Table of Contents
- Title and Copyright Information
- Preface
- Changes in This Release for Oracle Label Security Administrator's Guide
- Part I Getting Started with Oracle Label Security
- 1 Introduction to Oracle Label Security
- 1.1 About Oracle Label Security
- 1.2 Benefits of Oracle Label Security
- 1.3 Who Has Privileges to Use Oracle Label Security?
- 1.4 Duties of Oracle Label Security Administrators
- 1.5 Components of Oracle Label Security
- 1.6 Oracle Label Security Architecture
- 1.7 Oracle Label Security Administrative Interfaces
- 1.8 Oracle Label Security Demonstration File
- 1.9 Oracle Label Security Integration in a Multitenant Environment
- 2 Understanding Data Labels and User Labels
- 3 Access Controls and Privileges
- 3.1 Access Mediation
- 3.2 How the Session Label and Row Label Work
- 3.3 How User Authorizations Work
- 3.4 Evaluation of Labels for Access Mediation
- 3.5 Oracle Label Security Privileges
- 3.5.1 Privileges Defined by Oracle Label Security Policies
- 3.5.2 Special Access Privileges
- 3.5.3 Special Row Label Privileges
- 3.5.4 System Privileges, Object Privileges, and Policy Privileges
- 3.5.5 Access Mediation and Views
- 3.5.6 Access Mediation and Program Unit Execution
- 3.5.7 Access Mediation and Policy Enforcement Options
- 3.6 Working with Multiple Oracle Label Security Policies
- Part II Using Oracle Label Security Functionality
- 4 Registering and Logging in to Oracle Label Security
- 5 Creating an Oracle Label Security Policy
- 5.1 About Creating Oracle Label Security Policies
- 5.2 Privileges for Managing Oracle Label Security Policies
- 5.3 Step 1: Create the Label Security Policy Container
- 5.4 Step 2: Create Labels for the Label Security Policy
- 5.4.1 About Labels
- 5.4.2 About Policy Level Sensitivity Components
- 5.4.3 Creating a Policy Level Component
- 5.4.4 About Policy Compartment Components
- 5.4.5 Creating a Policy Compartment Component
- 5.4.6 About Policy Group Components
- 5.4.7 Creating a Policy Label Group
- 5.4.8 About Associating the Policy Components with a Named Data Label
- 5.4.9 Associating the Policy Components with a Named Data Label
- 5.5 Step 3: Authorize Users for the Label Security Policy
- 5.6 Step 4: Grant Privileges to Users and Trusted Stored Program Units
- 5.7 Step 5: Apply the Policy to a Database Table or Schema
- 5.8 Step 6: Add Policy Data Labels to Table Rows
- 5.9 Step 7: Optionally, Configure Auditing
- 5.10 Using Oracle Label Security Policies and Oracle Flashback Data Archive
- 5.11 Using Enterprise Manager Cloud Control to Create an OLS Policy
- 5.11.1 Creating the Label Security Policy Container Using Cloud Control
- 5.11.2 Creating Policy Components Using Cloud Control
- 5.11.3 Creating Data Labels for the Policy Using Cloud Control
- 5.11.4 Authorizing and Granting Privileges for a Policy Using Cloud Control
- 5.11.5 Granting Privileges to Trusted Program Units Using Cloud Control
- 5.11.6 Applying a Policy to a Database Table with Cloud Control
- 5.11.7 Applying Policy Data Labels to Table Rows Using Cloud Control
- 6 Working with Labeled Data
- 6.1 How Policy Label Column and Label Tags Work
- 6.2 The Policy Label Column
- 6.3 Label Tags
- 6.4 Assignments of Labels to Data Rows
- 6.5 Viewing the Label
- 6.6 Filtration of Data Using Labels
- 6.7 Inserting Labeled Data
- 6.8 Changing Session and Row Labels
- Part III Oracle Label Security Tutorials
- 7 Tutorial: Configuring Levels in Oracle Label Security
- 7.1 About This Tutorial
- 7.2 Step 1: Create a Role and User Accounts
- 7.3 Step 2: Create the Oracle Label Security Policy Container
- 7.4 Step 3: Create the Two Level Components for the Oracle Label Security Policy
- 7.5 Step 4: Create the Data Labels for the Levels
- 7.6 Step 5: Set User Authorizations for the Oracle Label Security Policy
- 7.7 Step 6: Apply the Oracle Label Security Policy to the HR Schema
- 7.8 Step 7: Add the Policy Labels to the HR.EMPLOYEES Table Data
- 7.9 Step 8: Test the Oracle Label Security Policy
- 7.10 Step 9: Optionally, Remove the Oracle Label Security Policy Components
- 8 Tutorial: Configuring Compartments in Oracle Label Security
- 8.1 About This Tutorial
- 8.2 Step 1: Create an Account for Lily Leagull
- 8.3 Step 2: Authorize Lily Leagull for the HIGHLY_SENSITIVE Level
- 8.4 Step 3: Create Two Compartments for the Oracle Label Security Policy
- 8.5 Step 4: Create the Data Labels for the Compartments
- 8.6 Step 5: Assign the Labels to the Users
- 8.7 Step 6: Add the Policy Labels to the HR.EMPLOYEES Table Data
- 8.8 Step 7: Test the Oracle Label Security Policy
- 8.9 Step 8: Optionally, Remove the Oracle Label Security Policy Components
- 9 Tutorial: Configuring Groups in Oracle Label Security
- 9.1 About This Tutorial
- 9.2 Step 1: Create a Role and User Accounts
- 9.3 Step 2: Create the Oracle Label Security Policy Container
- 9.4 Step 3: Create and Authorize a Level Component for the Oracle Label Security Policy
- 9.5 Step 4: Create and Authorize Groups for the Oracle Label Security Policy
- 9.6 Step 5: Apply and Authorize the Policy to the Table
- 9.7 Step 6: Add the Policy Labels to the OE.CUSTOMERS Table Data
- 9.8 Step 7: Test the Oracle Label Security Policy
- 9.9 Step 8: Optionally, Remove the Oracle Label Security Policy Components
- Part IV Administering an Oracle Label Security Application
- 10 Implementing Policy Enforcement Options and Labeling Functions
- 10.1 Using the LBAC_TRIGGER Schema
- 10.2 Oracle Label Security Policy Enforcement Options
- 10.2.1 About Policy Enforcement Options
- 10.2.2 Policy Enforcement Scopes
- 10.2.3 Categories of Policy Enforcement Options
- 10.2.4 Relationships of Policy Enforcement Options
- 10.2.5 How the HIDE Policy Column Option Works
- 10.2.6 Label Management Enforcement
- 10.2.7 Access Control Enforcement
- 10.2.8 Overriding Enforcement
- 10.2.9 Guidelines for Using the Policy Enforcement Options
- 10.2.10 Exemptions from Oracle Label Security Policy Enforcement
- 10.2.11 Data Dictionary Views for Viewing Policy Options on Tables and Schemas
- 10.3 Labeling Functions
- 10.4 Inserting Labeled Data Using Policy Options and Labeling Functions
- 10.5 Inserts of Rows into Foreign Key Tables That Do Not Exist Yet in Referential Tables
- 10.6 Updating Labeled Data Using Policy Options and Labeling Functions
- 10.7 Deletion of Labeled Data Using Policy Options and Labeling Functions
- 10.8 SQL Predicates with an Oracle Label Security Policy
- 11 Administering and Using Trusted Stored Program Units
- 12 Using Oracle Label Security with a Distributed Database
- 12.1 About the Oracle Label Security Distributed Configuration
- 12.2 How Connections to a Remote Database Under Oracle Label Security Work
- 12.3 Session Labels and Row Labels in Remote Sessions
- 12.4 Labels in a Distributed Environment
- 12.5 Oracle Label Security Policies in a Distributed Environment
- 12.6 Replication with Oracle Label Security
- 13 Performing DBA Functions Under Oracle Label Security
- 13.1 Oracle Data Pump Export Use with Oracle Label Security
- 13.2 Data Pump Import Use with Oracle Label Security
- 13.2.1 Full Database Import for the LBACSYS Schema Metadata
- 13.2.2 Schema and Table Level Import
- 13.3 SQL*Loader Use with Oracle Label Security
- 13.4 Performance Tips for Oracle Label Security
- 13.5 Creation of Additional Databases After Installation
- 13.6 Oracle Label Security Upgrades and Downgrades
- 14 Releasability Using Inverse Groups
- 14.1 About Inverse Groups and Releasability
- 14.2 Comparison of Standard Groups and Inverse Groups
- 14.3 How Inverse Groups Work
- 14.4 Algorithm for Read Access with Inverse Groups
- 14.5 Algorithm for Write Access with Inverse Groups
- 14.6 Algorithms for COMPACCESS Privilege with Inverse Groups
- 14.7 Session Labels and Inverse Groups
- 14.8 Changes in Behavior of Procedures with Inverse Groups
- 14.8.1 SA_SYSDBA.CREATE_POLICY with Inverse Groups
- 14.8.2 SA_SYSDBA.ALTER_POLICY with Inverse Groups
- 14.8.3 SA_USER_ADMIN.ADD_GROUPS with Inverse Groups
- 14.8.4 SA_USER_ADMIN.ALTER_GROUPS with Inverse Groups
- 14.8.5 SA_USER_ADMIN.SET_GROUPS with Inverse Groups
- 14.8.6 SA_USER_ADMIN.SET_USER_LABELS with Inverse Groups
- 14.8.7 SA_USER_ADMIN.SET_DEFAULT_LABEL with Inverse Groups
- 14.8.8 SA_USER_ADMIN.SET_ROW_LABEL with Inverse Groups
- 14.8.9 SA_COMPONENTS.CREATE_GROUP with Inverse Groups
- 14.8.10 SA_COMPONENTS.ALTER_GROUP_PARENT with Inverse Groups
- 14.8.11 SA_SESSION.SET_LABEL with Inverse Groups
- 14.8.12 SA_SESSION.SET_ROW_LABEL with Inverse Groups
- 14.8.13 OLS_LEAST_UBOUND with Inverse Groups
- 14.8.14 OLS_GREATEST_LBOUND with Inverse Groups
- 14.9 Dominance Rules for Labels with Inverse Groups
- 15 Auditing Oracle Label Security
- Appendixes
- A Disabling, Enabling, Uninstalling, and Reinstalling Oracle Label Security
- B Advanced Topics in Oracle Label Security
- B.1 Analyzing the Relationships Between Labels
- B.1.1 About Dominant and Dominated Labels
- B.1.2 Non-Comparable Labels
- B.1.3 Using Dominance Functions
- B.1.3.1 About the Dominance Functions
- B.1.3.2 OLS_DOMINATES Standalone Function
- B.1.3.3 OLS_LABEL_DOMINATES Standalone Function
- B.1.3.4 SA_UTL.DOMINATES
- B.1.3.5 OLS_STRICTLY_DOMINATES Standalone Function
- B.1.3.6 OLS_DOMINATED_BY Standalone Function
- B.1.3.7 OLS_STRICTLY_DOMINATED_BY Standalone Function
- B.2 Queries for Audited Oracle Label Security Session Labels
- B.3 Oracle Call Interface for Setting Session Labels
- C Oracle Label Security in an Oracle RAC Environment
- D Oracle Label Security PL/SQL Packages
- D.1 SA_AUDIT_ADMIN Oracle Label Security Auditing PL/SQL Package
- D.2 SA_COMPONENTS Label Components PL/SQL Package
- D.2.1 About the SA_COMPONENTS PL/SQL Package
- D.2.2 SA_COMPONENTS.ALTER_COMPARTMENT
- D.2.3 SA_COMPONENTS.ALTER_GROUP
- D.2.4 SA_COMPONENTS.ALTER_GROUP_PARENT
- D.2.5 SA_COMPONENTS.ALTER_LEVEL
- D.2.6 SA_COMPONENTS.CREATE_COMPARTMENT
- D.2.7 SA_COMPONENTS.CREATE_GROUP
- D.2.8 SA_COMPONENTS.CREATE_LEVEL
- D.2.9 SA_COMPONENTS.DROP_COMPARTMENT
- D.2.10 SA_COMPONENTS.DROP_GROUP
- D.2.11 SA_COMPONENTS.DROP_LEVEL
- D.3 SA_LABEL_ADMIN Label Management PL/SQL Package
- D.4 SA_POLICY_ADMIN Policy Administration PL/SQL Package
- D.4.1 About the SA_POLICY_ADMIN PL/SQL Package
- D.4.2 SA_POLICY_ADMIN.ALTER_SCHEMA_POLICY
- D.4.3 SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY
- D.4.4 SA_POLICY_ADMIN.APPLY_TABLE_POLICY
- D.4.5 SA_POLICY_ADMIN.DISABLE_SCHEMA_POLICY
- D.4.6 SA_POLICY_ADMIN.DISABLE_TABLE_POLICY
- D.4.7 SA_POLICY_ADMIN.ENABLE_SCHEMA_POLICY
- D.4.8 SA_POLICY_ADMIN.ENABLE_TABLE_POLICY
- D.4.9 SA_POLICY_ADMIN.REMOVE_SCHEMA_POLICY
- D.4.10 SA_POLICY_ADMIN.REMOVE_TABLE_POLICY
- D.5 SA_SESSION Session Management PL/SQL Package
- D.5.1 About the SA_SESSION PL/SQL Package
- D.5.2 SA_SESSION.COMP_READ
- D.5.3 SA_SESSION.COMP_WRITE
- D.5.4 SA_SESSION.GROUP_READ
- D.5.5 SA_SESSION.GROUP_WRITE
- D.5.6 SA_SESSION.LABEL
- D.5.7 SA_SESSION.MAX_LEVEL
- D.5.8 SA_SESSION.MAX_READ_LABEL
- D.5.9 SA_SESSION.MAX_WRITE_LABEL
- D.5.10 SA_SESSION.MIN_LEVEL
- D.5.11 SA_SESSION.MIN_WRITE_LABEL
- D.5.12 SA_SESSION.PRIVS
- D.5.13 SA_SESSION.RESTORE_DEFAULT_LABELS
- D.5.14 SA_SESSION.ROW_LABEL
- D.5.15 SA_SESSION.SET_LABEL
- D.5.16 SA_SESSION.SA_USER_NAME
- D.5.17 SA_SESSION.SAVE_DEFAULT_LABELS
- D.5.18 SA_SESSION.SET_ACCESS_PROFILE
- D.5.19 SA_SESSION.SET_ROW_LABEL
- D.6 SA_SYSDBA Policy Management PL/SQL Package
- D.7 SA_USER_ADMIN PL/SQL Package
- D.7.1 About the SA_USER_ADMIN PL/SQL Package
- D.7.2 SA_USER_ADMIN.ADD_COMPARTMENTS
- D.7.3 SA_USER_ADMIN.ADD_GROUPS
- D.7.4 SA_USER_ADMIN.ALTER_COMPARTMENTS
- D.7.5 SA_USER_ADMIN.ALTER_GROUPS
- D.7.6 SA_USER_ADMIN.DROP_ALL_COMPARTMENTS
- D.7.7 SA_USER_ADMIN.DROP_ALL_GROUPS
- D.7.8 SA_USER_ADMIN.DROP_COMPARTMENTS
- D.7.9 SA_USER_ADMIN.DROP_GROUPS
- D.7.10 SA_USER_ADMIN.DROP_USER_ACCESS
- D.7.11 SA_USER_ADMIN.SET_COMPARTMENTS
- D.7.12 SA_USER_ADMIN.SET_DEFAULT_LABEL
- D.7.13 SA_USER_ADMIN.SET_GROUPS
- D.7.14 SA_USER_ADMIN.SET_LEVELS
- D.7.15 SA_USER_ADMIN.SET_PROG_PRIVS
- D.7.16 SA_USER_ADMIN.SET_ROW_LABEL
- D.7.17 SA_USER_ADMIN.SET_USER_LABELS
- D.7.18 SA_USER_ADMIN.SET_USER_PRIVS
- D.8 SA_UTL PL/SQL Utility Functions and Procedures
- E Oracle Label Security Tables and Views
- E.1 Oracle Database Data Dictionary Tables
- E.2 Oracle Label Security Data Dictionary Views
- E.2.1 About Oracle Label Security Data Dictionary Views
- E.2.2 ALL_SA_AUDIT_OPTIONS View
- E.2.3 ALL_SA_COMPARTMENTS
- E.2.4 ALL_SA_DATA_LABELS
- E.2.5 ALL_SA_GROUPS
- E.2.6 ALL_SA_LABELS
- E.2.7 ALL_SA_LEVELS
- E.2.8 ALL_SA_POLICIES
- E.2.9 ALL_SA_PROG_PRIVS
- E.2.10 ALL_SA_SCHEMA_POLICIES
- E.2.11 ALL_SA_TABLE_POLICIES
- E.2.12 ALL_SA_USERS
- E.2.13 ALL_SA_USER_LABELS
- E.2.14 ALL_SA_USER_LEVELS
- E.2.15 ALL_SA_USER_PRIVS
- E.2.16 DBA_SA_AUDIT_OPTIONS
- E.2.17 DBA_SA_COMPARTMENTS
- E.2.18 DBA_SA_DATA_LABELS
- E.2.19 DBA_SA_GROUPS
- E.2.20 DBA_SA_GROUP_HIERARCHY
- E.2.21 DBA_SA_LABELS
- E.2.22 DBA_SA_LEVELS
- E.2.23 DBA_SA_POLICIES
- E.2.24 DBA_SA_PROG_PRIVS
- E.2.25 DBA_SA_SCHEMA_POLICIES
- E.2.26 DBA_SA_TABLE_POLICIES
- E.2.27 DBA_SA_USERS
- E.2.28 DBA_SA_USER_COMPARTMENTS
- E.2.29 DBA_SA_USER_GROUPS
- E.2.30 DBA_SA_USER_LABELS
- E.2.31 DBA_SA_USER_LEVELS
- E.2.32 DBA_SA_USER_PRIVS
- E.2.33 DBA_OLS_STATUS
- E.2.34 USER_SA_SESSION
- E.3 Oracle Label Security User-Created Auditing View
- F Oracle Label Security Restrictions
- G Frequently Asked Questions about Oracle Label Security
- G.1 Who Uses Oracle Label Security?
- G.2 How Can Oracle Label Security Address My Security Needs?
- G.3 Should I Use Oracle Label Security to Protect All My Tables?
- G.4 What Is the Difference Between Oracle Virtual Private Database and Oracle Label Security?
- G.5 Can I Combine Oracle Virtual Private Database and Oracle Label Security?
- G.6 Can I Use Oracle Label Security with Oracle E-Business Suite?
- G.7 Can I Use Oracle Label Security with Oracle Database Vault?
- G.8 Does Oracle Label Security Provide Column-Level Access Control?
- G.9 Can I Base Secure Application Roles on Oracle Label Security?
- G.10 What Are Trusted Stored Program Units?
- G.11 Does VPD or OLS Add an Additional Column to the Protected Table?
- G.12 Why Should the Additional OLS Row Label Column Be Hidden?
- H Troubleshooting Oracle Label Security
- Index