Oracle® Label Security Administrator's Guide 10g Release 1 (10.1) Part Number B10774-01 |
|
|
View PDF |
Oracle Label Security enables access control to reach specific (labeled) rows of a database. With Oracle Label Security in place, users with varying privilege levels automatically have (or are excluded from) the right to see or alter labeled rows of data.
This Oracle Label Security Administrator's Guide describes how to use Oracle Label Security to protect sensitive data. It explains the basic concepts behind label-based security and provides examples to show how it is used.
This preface contains these topics:
The Oracle Label Security Administrator's Guide is intended for database administrators (DBAs), application programmers, security administrators, system operators, and other Oracle users who perform the following tasks:
To use this document, you need a working knowledge of SQL and Oracle fundamentals. You should also be familiar with Oracle security features described in "Related Documentation". To use SQL*Loader, you must know how to use the file management facilities of your operating system.
Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For additional information, visit the Oracle Accessibility Program Web site at
http://www.oracle.com/accessibility/
JAWS, a Windows screen reader, may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, JAWS may not always read a line of text that consists solely of a bracket or brace.
This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.
This document contains:
This part introduces basic conceptual information about Oracle Label Security.
This chapter introduces Oracle Label Security in the larger context of data security. It gives an overview of computer security issues and data access controls, and outlines the architecture and major features of Oracle Label Security.
This chapter discusses the fundamental concepts of data labels and user authorizations, and introduces the terminology that will help you understand Oracle Label Security. It covers label components, label syntax and type, and explains how data labels and user authorizations work together.
This chapter presents the access controls and privileges that determine the type of access users can have to the rows affected. It introduces the concepts of session label and row label, and explains how rows are evaluated for access mediation.
This part provides the information needed by users of Oracle Label Security policies.
This chapter explains how to use Oracle Label Security features to manage labeled data. It then shows how to view and change the value of security attributes for a session.
This chapter explains the integration of Oracle Label Security features with those of Oracle Internet Directory. Enabling Oracle Label Security to take advantage of the central directory simplifies management of data labels, user labels and privileges, policies, and enterprise users across multiple databases and domains.
This part explains how to create and manage an Oracle Label Security application.
This chapter explains how to create an Oracle Label Security policy, and its underlying label components and labels.
This chapter explains how you can set authorizations for users, and grant privileges to users or stored program units by means of the available Oracle Label Security packages, or Oracle Policy Manager.
This chapter explains how to customize the enforcement of Oracle Label Security policies, and how to implement labeling functions and SQL predicates.
This chapter describes the SA_POLICY_ADMIN package, which enables you to administer policies on tables and schemas.
This chapter explains how to use trusted stored program units to enhance system security.
This chapter explains how Oracle Label Security supplements the Oracle9i audit facility by tracking use of its own administrative operations and policy privileges. It describes the SA_AUDIT_ADMIN package, which enables you to set and change the policy auditing options.
This chapter describes special considerations for using Oracle Label Security in a distributed configuration.
The standard Oracle9i utilities can be used under Oracle Label Security, but certain restrictions apply, and extra steps may be required to get the expected results. This chapter describes these special considerations.
This chapter discusses the Oracle Label Security implementation of releasability using inverse groups.
This appendix describes dominance relationships, and other ways in which the relationships between labels can be analyzed. It also describes the OCI interface for setting session labels.
This appendix documents the MAX_LABEL_POLICIES initialization parameter, the Oracle Label Security data dictionary tables, and Oracle Label Security restrictions.
For more information, see these Oracle resources:
Many of the examples in the documentation set use the sample schemas of the seed database, which is installed by default when you install Oracle. Refer to Oracle Database Sample Schemas for information on how these schemas were created and how you can use them yourself.
In North America, printed documentation is available for sale in the Oracle Store at
http://oraclestore.oracle.com/
Other customers can contact their Oracle representative to purchase printed documentation.
To download free release notes, installation documentation, white papers, or other collateral, please visit the Oracle Technology Network (OTN). You must register online before using OTN; registration is free and can be done at
http://otn.oracle.com/admin/account/membership.html
If you already have a username and password for OTN, then you can go directly to the documentation section of the OTN Web site at
http://otn.oracle.com/docs/index.htm
This section describes the conventions used in the text and code examples of this documentation set. It describes:
We use various conventions in text to help you more quickly identify special terms. The following table describes those conventions and provides examples of their use.
Code examples illustrate SQL, PL/SQL, SQL*Plus, or other command-line statements. They are displayed in a monospace (fixed-width) font and separated from normal text as shown in this example:
SELECT username FROM dba_users WHERE username = 'MIGRATE';
The following table describes typographic conventions used in code examples and provides examples of their use.