6 Fine-Grained Access Control for RDF Data
The default control of access to the RDF data stored in a given RDF network, shared among select users in an Oracle AI Database, is at the RDF graph level: the owner of a graph in that network can grant select, delete, and insert privileges on the graph to the other users (with shared access to the network), by granting appropriate privileges on the view named RDFM_<rdf_graph_name>. However, for applications with stringent security requirements, you can enforce a fine-grained access control mechanism by using the Oracle Label Security option of Oracle AI Database.
Oracle Label Security (OLS) for RDF data allows sensitivity labels to be associated with individual triples, and (optionally) with individual lexical values, stored in an RDF graph. For each query, access to specific triples, and (optionally) to lexical values needed for filtering or projecting, is granted by comparing their labels with the user's session labels. This triple-level, or triple-and-values level, security option provides a thin layer of RDF-specific capabilities on top of the Oracle AI Database native support for label security.
For information about using OLS, see Oracle Label Security Administrator's Guide.
- Triple-Level Security
  The triple-level security option provides a thin layer of RDF-specific capabilities on top of Oracle AI Database native support for label security.
- Triple-and-Values Security
  The triple-and-values security option extends the label security support provided by the triple-level security option to include security for lexical values as well.