4 Registering and Logging in to Oracle Label Security
Before using Oracle Label Security, you must register (configure) it with the database and then you can log in to Oracle Label Security.
- Registering Oracle Label Security with an Oracle Database
You must register Oracle Label Security with the database in which you plan to use it. - Security Guideline for Managing the Oracle Label Security Administrative User
You must create a special administrative user who will be responsible for managing Oracle Label Security. - Logging in to Cloud Control or SQL*Plus for Oracle Label Security
After you complete the Oracle Label Security registration and enablement process, you can begin using it.
Parent topic: Using Oracle Label Security Functionality
4.1 Registering Oracle Label Security with an Oracle Database
You must register Oracle Label Security with the database in which you plan to use it.
- About Registering Oracle Label Security
When you install Oracle Database, Oracle Label Security is included in the installation but by default it is not enabled. - Checking if Oracle Label Security Has Been Registered and Enabled
You can query theDBA_OLS_STATUS
data dictionary view to find if Oracle Label Security has already been registered and enabled. - Registering and Enabling Oracle Label Security from SQL*Plus
You can both register and enable Oracle Label Security from SQL*Plus. - Registering and Enabling Oracle Label Security Using DBCA
You can both register and enable Oracle Label Security using Database Configuration Assistant. - Recompiling Oracle Label Security
If invalid objects appear in Oracle Label Security after you have upgraded, then you must recompile Oracle Label Security to remove these invalid objects.
Parent topic: Registering and Logging in to Oracle Label Security
4.1.1 About Registering Oracle Label Security
When you install Oracle Database, Oracle Label Security is included in the installation but by default it is not enabled.
This applies if you install Oracle Database by using the Typical installation method in Database Configuration Assistant (DBCA). If you install using a custom installation, then you can optionally register Oracle Label Security from DBCA as part of the Oracle Database installation process.
If you installed using the Typical installation method, then you must manually register (enable) Oracle Label Security before you can use it. You have the choice of using either SQL*Plus or DBCA to perform the registration.
After Oracle Label Security is registered, you must you must create an Oracle Label Security administrative user and grant it the LBAC_DBA
role and EXECUTE
privileges on the Oracle Label Security management packages. Afterward, you can disable and re-enable Oracle Label Security when necessary.
Only register Oracle Label Security in the pluggable databases (PDBs) in which you plan to create Oracle Label Security policies. Because Oracle Label Security is not designed to protect data dictionary objects, you cannot create policies in the root.
4.1.2 Checking if Oracle Label Security Has Been Registered and Enabled
You can query the DBA_OLS_STATUS
data dictionary view to find if Oracle Label Security has already been registered and enabled.
4.1.3 Registering and Enabling Oracle Label Security from SQL*Plus
You can both register and enable Oracle Label Security from SQL*Plus.
4.1.4 Registering and Enabling Oracle Label Security Using DBCA
You can both register and enable Oracle Label Security using Database Configuration Assistant.
4.1.5 Recompiling Oracle Label Security
If invalid objects appear in Oracle Label Security after you have upgraded, then you must recompile Oracle Label Security to remove these invalid objects.
catuppst.sql
script, CATCL
errors, ORA-06550: identifier must be declared
errors, or ORA-942 (OLS Is Invalid)
errors.
Related Topics
4.2 Security Guideline for Managing the Oracle Label Security Administrative User
You must create a special administrative user who will be responsible for managing Oracle Label Security.
In previous releases, Oracle Label Security provided a special user, LBACSYS
, for users who were responsible for managing Oracle Label Security. An Oracle Label Security administrator must not use LBACSYS
, because this term has been a dictionary protected user since release 21c. Therefore, you must have a named user designated as an Oracle Label Security administrator. The LBAC_DBA
role itself does not have all the necessary privileges.
To create an Oracle Label Security administrative user, create a user who has the appropriate privileges. For example:
CREATE USER "SA_DEMO" IDENTIFIED BY "SA_DEMO";
GRANT CONNECT, RESOURCE, UNLIMITED TABLESPACE, SELECT_CATALOG_ROLE TO SA_DEMO;
GRANT EXECUTE ON SA_COMPONENTS TO SA_DEMO WITH GRANT OPTION;
GRANT EXECUTE ON SA_USER_ADMIN TO SA_DEMO WITH GRANT OPTION;
GRANT EXECUTE ON SA_USER_ADMIN TO SA_DEMO WITH GRANT OPTION;
GRANT EXECUTE ON SA_LABEL_ADMIN TO SA_DEMO WITH GRANT OPTION;
GRANT EXECUTE ON SA_POLICY_ADMIN TO SA_DEMO WITH GRANT OPTION;
GRANT EXECUTE ON SA_AUDIT_ADMIN TO SA_DEMO WITH GRANT OPTION;
GRANT EXECUTE ON SA_SYSDBA TO SA_DEMO;
GRANT EXECUTE ON TO_LBAC_DATA_LABEL TO SA_DEMO;
GRANT LBAC_DBA TO SA_DEMO;
When users create Oracle Label Security policies, Oracle Label Security creates and grants to the user a special role for the policy named in the format of policy_DBA
. Only a user who has this role and the EXECUTE
privilege on the SA_POLICY_ADMIN
package can manage the policy The LBAC_DBA
role does not provide privileges to manage the policy.
Parent topic: Registering and Logging in to Oracle Label Security
4.3 Logging in to Cloud Control or SQL*Plus for Oracle Label Security
After you complete the Oracle Label Security registration and enablement process, you can begin using it.
- Logging in to Oracle Label Security from Enterprise Manager Cloud Control
From Enterprise Manager Cloud Control, you use the Oracle Label Security pages to create and manage Oracle Label Security policies. - Logging in to Oracle Label Security from SQL*Plus
You can log in to Oracle Label Security from SQL*Plus if you have been granted theLBAC_DBA
database role.
Parent topic: Registering and Logging in to Oracle Label Security
4.3.1 Logging in to Oracle Label Security from Enterprise Manager Cloud Control
From Enterprise Manager Cloud Control, you use the Oracle Label Security pages to create and manage Oracle Label Security policies.
4.3.2 Logging in to Oracle Label Security from SQL*Plus
You can log in to Oracle Label Security from SQL*Plus if you have been granted the LBAC_DBA
database role.
-
To use Oracle Label Security from SQL*Plus, connect as the Oracle Label Security administrator user.
For example:
sqlplus ols_admin@pdb_name Enter password: password
To find the available PDBs, query the DBA_PDBS
data dictionary view. To check the current PDB, run the show con_name
command.