Table of Contents
- Title and Copyright Information
- Preface
- Changes in This Release for Oracle Label Security Administrator's Guide
- Part I Getting Started with Oracle Label Security
- 1 Introduction to Oracle Label Security
- About Oracle Label Security
- Benefits of Oracle Label Security
- Who Has Privileges to Use Oracle Label Security?
- Duties of Oracle Label Security Administrators
- Components of Oracle Label Security
- Oracle Label Security Architecture
- Oracle Label Security Administrative Interfaces
- Oracle Label Security Demonstration File
- How Oracle Label Security Works with Other Oracle Products
- 2 Understanding Data Labels and User Labels
- 3 Access Controls and Privileges
- Access Mediation
- How the Session Label and Row Label Work
- How User Authorizations Work
- Evaluation of Labels for Access Mediation
- Oracle Label Security Privileges
- Working with Multiple Oracle Label Security Policies
- Part II Using Oracle Label Security Functionality
- 4 Registering and Logging in to Oracle Label Security
- 5 Creating an Oracle Label Security Policy
- About Creating Oracle Label Security Policies
- Step 1: Create the Label Security Policy Container
- Step 2: Create Data Labels for the Label Security Policy
- About Data Labels
- About Policy Level Sensitivity Components
- Creating a Policy Level Component
- About Policy Compartment Components
- Creating a Policy Compartment Component
- About Policy Group Components
- Creating a Policy Data Label Group
- About Associating the Policy Components with a Named Data Label
- Associating the Policy Components with a Named Data Label
- Step 3: Authorize Users for the Label Security Policy
- Step 4: Grant Privileges to Users and Trusted Stored Program Units
- Step 5: Apply the Policy to a Database Table or Schema
- Step 6: Add Policy Labels to Table Rows
- Step 7: (Optional) Configure Auditing
- Using Oracle Label Security Policies and Oracle Flashback Data Archive
- Using Enterprise Manager Cloud Control to Create an OLS Policy
- Creating the Label Security Policy Container Using Cloud Control
- Creating Policy Components Using Cloud Control
- Creating Data Labels for the Policy Using Cloud Control
- Authorizing, Granting Privileges, and Auditing Users for a Policy Using Cloud Control
- Granting Privileges to Trusted Program Units Using Cloud Control
- Applying a Policy to a Database Table with Cloud Control
- Applying Policy Labels to Table Rows Using Cloud Control
- Auditing Oracle Label Security Policies Using Cloud Control
- 6 Working with Labeled Data
- How Policy Label Column and Label Tags Work
- Assignments of Labels to Data Rows
- Presenting the Label
- Filtration of Data Using Labels
- Inserting Labeled Data
- Changing Session and Row Labels
- 7 Oracle Label Security Using Oracle Internet Directory
- About Label Management on Oracle Internet Directory
- Configuring Oracle Internet Directory-Enabled Label Security
- About Configuring Oracle Internet Directory-Enabled Label Security
- Granting Permissions for Configuring OID-Enabled Oracle Label Security
- Registering a Database and Configuring OID-Enabled Oracle Label Security
- Unregistration of a Database with OID-Enabled Oracle Label Security
- Removing Directory-Enabled Oracle Label Security from Database
- Oracle Label Security Profiles
- Integrated Capabilities When Label Security Uses the Directory
- Oracle Label Security Policy Attributes in Oracle Internet Directory
- Subscription of Policies in Directory-Enabled Label Security
- Restrictions on New Data Label Creation
- Administrator Duties for Oracle Internet Directory and Oracle Label Security
- Bootstrapping Databases
- Synchronizing the Database and Oracle Internet Directory
- About Synchronizing the Database and Oracle Internet Directory
- Oracle Directory Integration and Provisioning (DIP) Provisioning Profiles
- Modifying a Provisioning Profile
- Changing the Database Connection Information for a Provisioning Profile
- Configuring OID-Enabled Oracle Label Security with Oracle Data Guard
- Security Roles and Permitted Actions
- Superseded PL/SQL Statements When OID Is Enabled with OLS
- Oracle Label Security Procedures for Policy Administrators
- Part III Oracle Label Security Tutorials
- 8 Tutorial: Configuring Levels in Oracle Label Security
- About This Tutorial
- Step 1: Create a Role and User Accounts
- Step 2: Create the Oracle Label Security Policy Container
- Step 3: Create the Two Level Components for the Oracle Label Security Policy
- Step 4: Create the Data Labels for the Levels
- Step 5: Set User Authorizations for the Oracle Label Security Policy
- Step 6: Apply the Oracle Label Security Policy to the HR Schema
- Step 7: Add the Policy Labels to the HR.EMPLOYEES Table Data
- Step 8: Test the Oracle Label Security Policy
- Step 9: Optionally, Remove the Oracle Label Security Policy Components
- 9 Tutorial: Configuring Compartments in Oracle Label Security
- About This Tutorial
- Step 1: Create an Account for Lily Leagull
- Step 2: Authorize Lily Leagull for the HIGHLY_SENSITIVE Level
- Step 3: Create Two Compartments for the Oracle Label Security Policy
- Step 4: Create the Data Labels for the Compartments
- Step 5: Assign the Labels to the Users
- Step 6: Add the Policy Labels to the HR.EMPLOYEES Table Data
- Step 7: Test the Oracle Label Security Policy
- Step 8: Optionally, Remove the Oracle Label Security Policy Components
- 10 Tutorial: Configuring Groups in Oracle Label Security
- About This Tutorial
- Step 1: Create a Role and User Accounts
- Step 2: Create the Oracle Label Security Policy Container
- Step 3: Create and Authorize a Level Component for the Oracle Label Security Policy
- Step 4: Create and Authorize Groups for the Oracle Label Security Policy
- Step 5: Apply and Authorize the Policy to the Table
- Step 6: Add the Policy Labels to the OE.CUSTOMERS Table Data
- Step 7: Test the Oracle Label Security Policy
- Step 8: Optionally, Remove the Oracle Label Security Policy Components
- Part IV Administering an Oracle Label Security Application
- 11 Implementing Policy Enforcement Options and Labeling Functions
- Oracle Label Security Policy Enforcement Options
- About Policy Enforcement Options
- Levels of Policy Enforcement Options
- Categories of Policy Enforcement Options
- Relationships of Policy Enforcement Options
- How the HIDE Policy Column Option Works
- How the Label Management Enforcement Options Work
- How the Access Control Enforcement Options Work
- How the Overriding Enforcement Options Work
- Guidelines for Using the Policy Enforcement Options
- Exemptions from Oracle Label Security Policy Enforcement
- Data Dictionary Views for Viewing Policy Options on Tables and Schemas
- Labeling Functions
- Inserting Labeled Data Using Policy Options and Labeling Functions
- Updating Labeled Data Using Policy Options and Labeling Functions
- Deletion of Labeled Data Using Policy Options and Labeling Functions
- SQL Predicates with an Oracle Label Security Policy
- 12 Administering and Using Trusted Stored Program Units
- 13 Auditing Under Oracle Label Security
- 14 Using Oracle Label Security with a Distributed Database
- About the Oracle Label Security Distributed Configuration
- How Connections to a Remote Database Under Oracle Label Security Work
- Session Labels and Row Labels in Remote Sessions
- Labels in a Distributed Environment
- Oracle Label Security Policies in a Distributed Environment
- Replication with Oracle Label Security
- 15 Performing DBA Functions Under Oracle Label Security
- Oracle Data Pump Export Use with Oracle Label Security
- Data Pump Import Use with Oracle Label Security
- SQL*Loader Use with Oracle Label Security
- Performance Tips for Oracle Label Security
- Creation of Additional Databases After Installation
- Oracle Label Security Upgrades and Downgrades
- 16 Releasability Using Inverse Groups
- About Inverse Groups and Releasability
- Comparison of Standard Groups and Inverse Groups
- How Inverse Groups Work
- Algorithm for Read Access with Inverse Groups
- Algorithm for Write Access with Inverse Groups
- Algorithms for COMPACCESS Privilege with Inverse Groups
- Session Labels and Inverse Groups
- Changes in Behavior of Procedures with Inverse Groups
- SA_SYSDBA.CREATE_POLICY with Inverse Groups
- SA_SYSDBA.ALTER_POLICY with Inverse Groups
- SA_USER_ADMIN.ADD_GROUPS with Inverse Groups
- SA_USER_ADMIN.ALTER_GROUPS with Inverse Groups
- SA_USER_ADMIN.SET_GROUPS with Inverse Groups
- SA_USER_ADMIN.SET_USER_LABELS with Inverse Groups
- SA_USER_ADMIN.SET_DEFAULT_LABEL with Inverse Groups
- SA_USER_ADMIN.SET_ROW_LABEL with Inverse Groups
- SA_COMPONENTS.CREATE_GROUP with Inverse Groups
- SA_COMPONENTS.ALTER_GROUP_PARENT with Inverse Groups
- SA_SESSION.SET_LABEL with Inverse Groups
- SA_SESSION.SET_ROW_LABEL with Inverse Groups
- LEAST_UBOUND with Inverse Groups
- GREATEST_LBOUND with Inverse Groups
- Dominance Rules for Labels with Inverse Groups
- Appendixes
- A Disabling, Enabling, Uninstalling, and Reinstalling Oracle Label Security
- B Advanced Topics in Oracle Label Security
- Analyzing the Relationships Between Labels
- About Dominant and Dominated Labels
- Non-Comparable Labels
- Using Dominance Functions
- About the Dominance Functions
- OLS_DOMINATES Standalone Function
- OLS_LABEL_DOMINATES Standalone Function
- OLS_STRICTLY_DOMINATES Standalone Function
- OLS_DOMINATED_BY Standalone Function
- OLS_STRICTLY_DOMINATED_BY Standalone Function
- SA_UTL.DOMINATES
- SA_UTL.STRICTLY_DOMINATES
- SA_UTL.DOMINATED_BY
- SA_UTL.STRICTLY_DOMINATED_BY
- Queries for Audited Oracle Label Security Session Labels
- Oracle Call Interface for Setting Session Labels
- C Command-line Tools for Label Security Using Oracle Internet Directory
- About the Command-line Oracle Label Security Tools
- Oracle Label Security Commands in Categories
- olsadmintool Command Reference
- About the olsadmintool Commands
- olsadmintool addadmin
- olsadmintool addpolcreator
- olsadmintool adduser
- olsadmintool altercompartment
- olsadmintool altergroup
- olsadmintool altergroupparent
- olsadmintool alterlabel
- olsadmintool alterlevel
- olsadmintool alterpolicy
- olsadmintool audit
- olsadmintool createcompartment
- olsadmintool creategroup
- olsadmintool createlabel
- olsadmintool createlevel
- olsadmintool createprofile
- olsadmintool createpolicy
- olsadmintool describeprofile
- olsadmintool dropadmin
- olsadmintool dropcompartment
- olsadmintool dropgroup
- olsadmintool droplabel
- olsadmintool droplevel
- olsadmintool droppolicy
- olsadmintool dropprofile
- olsadmintool droppolcreator
- olsadmintool dropuser
- olsadmintool --help
- olsadmintool listprofile
- olsadmintool noaudit
- Relating Parameters to Commands for olsadmintool
- Examples of Using the olsadmintool Utility
- Example: Making Other Users Policy Creators
- Example: Creating Policies with Valid Options
- Example: Creating Policy Administrators
- Example: Creating Levels
- Example: Creating Compartments
- Example: Creating Groups
- Example: Creating Labels
- Example: Creating a Profile
- Example: Adding a User to a Profile
- Example: Adding Another User to a Profile
- Example: Setting Audit Options
- Results of These Examples
- olsoidsync Command Reference
- D Oracle Label Security in an Oracle RAC Environment
- E Oracle Label Security PL/SQL Packages
- SA_AUDIT_ADMIN Oracle Label Security Auditing PL/SQL Package
- SA_COMPONENTS Label Components PL/SQL Package
- About the SA_COMPONENTS PL/SQL Package
- SA_COMPONENTS.ALTER_COMPARTMENT
- SA_COMPONENTS.ALTER_GROUP
- SA_COMPONENTS.ALTER_GROUP_PARENT
- SA_COMPONENTS.ALTER_LEVEL
- SA_COMPONENTS.CREATE_COMPARTMENT
- SA_COMPONENTS.CREATE_GROUP
- SA_COMPONENTS.CREATE_LEVEL
- SA_COMPONENTS.DROP_COMPARTMENT
- SA_COMPONENTS.DROP_GROUP
- SA_COMPONENTS.DROP_LEVEL
- SA_LABEL_ADMIN Label Management PL/SQL Package
- SA_POLICY_ADMIN Policy Administration PL/SQL Package
- About the SA_POLICY_ADMIN PL/SQL Package
- SA_POLICY_ADMIN.ALTER_SCHEMA_POLICY
- SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY
- SA_POLICY_ADMIN.APPLY_TABLE_POLICY
- SA_POLICY_ADMIN.DISABLE_SCHEMA_POLICY
- SA_POLICY_ADMIN.DISABLE_TABLE_POLICY
- SA_POLICY_ADMIN.ENABLE_SCHEMA_POLICY
- SA_POLICY_ADMIN.ENABLE_TABLE_POLICY
- SA_POLICY_ADMIN.POLICY_SUBSCRIBE
- SA_POLICY_ADMIN.POLICY_UNSUBSCRIBE
- SA_POLICY_ADMIN.REMOVE_SCHEMA_POLICY
- SA_POLICY_ADMIN.REMOVE_TABLE_POLICY
- SA_SESSION Session Management PL/SQL Package
- About the SA_SESSION PL/SQL Package
- SA_SESSION.COMP_READ
- SA_SESSION.COMP_WRITE
- SA_SESSION.GROUP_READ
- SA_SESSION.GROUP_WRITE
- SA_SESSION.LABEL
- SA_SESSION.MAX_LEVEL
- SA_SESSION.MAX_READ_LABEL
- SA_SESSION.MAX_WRITE_LABEL
- SA_SESSION.MIN_LEVEL
- SA_SESSION.MIN_WRITE_LABEL
- SA_SESSION.PRIVS
- SA_SESSION.RESTORE_DEFAULT_LABELS
- SA_SESSION.ROW_LABEL
- SA_SESSION.SET_LABEL
- SA_SESSION.SA_USER_NAME
- SA_SESSION.SAVE_DEFAULT_LABELS
- SA_SESSION.SET_ACCESS_PROFILE
- SA_SESSION.SET_ROW_LABEL
- SA_SYSDBA Policy Management PL/SQL Package
- SA_USER_ADMIN PL/SQL Package
- About the SA_USER_ADMIN PL/SQL Package
- SA_USER_ADMIN.ADD_COMPARTMENTS
- SA_USER_ADMIN.ADD_GROUPS
- SA_USER_ADMIN.ALTER_COMPARTMENTS
- SA_USER_ADMIN.ALTER_GROUPS
- SA_USER_ADMIN.DROP_ALL_COMPARTMENTS
- SA_USER_ADMIN.DROP_ALL_GROUPS
- SA_USER_ADMIN.DROP_COMPARTMENTS
- SA_USER_ADMIN.DROP_GROUPS
- SA_USER_ADMIN.DROP_USER_ACCESS
- SA_USER_ADMIN.SET_COMPARTMENTS
- SA_USER_ADMIN.SET_DEFAULT_LABEL
- SA_USER_ADMIN.SET_GROUPS
- SA_USER_ADMIN.SET_LEVELS
- SA_USER_ADMIN.SET_PROG_PRIVS
- SA_USER_ADMIN.SET_ROW_LABEL
- SA_USER_ADMIN.SET_USER_LABELS
- SA_USER_ADMIN.SET_USER_PRIVS
- SA_UTL PL/SQL Utility Functions and Procedures
- F Oracle Label Security Tables and Views
- Oracle Database Data Dictionary Tables
- Oracle Label Security Data Dictionary Views
- ALL_SA_AUDIT_OPTIONS View
- ALL_SA_COMPARTMENTS
- ALL_SA_DATA_LABELS
- ALL_SA_GROUPS
- ALL_SA_LABELS
- ALL_SA_LEVELS
- ALL_SA_POLICIES
- ALL_SA_PROG_PRIVS
- ALL_SA_SCHEMA_POLICIES
- ALL_SA_TABLE_POLICIES
- ALL_SA_USERS
- ALL_SA_USER_LABELS
- ALL_SA_USER_LEVELS
- ALL_SA_USER_PRIVS
- DBA_SA_AUDIT_OPTIONS
- DBA_SA_COMPARTMENTS
- DBA_SA_DATA_LABELS
- DBA_SA_GROUPS
- DBA_SA_GROUP_HIERARCHY
- DBA_SA_LABELS
- DBA_SA_LEVELS
- DBA_SA_POLICIES
- DBA_SA_PROG_PRIVS
- DBA_SA_SCHEMA_POLICIES
- DBA_SA_TABLE_POLICIES
- DBA_SA_USERS
- DBA_SA_USER_COMPARTMENTS
- DBA_SA_USER_GROUPS
- DBA_SA_USER_LABELS
- DBA_SA_USER_LEVELS
- DBA_SA_USER_PRIVS
- DBA_OLS_STATUS
- USER_SA_SESSION
- Oracle Label Security User-Created Auditing View
- G Oracle Label Security Restrictions
- H Frequently Asked Questions about Oracle Label Security
- Who Uses Oracle Label Security?
- How Can Oracle Label Security Address My Security Needs?
- Should I Use Oracle Label Security to Protect All My Tables?
- What Is the Difference Between Oracle Virtual Private Database and Oracle Label Security?
- Can I Combine Oracle Virtual Private Database and Oracle Label Security?
- Can I Use Oracle Label Security with Oracle E-Business Suite?
- Can I Use Oracle Label Security with Oracle Database Vault?
- Does Oracle Label Security Provide Column-Level Access Control?
- Can I Base Secure Application Roles on Oracle Label Security?
- What Are Trusted Stored Program Units?
- Does VPD or OLS Add an Additional Column to the Protected Table?
- Why Should the Additional OLS Row Label Column Be Hidden?
- Index