Skip Headers

Oracle® Label Security Administrator's Guide
10g Release 1 (10.1)
Part Number B 10774-01
Go to Documentation Home
Home		 Go to Book List
Book List		 Go to Table of Contents
Contents		 Go to Index
Index		 Go to Master Index
Master Index		 Go to Feedback page
Feedback
Go to previo us page
Previous		 Go to next page
Next
 View PDF

9
Applying Policies to Tables and Schemas

This chapter describes the SA_POLICY_ADMIN package, which enables you to administer policies on tables and schemas. It contains t hese sections:

Policy Administration Terminology

When you apply a policy to a table, the policy is automatically enabled. T o disable a policy is to turn off its protections, although it is still applied to the table. To enable a policy is to turn on and enforce its protections for a particular table or schema.

< p class="BP">To remove a policy is to take it entirely away from the table or schema. Note, however, that the policy label column and labels remain in the table unless you explicitly drop them.

You ca n alter the default policy enforcement options for future tables that may be created in a schema. This does n ot, however, affect policy enforcement options on existing tables in the schema.

To change the enforcement options on an existing table, you must first remove the policy from the table, make the desir ed changes, and then re-apply the policy to the table.

See Also:

"Choosing Policy Options"



Subscribing Policies in Directory -Enabled Label Security

In directory-enabled Oracle Label Security ( OLS), a policy must be subscribed before it can be applied (by APPLY_TABLE_POLICY or APPLY_SCHEMA_POLICY). In a standalone OLS instal lation, the latter functions can be used directly without the need to subscribe.

You subscr ibe a policy by using SA_POLICY_ADMIN.POLICY_SUBSCRIBE, as described in the next section.

S uch a policy cannot be dropped unless it has been removed from any table or schema to which it was applied, and then has been unsubsc ribed.

You unsubscribe a policy by using SA_POLICY_ADMIN.POLICY_UNSUBSCRIBE as described in a subsequent section.

Subscribing to a Policy with SA_POLICY_ADMIN.POLICY_SUBSCRIBE

In an OID-enabled OLS configuration, use the POLICY_SUBSCRIBE procedure to subscribe to the policy for usage in APPLY_TABLE_P OLICY and APPLY_SCHEMA_POLICY. This procedure must be invoked for a policy before that policy can be applied to a table or schema. Su bscribing is needed only once, not for each use of the policy in a table or schema.

PROCEDURE POLICY_SUBSCRIBE(
  policy_name     IN VARCHAR2);

where policy_name specifies an existing policy.

< /a>
Note::

This procedure needs to be used before policy usage only in the case of OID-enabled OLS configuration. In the standalone OLS case, the po licy can be used in APPLY_TABLE_POLICY, APPLY_SCHEMA_POLICY directly without the need to subscribe.
Example:

The following statement subscribes the database to the HUMAN_RESOURCES p olicy so that it can used by applying on tables and schema.

SA_POLICY_ADMIN.POLICY_SUBSCRI
BE('human_resources');

Unsubscribing to a Policy with SA_POLICY_ADMIN.POLICY_UNSUBSCRIBE

In an OID-enabled OLS configuration, use the POLICY_UNSUBSCRIBE procedure to unsubscribe to the policy. This procedure can be used only if the policy is not in use, that is, it has not been applied to any table or schema. (If it has been applied to tables or schemas, it must be removed from all of them before it can be unsubscribed.) A policy can be dropped i n OID (olsadmintool droppolicy in Appendix B) only if is not subscribed in any of the databases that have registered with that OID.

Syntax

PROCEDURE POLICY_UNSUBSCRIBE(
  policy_name  IN
VARCHAR2);

where policy_name specifies an existing policy.

Example:

The following statement unsubscribes the dat abase to the HUMAN_RESOURCES policy.

SA_POLICY_ADMIN.POLICY_UNSUBSCRIBE('human_resources')
;

Poli cy Administration Functions for Tables and Schemas

Two sets of funct ions are available to administer Oracle Label Security policies:

Schema-level functions are provided for convenience. No te, however, that administrative operations that you perform at the table level will override operations performed at the schema leve l.

Table 9-1 Policy Administration Functions
< th class="Formal" align="left" valign="bottom" scope="col">

Schema-Level Function

Purpose

Table-Level Function

Apply policy

APPLY_TABLE_POLICY

APPLY_SCHEMA_POLICY

Alter policy

Not applicable

ALT ER_SCHEMA_POLICY

Disable policy

DISABLE_TABLE_POLICY

DISABLE_SCHEMA_POLICY

Re-enable policy

ENABLE_T ABLE_POLICY

ENABLE_SCHEMA_POLICY

Remove policy

REMOVE_TABLE_POLICY

REMOVE_SCHEMA_POL ICY



To perform these functions with Oracle Policy Mana ger, go to Oracle Label Security Policies--> policyname -->Protected Objects. Select either Schemas or Tables, and use the corresponding property sheet.

Note:

You sh ould restrict access to application tables when using Oracle Policy Manager to change enforcement options. This is because Oracle Pol icy Manager must remove the policy in order to make such changes, and then re-apply the policy after the changes have been made.

Administering Policies on Tables Using SA_POLICY_ADMIN

To administer policies on tables, a user must have EXECUTE privilege for the SA_POLICY_ADMIN package, and must have been granted t he policy_DBA role. Authorized users can also perform these functions with the Oracle Policy Manager. This se ction contains these topics:

Applying a Policy with SA_POLICY_ADMIN.APPLY_TABLE_POLICY

Use the APPLY_TABLE_POLICY proced ure to add the specified policy to a table. A policy label column is added to the table if it does not exist, and is set to NULL. Whe n a policy is applied, it is automatically enabled. To change the table options, labeling function, or predicate, you must first remo ve the policy, then re-apply it.

Syntax

PROCEDU
RE APPLY_TABLE_POLICY (
  policy_name       IN VARCHAR2,
  schema_name       IN VARCHAR2,

  table_name        IN VARCHAR2,
  table_options     IN VARCHAR2 DEFAULT NULL,
  label_function    IN VARCHAR2 DEFAULT NULL,
  predicate         IN VARCHAR2 DEFAULT NULL);
Parameter Specifies

policy_name

An existing policy

schema_name< /em>

The schema that contains the table

table_name

The table to be controlled by the policy

table_options< /p>

A comma-delimited list of policy enforcement options to be used f or the table. If NULL, then the policy's default options are used.

label_function

A string invoking a function to return a label value to use as the default. For example, my_label( :new.dept,:new.status) computes the label based on the new values of the DEPT and STATUS columns in the row.

predicate< /em>

An additional predicate to combine (using AND or OR) with th e label-based predicate for READ_CONTROL

Example:

The following statement applies the HUMAN_RESOURCES policy to the EMP table in the SA_DEMO schema.

< pre class="CE">SA_POLICY_ADMIN.APPLY_TABLE_POLICY('human_resources', 'sa_demo','emp','no _control');

Removing a Policy with SA_POLICY_ADMIN.REMOVE_TABLE_POLICY

The REMOVE_TABLE_POLICY procedure removes the specified policy from a table. The policy predicate and any DML tri ggers will be removed from the table, and the policy label column can optionally be dropped. Policies can be removed from tables belo nging to a schema that is protected by the policy.

Syntax

PROCEDURE REMOVE_TA
BLE_POLICY (
policy_name        IN VARCHAR2,
schema_name        IN VARCHAR2,
table_name         IN VARCHAR2,
  drop_column      IN BOOLEAN DEFAULT FALSE);
< tr class="Informal" align="left" valign="top">
Parameter Specifies

policy_n ame

An existing policy

schema_name

The schema that contains the table

table_name

The table

drop_column

Whether the column is to be dropped: if TRUE, the policy's column will be dropped from the table; otherwise, it will remain.

Example:

The following statement removes the HUMAN_RESOURCES policy from the EMP table in the SA_DEMO schema:

SA_POLICY_ADMIN.REMOVE_TABLE_POLICY('human_resources','sa_demo','emp');

Disabling a Policy with SA_POLICY_ADMIN.DISABLE_TABLE_POLICY

The DISABLE_TABLE_POLICY procedure disables the enforcement of the policy for the specified table without changing the enforcement options, labeling function, or predicate values. It removes the RLS p redicate and DML triggers from the table.

Syntax

PROCEDURE DISABLE_TABLE_POLI
CY (
  policy_name      IN VARCHAR2,
  schema_name      IN VARCHAR2,
  table_name       IN VARCHAR2);
Parameter Specifies

policy_name

An existing policy

schema_name

The schema that cont ains the table

table_name

The table

Example:

The following statement disab les the HUMAN_RESOURCES policy on the EMP table in the SA_DEMO schema:

SA_POLICY_ADMIN.DISA
BLE_TABLE_POLICY('human_resources','sa_demo','emp');

Re-enabling a Policy with SA_POLICY_ADMIN.ENABLE_TABLE_POLICY

Syntax

PROCEDURE ENABLE_TABLE_POLICY (
  policy_name     IN VARCHAR2,

schema_name     IN VARCHAR2,
  table_name      IN VARCHAR2);

schema_name

Parameter Specifies

policy_name

An existing policy

The schema that contains the table

table_name

The table

Example:
< /a>

The following statement re-enables the HUMAN_RESOURCES policy on the EMP table in the SA_DEMO schema:

SA_POLICY_ADMIN.ENABLE_TABLE_POLICY('human_resources','sa_demo','emp');
< !--TOC=h1-"1011532"-->

Administering Policies on Schemas wit h SA_POLICY_ADMIN

To administer policies on schemas, a user must hav e EXECUTE privilege on the SA_POLICY_ADMIN package, and must have been granted the policy_DBA role. Authorize d users can also use the Oracle Policy Manager to perform these functions.

This section con tains these topics:

Applying a Policy with SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY

In addition to applying a polic y to individual tables, you can apply a policy at the schema level. The APPLY_SCHEMA_POLICY procedure applies the specified policy to all of the existing tables in a schema (that is, to those which do not already have the policy applied) and enables the policy for t hese tables. Then, whenever a new table is created in the schema, the policy is automatically applied to that table, using the schema 's default options. No changes are made to existing tables in the schema that already have the policy applied.

Syntax

PROCEDURE APPLY_SCHEMA_POLICY (
  policy
_name        IN VARCHAR2,
  schema_name        IN VARCHAR2,
  default_options    IN VARCH
AR2 DEFAULT NULL);
Parameter Specifies

policy_name

An existing po licy

schema_name

The schema that contains the table

default_options

The default options to be used for tab les in the schema.

If the default_options parameter is NULL, then the policy's default options will be used to apply the policy to the tables in the schema.

Altering Enforcement Optio ns: SA_POLICY_ADMIN.ALTER_SCHEMA_POLICY

The ALTER_SCHEMA_POLICY proc edure changes the default enforcement options for the policy. Any new tables created in the schema will automatically have the new en forcement options applied; existing tables in the schema are not affected.

Syntax

PROCEDURE ALTER_SCHEMA_POLICY ( policy_name IN VARCHAR2, schema_name IN VARCHAR2, default_options IN VARCHAR2); < /a>

To change enforcement options on a table (rather than a schema) you must first drop the policy from the table, make the change, and then re-apply the policy.

If you alter the enfo rcement options on a schema, this will take effect the next time a table is created in the schema. As a result, different tables with in a schema may have different policy enforcement options in force.

Removing a Policy with SA_POLICY_ADMIN.REMOVE_SCHEMA_POLICY

The REMOVE_SCHEMA_POLICY procedure removes the specified policy from a schema. The policy will be removed from all of the tables in the schema and, optionally, the label column for the policy will be dropped from al l of the tables.

Syntax

PROCEDURE REMOVE_SCHEMA_POLICY (
  policy_name     IN VARCHAR2,
  schema_name     IN VARCHAR2,
  drop_column     IN BOOL
EAN DEFAULT FALSE);
Parameter Specifies

policy_name< /em>

An existing policy

schema_name

The schema that contains the table

default_options

The default options to be used for new tables in the schema.
Parameter Specifies< /strong>

policy_name

An existing p olicy

schema_name

The schema that contains the table< /p>

drop_column

If TRUE, the policy's column will be drop ped from the tables; otherwise, the column will remain.

Disabling a Policy with SA_POLICY_ADMIN.DISABLE_SCHEMA_POLIC Y

The DISABLE_SCHEMA_POLICY procedure disables the enforcement of th e policy for all of the tables in the specified schema, without changing the enforcement options, labeling function, or predicate val ues. It removes the RLS predicate and DML triggers from all the tables in the schema.

Syntax

PROCEDURE DISABLE_SCHEMA_POLICY (
  policy_name    IN VARCHAR2,
  schema_
name    IN VARCHAR2);
Parameter Specifie s

policy_name

An existing policy

schema_name

The schema that contains the tabl e

Re-Enabling a Policy with SA_POLICY_ADMIN.ENABLE_SCHEMA_POLICY

The ENABLE_SCHEMA_POLICY procedure re-enables the current enforcement options, labeling function, and predicate for the tables in the specified schema by re-applying the RLS predicate and DML triggers.

Syntax

PROCEDURE ENABLE_TABLE_POLICY (
  policy_name    IN VARCHAR2,
  schema_name
   IN VARCHAR2);
Parameter Specifies
< p class="TB">policy_name

An existing poli cy

schema_name

The schema that contains the table

The result is like enabling a policy for a table, but it covers all tables in the schema.

Policy Issues for Schemas

Note the following aspects of using Oracle Label Security policies with schemas:

  • If you app ly a policy to an empty schema, then every time you create a table within that schema, the policy is applied. Once the policy is appl ied to the schema, the default options you choose are applied to every table added.
  • If you remove the policy from a table so that it is unprotected, and then execute SA_POLICY_ADMIN.ENABLE_SCHEMA_POLICY, the tab le will remain unprotected. If you wish to protect the table once again, you must apply the policy to the table, or re-apply the poli cy to the schema.

If you apply a policy to a schema that already contains tables prot ected by the policy, then all future tables will have the new options that were specified when you applied the policy. The existing t ables will keep the options they already had.
Go to previous page
Previous		 Go to next page
Next
Oracle
Copyright © 2000, 2003 Oracle Corporation
All Ri ghts Reserved.
Go to Documentation Home
Home		 Go to Book List
Book List		 Go to Table of Contents
Con tents		 Go to Index
Index		 Go to Master Index
Master Index		 Go to Feedback page
Feedback