3.12 Using GeoRaster with Workspace Manager and Label Security

Oracle Workspace Manager provides a versioning capability for the raster blocks of a GeoRaster object. Oracle Label Security supports GeoRaster objects with enhanced security at the row level of raster blocks.

To use GeoRaster with Oracle Workspace Manager or Oracle Label Security, you should create a raster data table (RDT) as a relational table for the GeoRaster objects (see Example 3-3). You do not need to define an object view of SDO_RASTER type on the base relational RDT.

• Using GeoRaster with Workspace Manager
  
• Using GeoRaster with Label Security
  

3.12.1 Using GeoRaster with Workspace Manager

With Workspace Manager, you can conveniently manage changes to the raster data by saving different raster data versions and making modifications in different workspaces. To use GeoRaster with Workspace Manager, you must use relational raster data tables for raster storage and version-enable these relational raster data tables. For example (general format):

EXECUTE DBMS_WM.EnableVersioning (<rdt_relational_table>, 'VIEW_WO_OVERWRITE');

Note:

You can version-enable only raster data tables. Do not version-enable any GeoRaster tables, where GeoRaster objects are stored, and do not perform any operations that will require a GeoRaster table to be modified while you are in a workspace.

After you version-enable a relational RDT, you can use the subprograms in the DBMS_WM package to manage changes to the raster data. If you need to directly modify a raster block, call the DBMS_WM.copyForUpdate procedure before the operation, as shown in the following example:

declare
  geor sdo_georaster;
  cond varchar2(1000);
  lb   blob;
  r1   raw(1024);
  amt  number;
begin
  r1 := utl_raw.copies(utl_raw.cast_to_raw('0'),1024);
 
  select georaster into geor from georaster_table where georid=1;
  cond := 'rasterId=' || geor.rasterId || ' AND pyramidLevel=0 AND ' ||
          ' bandBlockNumber=0 AND rowBlockNumber=0 AND columnBlockNumber=0';
  dbms_wm.copyForUpdate(geor.rasterDataTable, cond);
  sdo_geor.getRasterBlockLocator(geor, 0, 0, 0, 0, lb, null, 'TRUE');
  amt := 1024;
  dbms_lob.write(lb, amt, 1, r1);
end;
/

However, if you modify raster data using GeoRaster subprograms, you do not need to call the DBMS_WM.copyForUpdate procedure beforehand.

For information about Workspace Manager, see Oracle Database Workspace Manager Developer's Guide.

3.12.2 Using GeoRaster with Label Security

Oracle Label Security provides row-level access control for sensitive data based on a user's level of security clearance. To use GeoRaster with Label Security, follow these basic steps:

1. Create the GeoRaster table and relational RDT or RDTs.
2. Create an Oracle Label Security policy and define the label components.
3. Create labeling functions for the GeoRaster table and the relational RDT or RDTs.

   The labels for rows in a GeoRaster table should be generated according to the application's requirements. Use the same label for both the row that stores a GeoRaster object and for the GeoRaster object's raster rows in the associated RDT; otherwise, the GeoRaster objects might be invalid or have an inconsistent status.

   The following example creates the labeling function for a relational RDT:

   CREATE OR REPLACE FUNCTION gen_rdt_label(rdt_name varchar2, rid number)
     RETURN LBACSYS.LBAC_LABEL
   AS
     tabname varchar2(80);
     schema  varchar2(32);
     grcol   varchar2(1024);
     colname varchar2(30);
     label   NUMBER;
   BEGIN
     EXECUTE IMMEDIATE
      'SELECT v.owner, v.table_name, v.column_name grcol, p.column_name ' ||
      '  FROM all_sdo_geor_sysdata v, all_sa_policies p, all_sa_table_policies t '
      || ' WHERE v.rdt_table_name=:1 AND v.raster_id=:2 AND ' ||
      ' v.owner=t.schema_name AND v.table_name=t.table_name AND ' ||
      ' p.policy_name=t.policy_name ' 
      INTO schema, tabname, grcol, colname
      USING upper(rdt_name), rid;
     EXECUTE IMMEDIATE
       'SELECT t.' || colname  ||
        ' FROM ' || schema || '.' || tabname || ' t ' ||
        ' WHERE t.' || grcol || '.rasterdatatable=:1 AND ' ||
        '       t.' || grcol || '.rasterid=:2' 
       INTO label
       USING upper(rdt_name), rid;
     RETURN LBACSYS.LBAC_LABEL.NEW_LBAC_LABEL(label);
   END;
   /
   

4. Apply the Label Security policy to a GeoRaster table and its associated RDT or RDTs.

   The following example (general format) applies a Label Security policy to an RDT using the labeling function example from the preceding step.

   BEGIN
     SA_POLICY_ADMIN.REMOVE_TABLE_POLICY(<policy_name>,<schema_name>,<rdt_relational_table>);
     SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
       POLICY_NAME => <policy_name>,
       SCHEMA_NAME => <schema_name>,
       TABLE_NAME  => <rdt_relational_table>,
       TABLE_OPTIONS => 'READ_CONTROL,WRITE_CONTROL,CHECK_CONTROL',
       LABEL_FUNCTION => '<schema_name>.gen_rdt_label(<rdt_relational_table>,:new.rasterid)',
       PREDICATE => NULL);
   END;
   /
   

5. Create and authorize users, and complete other administrative tasks related to Label Security.

You can load GeoRaster data before or after applying the policy to the tables.

The ALL_SDO_GEOR_SYSDATA view (described in GeoRaster System Data Views (xxx_SDO_GEOR_SYSDATA)) contains system data for all GeoRaster objects accessible by the current user, and accessibility in this case is determined by the user's privileges as defined in the context of discretionary access control (DAC).

After the label for a GeoRaster table row is updated, ensure that the related data labels in the RDT are updated, so that the labels are synchronized.

For information about Label Security, see Oracle Label Security Administrator's Guide.