Contents
- Audience
- Documentation Accessibility
- Organization
- Related Documentation
- Conventions
- Computer Security and Data Access Controls
- Oracle Label Security and Security Standards
- Security Policies
- Access Control
- Discretionary Access Control
- Oracle Label Security
- How Oracle Label Security Works with Discretionary Access Control
- Oracle Label Security Architecture
- Features of Oracle Label Security
- Overview of Oracle Label Security Policy Functionality
- Oracle Enterprise Edition: Virtual Private Database Technology
- Oracle Label Security: An Out-of-the-Box Virtual Private Database
- Label Policy Features
- Data Labels
- Label Authorizations
- Policy Privileges
- Policy Enforcement Options
- Summary: Four Aspects of Label-Based Row Access
- Oracle Label Security Integration with Oracle Internet Directory
- Introduction to Label-Based Security
- Label Components
- Label Component Definitions and Valid Characters
- Levels
- Compartments
- Groups
- Industry Examples of Levels, Compartments, and Groups
- Label Syntax and Type
- How Data Labels and User Labels Work Together
- Administering Labels
- Introducing Access Mediation
- Understanding Session Label and Row Label
- The Session Label
- The Row Label
- Session Label Example
- Understanding User Authorizations
- Authorizations Set by the Administrator
- Authorized Levels
- Authorized Compartments
- Authorized Groups
- Computed Session Labels
- Evaluating Labels for Access Mediation
- Introducing Read/Write Access
- Difference Between Read and Write Operations
- Propagation of Read/Write Authorizations on Groups
- The Oracle Label Security Algorithm for Read Access
- The Oracle Label Security Algorithm for Write Access
- Using Oracle Label Security Privileges
- Privileges Defined by Oracle Label Security Policies
- Special Access Privileges
- READ
- FULL
- COMPACCESS
- PROFILE_ACCESS
- Special Row Label Privileges
- WRITEUP
- WRITEDOWN
- WRITEACROSS
- System Privileges, Object Privileges, and Policy Privileges
- Access Mediation and Views
- Access Mediation and Program Unit Execution
- Access Mediation and Policy Enforcement Options
- Working with Multiple Oracle Label Security Policies
- Multiple Oracle Label Security Policies in a Single Database
- Multiple Oracle Label Security Policies in a Distributed Environment
- The Policy Label Column and Label Tags
- The Policy Label Column
- Hiding the Policy Label Column
- Example 1: Numeric Column Datatype (NUMBER)
- Example 2: Numeric Column Datatype with Hidden Column
- Label Tags
- Manually Defining Label Tags to Order Labels
- Manually Defining Label Tags to Manipulate Data
- Automatically Generated Label Tags
- Assigning Labels to Data Rows
- Presenting the Label
- Converting a Character String to a Label Tag, with CHAR_TO_LABEL
- Converting a Label Tag to a Character String, with LABEL_TO_CHAR
- LABEL_TO_CHAR Examples
- Retrieving All Columns from a Table When Policy Label Column Is Hidden
- Filtering Data Using Labels
- Using Numeric Label Tags in WHERE Clauses
- Ordering Labeled Data Rows
- Ordering by Character Representation of Label
- Determining Upper and Lower Bounds of Labels
- Finding Least Upper Bound with LEAST_UBOUND
- Finding Greatest Lower Bound with GREATEST_LBOUND
- Merging Labels with the MERGE_LABEL Function
- Inserting Labeled Data
- Inserting Labels Using CHAR_TO_LABEL
- Inserting Labels Using Numeric Label Tag Values
- Inserting Data Without Specifying a Label
- Inserting Data When the Policy Label Column Is Hidden
- Inserting Labels Using TO_DATA_LABEL
- Changing Your Session and Row Labels with SA_SESSION
- SA_SESSION Functions to Change Session and Row Labels
- Changing the Session Label with SA_SESSION.SET_LABEL
- Changing the Row Label with SA_SESSION.SET_ROW_LABEL
- Restoring Label Defaults with SA_SESSION.RESTORE_DEFAULT_LABELS
- Saving Label Defaults with SA_SESSION.SAVE_DEFAULT_LABELS
- Viewing Session Attributes with SA_SESSION Functions
- USER_SA_SESSION View to Return All Security Attributes
- Functions to Return Individual Security Attributes
- Introducing Label Management on Oracle Internet Directory
- Configuring Oracle Internet Directory-Enabled Label Security
- Registering a Database and Configuring OID-enabled OLS
- Task 1: Configure Your Oracle Home for Directory Usage
- Task 2: Configure the Database for OID-Enabled OLS
- Alternate Method for Task 2, Configuring Database for OID-Enabled OLS
- Task 3: Set the DIP Password and Connect Data
- Unregistering a Database with OID-enabled OLS
- Oracle Label Security Profiles
- Integrated Capabilities When Label Security Uses the Directory
- Oracle Label Security Policy Attributes in Oracle Internet Directory
- Restrictions on New Data Label Creation
- Two Types of Administrators
- Bootstrapping Databases
- Synchronizing the Database and Oracle Internet Directory
- Directory Integration Platform (DIP) Provisioning Profiles
- Disabling, Changing, and Enabling a Provisioning Profile
- Security Roles and Permitted Actions
- Superseded PL/SQL Statements
- Procedures for Policy Administrators Only
- Oracle Label Security Administrative Task Overview
- Step 1: Create the Policy
- Step 2: Define the Components of the Labels
- Step 3: Identify the Set of Valid Data Labels
- Step 4: Apply the Policy to Tables and Schemas
- Step 5: Authorize Users
- Step 6: Create and Authorize Trusted Program Units (Optional)
- Step 7: Configure Auditing (Optional)
- Organizing the Duties of Oracle Label Security Administrators
- Choosing an Oracle Label Security Administrative Interface
- Oracle Label Security Packages
- Oracle Label Security Demonstration File
- Oracle Policy Manager
- Using the SA_SYSDBA Package to Manage Security Policies
- Who Can Use the SA_SYSDBA Package
- Who Can Administer a Policy
- Valid Characters for Policy Specifications
- Creating a Policy with SA_SYSDBA.CREATE_POLICY
- Modifying Policy Options with SA_SYSDBA.ALTER_POLICY
- Disabling a Policy with SA_SYSDBA.DISABLE_POLICY
- Enabling a Policy with SA_SYSDBA.ENABLE_POLICY
- Removing a Policy with SA_SYSDBA.DROP_POLICY
- Using the SA_COMPONENTS Package to Define Label Components
- Using Overloaded Procedures
- Creating a Level with SA_COMPONENTS.CREATE_LEVEL
- Modifying a Level with SA_COMPONENTS.ALTER_LEVEL
- Removing a Level with SA_COMPONENTS.DROP_LEVEL
- Creating a Compartment with SA_COMPONENTS.CREATE_COMPARTMENT
- Modifying a Compartment with SA_COMPONENTS.ALTER_COMPARTMENT
- Removing a Compartment with SA_COMPONENTS.DROP_COMPARTMENT
- Creating a Group with SA_COMPONENTS.CREATE_GROUP
- Modifying a Group with SA_COMPONENTS.ALTER_GROUP
- Modifying a Group Parent with SA_COMPONENTS.ALTER_GROUP_PARENT
- Removing a Group with SA_COMPONENTS.DROP_GROUP
- Using the SA_LABEL_ADMIN Package to Specify Valid Labels
- Creating a Valid Data Label with SA_LABEL_ADMIN.CREATE_LABEL
- Modifying a Label with SA_LABEL_ADMIN.ALTER_LABEL
- Deleting a Label with SA_LABEL_ADMIN.DROP_LABEL
- Introduction to User Label and Privilege Management
- Managing User Labels by Component, with SA_USER_ADMIN
- SA_USER_ADMIN.SET_LEVELS
- SA_USER_ADMIN.SET_COMPARTMENTS
- SA_USER_ADMIN.SET_GROUPS
- SA_USER_ADMIN.ALTER_COMPARTMENTS
- SA_USER_ADMIN.ADD_COMPARTMENTS
- SA_USER_ADMIN.DROP_COMPARTMENTS
- SA_USER_ADMIN.DROP_ALL_COMPARTMENTS
- SA_USER_ADMIN.ADD_GROUPS
- SA_USER_ADMIN.ALTER_GROUPS
- SA_USER_ADMIN.DROP_GROUPS
- SA_USER_ADMIN.DROP_ALL_GROUPS
- Managing User Labels by Label String, with SA_USER_ADMIN
- SA_USER_ADMIN.SET_USER_LABELS
- SA_USER_ADMIN.SET_DEFAULT_LABEL
- SA_USER_ADMIN.SET_ROW_LABEL
- SA_USER_ADMIN.DROP_USER_ACCESS
- Managing User Privileges with SA_USER_ADMIN.SET_USER_PRIVS
- Setting Labels & Privileges with SA_SESSION.SET_ACCESS_PROFILE
- Returning User Name with SA_SESSION.SA_USER_NAME
- Using Oracle Label Security Views
- View to Display All User Security Attributes: DBA_SA_USERS
- Views to Display User Authorizations by Component
- Choosing Policy Options
- Overview of Policy Enforcement Options
- The HIDE Policy Column Option
- The Label Management Enforcement Options
- LABEL_DEFAULT: Using the Session's Default Row Label
- LABEL_UPDATE: Changing Data Labels
- CHECK_CONTROL: Checking Data Labels
- The Access Control Enforcement Options
- READ_CONTROL: Reading Data
- WRITE_CONTROL: Writing Data
- INSERT_CONTROL, UPDATE_CONTROL, and DELETE_CONTROL
- The Overriding Enforcement Options
- Guidelines for Using the Policy Enforcement Options
- Exemptions from Oracle Label Security Policy Enforcement
- Viewing Policy Options on Tables and Schemas
- Using a Labeling Function
- Labeling Data Rows under Oracle Label Security
- Understanding Labeling Functions in Oracle Label Security Policies
- Creating a Labeling Function for a Policy
- Specifying a Labeling Function in a Policy
- Inserting Labeled Data Using Policy Options and Labeling Functions
- Evaluating Enforcement Control Options and INSERT
- Inserting Labels When a Labeling Function is Specified
- Inserting Child Rows into Tables with Declarative Referential Integrity Enabled
- Updating Labeled Data Using Policy Options and Labeling Functions
- Updating Labels Using CHAR_TO_LABEL
- Evaluating Enforcement Control Options and UPDATE
- Updating Labels When a Labeling Function Is Specified
- Updating Child Rows in Tables with Declarative Referential Integrity Enabled
- Deleting Labeled Data Using Policy Options and Labeling Functions
- Using a SQL Predicate with an Oracle Label Security Policy
- Modifying an Oracle Label Security Policy with a SQL Predicate
- Affecting Oracle Label Security Policies with Multiple SQL Predicates
- Policy Administration Terminology
- Subscribing Policies in Directory-Enabled Label Security
- Subscribing to a Policy with SA_POLICY_ADMIN.POLICY_SUBSCRIBE
- Syntax
- Unsubscribing from a Policy with SA_POLICY_ADMIN.POLICY_UNSUBSCRIBE
- Syntax
- Policy Administration Functions for Tables and Schemas
- Administering Policies on Tables Using SA_POLICY_ADMIN
- Applying a Policy with SA_POLICY_ADMIN.APPLY_TABLE_POLICY
- Syntax
- Removing a Policy with SA_POLICY_ADMIN.REMOVE_TABLE_POLICY
- Syntax
- Disabling a Policy with SA_POLICY_ADMIN.DISABLE_TABLE_POLICY
- Syntax
- Re-enabling a Policy with SA_POLICY_ADMIN.ENABLE_TABLE_POLICY
- Syntax
- Administering Policies on Schemas with SA_POLICY_ADMIN
- Applying a Policy with SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY
- Syntax
- Altering Enforcement Options: SA_POLICY_ADMIN.ALTER_SCHEMA_POLICY
- Syntax
- Removing a Policy with SA_POLICY_ADMIN.REMOVE_SCHEMA_POLICY
- Syntax
- Disabling a Policy with SA_POLICY_ADMIN.DISABLE_SCHEMA_POLICY
- Syntax
- Re-Enabling a Policy with SA_POLICY_ADMIN.ENABLE_SCHEMA_POLICY
- Syntax
- Policy Issues for Schemas
- Introduction to Trusted Stored Program Units
- How a Trusted Stored Program Unit Executes
- Trusted Stored Program Unit Example
- Managing Program Unit Privileges with SET_PROG_PRIVS
- Creating and Compiling Trusted Stored Program Units
- Creating Trusted Stored Program Units
- Setting Privileges for Trusted Stored Program Units
- Re-Compiling Trusted Stored Program Units
- Recreating Trusted Stored Program Units
- Executing Trusted Stored Program Units
- Using SA_UTL Functions to Set and Return Label Information
- Viewing Session Label and Row Label Using SA_UTL
- SA_UTL.NUMERIC_LABEL
- SA_UTL.NUMERIC_ROW_LABEL
- SA_UTL.DATA_LABEL
- Setting the Session Label and Row Label Using SA_UTL
- SA_UTL.SET_LABEL
- SA_UTL.SET_ROW_LABEL
- Returning Greatest Lower Bound and Least Upper Bound
- GREATEST_LBOUND
- LEAST_UBOUND
- Overview of Oracle Label Security Auditing
- Enabling Systemwide Auditing: AUDIT_TRAIL Initialization Parameter
- Enabling Oracle Label Security Auditing with SA_AUDIT_ADMIN
- Auditing Options for Oracle Label Security
- Enabling Oracle Label Security Auditing with SA_AUDIT_ADMIN.AUDIT
- Disabling Oracle Label Security Auditing with SA_AUDIT_ADMIN.NOAUDIT
- Examining Audit Options with the DBA_SA_AUDIT_OPTIONS View
- Managing Policy Label Auditing
- Policy Label Auditing with SA_AUDIT_ADMIN.AUDIT_LABEL
- Disabling Policy Label Auditing with SA_AUDIT_ADMIN.NOAUDIT_LABEL
- Finding Label Audit Status with AUDIT_LABEL_ENABLED
- Creating and Dropping an Audit Trail View for Oracle Label Security
- Creating a View with SA_AUDIT_ADMIN.CREATE_VIEW
- Dropping the View with SA_AUDIT_ADMIN.DROP_VIEW
- Oracle Label Security Auditing Tips
- Strategy for Setting SA_AUDIT_ADMIN Options
- Auditing Privileged Operations
- An Oracle Label Security Distributed Configuration
- Connecting to a Remote Database Under Oracle Label Security
- Establishing Session Label and Row Label for a Remote Session
- Setting Up Labels in a Distributed Environment
- Setting Label Tags in a Distributed Environment
- Setting Numeric Form of Label Components in a Distributed Environment
- Using Oracle Label Security Policies in a Distributed Environment
- Using Replication with Oracle Label Security
- Introduction to Replication Under Oracle Label Security
- Replication Functionality Supported by Oracle Label Security
- Row Level Security Restriction on Replication Under Oracle Label Security
- Contents of a Materialized View
- How Materialized View Contents Are Determined
- Complete Materialized Views
- Partial Materialized Views
- Requirements for Creating Materialized Views Under Oracle Label Security
- Requirements for the REPADMIN Account
- Requirements for the Owner of the Materialized View
- Requirements for Creating Partial Multilevel Materialized Views
- Requirements for Creating Complete Multilevel Materialized Views
- How to Refresh Materialized Views
- Using the Export Utility with Oracle Label Security
- Using the Import Utility with Oracle Label Security
- Requirements for Import Under Oracle Label Security
- Preparing the Import Database
- Verifying Import User Authorizations
- Defining Data Labels for Import
- Importing Labeled Data Without Installing Oracle Label Security
- Importing Unlabeled Data
- Importing Tables with Hidden Columns
- Using SQL*Loader with Oracle Label Security
- Requirements for Using SQL*Loader Under Oracle Label Security
- Oracle Label Security Input to SQL*Loader
- Performance Tips for Oracle Label Security
- Using ANALYZE to Improve Oracle Label Security Performance
- Creating Indexes on the Policy Label Column
- Planning a Label Tag Strategy to Enhance Performance
- Partitioning Data Based on Numeric Label Tags
- Creating Additional Databases After Installation
- Introduction to Inverse Groups and Releasability
- Comparing Standard Groups and Inverse Groups
- How Inverse Groups Work
- Implementing Inverse Groups with the INVERSE_GROUP Enforcement Option
- Inverse Groups and Label Components
- Computed Labels with Inverse Groups
- Computed Session Labels with Inverse Groups
- Inverse Groups and Computed Max Read Groups and Max Write Groups
- Inverse Groups and Hierarchical Structure
- Inverse Groups and User Privileges
- Algorithm for Read Access with Inverse Groups
- Algorithm for Write Access with Inverse Groups
- Algorithms for COMPACCESS Privilege with Inverse Groups
- Session Labels and Inverse Groups
- Setting Initial Session/Row Labels for Standard or Inverse Groups
- Standard Groups: Rules for Changing Initial Session/Row Labels
- Inverse Groups: Rules for Changing Initial Session/Row Labels
- Setting Current Session/Row Labels for Standard or Inverse Groups
- Standard Groups: Rules for Changing Current Session/Row Labels
- Inverse Groups: Rules for Changing Current Session/Row Labels
- Examples of Session Labels and Inverse Groups
- Inverse Groups Example 1
- Inverse Groups Example 2
- Changes in Behavior of Procedures with Inverse Groups
- SA_SYSDBA.CREATE_POLICY with Inverse Groups
- SA_SYSDBA.ALTER_POLICY with Inverse Groups
- SA_USER_ADMIN.ADD_GROUPS with Inverse Groups
- SA_USER_ADMIN.ALTER_GROUPS with Inverse Groups
- SA_USER_ADMIN.SET_GROUPS with Inverse Groups
- SA_USER_ADMIN.SET_USER_LABELS with Inverse Groups
- SA_USER_ADMIN.SET_DEFAULT_LABEL with Inverse Groups
- SA_USER_ADMIN.SET_ROW_LABEL with Inverse Groups
- SA_COMPONENTS.CREATE_GROUP with Inverse Groups
- SA_COMPONENTS.ALTER_GROUP_PARENT with Inverse Groups
- SA_SESSION.SET_LABEL with Inverse Groups
- SA_SESSION.SET_ROW_LABEL with Inverse Groups
- LEAST_UBOUND with Inverse Groups
- GREATEST_LBOUND with Inverse Groups
- Dominance Rules for Labels with Inverse Groups
- Analyzing the Relationships Between Labels
- Dominant and Dominated Labels
- Non-Comparable Labels
- Using Dominance Functions
- DOMINATES Standalone Function
- STRICTLY_DOMINATES Standalone Function
- DOMINATED_BY Standalone Function
- STRICTLY_DOMINATED_BY Standalone Function
- SA_UTL.DOMINATES
- SA_UTL.STRICTLY_DOMINATES
- SA_UTL.DOMINATED_BY
- SA_UTL.STRICTLY_DOMINATED_BY
- OCI Interface for Setting Session Labels
- OCIAttrSet
- OCIAttrGet
- OCIParamGet
- OCIAttrSet
- OCI Example
- Command Explanations
- Relating Parameters to Commands for olsadmintool
- Summaries
- Examples of Using olsadmintool
- Make Other Users Policy Creators
- Create Policies With Valid Options
- Create Policy Administrators
- Create Some Levels
- Create Some Compartments
- Create Some Groups
- Create Some Labels
- Create A Profile
- Add A User To The Above Profile
- Add Another User To The Above Profile
- Set Some Audit Options
- Results of These Examples
- Oracle Label Security Data Dictionary Tables and Views
- Oracle9i Data Dictionary Tables
- Oracle Label Security Data Dictionary Views
- ALL_SA_AUDIT_OPTIONS
- ALL_SA_COMPARTMENTS
- ALL_SA_DATA_LABELS
- ALL_SA_GROUPS
- ALL_SA_LABELS
- ALL_SA_LEVELS
- ALL_SA_POLICIES
- ALL_SA_PROG_PRIVS
- ALL_SA_SCHEMA_POLICIES
- ALL_SA_TABLE_POLICIES
- ALL_SA_USERS
- ALL_SA_USER_LABELS
- ALL_SA_USER_LEVELS
- ALL_SA_USER_PRIVS
- DBA_SA_AUDIT_OPTIONS
- DBA_SA_COMPARTMENTS
- DBA_SA_DATA_LABELS
- DBA_SA_GROUPS
- DBA_SA_GROUP_HIERARCHY
- DBA_SA_LABELS
- DBA_SA_LEVELS
- DBA_SA_POLICIES
- DBA_SA_PROG_PRIVS
- DBA_SA_SCHEMA_POLICIES
- DBA_SA_TABLE_POLICIES
- DBA_SA_USERS
- DBA_SA_USER_COMPARTMENTS
- DBA_SA_USER_GROUPS
- DBA_SA_USER_LABELS
- DBA_SA_USER_LEVELS
- DBA_SA_USER_PRIVS
- Oracle Label Security Auditing Views
- Restrictions in Oracle Label Security
- CREATE TABLE AS SELECT Restriction in Oracle Label Security
- Label Tag Restriction
- Export Restriction in Oracle Label Security
- Oracle Label Security Deinstallation Restriction
- Shared Schema Support
- Hidden Columns Restriction
- Installing Oracle Label Security
- Oracle Label Security and the SYS.AUD$ Table
- Removing Oracle Label Security