18.1 SEM_RDFSA.APPLY_OLS_POLICY
Format
```sql
SEM_RDFSA.APPLY_OLS_POLICY(
     policy_name    IN VARCHAR2,
     rdfsa_options  IN NUMBER   DEFAULT SEM_RDFSA.SECURE_SUBJECT,
     table_options  IN VARCHAR2 DEFAULT 'ALL_CONTROL',
     label_function IN VARCHAR2 DEFAULT NULL,
     predicate      IN VARCHAR2 DEFAULT NULL,
     network_owner  IN VARCHAR2 DEFAULT NULL,
     network_name   IN VARCHAR2 DEFAULT NULL);
```
Description
Applies an OLS policy to the semantic data store.
Parameters
- policy_name: Name of an existing OLS policy.
- rdfsa_options: Options specifying the mode of fine-grained access control to be enabled for RDF data. The default option for securing RDF data assigns sensitivity labels to the resources appearing in the triples' subject position. You can override the default by using the rdfsa_options parameter and specifying one of the constants defined in Table 18-1 in the Usage Notes.
- table_options: Policy enforcement options. The default value (ALL_CONTROL) is the only supported value for this procedure.
- label_function: A string invoking a function that returns a label value to use as the default.
- predicate: An additional predicate to combine with the label-based predicate.
- network_owner: Owner of the semantic network. (See Table 1-2.)
- network_name: Name of the semantic network. (See Table 1-2.)
Usage Notes
The OLS policy specified with this procedure must be created with CTXT1 as the column name, and it should use default policy options. For information about policy options, see Oracle Label Security Administrator's Guide.
This procedure invokes the sa_policy_admin.apply_table_policy procedure on multiple tables defined in the semantic network. The parameters table_options, label_function, and predicate of the SEM_RDFSA.APPLY_OLS_POLICY procedure have the same semantics as the parameters with the same names in the sa_policy_admin.apply_table_policy procedure.
For the rdfsa_options parameter, you can specify the package constant for the desired option. Table 18-1 lists these constants and their descriptions.
Table 18-1 SEM_RDFSA Package Constants for rdfsa_options Parameter
Constant | Description |
---|---|
SEM_RDFSA.SECURE_SUBJECT | Assigns sensitivity labels to the resources appearing in the triples' subject position. |
SEM_RDFSA.SECURE_PREDICATE | Assigns sensitivity labels to the resources appearing in the triples' predicate position. |
SEM_RDFSA.SECURE_OBJECT | Assigns sensitivity labels to the resources appearing in the triples' object position. |
SEM_RDFSA.TRIPLE_LEVEL_ONLY | Applies triple-level security. Provides good performance and eliminates the need to assign labels to individual resources. (Requires that Patch 9819833, available from My Oracle Support, be installed.) |
SEM_RDFSA.OPT_DEFINE_BEFORE_USE | Restricts the use of an RDF resource in a triple until a sensitivity label has been defined for the resource. If this option is not specified, the user's initial row label is used as the default label for the resource upon first use. |
SEM_RDFSA.OPT_RELAX_TRIPLE_LABEL | Relaxes the dominating relationship that exists between the triple label and the labels associated with all its components. With this option, a triple can be defined if the user has READ access to all the triple components, and the triple label need not bear any relationship to the component labels. Without this option, the triple label must at least cover the labels of all its components. |
You can specify a function in the label_function parameter to generate custom labels for newly inserted triples. The label function is associated with the RDF_LINK$ table, and the columns in this table may be passed as parameters to the label function, as shown in the following example:
```sql
'fgac_admin.new_triple_label(:new.model_id, :new.start_node_id, :new.p_value_id, :new.canon_end_node_id)'
```
Because the OLS policy is applied to more than one table with different structures, the only valid column reference in any predicate assigned to the predicate parameter is that of the label column: CTXT1. If OLS is enabled for a semantic data store with existing data, you can specify a predicate of the form 'OR CTXT1 is null' to be able to continue using this data with no access restrictions.
An OLS-enabled semantic data store uses sensitivity labels for all the RDF triples organized in multiple models. User access to such triples, through model views and SEM_MATCH queries, is restricted by the OLS policy. Additionally, independent of a user owning the semantic model, access to the triple column (of type SDO_RDF_TRIPLE_S) in the RDFT triple view is restricted to users with FULL access privileges with the OLS policy.
The triples are inserted into a specific RDF model using the INSERT privileges on the corresponding RDFT triple view. A sensitivity label for the new triple is generated using the user's session context (initial row label) or the label function. The triple is validated for any RDF policy violations using labels associated with the triple components. Although the triple information may not be accessed through the RDFT triple view, the model view may be queried to access the triples, while enforcing the OLS policy restrictions. If you have the necessary policy privileges (such as writeup, writeacross), you can update the CTXT1 column in the model view to reset the label assigned to the triple. The new label is automatically validated for any RDF policy violations involving the triple components. Update privilege on the CTXT1 column of the model view is granted to the owner of the model, and this user may selectively grant this privilege to other users.
If the RDF models are created in schemas other than the user with FULL access, necessary privileges on the model objects -- specifically, read/write access on the RDFT triple view, read access to the model view, and write access to the CTXT1 column in the model view -- can be granted to such users for maintenance operations. These operations include bulk loading into the model, resetting any sensitivity labels assigned to the triples, and creating entailments using the model.
To disable the OLS policy, use the SEM_RDFSA.DISABLE_OLS_POLICY procedure.
For information about support for OLS, see Fine-Grained Access Control for RDF Data.
For information about semantic network types and options, see RDF Networks.
Examples
The following example enables secure access to RDF data with the secure subject and secure predicate options.
```sql
begin
  sem_rdfsa.apply_ols_policy(
    policy_name   => 'defense',
    rdfsa_options => sem_rdfsa.SECURE_SUBJECT + sem_rdfsa.SECURE_PREDICATE,
    network_owner => 'RDFUSER',
    network_name  => 'NET1');
end;
/
```
The following example extends the preceding example by specifying the Define Before Use option, which allows a user to define a triple only if the secured triple components (Subject, Predicate, or Object) have been predefined with an associated sensitivity label. This configuration is effective if the user inserting the triple does not have execute privileges on the SEM_RDFSA package.
```sql
begin
  sem_rdfsa.apply_ols_policy(
    policy_name   => 'defense',
    rdfsa_options => sem_rdfsa.SECURE_SUBJECT
                   + sem_rdfsa.SECURE_PREDICATE
                   + sem_rdfsa.OPT_DEFINE_BEFORE_USE,
    network_owner => 'RDFUSER',
    network_name  => 'NET1');
end;
/
```
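The following block is an added example, not part of the Oracle documentation, combining the label_function and predicate parameters described in the Usage Notes for a network that already contains unlabeled triples. The body of fgac_admin.new_triple_label, its LBACSYS.LBAC_LABEL return type via to_lbac_data_label, and the label string 'SE' are assumptions for illustration; the policy and network names are those of the preceding examples.

```sql
-- Assumed label function: receives the RDF_LINK$ columns named in the Usage Notes
-- and returns an OLS data label for the 'defense' policy. A production function
-- would derive the label from the component ids instead of a fixed 'SE' level.
CREATE OR REPLACE FUNCTION fgac_admin.new_triple_label (
    p_model_id          IN NUMBER,
    p_start_node_id     IN NUMBER,
    p_p_value_id        IN NUMBER,
    p_canon_end_node_id IN NUMBER)
RETURN lbacsys.lbac_label
AS
BEGIN
    -- 'SE' is an assumed level short name defined in the 'defense' policy.
    RETURN to_lbac_data_label('defense', 'SE');
END;
/

BEGIN
  sem_rdfsa.apply_ols_policy(
    policy_name    => 'defense',
    rdfsa_options  => sem_rdfsa.SECURE_SUBJECT
                    + sem_rdfsa.SECURE_PREDICATE,
    -- Default label for new triples comes from the function, not the session's
    -- initial row label.
    label_function => 'fgac_admin.new_triple_label(:new.model_id, ' ||
                      ':new.start_node_id, :new.p_value_id, ' ||
                      ':new.canon_end_node_id)',
    -- Only CTXT1 may be referenced here. Triples loaded before OLS was enabled
    -- carry a NULL label; without this predicate they would be hidden from every
    -- user until their CTXT1 value is reset through the model view.
    predicate      => 'OR CTXT1 IS NULL',
    network_owner  => 'RDFUSER',
    network_name   => 'NET1');
END;
/
```

Once the pre-existing rows have been labeled through the model view, re-apply the policy without the predicate so that unlabeled rows can no longer bypass the label check.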