4 Registering and Logging in to Oracle Label Security

Before using Oracle Label Security, you must register (configure) it with the database and then you can log in to Oracle Label Security.

4.1 Registering Oracle Label Security with an Oracle Database

You must register Oracle Label Security with the database in which you plan to use it.

4.1.1 About Registering Oracle Label Security

When you install Oracle Database, Oracle Label Security is included in the installation but by default it is not enabled.

This applies if you install Oracle Database by using the Typical installation method in Database Configuration Assistant (DBCA). If you install using a custom installation, then you can optionally register Oracle Label Security from DBCA as part of the Oracle Database installation process.

If you installed using the Typical installation method, then you must manually register (enable) Oracle Label Security before you can use it. You have the choice of using either SQL*Plus or DBCA to perform the registration.

After Oracle Label Security is registered, you must create an Oracle Label Security administrative user and grant it the LBAC_DBA role and EXECUTE privileges on the Oracle Label Security management packages. Afterward, you can disable and re-enable Oracle Label Security when necessary.

Only register Oracle Label Security in the pluggable databases (PDBs) in which you plan to create Oracle Label Security policies. Because Oracle Label Security is not designed to protect data dictionary objects, you cannot create policies in the root.

4.1.2 Checking if Oracle Label Security Has Been Registered and Enabled

You can query the DBA_OLS_STATUS data dictionary view to find if Oracle Label Security has already been registered and enabled.

  1. Log into the appropriate PDB as user SYS with the SYSDBA administrative privilege.
    sqlplus sys@pdb_name as sysdba
    Enter password: password
    

    To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.

  2. Run the following query:
    SELECT * FROM DBA_OLS_STATUS;
    
    NAME                 STATUS  DESCRIPTION        
    -------------------- ------- -------------------------------------
    OLS_CONFIGURE_STATUS TRUE    Determines if OLS is configured
    OLS_ENABLE_STATUS    TRUE    Determines if OLS is enabled

4.1.3 Registering and Enabling Oracle Label Security from SQL*Plus

You can both register and enable Oracle Label Security from SQL*Plus.

  1. Log into the appropriate PDB as user SYS with the SYSDBA administrative privilege.
    sqlplus sys@pdb_name as sysdba
    Enter password: password
    

    To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.

  2. Register and enable Oracle Label Security as follows.
    EXEC LBACSYS.CONFIGURE_OLS; -- This procedure registers Oracle Label Security.
    EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS; -- This procedure enables it.
    

    When you invoke LBACSYS.CONFIGURE_OLS, all pending transactions are committed; they cannot be rolled back, even if LBACSYS.CONFIGURE_OLS fails. LBACSYS.CONFIGURE_OLS can fail for reasons such as a pre-existing LBAC_TRIGGER schema.

  3. Close and reopen the PDB.

    For example:

    ALTER PLUGGABLE DATABASE pdb_name CLOSE IMMEDIATE;
    ALTER PLUGGABLE DATABASE pdb_name OPEN;
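The following script is an added example and is not part of the Oracle documentation. It combines the check in 4.1.2 with the registration steps above: it refuses to run in CDB$ROOT (policies cannot be created there), queries DBA_OLS_STATUS, and calls LBACSYS.CONFIGURE_OLS and LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS only for the step that is still needed. Run it as SYS with SYSDBA in the target PDB; the dynamic SQL is used so the block compiles even before OLS is registered.

```sql
-- Added example (not Oracle's own code): idempotent OLS registration in the current PDB.
SET SERVEROUTPUT ON
DECLARE
  v_con_name   VARCHAR2(128);
  v_configured VARCHAR2(5);
  v_enabled    VARCHAR2(5);
BEGIN
  -- Guard: OLS must be registered in a PDB, never in the root container.
  v_con_name := SYS_CONTEXT('USERENV', 'CON_NAME');
  IF v_con_name = 'CDB$ROOT' THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Connected to CDB$ROOT; connect to the PDB in which OLS policies will be created.');
  END IF;

  -- Read both status rows from DBA_OLS_STATUS in one pass (values are TRUE/FALSE strings).
  SELECT NVL(MAX(CASE WHEN name = 'OLS_CONFIGURE_STATUS' THEN status END), 'FALSE'),
         NVL(MAX(CASE WHEN name = 'OLS_ENABLE_STATUS'    THEN status END), 'FALSE')
    INTO v_configured, v_enabled
    FROM dba_ols_status;

  IF v_configured = 'TRUE' THEN
    DBMS_OUTPUT.PUT_LINE('OLS already registered in ' || v_con_name);
  ELSE
    -- CONFIGURE_OLS commits all pending transactions; they cannot be rolled back
    -- even if the call fails (for example, a pre-existing LBAC_TRIGGER schema).
    EXECUTE IMMEDIATE 'BEGIN LBACSYS.CONFIGURE_OLS; END;';
    DBMS_OUTPUT.PUT_LINE('OLS registered in ' || v_con_name);
  END IF;

  IF v_enabled = 'TRUE' THEN
    DBMS_OUTPUT.PUT_LINE('OLS already enabled in ' || v_con_name);
  ELSE
    EXECUTE IMMEDIATE 'BEGIN LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS; END;';
    DBMS_OUTPUT.PUT_LINE('OLS enabled in ' || v_con_name ||
                         '; close and reopen this PDB to complete the change.');
  END IF;
END;
/
```

Re-run the DBA_OLS_STATUS query after the PDB has been closed and reopened to confirm both rows read TRUE.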

4.1.4 Registering and Enabling Oracle Label Security Using DBCA

You can both register and enable Oracle Label Security using Database Configuration Assistant.

  1. Start Database Configuration Assistant (DBCA).
    • UNIX: Run the following command:

      $ORACLE_HOME/bin/dbca
      
    • Windows: From the Start menu, click All Programs. Then click Oracle - ORACLE_HOME, then Configuration and Migration Tools, and then Database Configuration Assistant.

    The Welcome screen appears.

  2. Click Next.

    The Operations screen appears.

  3. Select Configure Database Options. Click Next.

    The Database screen appears.

  4. From the list, select the database where you need to configure and enable OLS. Click Next.

    The Database Content screen appears.

  5. Select Oracle Label Security. Click Next.

    The Connection Mode screen appears.

  6. Select either Dedicated Server Mode or Shared Server Mode. Click Finish.

    A dialog box is displayed informing you that the operation will require the database to be restarted.

  7. Click OK.

    A confirmation dialog box is displayed.

  8. Click OK.

    The DBCA progress screen is displayed.

  9. After the operation is complete, you are prompted to perform another operation. Click No to exit DBCA.

4.1.5 Recompiling Oracle Label Security

If invalid objects appear in Oracle Label Security after you have upgraded, then you must recompile Oracle Label Security to remove these invalid objects.

Errors such as the following indicate that there are invalid objects: failures with the catuppst.sql script, CATCL errors, ORA-06550: identifier must be declared errors, or ORA-942 (OLS Is Invalid) errors.

  1. Disable and then enable Oracle Label Security.

  2. Recompile the objects within LBACSYS.
    EXEC DBMS_UTILITY.COMPILE_SCHEMA(SCHEMA => 'LBACSYS');

  3. If dependent database objects require recompilation as well, then recompile all the database objects, as follows:
    @$ORACLE_HOME/rdbms/admin/utlrp.sql

  4. In the appropriate PDB, use SQL*Plus to validate Oracle Label Security.
    EXECUTE SYS.VALIDATE_OLS;

  5. If the utlrp.sql script compiles all the OLS (LBACSYS) objects successfully, and there are no errors during compilation, then run the following command to list information about Oracle Label Security components that are loaded into the component registry:
    EXECUTE DBMS_REGISTRY.VALID('OLS');

4.2 Security Guideline for Managing the Oracle Label Security Administrative User

You must create a special administrative user who will be responsible for managing Oracle Label Security.

In previous releases, Oracle Label Security provided a special user, LBACSYS, for users who were responsible for managing Oracle Label Security. An Oracle Label Security administrator must not use LBACSYS, because this account has been a dictionary-protected user since release 21c. Therefore, you must have a named user designated as an Oracle Label Security administrator. The LBAC_DBA role by itself does not have all the necessary privileges.

To create an Oracle Label Security administrative user, create a user who has the appropriate privileges. For example:

CREATE USER "SA_DEMO" IDENTIFIED BY "SA_DEMO";
GRANT CONNECT, RESOURCE, UNLIMITED TABLESPACE, SELECT_CATALOG_ROLE TO SA_DEMO;
GRANT EXECUTE ON SA_COMPONENTS TO SA_DEMO WITH GRANT OPTION;
GRANT EXECUTE ON SA_USER_ADMIN TO SA_DEMO WITH GRANT OPTION;
GRANT EXECUTE ON SA_LABEL_ADMIN TO SA_DEMO WITH GRANT OPTION;
GRANT EXECUTE ON SA_POLICY_ADMIN TO SA_DEMO WITH GRANT OPTION;
GRANT EXECUTE ON SA_AUDIT_ADMIN TO SA_DEMO WITH GRANT OPTION;
GRANT EXECUTE ON SA_SYSDBA TO SA_DEMO;
GRANT EXECUTE ON TO_LBAC_DATA_LABEL TO SA_DEMO;
GRANT LBAC_DBA TO SA_DEMO;

When a user creates an Oracle Label Security policy, Oracle Label Security creates and grants to that user a special role for the policy, named in the format policy_DBA. Only a user who has this role and the EXECUTE privilege on the SA_POLICY_ADMIN package can manage the policy. The LBAC_DBA role does not provide privileges to manage the policy.
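The following audit query is an added example, not part of the Oracle documentation. It checks an Oracle Label Security administrative account against the grants listed above by reading the standard DBA_TAB_PRIVS and DBA_ROLE_PRIVS views, so a missing EXECUTE privilege or role shows up before the administrator hits an error. It assumes the packages and function are owned by LBACSYS and uses the documentation's SA_DEMO account as the example; substitute your own administrator name in the DEFINE line.

```sql
-- Added example (not Oracle's own code): verify an OLS administrator's grants.
-- Run as SYS or a user with SELECT_CATALOG_ROLE in the PDB where OLS is registered.
DEFINE ols_admin = SA_DEMO

-- Which required LBACSYS packages/functions the account can and cannot execute.
WITH required (object_name) AS (
  SELECT 'SA_COMPONENTS'      FROM DUAL UNION ALL
  SELECT 'SA_USER_ADMIN'      FROM DUAL UNION ALL
  SELECT 'SA_LABEL_ADMIN'     FROM DUAL UNION ALL
  SELECT 'SA_POLICY_ADMIN'    FROM DUAL UNION ALL
  SELECT 'SA_AUDIT_ADMIN'     FROM DUAL UNION ALL
  SELECT 'SA_SYSDBA'          FROM DUAL UNION ALL
  SELECT 'TO_LBAC_DATA_LABEL' FROM DUAL
)
SELECT r.object_name,
       CASE WHEN p.grantee IS NULL THEN 'MISSING' ELSE 'GRANTED' END AS execute_priv,
       NVL(p.grantable, '-')                                         AS with_grant_option
  FROM required r
  LEFT JOIN dba_tab_privs p
    ON  p.grantee    = UPPER('&ols_admin')
    AND p.owner      = 'LBACSYS'
    AND p.table_name = r.object_name
    AND p.privilege  = 'EXECUTE'
 ORDER BY r.object_name;

-- The LBAC_DBA role must be granted to the account directly.
SELECT CASE WHEN COUNT(*) > 0 THEN 'GRANTED' ELSE 'MISSING' END AS lbac_dba_role
  FROM dba_role_privs
 WHERE grantee      = UPPER('&ols_admin')
   AND granted_role = 'LBAC_DBA';

-- Policy-specific roles (policy_DBA) created when this account defines policies.
SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = UPPER('&ols_admin')
   AND granted_role LIKE '%\_DBA' ESCAPE '\'
   AND granted_role <> 'LBAC_DBA'
 ORDER BY granted_role;
```

Any row reporting MISSING in the first two results corresponds to one of the GRANT statements above that still has to be issued for the account.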

4.3 Logging in to Cloud Control or SQL*Plus for Oracle Label Security

After you complete the Oracle Label Security registration and enablement process, you can begin using it.

4.3.1 Logging in to Oracle Label Security from Enterprise Manager Cloud Control

From Enterprise Manager Cloud Control, you use the Oracle Label Security pages to create and manage Oracle Label Security policies.

  1. Ensure that you have configured the Cloud Control target databases that you plan to use with Oracle Label Security.

    See the Oracle Enterprise Manager online help for more information about configuring target databases.

  2. Point your browser to the Cloud Control login page.

    For example:

    https://myserver.example.com:7799/em
    
  3. Log into Cloud Control as user SYSMAN.
  4. In the Cloud Control home page, from the Targets menu, select Databases.
  5. In the Databases page, select the link for the database to which you want to connect.

    The Database home page appears.

  6. From the Security menu, select Label Security.

    The Database Login page appears.

  7. Enter the following information:
    • Username: Enter the Oracle Label Security administrator user name.

    • Password: Enter the password.

    • Role: Select NORMAL from the list.

    • Save As: Select this check box if you want these credentials to be automatically filled in for you the next time that this page appears. The credentials are stored in Enterprise Manager in a secured manner. Access to these credentials depends on the user who is currently logged in.

4.3.2 Logging in to Oracle Label Security from SQL*Plus

You can log in to Oracle Label Security from SQL*Plus if you have been granted the LBAC_DBA database role.

  • To use Oracle Label Security from SQL*Plus, connect as the Oracle Label Security administrator user.

For example:

sqlplus ols_admin@pdb_name
Enter password: password

To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.