1. Graph Developer's Guide for RDF Graph
  2. Reference Information
  3. SEM_RDFSA Package Subprograms
  4. SEM_RDFSA.APPLY_OLS_POLICY

18.1 SEM_RDFSA.APPLY_OLS_POLICY

Format

SEM_RDFSA.APPLY_OLS_POLICY(
     policy_name    IN VARCHAR2, 
     rdfsa_options  IN NUMBER  DEFAULT SEM_RDFSA.SECURE_SUBJECT, 
     table_options  IN VARCHAR2 DEFAULT 'ALL_CONTROL', 
     label_function IN VARCHAR2 DEFAULT NULL, 
     predicate      IN VARCHAR2 DEFAULT NULL,
     network_owner  IN VARCHAR2 DEFAULT NULL,
     network_name   IN VARCHAR2 DEFAULT NULL);

Description

Applies an OLS policy to the semantic data store.

Parameters

policy_name

Name of an existing OLS policy.

rdfsa_options

Options specifying the mode of fine-grained access control to be enabled for RDF data. The default option for securing RDF data involves assigning sensitivity labels for the resources appearing the triples' subject position. You can override the defaults by using the rdfsa_options parameter and specifying one of the constants defined in Table 18-1 in the Usage Notes.

table_options

Policy enforcement options. The default value (ALL_CONTROL) is the only supported value for this procedure.

label_function

A string invoking a function to return a label value to use as the default.

predicate

An additional predicate to combine with the label-based predicate.

network_owner

Owner of the semantic network. (See Table 1-2.)

network_name

Name of the semantic network. (See Table 1-2.)

Usage Notes

The OLS policy specified with this procedure must be created with CTXT1 as the column name, and it should use default policy options. For information about policy options, see Oracle Label Security Administrator's Guide.

This procedure invokes the sa_policy_admin.apply_table_policy procedure on multiple tables defined in the semantic network. The parameters table_options, label_function, and predicate for the SEM_RDFSA.APPLY_OLS_POLICY procedure have same semantics as the parameters with same names in the sa_policy_admin.apply_table_policy procedure.

For the rdfsa_options parameter, you can specify the package constant for the desired option. Table 18-1 lists these constants and their descriptions.

Table 18-1 SEM_RDFSA Package Constants for rdfsa_options Parameter

Constant Description

SEM_RDFSA.SECURE_SUBJECT

Assigns sensitivity labels for the resources appearing the triples' subject position.

SEM_RDFSA.SECURE_PREDICATE

Assigns sensitivity labels for the resources appearing the triples' predicate position.

SEM_RDFSA.SECURE_OBJECT

Assigns sensitivity labels for the resources appearing the triples' object position.

SEM_RDFSA.TRIPLE_LEVEL_ONLY

Applies triple-level security. Provides good performance, and eliminates the need to assign labels to individual resources. (Requires that Patch 9819833, available from My Oracle Support, be installed.)

SEM_RDFSA.OPT_DEFINE_BEFORE_USE

Restricts the use of an RDF resource in a triple before the sensitivity label is defined for the resource. If this option is not specified, the user's initial row label is used as the default label for the resource upon first use.

SEM_RDFSA.OPT_RELAX_TRIPLE_LABEL

Relaxes the dominating relationship that exists between the triple label and the labels associated with all its components. With this option, a triple can be defined if the user has READ access to all the triple components and the triple label may not bear any relationship with the component labels. Without this option, the triple label should at least cover the label for all its components.

You can specify a function in the label_function parameter to generate custom labels for newly inserted triples. The label function is associated with the RDF_LINK$ table, and the columns in this table may be configured as parameters to the label function as shown in the following example: 

fgac_admin.new_triple_label(:new.model_id,
                            :new.start_node_id,
                            :new.p_value_id,
                            :new.canon_end_node_id)'

Because the OLS policy is applied to more than one table with different structures, the only valid column reference in any predicates assigned to the predicate parameter is that of the label column: CTXT1. If OLS is enabled for a semantic data store with existing data, you can specify a predicate of the form 'OR CTXT1 is null' to be able to continue using this data with no access restrictions.

An OLS-enabled semantic data store uses sensitivity labels for all the RDF triples organized in multiple models. User access to such triples, through model views and SEM_MATCH queries, is restricted by the OLS policy. Additionally, independent of a user owning the semantic model, access to the triple column (of type SDO_RDF_TRIPLE_S) in the RDFT triple view is restricted to users with FULL access privileges with the OLS policy.

The triples are inserted into a specific RDF model using the INSERT privileges on the corresponding RDFT triple view. A sensitivity label for the new triple is generated using the user's session context (initial row label) or the label function. The triple is validated for any RDF policy violations using labels associated with the triple components. Although the triple information may not be accessed through the RDFT triple view, the model view may be queried to access the triples, while enforcing the OLS policy restrictions. If you have the necessary policy privileges (such as writeup, writeacross), you can update the CTXT1 column in the model view to reset the label assigned to the triple. The new label is automatically validated for any RDF policy violations involving the triple components. Update privilege on the CTXT1 column of the model view is granted to the owner of the model, and this user may selectively grant this privilege to other users.

If the RDF models are created in schemas other than the user with FULL access, necessary privileges on the model objects -- specifically, read/write access on the RDFT triple view, read access to the model view, and write access to the CTXT1 column in the model view -- can be granted to such users for maintenance operations. These operations include bulk loading into the model, resetting any sensitivity labels assigned to the triples, and creating entailments using the model.

To disable the OLS policy, use the SEM_RDFSA.DISABLE_OLS_POLICY procedure.

For information about support for OLS, see Fine-Grained Access Control for RDF Data.

For information about semantic network types and options, see RDF Networks.

Examples

The following example enable secure access to RDF data with secure subject and secure predicate options.

begin
  sem_rdfsa.apply_ols_policy(
        policy_name   => 'defense',
        rdfsa_options => sem_rdfsa.SECURE_SUBJECT+
                         sem_rdfsa.SECURE_PREDICATE,
        network_owner => 'RDFUSER',
        network_name  => 'NET1'); 
end;
/

The following example extends the preceding example by specifying a Define Before Use option, which allows a user to define a triple only if the triple components secured (Subject, Predicate or Object) are predefined with an associated sensitivity label. This configuration is effective if the user inserting the triple does not have execute privileges on the SEM_RDFSA package.

begin
  sem_rdfsa.apply_ols_policy(
        policy_name   => 'defense',
        rdfsa_options => sem_rdfsa.SECURE_SUBJECT+
                         sem_rdfsa.SECURE_PREDICATE+
                         sem_rdfsa.OPT_DEFINE_BEFORE_USE,
        network_owner => 'RDFUSER',
        network_name  => 'NET1'); 
end;
/

Parent topic: SEM_RDFSA Package Subprograms