B
Command-line Tools for Label Security Using Oracle Internet Directory

When Oracle Label Security is used with Oracle Internet Directory, security administrators must use certain commands to create and alter label security attributes stored in the directory.

This Appendix describes these commands and the parameters they require. They perform updates, inserts and deletes of entries in the directory and are implemented through a script named "olsadmintool", which you invoke from $ORACLE_HOME/bin/olsadmintool. This Appendix contains the sections and tables listed below.

Table B-1 lists all the commands, in categories, with links to their explanations. Some of these commands replace PL/SQL procedures (indicated in Table B-1) that are used for the indicated purposes when Oracle Label Security is used without Oracle Internet Directory. Sites already using Oracle Label Security that add Oracle Internet Directory must replace the use of those PL/SQL procedures by switching to use these new commands instead.
Table B-2 then lists the commands alphabetically, with links to their explanations.
Command Explanations, after Table B-2, provides the individual explanations and examples of the commands and their parameters, in alphabetical order.
Relating Parameters to Commands for olsadmintool follows Table B-2 with Summaries in Table B-3 and Table B-4. These tables present summaries of the commands' use of parameters by listing the commands and their parameters in tabular format, enabling you to see patterns of parameter usage.
Table B-5 then gives a detailed explanation for each parameter, in alphabetical order, and lists the commands in which it is used.

Examples of Using olsadmintool shows typical uses of the tool and the results of the specific examples shown.

Table B-1 Oracle Label Security Commands in Categories

Command Category	Purpose of Command	Command	Replaces PL/SQL Statement
Policies	Create Policy	olsadmintool createpolicy	SA_SYSDBA.CREATE_POLICY
	Alter a Level	olsadmintool alterpolicy	SA_SYSDBA.ALTER_POLICY
	Drop a Policy	olsadmintool droppolicy	SA_SYSDBA.DROP_POLICY
	Add Policy Creator	olsadmintool addpolcreator	None; new
	Drop Policy Creator	olsadmintool droppolcreator	None; new
Levels in a Policy	Create a Level	olsadmintool createlevel	SA_COMPONENTS.CREATE_LEVEL
	Alter a Level	olsadmintool alterlevel	SA_COMPONENTS.ALTER_LEVEL
	Drop a Level	olsadmintool droplevel	SA_COMPONENTS.DROP_LEVEL
Groups in a Policy	Create a Group	olsadmintool creategroup	SA_COMPONENTS.CREATE_GROUP
	Alter a Group	olsadmintool altergroup	SA_COMPONENTS.ALTER_GROUP
	(also a group parent)		SA_COMPONENTS.ALTER_GROUP_PARENT
	Drop a Group	olsadmintool dropgroup	SA_COMPONENTS.DROP_GROUP
Compartments in a Policy	Create a Compartment	olsadmintool createcompartment	SA_COMPONENTS.CREATE_COMPARTMENT
	Alter a Compartment	olsadmintool altercompartment	SA_COMPONENTS.ALTER_COMPARTMENT
	Drop a Compartment	olsadmintool dropcompartment	SA_COMPONENTS.DROP_COMPARTMENT
Data Labels	Create a Label	olsadmintool createlabel	SA_LABEL_ADMIN.CREATE_LABEL
	Alter a Label	olsadmintool alterlabel	SA_LABEL_ADMIN.ALTER_LABEL
	Drop a Label	olsadmintool droplabel	SA_LABEL_ADMIN.DROP_LABEL
Users	Add a User to a Profile	olsadmintool adduser	None; new
	Drop a User	olsadmintool dropuser	SA_USER_ADMIN.DROP_USER_ACCESS
Profiles	Create a Profile	olsadmintool createprofile	Replaces the use of several methods. ^{Foot 1}
	List Profiles	olsadmintool listprofile	None; new
	Describe a Profile	olsadmintool describeprofile	None; new
	Drop a Profile	olsadmintool dropprofile	None; new
Policy Administrators	Drop Policy Administrator	olsadmintool addadmin	None; new.
	Drop Policy Administrator	olsadmintool dropadmin	None; new.
Policy Access	Set Audit Options	olsadmintool addpolaccess	None; new.
	Relating Parameters to Commands for olsadmintool	olsadmintool droppolaccess	None; new.
Auditing	Set Audit Options	olsadmintool audit	SA_AUDIT_ADMIN.AUDIT
		olsadmintool noaudit	SA_AUDIT_ADMIN.NOAUDIT
Help	Get Help for olsadmintool	olsadmintool command --help	None; new

¹ Replaces several methods in SA_USER_ADMIN: SET_LEVELS, SET_USER_PRIVILEGES, and SET_DEFAULT_LABEL

Table B-2 olsadmintool Commands Linked to Their Explanations

Purpose of Command (Links in Alphabetical Order)	Command
Add a User to a Profile	olsadmintool adduser
Add Policy Administrators	olsadmintool addadmin
Add Policy Creator	olsadmintool addpolcreator
Alter a Compartment	olsadmintool altercompartment
Alter a Group	olsadmintool altergroup
Alter a Label	olsadmintool alterlabel
Alter a Level	olsadmintool alterlevel
Alter a Level	olsadmintool alterpolicy
Cancel Audit Options	olsadmintool noaudit
Create a Compartment	olsadmintool createcompartment
Create a Group	olsadmintool creategroup
Create a Label	olsadmintool createlabel
Create a Level	olsadmintool createlevel
Create a Profile	olsadmintool createprofile
Create Policy	olsadmintool createpolicy
Describe a Profile	olsadmintool describeprofile
Drop a Compartment	olsadmintool dropcompartment
Drop a Group	olsadmintool dropgroup
Drop a Label	olsadmintool droplabel
Drop a Level	olsadmintool droplevel
Drop a Policy	olsadmintool droppolicy
Drop a Profile	olsadmintool dropprofile
Drop a User	olsadmintool dropuser
Drop Policy Administrator	olsadmintool dropadmin
Drop Policy Creator	olsadmintool droppolcreator
Get Help for an olsadmintool Command	olsadmintool <command name> --help
List Profiles	olsadmintool listprofile
Set Audit Options	olsadmintool audit

Command Explanations

In the command explanations that follow, some parameters are optional, which is indicated by enclosing such a parameter within square brackets. The two most common examples are [ -b <admin context> ] and [-p <port>], indicating that it is optional to specify either the administrative context for the command or the port through which to connect to Oracle Internet Directory. (Default port is 389.)

The use of two dashes (--, no space) is required for all parameters other than b, h, p, D, and w, which are preceded by a single dash. The double dash indicates the need to specify the full or long version of the name or parameter being used.

Each command appears in this listing on multiple lines for readability, but in reality would be issued as a single long string on the command line.

Add a User to a Profile

olsadmintool adduser --polname <policy name> --profname <profilename> --userdn 
<enterprise user DN>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the `adduser` command

Use the adduser command to add an enterprise user to a profile within a policy. Provide the profile and policy names and the user DN.^{Foot 1}

Example of the adduser command

olsadmintool adduser --polname tradesecret --profname topsales --userdn 
'cn=perot'
-b 'cn=EDS' -h ford -p 1890 -D cn=lbacsys -w lbacsyspwrd

See Also:

Please refer to the Oracle Advanced Security Administrator's Guide, Chapter 13, Administering Enterprise User Security, for further concepts, tools, steps, and procedures.

Add Policy Administrators

olsadmintool addadmin --polname <policy name> --admindn <admin DN>
[ -b <admin context>] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the addadmin command

Use the addadmin command to add an enterprise user to the administrative group for a policy, so that s/he is able to create, modify or delete the specified policy's metadata. Provide the policy name and the new administrator's DN. ^{Command Footnote}

Example of the addadmin command


olsadmintool addadmin --polname defense --admindn 'cn=scott,c=us'
-h yippee -D cn=lbacsys -w lbacsys

Add Policy Creator

olsadmintool addpolcreator --userdn <user DN>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the addpolcreator command

Use the addpolcreator command to enable the specified user to create policies. Provide the DN for the user. ^{Command Footnote}

Example of the addpolcreator command

olsadmintool addpolcreator --userdn 'cn=scott' -h yippee -D cn=lbacsys -w 
lbacsys

Alter a Compartment

olsadmintool altercompartment --polname <policy name> --shortname <short 
compartment name> --longname <new long compartment name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the altercompartment command

Use the altercompartment command to change the long name of a compartment. Provide the name of the policy, the short name of the compartment, and the new long name of the compartment. ^{Command Footnote}

Example of the altercompartment command


olsadmintool altercompartment --polname defense --shortname A --longname 'Allied 
Forces' -h yippee -D cn=defense_admin -w welcome1

Alter a Group

olsadmintool altergroup --polname <policy name> --shortname <short group name>
--longname <new long group name> [--parentname <new short group name> ]
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the altergroup command

Use the altergroup command to change the long name for a group component or parent group. Provide the name of the policy, the short name of the group, the long name of the group, and optionally the short name for the parent group. ^{Command Footnote}

Example of the altergroup command


olsadmintool altergroup --polname defense --shortname US --longname 'United 
States of America' --parentname 'Earth' -h yippee -D cn=defense_admin -w 
welcome1

Alter a Label

olsadmintool alterlabel --polname <policy name> --tag <tag number> --value <new 
label value>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the alterlabel command

Use the alterlabel command to change the character string defining the label associated with a label tag. Provide the policy name, the numeric tag of the label, and the new character string representing the label. ^{Command Footnote}

Example of the alterlabel command


olsadmintool alterlabel --polname defense --tag 100 --value 'TS:A:US' -h yippee 
-D cn=defense_admin -w welcome1

Alter a Level

olsadmintool alterlevel --polname <policy name> --shortname <short level name> 
--longname <new long level name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the alterlevel command

Use the alterlevel command to change the long name of a level. Provide the name of the policy, the short name of the level, and the new long name of the level. ^{Command Footnote}

Example of the alterlevel command


olsadmintool alterlevel --polname defense --shortname TS
--longname 'VERY TOP SECRET' -h yippee -D cn=defense_admin -w welcome1

Alter Policy

olsadmintool alterpolicy --name <policy name> --options <new options>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the alterpolicy command

Use the alterpolicy command to alter the options of a policy. Provide the name of the policy and the new options. ^{Command Footnote}

Example of the alterpolicy command

olsadmintool alterpolicy --name defense --options 'READ_CONTROL,INSERT_CONTROL'
 -h yippee -D cn=defense_admin -w welcome1

Cancel Audit Options

olsadmintool noaudit --polname <policy name> --options <audit option name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of noaudit command

Use the noaudit command to cancel the audit options for a policy. Provide the policy name and the options that are no longer to be audited. ^{Command Footnote}

Example of the noaudit command


olsadmintool noaudit --polname defense --options 'APPLY,PRIVILEGES'
-h yippee -D cn=defense_admin -w welcome1

Create a Compartment

olsadmintool createcompartment --polname <policy name> --tag <tag number> 
--shortname <short compartment name> --longname <long compartment name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the createcompartment command

Use the createcompartment command to create a new compartment component. Provide the name of the policy, the tag numeric value of the compartment, the short name of the compartment, and the long name of the compartment. ^{Command Footnote}

Example of the createcompartment command


olsadmintool createcompartment --polname defense --tag 100 --shortname A 
--longname Alpha -h yippee -D cn=defense_admin -w welcome1

Create a Group

olsadmintool creategroup --polname <policy name> --tag <tag number> --shortname 
<short group name> --longname <long group name>
[--parentname <parent group name>]
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the creategroup command

Use the creategroup command to create a new group component. Provide the name of the policy, the tag numeric value of the group, the short name of the group, the long name of the group, and the parent group name (optional). ^{Command Footnote}

Example of the creategroup command


olsadmintool creategroup --polname defense --tag 55 --shortname US
--longname 'United States' -h yippee -D cn=defense_admin -w welcome1

Create a Label

olsadmintool createlabel --polname <policy name> --tag <tag number> --value 
<label value>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the createlabel command

Use the createlabel command to create a valid data label. Provide the policy name, the numeric tag of the label to be created, and the character string representation of the label.^{Command Footnote}

Example of the createlabel command


olsadmintool createlabel --polname defense --tag 100 --value 'TS:A,B:US,CA'
-h yippee -D cn=defense_admin -w welcome1

Create a Level

olsadmintool createlevel --polname <policy name> --tag <tag number> --shortname 
<short level name> --longname <long level name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the createlevel command

Use the createlevel command to create a new level component. Provide the name of the policy, the tag numeric value, the short name of the level, and the long name of the level. ^{Command Footnote}

Example of the createlevel command


olsadmintool createlevel --polname defense --tag 100 --shortname TS
--longname 'TOP SECRET' -h yippee -D cn=defense_admin -w welcome1

Create a Profile

olsadmintool createprofile --polname <policy name> --profname <profile name> 
--maxreadlabel <max read label> --maxwritelabel <max write label> 
--minwritelabel <min write label> --defreadlabel <default read label> 
--defrowlabel <default row label> --privileges <privileges separated by comma>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the createprofile command

Use the createprofile command to create a new profile. Provide the policy name, the profile name, and either privileges, labels, or both privileges and labels. (A user profile can have either null label information or null privilege information, but not both null at the same time.) For labels, specify the maximum label users in this profile can use to read data, the maximum label users in this profile can use to write data, the minimum label users in this profile can use to write data, the default label for reading, the default row label for writing. For privileges, enclose in quotes the list of privileges, separated by commas, for members of this profile. ^{Command Footnote}

Example of the createprofile command


olsadmintool createprofile --polname topsecret --profname topsales 
--maxreadlabel 'TS:A,B:US,CA' --maxwritelabel 'TS:A,B:US,CA' --minwritelabel 
'C:A,B:US,CA' --defreadlabel 'TS:A,B:US,CA' --defrowlabel 'C:A,B:US,CA'
--privileges 'READ,COMPACCESS,WRITEACROSS'
-b EDS -h ford -p 1890 -D cn=lbacsys -w lbacsyspwrd

Create Policy

olsadmintool createpolicy --name <policy name> --colname <column name> --options 
<options separated by commas>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the createpolicy command

Use the createpolicy command to create a policy. Provide the name of the policy, the name of its label column, and the options. ^{Command Footnote}

Example of the createpolicy command


olsadmintool createpolicy --name defense --colname defense_col --options 'READ_
CONTROL,UPDATE_CONTROL' -h yippee -p 389 -D cn=defense_admin -w welcome1

Describe a Profile

olsadmintool describeprofile --polname <policy name> --profname <profile name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the `describeprofile` command

Use the describeprofile command to see the contents of the specified profile in the specified policy. Provide the policy name and the name of the profile. ^{Command Footnote}

Example of the `describeprofile` command


olsadmintool describeprofile --polname defense --profname contractors
-h yippee -D cn=defense_admin -w welcome1

Drop a Compartment

olsadmintool dropcompartment --polname <policy name> --shortname <short 
compartment name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the `dropcompartment` command

Use the dropcompartment command to remove a compartment component. Provide the name of the policy and the short name of the compartment. ^{Command Footnote}

Example of the `dropcompartment` command


olsadmintool dropcompartment --polname defense --shortname A
-h yippee -D cn=defense_admin -w welcome1

Drop a Group

olsadmintool dropgroup --polname <policy name> --shortname <short group name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the `dropgroup` command

Use the dropgroup command to remove a group component. Provide the policy name and the short group name. ^{Command Footnote}

Example of the `dropgroup` command


olsadmintool dropgroup --polname defense --shortname US
-h yippee -D cn=defense_admin -w welcome1

Drop a Label

olsadmintool droplabel --polname <policy name> --value <label value>
-h yippee [-p <port>] -D <bind DN> -w <bind password>

Description of the `droplabel` command

Use the droplabel command to drop a label from the policy. Provide the policy name and the string representation of the label. ^{Command Footnote}

Example of the `droplabel` command


olsadmintool droplabel --polname defense --value 'TS:A:US'
h yippee -D cn=defense_admin -w welcome1

Drop a Level

olsadmintool droplevel --polname <policy name> --shortname <short level name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the `droplevel` command

Use the droplevel command to remove a level component from a specified policy. Provide the name of the policy and the short name of the level. ^{Command Footnote}

Example of the `droplevel` command


olsadmintool droplevel --polname defense --shortname TS
-h yippee -D cn=defense_admin -w welcome1

Drop a Policy

olsadmintool droppolicy --name <policy name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the `droppolicy` command

Use the droppolicy command to drop a policy. Provide the name of the policy to be dropped.^{Command Footnote} For directory-enabled installations of Oracle Label Security, see also Subscribing Policies in Directory-Enabled Label Security in Chapter 9, "Applying Policies to Tables and Schemas".

Example of the `droppolicy` command


olsadmintool droppolicy --name defense -h yippee -D cn=defense_admin -w welcome1

Drop a Profile

olsadmintool dropprofile --polname <policy name> --profname <profile name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the `dropprofile` command

Use the dropprofile command to remove the specified profile. Provide the policy name and the name of the profile to be dropped.^{Command Footnote}

Note:

Dropping a profile removes the authorization on that policy for all the users in the dropped profile. They will be unable to see data protected by that policy.

Example of the `dropprofile` command


olsadmintool dropprofile --name defense --profname employees
-h yippee -D cn=defense_admin -w welcome1

Drop a User

olsadmintool dropuser --polname <policy name> --profname <profilename>
--userdn <enterprise user DN>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the dropuser command

Use the dropuser command to drop a user from the specified profile in the specified policy. Provide the policy name, the name of the profile, and the DN of the user. ^{Command Footnote}

Example of the `dropuser` command


olsadmintool dropuser --polname defense --profname contractors --userdn 
'cn=hanssen,c=us' -h yippee -D cn=defense_admin -w welcome1

Drop Policy Administrator

olsadmintool dropadmin --polname <policy name> --admindn <admin DN>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the `dropadmin` command

Use the dropadmin command to remove an enterprise user from the administrative group of a policy, so that s/he is no longer able to create, modify or delete the specified policy's metadata. Provide the policy name and the DN of the administrator to be removed from the administrative group. ^{Command Footnote}

Example of the `dropadmin` command


olsadmintool dropadmin --polname defense --admindn 'cn=scott,c=us'
-h yippee -D cn=lbacsys -w lbacsys

Drop Policy Creator

olsadmintool droppolcreator --userdn <user DN>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the `droppolcreator` command

Use the droppolcreator command to cancel the ability of the specified user to create policies. Provide the user's DN. ^{Command Footnote}

Example of the `droppolcreator` command


olsadmintool droppolcreator --userdn 'cn-scott,c=us'
-b UA -h yippee -p 1890 -D <bind DN> -w <bind password>

Get Help for an olsadmintool Command

olsadmintool <command name> --help

List Profiles

olsadmintool listprofile --polname <policy name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the listprofile command

Use the listprofile command to see a list of all profiles in a given policy. Provide the policy name. ^{Command Footnote}

Example of the listprofile command


olsadmintool listprofile --polname defense -b CIA
-h yippee -D cn=defense_admin -w welcome1

Set Audit Options

olsadmintool audit --polname <policy name> --options <audit option name> --type 
<audit option type> --success <audit success type>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the audit command

Use the audit command to set the audit options for a policy. Provide the policy name, the options to be audited, the type of audit and the type of success to be audited. ^{Command Footnote}

Example of the audit command


olsadmintool audit --polname defense --options 'APPLY,PRIVILEGE' --type session
--success success -h yippee -D cn=defense_admin -w welcome1

Relating Parameters to Commands for olsadmintool

All olsadmintool commands must specify connection parameters: the OID host, the bind DN, the bind password and optionally the port through which the connection to Oracle Internet Directory is to be made. (The default port is 389.)

All olsadmintool commands may specify, as needed, the subscriber/administrative-context using the -b flag.

The fact that specifying a parameter is optional, such as a port or an administrative context, is shown by enclosing the parameter within square brackets. The two most common examples are [ -b <admin context> ] and [-p <port>].

Since every command must specify a host, bind DN, and password, and may if needed also specify an administrative context, Table B-3 uses the abbreviation CON to represent all of these connection parameters as a group:

[ -b <admin context> ] h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Summaries

Table B-3 summarizes the commands in the following categories:

Policies: creating, altering, or dropping policies or their components, that is, levels, groups, and compartments.
Data labels: creating, altering, or dropping them.
Administrators and policy creators: adding or dropping them.
Users: adding or dropping users from a profile.
Auditing options: setting the options for what to audit for a policy
Profiles: creating, listing, describing, or dropping them.
Default read or row labels: setting them.

In Table B-3 and Table B-4, the column headings show only the parameters, not the keywords that must precede them. For example, Table B-3 shows "policyname" and "column-name" as parameters for the createpolicy command, without showing the keywords that must precede them (--name and --colname). These keywords are shown as required in each of the command descriptions, such as at Create Policy.

Table B-5 explains the individual parameters that are used as column headings in the summaries of Table B-3 and Table B-4.

In all these tables, X means required, and O means unused or omitted.

Table B-3 Summary: olsadmintool Command Parameters

Command Category	Commands & Parameters
Policies	Command	policy name	column- name	optionsP	CON
	olsadmintool createpolicy	X	X	X	X
	olsadmintool alterpolicy	X	O	X	X
	olsadmintool droppolicy	X	O	O	X
Within a Policy, Create:	Command	policy name	tag	short name	long name	CON	parent name
a level	olsadmintool createlevel	X	X	X	X	X	O
a group	olsadmintool creategroup	X	X	X	X	X	[ X ]
a compartment	olsadmintool createcompartment	X	X	X	X	X	O
Within a Policy, Alter:
a level	olsadmintool alterlevel	X	O	X	X	X	O
a group or group parent	olsadmintool altergroup	X	O	X	X	X	[X]
	Command	policy name	tag	short name	long name	CON	parent name
a compartment	olsadmintool altercompartment	X	O	X	X	X	O
Within a Policy, Drop:
level	olsadmintool droplevel	X	O	X	O	X	O
group	olsadmintool dropgroup	X	O	X	O	X	O
compartment	olsadmintool dropcompartment	X	O	X	O	X	O

Data Labels	Command	policy name	tag	value	CON
Create label	olsadmintool createlabel	X	X	X	X
Alter data label	olsadmintool alterlabel	X	X	X	X
Drop data label	olsadmintool droplabel	X	O	X	X
Policy Administrators	Command	policy name	userDN	CON
Add an Admin	olsadmintool addadmin	X	X	X
Drop an Admin	olsadmintool dropadmin	X	X	X
Policy Creation	olsadmintool addpolcreator	O	X	X
	`olsadmintool droppolcreator`	O	X	X

Users	Command	policy name	profile name	userDN	CON
Add a User	olsadmintool adduser	X	X	X	X
Drop a User	`olsadmintool dropuser`	X	X	X	X

Auditing	olsadmintool audit	X	optionsA	type	success	CON
	olsadmintool noaudit	X	X	X	X	X
Help on olsadmintool	olsadmintool <commandmame> -- help	O	O	O	O	O

Table B-4 Summary of Profile & Default Command Parameters

Profile Action	Profile Command	Policy Name	Profile Name	Max Read Label	Max Write Label	Min Write Label	Def Read Label	Def Row Label	Priv's	CON
Create a Profile ^{Foot 1}	olsadmin tool create profile	X	X	X	X	X	X	X	X	X
List Profiles	olsadmin tool list profile	X	O	O	O	O	O	O	O	X
Describe a Profile	olsadmin tool describe profile	X	X	O	O	O	O	O	O	X
Drop a Profile	olsadmin tool drop profile	X	X	O	O	O	O	O	O	X

¹ In createprofile, specifying both privileges and labels is not required: a profile can specify labels, privileges, or both.

Examples of Using olsadmintool

The 12 subsections that follow illustrate using the olsadmintool commands in typical tasks needed to set up Oracle Label Security in an Oracle Internet Directory environment. Each command appears in this listing on multiple lines for readability, but in reality would be issued as a single long string on the command line. The summarized results of executing all these commands appear in Results of These Examples, which follows the last example.

Make Other Users Policy Creators

ORACLE_HOME/bin/olsadmintool addpolcreator --userdn 'cn=snamudur,c=us'
 -b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 'cn=lbacsys,c=us' -w lbacsys

Create Policies With Valid Options

ORACLE_HOME/bin/olsadmintool createpolicy --name Policy1 --colname pol1
--options READ_CONTROL,WRITE_CONTROL -b 'ou=Americas,o=Oracle,c=US'
-h yippee -p 389 -D 'cn=snamudur,c=us' -w snamudur

ORACLE_HOME/bin/olsadmintool createpolicy --name Policy2 --colname pol2
--options READ_CONTROL -b 'ou=Americas,o=Oracle,c=US'
-h yippee -p 389 -D 'cn=lbacsys,c=us' -w lbacsys

Create Policy Administrators

ORACLE_HOME/bin/olsadmintool addadmin --polname Policy1
 --admindn 'cn=shwong,c=us' -b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 
'cn=snamudur,c=us' -w snamudur

ORACLE_HOME/bin/olsadmintool addadmin --polname Policy2
--admindn 'cn=shwong,c=us' -b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 
'cn=lbacsys,c=us' -w lbacsys

Create Some Levels

ORACLE_HOME/bin/olsadmintool createlevel --polname Policy1 --tag 100
--shortname TS --longname "TOP SECRET" -b 'ou=Americas,o=Oracle, c=US'
-h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

ORACLE_HOME/bin/olsadmintool createlevel --polname Policy1 --tag 99
--shortname S --longname SECRET -b 'ou=Americas,o=Oracle,c=US'
-h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

ORACLE_HOME/bin/olsadmintool createlevel --polname Policy1 --tag 98
--shortname U --longname UNCLASSIFIED -b 'ou=Americas,o=Oracle,c=US'
-h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

Create Some Compartments

ORACLE_HOME/bin/olsadmintool createcompartment --polname Policy1 --tag 100 
--shortname A --longname ALPHA -b 'ou=Americas,o=Oracle,c=US'
-h yippee -p 389 D 'cn=shwong,c=us' -w shwong

ORACLE_HOME/bin/olsadmintool createcompartment --polname Policy1 --tag 99
--shortname B --longname BETA -b 'ou=Americas,o=Oracle,c=US'
-h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

Create Some Groups

ORACLE_HOME/bin/olsadmintool creategroup --polname Policy1 --tag 100
--shortname G1 --longname GROUP1
-b 'ou=Americas,o=Oracle,c=US'  -h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

ORACLE_HOME/bin/olsadmintool creategroup --polname Policy1 --tag 99
--shortname G2 --longname GROUP2
-b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

ORACLE_HOME/bin/olsadmintool creategroup --polname Policy1 --tag 98
--shortname G3 --longname GROUP3
-b 'ou=Americas,o=Oracle,c=US'  -h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

Create Some Labels

ORACLE_HOME/bin/olsadmintool createlabel --polname Policy1 --tag 100
--value TS:A:G1
-b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

ORACLE_HOME/bin/olsadmintool createlabel --polname Policy1 --tag 101
--value TS:A,B:G2
-b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

Create A Profile

ORACLE_HOME/bin/olsadmintool createprofile --polname Policy1 --profname Profile1
--maxreadlabel TS:A:G1 --maxwritelabel TS:A:G1 --minwritelabel U::
--defreadlabel U:A:G1 --defrowlabel U:A:G1 --privileges WRITEUP,READ
-b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

Add A User To The Above Profile

ORACLE_HOME/bin/olsadmintool adduser --polname Policy1 --profname Profile1
--userdn cn=nina,ou=Asia,o=microsoft,l=seattle,st=WA,c=US
-b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

Add Another User To The Above Profile

ORACLE_HOME/bin/olsadmintool adduser --polname Policy1 --profname Profile1
--userdn cn=daniel,ou=France,o=oracle,l=madison,st=WI,c=US
-b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

Set Some Audit Options

ORACLE_HOME/bin/olsadmintool audit --polname Policy1 --option 'SET,APPLY'
--type SESSION --success BOTH
-b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

Results of These Examples

As a result of running the 12 sets of olsadmintool commands above, this sample Oracle Label Security site has the following structure:

Policy creators: User snamudur
Policies: Policy1 and Policy2.
Policy Administrators: User shwong

Levels, Compartments, and Groups: See Table B-5, "Label Component Definitions from Using olsadmintool Commands"

Table B-5 Label Component Definitions from Using olsadmintool Commands

Label Component	Tag	Short Name	Long Name
Level	100	TS	TOP SECRET
	99	S	SECRET
	98	U	UNCLASSIFIED
Compartment	100	A	ALPHA
	99	B	BETA
Group	100	G1	GROUP1
	99	G2	GROUP2
	98	G3	GROUP3

Data labels: Tag 100 for TS:A:G1 and tag 101 for TS:A,B:G2
Users: Nina, from the Asia group of Microsoft, based in Seattle, Washington, managed under the Americas organization of the US Oracle organization, and Daniel, from the France group of Oracle in Madison, Wisconsin, managed under the same organization.

Profiles: See Table B-6, "Contents of Profile1 from Using olsadmintool Commands"

Table B-6 Contents of Profile1 from Using olsadmintool Commands

Profile Element	Contents	Long-name Expansion or Meaning
MaxReadLabel	TS:A:G1	TOP SECRET:ALPHA:GROUP1
MaxWriteLabel	TS:A:G1	TOP SECRET:ALPHA:GROUP1
MinWriteLabel	U::	UNCLASSIFIED (not restricted to any compartments or groups)
DefReadLabel	U:A:G1	UNCLASSIFIED:ALPHA:GROUP1
DefRowLabel	U:A:G1	UNCLASSIFIED:ALPHA:GROUP1
Privileges	WRITE_UP, READ	User can read any row and raise the level of rows he writes.

Auditing options: SET, APPLY, SESSION, and BOTH

¹ Command Footnote
Every command must include the directory hostname, the bind DN, and the bind password. Any command may, as needed, also supply the subscriber admin- istrative context (optional), the directory port number (also optional), or both. See also Table B-3, "Summary: olsadmintool Command Parameters" for additional details on these parameters.

B Command-line Tools for Label Security Using Oracle Internet Directory