
Oracle® Label Security Administrator's Guide
10g Release 1 (10.1)

Part Number B10774-01

Contents

Title and Copyright Information

Send Us Your Comments

Preface

Audience
Documentation Accessibility
Organization
Related Documentation
Conventions

1 Introduction to Oracle Label Security

Computer Security and Data Access Controls
Oracle Label Security and Security Standards
Security Policies
Access Control
Discretionary Access Control
Oracle Label Security
How Oracle Label Security Works with Discretionary Access Control
Oracle Label Security Architecture
Features of Oracle Label Security
Overview of Oracle Label Security Policy Functionality
Oracle Enterprise Edition: Virtual Private Database Technology
Oracle Label Security: An Out-of-the-Box Virtual Private Database
Label Policy Features
Data Labels
Label Authorizations
Policy Privileges
Policy Enforcement Options
Summary: Four Aspects of Label-Based Row Access
Oracle Label Security Integration with Oracle Internet Directory

2 Understanding Data Labels and User Labels

Introduction to Label-Based Security
Label Components
Label Component Definitions and Valid Characters
Levels
Compartments
Groups
Industry Examples of Levels, Compartments, and Groups
Label Syntax and Type
How Data Labels and User Labels Work Together
Administering Labels

3 Understanding Access Controls and Privileges

Introducing Access Mediation
Understanding Session Label and Row Label
The Session Label
The Row Label
Session Label Example
Understanding User Authorizations
Authorizations Set by the Administrator
Authorized Levels
Authorized Compartments
Authorized Groups
Computed Session Labels
Evaluating Labels for Access Mediation
Introducing Read/Write Access
Difference Between Read and Write Operations
Propagation of Read/Write Authorizations on Groups
The Oracle Label Security Algorithm for Read Access
The Oracle Label Security Algorithm for Write Access
Using Oracle Label Security Privileges
Privileges Defined by Oracle Label Security Policies
Special Access Privileges
READ
FULL
COMPACCESS
PROFILE_ACCESS
Special Row Label Privileges
WRITEUP
WRITEDOWN
WRITEACROSS
System Privileges, Object Privileges, and Policy Privileges
Access Mediation and Views
Access Mediation and Program Unit Execution
Access Mediation and Policy Enforcement Options
Working with Multiple Oracle Label Security Policies
Multiple Oracle Label Security Policies in a Single Database
Multiple Oracle Label Security Policies in a Distributed Environment

4 Working with Labeled Data

The Policy Label Column and Label Tags
The Policy Label Column
Hiding the Policy Label Column
Example 1: Numeric Column Datatype (NUMBER)
Example 2: Numeric Column Datatype with Hidden Column
Label Tags
Manually Defining Label Tags to Order Labels
Manually Defining Label Tags to Manipulate Data
Automatically Generated Label Tags
Assigning Labels to Data Rows
Presenting the Label
Converting a Character String to a Label Tag, with CHAR_TO_LABEL
Converting a Label Tag to a Character String, with LABEL_TO_CHAR
LABEL_TO_CHAR Examples
Retrieving All Columns from a Table When Policy Label Column Is Hidden
Filtering Data Using Labels
Using Numeric Label Tags in WHERE Clauses
Ordering Labeled Data Rows
Ordering by Character Representation of Label
Determining Upper and Lower Bounds of Labels
Finding Least Upper Bound with LEAST_UBOUND
Finding Greatest Lower Bound with GREATEST_LBOUND
Merging Labels with the MERGE_LABEL Function
Inserting Labeled Data
Inserting Labels Using CHAR_TO_LABEL
Inserting Labels Using Numeric Label Tag Values
Inserting Data Without Specifying a Label
Inserting Data When the Policy Label Column Is Hidden
Inserting Labels Using TO_DATA_LABEL
Changing Your Session and Row Labels with SA_SESSION
SA_SESSION Functions to Change Session and Row Labels
Changing the Session Label with SA_SESSION.SET_LABEL
Changing the Row Label with SA_SESSION.SET_ROW_LABEL
Restoring Label Defaults with SA_SESSION.RESTORE_DEFAULT_LABELS
Saving Label Defaults with SA_SESSION.SAVE_DEFAULT_LABELS
Viewing Session Attributes with SA_SESSION Functions
USER_SA_SESSION View to Return All Security Attributes
Functions to Return Individual Security Attributes

5 Oracle Label Security Using Oracle Internet Directory

Introducing Label Management on Oracle Internet Directory
Configuring Oracle Internet Directory-Enabled Label Security
Registering a Database and Configuring OID-enabled OLS
Task 1. Configure Your Oracle Home for Directory Usage.
Task 2: Configure the Database for OID-Enabled OLS
Alternate Method for Task 2, Configuring Database for OID-Enabled OLS
Task 3: Set the DIP Password and Connect Data
Unregistering a Database with OID-enabled OLS
Oracle Label Security Profiles
Integrated Capabilities When Label Security Uses the Directory
Oracle Label Security Policy Attributes in Oracle Internet Directory
Restrictions on New Data Label Creation
Two Types of Administrators
Bootstrapping Databases
Synchronizing the Database and Oracle Internet Directory
Directory Integration Platform (DIP) Provisioning Profiles
Disabling, Changing, and Enabling a Provisioning Profile
Security Roles and Permitted Actions
Superseded PL/SQL Statements
Procedures for Policy Administrators Only

6 Creating an Oracle Label Security Policy

Oracle Label Security Administrative Task Overview
Step 1: Create the Policy
Step 2: Define the Components of the Labels
Step 3: Identify the Set of Valid Data Labels
Step 4: Apply the Policy to Tables and Schemas
Step 5: Authorize Users
Step 6: Create and Authorize Trusted Program Units (Optional)
Step 7: Configure Auditing (Optional)
Organizing the Duties of Oracle Label Security Administrators
Choosing an Oracle Label Security Administrative Interface
Oracle Label Security Packages
Oracle Label Security Demonstration File
Oracle Policy Manager
Using the SA_SYSDBA Package to Manage Security Policies
Who Can Use the SA_SYSDBA Package
Who Can Administer a Policy
Valid Characters for Policy Specifications
Creating a Policy with SA_SYSDBA.CREATE_POLICY
Modifying Policy Options with SA_SYSDBA.ALTER_POLICY
Disabling a Policy with SA_SYSDBA.DISABLE_POLICY
Enabling a Policy with SA_SYSDBA.ENABLE_POLICY
Removing a Policy with SA_SYSDBA.DROP_POLICY
Using the SA_COMPONENTS Package to Define Label Components
Using Overloaded Procedures
Creating a Level with SA_COMPONENTS.CREATE_LEVEL
Modifying a Level with SA_COMPONENTS.ALTER_LEVEL
Removing a Level with SA_COMPONENTS.DROP_LEVEL
Creating a Compartment with SA_COMPONENTS.CREATE_COMPARTMENT
Modifying a Compartment with SA_COMPONENTS.ALTER_COMPARTMENT
Removing a Compartment with SA_COMPONENTS.DROP_COMPARTMENT
Creating a Group with SA_COMPONENTS.CREATE_GROUP
Modifying a Group with SA_COMPONENTS.ALTER_GROUP
Modifying a Group Parent with SA_COMPONENTS.ALTER_GROUP_PARENT
Removing a Group with SA_COMPONENTS.DROP_GROUP
Using the SA_LABEL_ADMIN Package to Specify Valid Labels
Creating a Valid Data Label with SA_LABEL_ADMIN.CREATE_LABEL
Modifying a Label with SA_LABEL_ADMIN.ALTER_LABEL
Deleting a Label with SA_LABEL_ADMIN.DROP_LABEL

7 Administering User Labels and Privileges

Introduction to User Label and Privilege Management
Managing User Labels by Component, with SA_USER_ADMIN
SA_USER_ADMIN.SET_LEVELS
SA_USER_ADMIN.SET_COMPARTMENTS
SA_USER_ADMIN.SET_GROUPS
SA_USER_ADMIN.ALTER_COMPARTMENTS
SA_USER_ADMIN.ADD_COMPARTMENTS
SA_USER_ADMIN.DROP_COMPARTMENTS
SA_USER_ADMIN.DROP_ALL_COMPARTMENTS
SA_USER_ADMIN.ADD_GROUPS
SA_USER_ADMIN.ALTER_GROUPS
SA_USER_ADMIN.DROP_GROUPS
SA_USER_ADMIN.DROP_ALL_GROUPS
Managing User Labels by Label String, with SA_USER_ADMIN
SA_USER_ADMIN.SET_USER_LABELS
SA_USER_ADMIN.SET_DEFAULT_LABEL
SA_USER_ADMIN.SET_ROW_LABEL
SA_USER_ADMIN.DROP_USER_ACCESS
Managing User Privileges with SA_USER_ADMIN.SET_USER_PRIVS
Setting Labels & Privileges with SA_SESSION.SET_ACCESS_PROFILE
Returning User Name with SA_SESSION.SA_USER_NAME
Using Oracle Label Security Views
View to Display All User Security Attributes: DBA_SA_USERS
Views to Display User Authorizations by Component

8 Implementing Policy Enforcement Options and Labeling Functions

Choosing Policy Options
Overview of Policy Enforcement Options
The HIDE Policy Column Option
The Label Management Enforcement Options
LABEL_DEFAULT: Using the Session's Default Row Label
LABEL_UPDATE: Changing Data Labels
CHECK_CONTROL: Checking Data Labels
The Access Control Enforcement Options
READ_CONTROL: Reading Data
WRITE_CONTROL: Writing Data
INSERT_CONTROL, UPDATE_CONTROL, and DELETE_CONTROL
The Overriding Enforcement Options
Guidelines for Using the Policy Enforcement Options
Exemptions from Oracle Label Security Policy Enforcement
Viewing Policy Options on Tables and Schemas
Using a Labeling Function
Labeling Data Rows under Oracle Label Security
Understanding Labeling Functions in Oracle Label Security Policies
Creating a Labeling Function for a Policy
Specifying a Labeling Function in a Policy
Inserting Labeled Data Using Policy Options and Labeling Functions
Evaluating Enforcement Control Options and INSERT
Inserting Labels When a Labeling Function is Specified
Inserting Child Rows into Tables with Declarative Referential Integrity Enabled
Updating Labeled Data Using Policy Options and Labeling Functions
Updating Labels Using CHAR_TO_LABEL
Evaluating Enforcement Control Options and UPDATE
Updating Labels When a Labeling Function Is Specified
Updating Child Rows in Tables with Declarative Referential Integrity Enabled
Deleting Labeled Data Using Policy Options and Labeling Functions
Using a SQL Predicate with an Oracle Label Security Policy
Modifying an Oracle Label Security Policy with a SQL Predicate
Affecting Oracle Label Security Policies with Multiple SQL Predicates

9 Applying Policies to Tables and Schemas

Policy Administration Terminology
Subscribing Policies in Directory-Enabled Label Security
Subscribing to a Policy with SA_POLICY_ADMIN.POLICY_SUBSCRIBE
Syntax
Unsubscribing to a Policy with SA_POLICY_ADMIN.POLICY_UNSUBSCRIBE
Syntax
Policy Administration Functions for Tables and Schemas
Administering Policies on Tables Using SA_POLICY_ADMIN
Applying a Policy with SA_POLICY_ADMIN.APPLY_TABLE_POLICY
Syntax
Removing a Policy with SA_POLICY_ADMIN.REMOVE_TABLE_POLICY
Syntax
Disabling a Policy with SA_POLICY_ADMIN.DISABLE_TABLE_POLICY
Syntax
Re-enabling a Policy with SA_POLICY_ADMIN.ENABLE_TABLE_POLICY
Syntax
Administering Policies on Schemas with SA_POLICY_ADMIN
Applying a Policy with SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY
Syntax
Altering Enforcement Options: SA_POLICY_ADMIN.ALTER_SCHEMA_POLICY
Syntax
Removing a Policy with SA_POLICY_ADMIN.REMOVE_SCHEMA_POLICY
Syntax
Disabling a Policy with SA_POLICY_ADMIN.DISABLE_SCHEMA_POLICY
Syntax
Re-Enabling a Policy with SA_POLICY_ADMIN.ENABLE_SCHEMA_POLICY
Syntax
Policy Issues for Schemas

10 Administering and Using Trusted Stored Program Units

Introduction to Trusted Stored Program Units
How a Trusted Stored Program Unit Executes
Trusted Stored Program Unit Example
Managing Program Unit Privileges with SET_PROG_PRIVS
Creating and Compiling Trusted Stored Program Units
Creating Trusted Stored Program Units
Setting Privileges for Trusted Stored Program Units
Re-Compiling Trusted Stored Program Units
Recreating Trusted Stored Program Units
Executing Trusted Stored Program Units
Using SA_UTL Functions to Set and Return Label Information
Viewing Session Label and Row Label Using SA_UTL
SA_UTL.NUMERIC_LABEL
SA_UTL.NUMERIC_ROW_LABEL
SA_UTL.DATA_LABEL
Setting the Session Label and Row Label Using SA_UTL
SA_UTL.SET_LABEL
SA_UTL.SET_ROW_LABEL
Returning Greatest Lower Bound and Least Upper Bound
GREATEST_LBOUND
LEAST_UBOUND

11 Auditing Under Oracle Label Security

Overview of Oracle Label Security Auditing
Enabling Systemwide Auditing: AUDIT_TRAIL Initialization Parameter
Enabling Oracle Label Security Auditing with SA_AUDIT_ADMIN
Auditing Options for Oracle Label Security
Enabling Oracle Label Security Auditing with SA_AUDIT_ADMIN.AUDIT
Disabling Oracle Label Security Auditing with SA_AUDIT_ADMIN.NOAUDIT
Examining Audit Options with the DBA_SA_AUDIT_OPTIONS View
Managing Policy Label Auditing
Policy Label Auditing with SA_AUDIT_ADMIN.AUDIT_LABEL
Disabling Policy Label Auditing with SA_AUDIT_ADMIN.NOAUDIT_LABEL
Finding Label Audit Status with AUDIT_LABEL_ENABLED
Creating and Dropping an Audit Trail View for Oracle Label Security
Creating a View with SA_AUDIT_ADMIN.CREATE_VIEW
Dropping the View with SA_AUDIT_ADMIN.DROP_VIEW
Oracle Label Security Auditing Tips
Strategy for Setting SA_AUDIT_ADMIN Options
Auditing Privileged Operations

12 Using Oracle Label Security with a Distributed Database

An Oracle Label Security Distributed Configuration
Connecting to a Remote Database Under Oracle Label Security
Establishing Session Label and Row Label for a Remote Session
Setting Up Labels in a Distributed Environment
Setting Label Tags in a Distributed Environment
Setting Numeric Form of Label Components in a Distributed Environment
Using Oracle Label Security Policies in a Distributed Environment
Using Replication with Oracle Label Security
Introduction to Replication Under Oracle Label Security
Replication Functionality Supported by Oracle Label Security
Row Level Security Restriction on Replication Under Oracle Label Security
Contents of a Materialized View
How Materialized View Contents Are Determined
Complete Materialized Views
Partial Materialized Views
Requirements for Creating Materialized Views Under Oracle Label Security
Requirements for the REPADMIN Account
Requirements for the Owner of the Materialized View
Requirements for Creating Partial Multilevel Materialized Views
Requirements for Creating Complete Multilevel Materialized Views
How to Refresh Materialized Views

13 Performing DBA Functions Under Oracle Label Security

Using the Export Utility with Oracle Label Security
Using the Import Utility with Oracle Label Security
Requirements for Import Under Oracle Label Security
Preparing the Import Database
Verifying Import User Authorizations
Defining Data Labels for Import
Importing Labeled Data Without Installing Oracle Label Security
Importing Unlabeled Data
Importing Tables with Hidden Columns
Using SQL*Loader with Oracle Label Security
Requirements for Using SQL*Loader Under Oracle Label Security
Oracle Label Security Input to SQL*Loader
Performance Tips for Oracle Label Security
Using ANALYZE to Improve Oracle Label Security Performance
Creating Indexes on the Policy Label Column
Planning a Label Tag Strategy to Enhance Performance
Partitioning Data Based on Numeric Label Tags
Creating Additional Databases After Installation

14 Releasability Using Inverse Groups

Introduction to Inverse Groups and Releasability
Comparing Standard Groups and Inverse Groups
How Inverse Groups Work
Implementing Inverse Groups with the INVERSE_GROUP Enforcement Option
Inverse Groups and Label Components
Computed Labels with Inverse Groups
Computed Session Labels with Inverse Groups
Inverse Groups and Computed Max Read Groups and Max Write Groups
Inverse Groups and Hierarchical Structure
Inverse Groups and User Privileges
Algorithm for Read Access with Inverse Groups
Algorithm for Write Access with Inverse Groups
Algorithms for COMPACCESS Privilege with Inverse Groups
Session Labels and Inverse Groups
Setting Initial Session/Row Labels for Standard or Inverse Groups
Standard Groups: Rules for Changing Initial Session/Row Labels
Inverse Groups: Rules for Changing Initial Session/Row Labels
Setting Current Session/Row Labels for Standard or Inverse Groups
Standard Groups: Rules for Changing Current Session/Row Labels
Inverse Groups: Rules for Changing Current Session/Row Labels
Examples of Session Labels and Inverse Groups
Inverse Groups Example 1
Inverse Groups Example 2
Changes in Behavior of Procedures with Inverse Groups
SYSDBA.CREATE_POLICY with Inverse Groups
SYSDBA.ALTER_POLICY with Inverse Groups
SA_USER_ADMIN.ADD_GROUPS with Inverse Groups
SA_USER_ADMIN.ALTER_GROUPS with Inverse Groups
SA_USER_ADMIN.SET_GROUPS with Inverse Groups
SA_USER_ADMIN.SET_USER_LABELS with Inverse Groups
SA_USER_ADMIN.SET_DEFAULT_LABEL with Inverse Groups
SA_USER_ADMIN.SET_ROW_LABEL with Inverse Groups
SA_COMPONENTS.CREATE_GROUP with Inverse Groups
SA_COMPONENTS.ALTER_GROUP_PARENT with Inverse Groups
SA_SESSION.SET_LABEL with Inverse Groups
SA_SESSION.SET_ROW_LABEL with Inverse Groups
LEAST_UBOUND with Inverse Groups
GREATEST_LBOUND with Inverse Groups
Dominance Rules for Labels with Inverse Groups

A Advanced Topics in Oracle Label Security

Analyzing the Relationships Between Labels
Dominant and Dominated Labels
Non-Comparable Labels
Using Dominance Functions
DOMINATES Standalone Function
STRICTLY_DOMINATES Standalone Function
DOMINATED_BY Standalone Function
STRICTLY_DOMINATED_BY Standalone Function
SA_UTL.DOMINATES
SA_UTL.STRICTLY_DOMINATES
SA_UTL.DOMINATED_BY
SA_UTL.STRICTLY_DOMINATED_BY
OCI Interface for Setting Session Labels
OCIAttrSet
OCIAttrGet
OCIParamGet
OCIAttrSet
OCI Example

B Command-line Tools for Label Security Using Oracle Internet Directory

Command Explanations
Relating Parameters to Commands for olsadmintool
Summaries
Examples of Using olsadmintool
Make Other Users Policy Creators
Create Policies With Valid Options
Create Policy Administrators
Create Some Levels
Create Some Compartments
Create Some Groups
Create Some Labels
Create A Profile
Add A User To The Above Profile
Add Another User To The Above Profile
Set Some Audit Options
Results of These Examples

C Reference

Oracle Label Security Data Dictionary Tables and Views
Oracle9i Data Dictionary Tables
Oracle Label Security Data Dictionary Views
ALL_SA_AUDIT_OPTIONS
ALL_SA_COMPARTMENTS
ALL_SA_DATA_LABELS
ALL_SA_GROUPS
ALL_SA_LABELS
ALL_SA_LEVELS
ALL_SA_POLICIES
ALL_SA_PROG_PRIVS
ALL_SA_SCHEMA_POLICIES
ALL_SA_TABLE_POLICIES
ALL_SA_USERS
ALL_SA_USER_LABELS
ALL_SA_USER_LEVELS
ALL_SA_USER_PRIVS
DBA_SA_AUDIT_OPTIONS
DBA_SA_COMPARTMENTS
DBA_SA_DATA_LABELS
DBA_SA_GROUPS
DBA_SA_GROUP_HIERARCHY
DBA_SA_LABELS
DBA_SA_LEVELS
DBA_SA_POLICIES
DBA_SA_PROG_PRIVS
DBA_SA_SCHEMA_POLICIES
DBA_SA_TABLE_POLICIES
DBA_SA_USERS
DBA_SA_USER_COMPARTMENTS
DBA_SA_USER_GROUPS
DBA_SA_USER_LABELS
DBA_SA_USER_LEVELS
DBA_SA_USER_PRIVS
Oracle Label Security Auditing Views
Restrictions in Oracle Label Security
CREATE TABLE AS SELECT Restriction in Oracle Label Security
Label Tag Restriction
Export Restriction in Oracle Label Security
Oracle Label Security Deinstallation Restriction
Shared Schema Support
Hidden Columns Restriction
Installing Oracle Label Security
Oracle Label Security and the SYS.AUD$ Table
Removing Oracle Label Security

Index