listprofile
      - C.3.30 olsadmintool noaudit
    - C.4 Relating Parameters to Commands for olsadmintool
    - C.5 Examples of Using the olsadmintool Utility
      - C.5.1 Example: Making Other Users Policy Creators
      - C.5.2 Example: Creating Policies with Valid Options
      - C.5.3 Example: Creating Policy Administrators
      - C.5.4 Example: Creating Levels
      - C.5.5 Example: Creating Compartments
      - C.5.6 Example: Creating Groups
      - C.5.7 Example: Creating Labels
      - C.5.8 Example: Creating a Profile
      - C.5.9 Example: Adding a User to a Profile
      - C.5.10 Example: Adding Another User to a Profile
      - C.5.11 Example: Setting Audit Options
      - C.5.12 Results of These Examples
    - C.6 olsoidsync Command Reference
  - D Oracle Label Security in an Oracle RAC Environment
  - E Oracle Label Security PL/SQL Packages
    - E.1 SA_AUDIT_ADMIN Oracle Label Security Auditing PL/SQL Package
    - E.2 SA_COMPONENTS Label Components PL/SQL Package
      - E.2.1 About the SA_COMPONENTS PL/SQL Package
      - E.2.2 SA_COMPONENTS.ALTER_COMPARTMENT
      - E.2.3 SA_COMPONENTS.ALTER_GROUP
      - E.2.4 SA_COMPONENTS.ALTER_GROUP_PARENT
      - E.2.5 SA_COMPONENTS.ALTER_LEVEL
      - E.2.6 SA_COMPONENTS.CREATE_COMPARTMENT
      - E.2.7 SA_COMPONENTS.CREATE_GROUP
      - E.2.8 SA_COMPONENTS.CREATE_LEVEL
      - E.2.9 SA_COMPONENTS.DROP_COMPARTMENT
      - E.2.10 SA_COMPONENTS.DROP_GROUP
      - E.2.11 SA_COMPONENTS.DROP_LEVEL
    - E.3 SA_LABEL_ADMIN Label Management PL/SQL Package
    - E.4 SA_POLICY_ADMIN Policy Administration PL/SQL Package
      - E.4.1 About the SA_POLICY_ADMIN PL/SQL Package
      - E.4.2 SA_POLICY_ADMIN.ALTER_SCHEMA_POLICY
      - E.4.3 SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY
      - E.4.4 SA_POLICY_ADMIN.APPLY_TABLE_POLICY
      - E.4.5 SA_POLICY_ADMIN.DISABLE_SCHEMA_POLICY
      - E.4.6 SA_POLICY_ADMIN.DISABLE_TABLE_POLICY
      - E.4.7 SA_POLICY_ADMIN.ENABLE_SCHEMA_POLICY
      - E.4.8 SA_POLICY_ADMIN.ENABLE_TABLE_POLICY
      - E.4.9 SA_POLICY_ADMIN.POLICY_SUBSCRIBE
      - E.4.10 SA_POLICY_ADMIN.POLICY_UNSUBSCRIBE
      - E.4.11 SA_POLICY_ADMIN.REMOVE_SCHEMA_POLICY
      - E.4.12 SA_POLICY_ADMIN.REMOVE_TABLE_POLICY
    - E.5 SA_SESSION Session Management PL/SQL Package
      - E.5.1 About the SA_SESSION PL/SQL Package
      - E.5.2 SA_SESSION.COMP_READ
      - E.5.3 SA_SESSION.COMP_WRITE
      - E.5.4 SA_SESSION.GROUP_READ
      - E.5.5 SA_SESSION.GROUP_WRITE
      - E.5.6 SA_SESSION.LABEL
      - E.5.7 SA_SESSION.MAX_LEVEL
      - E.5.8 SA_SESSION.MAX_READ_LABEL
      - E.5.9 SA_SESSION.MAX_WRITE_LABEL
      - E.5.10 SA_SESSION.MIN_LEVEL
      - E.5.11 SA_SESSION.MIN_WRITE_LABEL
      - E.5.12 SA_SESSION.PRIVS
      - E.5.13 SA_SESSION.RESTORE_DEFAULT_LABELS
      - E.5.14 SA_SESSION.ROW_LABEL
      - E.5.15 SA_SESSION.SET_LABEL
      - E.5.16 SA_SESSION.SA_USER_NAME
      - E.5.17 SA_SESSION.SAVE_DEFAULT_LABELS
      - E.5.18 SA_SESSION.SET_ACCESS_PROFILE
      - E.5.19 SA_SESSION.SET_ROW_LABEL
    - E.6 SA_SYSDBA Policy Management PL/SQL Package
    - E.7 SA_USER_ADMIN PL/SQL Package
      - E.7.1 About the SA_USER_ADMIN PL/SQL Package
      - E.7.2 SA_USER_ADMIN.ADD_COMPARTMENTS
      - E.7.3 SA_USER_ADMIN.ADD_GROUPS
      - E.7.4 SA_USER_ADMIN.ALTER_COMPARTMENTS
      - E.7.5 SA_USER_ADMIN.ALTER_GROUPS
      - E.7.6 SA_USER_ADMIN.DROP_ALL_COMPARTMENTS
      - E.7.7 SA_USER_ADMIN.DROP_ALL_GROUPS
      - E.7.8 SA_USER_ADMIN.DROP_COMPARTMENTS
      - E.7.9 SA_USER_ADMIN.DROP_GROUPS
      - E.7.10 SA_USER_ADMIN.DROP_USER_ACCESS
      - E.7.11 SA_USER_ADMIN.SET_COMPARTMENTS
      - E.7.12 SA_USER_ADMIN.SET_DEFAULT_LABEL
      - E.7.13 SA_USER_ADMIN.SET_GROUPS
      - E.7.14 SA_USER_ADMIN.SET_LEVELS
      - E.7.15 SA_USER_ADMIN.SET_PROG_PRIVS
      - E.7.16 SA_USER_ADMIN.SET_ROW_LABEL
      - E.7.17 SA_USER_ADMIN.SET_USER_LABELS
      - E.7.18 SA_USER_ADMIN.SET_USER_PRIVS
    - E.8 SA_UTL PL/SQL Utility Functions and Procedures
      - E.8.1 About the SA_UTL PL/SQL Package
      - E.8.2 SA_UTL.CHECK_LABEL_CHANGE
      - E.8.3 SA_UTL.CHECK_READ
      - E.8.4 SA_UTL.CHECK_WRITE
      - E.8.5 SA_UTL.DATA_LABEL
      - E.8.6 SA_UTL.GREATEST_LBOUND
      - E.8.7 SA_UTL.LEAST_UBOUND
      - E.8.8 SA_UTL.NUMERIC_LABEL
      - E.8.9 SA_UTL.NUMERIC_ROW_LABEL
      - E.8.10 SA_UTL.SET_LABEL
      - E.8.11 SA_UTL.SET_ROW_LABEL
  - F Oracle Label Security Tables and Views
    - F.1 Oracle Database Data Dictionary Tables
    - F.2 Oracle Label Security Data Dictionary Views
      - F.2.1 ALL_SA_AUDIT_OPTIONS View
      - F.2.2 ALL_SA_COMPARTMENTS
      - F.2.3 ALL_SA_DATA_LABELS
      - F.2.4 ALL_SA_GROUPS
      - F.2.5 ALL_SA_LABELS
      - F.2.6 ALL_SA_LEVELS
      - F.2.7 ALL_SA_POLICIES
      - F.2.8 ALL_SA_PROG_PRIVS
      - F.2.9 ALL_SA_SCHEMA_POLICIES
      - F.2.10 ALL_SA_TABLE_POLICIES
      - F.2.11 ALL_SA_USERS
      - F.2.12 ALL_SA_USER_LABELS
      - F.2.13 ALL_SA_USER_LEVELS
      - F.2.14 ALL_SA_USER_PRIVS
      - F.2.15 DBA_SA_AUDIT_OPTIONS
      - F.2.16 DBA_SA_COMPARTMENTS
      - F.2.17 DBA_SA_DATA_LABELS
      - F.2.18 DBA_SA_GROUPS
      - F.2.19 DBA_SA_GROUP_HIERARCHY
      - F.2.20 DBA_SA_LABELS
      - F.2.21 DBA_SA_LEVELS
      - F.2.22 DBA_SA_POLICIES
      - F.2.23 DBA_SA_PROG_PRIVS
      - F.2.24 DBA_SA_SCHEMA_POLICIES
      - F.2.25 DBA_SA_TABLE_POLICIES
      - F.2.26 DBA_SA_USERS
      - F.2.27 DBA_SA_USER_COMPARTMENTS
      - F.2.28 DBA_SA_USER_GROUPS
      - F.2.29 DBA_SA_USER_LABELS
      - F.2.30 DBA_SA_USER_LEVELS
      - F.2.31 DBA_SA_USER_PRIVS
      - F.2.32 DBA_OLS_STATUS
      - F.2.33 USER_SA_SESSION
    - F.3 Oracle Label Security User-Created Auditing View
  - G Oracle Label Security Restrictions
  - H Frequently Asked Questions about Oracle Label Security
    - H.1 Who Uses Oracle Label Security?
    - H.2 How Can Oracle Label Security Address My Security Needs?
    - H.3 Should I Use Oracle Label Security to Protect All My Tables?
    - H.4 What Is the Difference Between Oracle Virtual Private Database and Oracle Label Security?
    - H.5 Can I Combine Oracle Virtual Private Database and Oracle Label Security?
    - H.6 Can I Use Oracle Label Security with Oracle E-Business Suite?
    - H.7 Can I Use Oracle Label Security with Oracle Database Vault?
    - H.8 Does Oracle Label Security Provide Column-Level Access Control?
    - H.9 Can I Base Secure Application Roles on Oracle Label Security?
    - H.10 What Are Trusted Stored Program Units?
    - H.11 Does VPD or OLS Add an Additional Column to the Protected Table?
    - H.12 Why Should the Additional OLS Row Label Column Be Hidden?
  - I Troubleshooting Oracle Label Security
- Index