C Oracle Label Security in an Oracle RAC Environment
You can use Oracle Label Security in an Oracle Real Application Clusters (Oracle RAC) environment.
- Oracle Label Security Policy Functions in an Oracle RAC Environment
  Policy changes made on one instance are available to other instances in the Oracle Real Application Clusters (Oracle RAC) environment immediately.
- Transparent Application Failover in Oracle Label Security
  Session information is preserved on Transparent Application Failover.
C.1 Oracle Label Security Policy Functions in an Oracle RAC Environment
Policy changes made on one instance are available to other instances in the Oracle Real Application Clusters (Oracle RAC) environment immediately.
It is not necessary to restart the other instances to pick up the changes.
Important changes made on one database instance are automatically propagated to the other instances. One example would be creating a new policy. Another would be altering the policy options.
Propagating such changes ensures two valuable protections:
- That all users of the table are subject to the same policy
- That if any instance fails, continuation of its work by other instances will use the same policies and parameters that were in force immediately prior to that failure. So, if a policy had been enabled or disabled, it would be seen as such in all instances.
If an administrator changes policy information in one instance by using the policy functions listed in Table C-1, Oracle Label Security stores the relevant information about whatever that function call changed. The new information is immediately available to the other active instances in the Oracle RAC, enabling uniformity among users of the affected policies.
Table C-1 Policy Functions Preserving Status in an Oracle RAC Environment
Policy Functions | Description |
---|---|
| Creates a new policy |
| Drops an existing policy |
| Enables an existing policy |
| Disables an existing policy |
| Alters an existing policy |
C.2 Transparent Application Failover in Oracle Label Security
Session information is preserved on Transparent Application Failover.
Any changes to the session's information by way of session functions listed in Table C-2 are preserved on Transparent Application Failover.
For example, suppose a user `SCOTT` is logged on with default label `Top Secret`. If the user calls `sa_session.set_label()` to change their session label to `Secret`, and a failover to another instance occurs, they will see no change: their session label remains `Secret`.
Preserving current user session information means that the access permissions and restrictions on what data that user can see or affect remain as they were. Despite the failover, the user can see and affect only the tables and rows accessible before the failover. If preservation were not the case, failing over to another instance could cause or enable the user to see a different set of data.
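The following added example (not part of the original Oracle documentation) is one way to check this behavior on a test cluster: lower the session label, record which instance serves the session, and run the same query again after a failover. The policy name `HR_POLICY` and the short label name `S` are hypothetical, and the script assumes the session connects through a TAF-enabled service and has been granted `SELECT` on `V$SESSION`.

```sql
-- Added example. HR_POLICY and the label 'S' are hypothetical placeholders;
-- substitute a policy and a label the test user is authorized for.

-- Step 1: change the session label away from the user's default.
BEGIN
  SA_SESSION.SET_LABEL('HR_POLICY', 'S');
END;
/

-- Step 2: record the serving instance and the labels now in effect.
SELECT SYS_CONTEXT('USERENV', 'INSTANCE_NAME') AS instance_name,
       SA_SESSION.LABEL('HR_POLICY')           AS session_label,
       SA_SESSION.ROW_LABEL('HR_POLICY')       AS row_label
FROM   dual;

-- Step 3: have a DBA stop or relocate the instance reported in step 2,
-- then run the step 2 query again in this same session.
-- Expected: instance_name differs, while session_label and row_label
-- match the values recorded in step 2 (not the user's stored default).

-- Step 4: confirm that the session really went through TAF, so that an
-- unchanged label is evidence of preservation rather than of no failover.
SELECT failover_type,
       failover_method,
       failed_over
FROM   v$session
WHERE  sid = TO_NUMBER(SYS_CONTEXT('USERENV', 'SID'));
```

If the label reported after failover is the user's default rather than the value set in step 1, the session is exposing a different set of rows than before and the TAF configuration should be treated as a data-exposure issue.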
Whenever one of the session functions listed in Table C-2 is used, Oracle Label Security stores the relevant information about whatever was changed by that function call.
Table C-2 Session Functions Preserving Status in an Oracle RAC Environment
Session Functions | Description |
---|---|
| Lets the user set a new level and new compartments and groups to which they have read access |
| Lets the user set the default row label that will be applied to new rows |
| Lets the user store the current session label and row label as the default for future sessions |
| Lets the user reset the current session label and row label to the stored default settings |
| Sets the Oracle Label Security authorizations and privileges of the database session to those of the specified user |