Starting with this release, the LBACSYS user account is create as a schema-only account.

Users cannot login to a schema-only account until an authentication method is configured for the account by using the ALTER USER statement. LBACSYS is only used as a login account initially to provision named Oracle Label Security administrators. Because users do not need to log in to this account (except for initial provisioning), LBACSYS should remain a schema-only account so that default passwords do not need to be changed or rotated.

This feature meets requirements for users who must be able to create schemas for object ownership without actually allowing the schema owner to log in to the database. Examples of environments that have this need include some Oracle schemas as well as some customer schemas.

Starting in this release, four Oracle Label Security data dictionary views have deprecated columns.

The information in the LABELS and USER_LABELS columns is redundant. This information is displayed in other columns in these data dictionary views.

Starting with this release, Oracle Label Security provides support for the Oracle Database Real Application Security user account.

This feature enables Oracle Label Security policies to be enforced for Real Application Security users by assigning labels and privileges to Real Application Security users.

To configure the Oracle Database Real Application Security user for Oracle Label Security, you can set the user_name parameter in the SA_USER_ADMIN.SET_USER_LABELS procedure and in the SA_USER_ADMIN.SET_USER_PRIVS procedure.

Oracle Label Security now supports rolling upgrades for Oracle Data Guard.

You can perform Oracle Data Guard rolling upgrades to new database releases or patch sets in a rolling fashion, which reduces the planned downtime. The total database downtime for a rolling upgrade is limited to the small amount of time that is required to execute an Oracle Data Guard switchover operation.

Starting with this release, Oracle Label Security supports the use of Oracle Label Security policies in application containers.

In addition to application container support, there are changes in how you can use Oracle Label Security in a CDB environment. As part of this enhancement, you can query the CDB_OLS_STATUS to check the enablement status of Oracle Label Security in a multitenant environment.