Oracle® Label Security Administrator's Guide 11g Release 2 (11.2) Part Number E10745-02
When Oracle Label Security is used with Oracle Internet Directory, security administrators can use certain commands to create and alter label security attributes stored in the directory.

Note: Starting with this release, you can also use the graphical user interface provided by Oracle Enterprise Manager Database Control to manage Oracle Label Security. Detailed documentation can be found in the Oracle Enterprise Manager help.

This appendix describes these commands and the parameters they require. They perform updates, inserts, and deletes of entries in the directory and are implemented through a script named olsadmintool, which you call as $ORACLE_HOME/bin/olsadmintool. This appendix contains the following sections and tables:

- Table B-1, "Oracle Label Security Commands in Categories" lists all the commands, in categories, with links to their explanations. Some of these commands replace PL/SQL procedures (indicated in Table B-2, "olsadmintool Commands Linked to Their Explanations") that are used for the indicated purposes when Oracle Label Security is used without Oracle Internet Directory. Sites already using Oracle Label Security that add Oracle Internet Directory must replace those PL/SQL procedures with these commands.
- Table B-2, "olsadmintool Commands Linked to Their Explanations" then lists the commands alphabetically, with links to their explanations.
- Command Explanations, after Table B-2, "olsadmintool Commands Linked to Their Explanations", provides the individual explanations and examples of the commands and their parameters, in alphabetical order.
- Relating Parameters to Commands for olsadmintool follows Table B-2, "olsadmintool Commands Linked to Their Explanations" with summaries in Table B-3, "Summary: olsadmintool Command Parameters" and Table B-4, "Summary of Profile and Default Command Parameters". These tables summarize the commands' use of parameters by listing the commands and their parameters in tabular format, so that you can see patterns of parameter usage.
- Table B-3, "Summary: olsadmintool Command Parameters" gives a detailed explanation for each parameter, in alphabetical order, and lists the commands in which it is used.
- Examples of Using olsadmintool shows typical uses of the tool and the results of the specific examples shown.
Table B-1 Oracle Label Security Commands in Categories

Command Category | Command | Replaces PL/SQL Statement |
---|---|---|
Policies | olsadmintool createpolicy | SA_SYSDBA.CREATE_POLICY |
Policies | olsadmintool alterpolicy | SA_SYSDBA.ALTER_POLICY |
Policies | olsadmintool droppolicy | SA_SYSDBA.DROP_POLICY |
Policies | olsadmintool addpolcreator | None; new |
Policies | olsadmintool droppolcreator | None; new |
Levels in a Policy | olsadmintool createlevel | SA_COMPONENTS.CREATE_LEVEL |
Levels in a Policy | olsadmintool alterlevel | SA_COMPONENTS.ALTER_LEVEL |
Levels in a Policy | olsadmintool droplevel | SA_COMPONENTS.DROP_LEVEL |
Groups in a Policy | olsadmintool creategroup | SA_COMPONENTS.CREATE_GROUP |
Groups in a Policy | olsadmintool altergroup | SA_COMPONENTS.ALTER_GROUP |
Groups in a Policy (also a group parent) | olsadmintool altergroupparent | SA_COMPONENTS.ALTER_GROUP_PARENT |
Groups in a Policy | olsadmintool dropgroup | SA_COMPONENTS.DROP_GROUP |
Compartments in a Policy | olsadmintool createcompartment | SA_COMPONENTS.CREATE_COMPARTMENT |
Compartments in a Policy | olsadmintool altercompartment | SA_COMPONENTS.ALTER_COMPARTMENT |
Compartments in a Policy | olsadmintool dropcompartment | SA_COMPONENTS.DROP_COMPARTMENT |
Data Labels | olsadmintool createlabel | SA_LABEL_ADMIN.CREATE_LABEL |
Data Labels | olsadmintool alterlabel | SA_LABEL_ADMIN.ALTER_LABEL |
Data Labels | olsadmintool droplabel | SA_LABEL_ADMIN.DROP_LABEL |
Users | olsadmintool adduser | None; new |
Users | olsadmintool dropuser | SA_USER_ADMIN.DROP_USER_ACCESS |
Profiles | olsadmintool createprofile | Replaces the use of several methods (see footnote 1) |
Profiles | olsadmintool listprofile | None; new |
Profiles | olsadmintool describeprofile | None; new |
Profiles | olsadmintool dropprofile | None; new |
Policy Administrators | olsadmintool addadmin | None; new |
Policy Administrators | olsadmintool dropadmin | None; new |
Policy Access | olsadmintool addpolaccess | None; new |
Policy Access | olsadmintool droppolaccess | None; new |
Auditing | olsadmintool audit | SA_AUDIT_ADMIN.AUDIT |
Auditing | olsadmintool noaudit | SA_AUDIT_ADMIN.NOAUDIT |
Help (Get Help for olsadmintool) | olsadmintool <command name> --help | None; new |

Footnote 1: Replaces several methods in SA_USER_ADMIN: SET_LEVELS, SET_USER_PRIVILEGES, and SET_DEFAULT_LABEL.
Table B-2 olsadmintool Commands Linked to Their Explanations

Purpose of Command (Links in Alphabetical Order) | Command |
---|---|
Add a user to a profile within a policy | olsadmintool adduser |
Add an administrator to a policy | olsadmintool addadmin |
Add a policy creator | olsadmintool addpolcreator |
Alter the long name of a compartment | olsadmintool altercompartment |
Alter the long name of a group | olsadmintool altergroup |
Alter the parent of a group | olsadmintool altergroupparent |
Alter a data label | olsadmintool alterlabel |
Alter the long name of a level | olsadmintool alterlevel |
Alter the options of a policy | olsadmintool alterpolicy |
Cancel audit options for a policy | olsadmintool noaudit |
Create a compartment | olsadmintool createcompartment |
Create a group | olsadmintool creategroup |
Create a data label | olsadmintool createlabel |
Create a level | olsadmintool createlevel |
Create a profile | olsadmintool createprofile |
Create a policy | olsadmintool createpolicy |
Describe a profile | olsadmintool describeprofile |
Drop a compartment | olsadmintool dropcompartment |
Drop a group | olsadmintool dropgroup |
Drop a data label | olsadmintool droplabel |
Drop a level | olsadmintool droplevel |
Drop a policy | olsadmintool droppolicy |
Drop a profile | olsadmintool dropprofile |
Drop a user from a profile | olsadmintool dropuser |
Drop an administrator from a policy | olsadmintool dropadmin |
Drop a policy creator | olsadmintool droppolcreator |
Get help for a command | olsadmintool <command name> --help |
List the profiles in a policy | olsadmintool listprofile |
Set audit options for a policy | olsadmintool audit |
In the command explanations that follow, some parameters are optional, which is indicated by enclosing such a parameter within brackets. The two most common examples are [ -b <admin context> ] and [-p <port>], indicating that it is optional to specify either the administrative context for the command or the port through which to connect to Oracle Internet Directory. (The default port is 389.)

The use of two dashes (--, no space) is required for all parameters other than b, h, p, D, and w, which are preceded by a single dash. The double dash indicates the need to specify the full or long version of the name or parameter being used. If any such name or parameter contains spaces, it must be enclosed in double quotation marks, for example, "this is an extremely long name or parameter".

Each command is entered on the command line as a single long string, even where this listing wraps it across several lines.
```
olsadmintool adduser --polname <policy name> --profname <profile name> --userdn <enterprise user DN> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the adduser command

Use the adduser command to add an enterprise user to a profile within a policy. Provide the profile and policy names and the user DN. (The connection parameters common to every command are described in Footnote 1 of the Footnote Legend.) Enterprise users are normal Oracle Internet Directory users with the additional capability of connecting to the database. Users added to a profile must be enterprise users.

Example of the adduser command

```
olsadmintool adduser --polname tradesecret --profname topsales --userdn "cn=perot" -b "cn=EDS" -h ford -p 1890 -D cn=lbacsys -w lbacsyspwrd
```

Note: If you have users in Oracle Internet Directory that have been imported from a third-party directory, then you need to set the objectclass attribute for these users to orcluser before running the olsadmintool adduser command.

See Also: Refer to the Oracle Database Advanced Security Administrator's Guide, Chapter 13, "Administering Enterprise User Security", for further concepts, tools, steps, and procedures.

```
olsadmintool addadmin --polname <policy name> --admindn <admin DN> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the addadmin command

Use the addadmin command to add an enterprise user to the administrative group for a policy, so that the user is able to create, modify, or delete the specified policy's metadata. Provide the policy name and the new administrator's DN. This group should contain only enterprise users.

Example of the addadmin command

```
olsadmintool addadmin --polname defense --admindn "cn=scott,c=us" -h yippee -D cn=lbacsys -w lbacsys
```

```
olsadmintool addpolcreator --userdn <user DN> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the addpolcreator command

Use the addpolcreator command to enable the specified user to create policies. Provide the DN for the user.

Example of the addpolcreator command

```
olsadmintool addpolcreator --userdn "cn=scott" -h yippee -D cn=lbacsys -w lbacsys
```
```
olsadmintool altercompartment --polname <policy name> --shortname <short compartment name> --longname <"new long compartment name"> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the altercompartment command

Use the altercompartment command to change the long name of a compartment. Provide the name of the policy, the short name of the compartment, and the new long name of the compartment.

Example of the altercompartment command

```
olsadmintool altercompartment --polname defense --shortname A --longname "Allied Forces" -h yippee -D cn=defense_admin -w Easy2rem
```

```
olsadmintool altergroup --polname <policy name> --shortname <short group name> --longname <"new long group name"> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the altergroup command

Use the altergroup command to change the long name of a group component or parent group. Provide the name of the policy, the short name of the group, and the new long name of the group.

Example of the altergroup command

```
olsadmintool altergroup --polname defense --shortname US --longname "United States of America" -h yippee -D cn=defense_admin -w Easy2rem
```

```
olsadmintool altergroupparent --polname <policy name> --shortname <short group name> [--parentname <new parent group name>] [--clearparent] [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the altergroupparent command

Use the altergroupparent command to change or remove the parent group of a group. Provide the name of the policy, the short name of the group, and either the short name of the new parent group (--parentname) or the --clearparent flag, but not both.

Examples of the altergroupparent command

```
olsadmintool altergroupparent --polname defense --shortname US --parentname "Earth" -h yippee -p 5678 -D cn=defense_admin -w Easy2rem
```

or

```
olsadmintool altergroupparent --polname defense --shortname US --clearparent -h yippee -p 5678 -D cn=defense_admin -w Easy2rem
```

```
olsadmintool alterlabel --polname <policy name> --tag <tag number> --value <new label value> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the alterlabel command

Use the alterlabel command to change the character string defining the label associated with a label tag. Provide the policy name, the numeric tag of the label, and the new character string representing the label.

Example of the alterlabel command

```
olsadmintool alterlabel --polname defense --tag 100 --value "TS:A:US" -h yippee -D cn=defense_admin -w Easy2rem
```

```
olsadmintool alterlevel --polname <policy name> --shortname <short level name> --longname <"new long level name"> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the alterlevel command

Use the alterlevel command to change the long name of a level. Provide the name of the policy, the short name of the level, and the new long name of the level.

Example of the alterlevel command

```
olsadmintool alterlevel --polname defense --shortname TS --longname "VERY TOP SECRET" -h yippee -D cn=defense_admin -w Easy2rem
```

```
olsadmintool alterpolicy --name <policy name> --options <new options> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

where <new options> can be any comma-separated combination of the following entries: INVERSE_GROUP, HIDE, LABEL_DEFAULT, LABEL_UPDATE, CHECK_CONTROL, READ_CONTROL, WRITE_CONTROL, INSERT_CONTROL, DELETE_CONTROL, UPDATE_CONTROL, ALL_CONTROL, or NO_CONTROL.

Description of the alterpolicy command

Use the alterpolicy command to alter the options of a policy. Provide the name of the policy and the new options.

Example of the alterpolicy command

```
olsadmintool alterpolicy --name defense --options "READ_CONTROL,INSERT_CONTROL" -h yippee -D cn=defense_admin -w Easy2rem
```
```
olsadmintool noaudit --polname <policy name> --options <audit option name> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

where <audit option name> can be any comma-separated combination of APPLY, REMOVE, SET, and PRIVILEGE.

Description of the noaudit command

Use the noaudit command to cancel the audit options for a policy. Provide the policy name and the options that are no longer to be audited.

Example of the noaudit command

```
olsadmintool noaudit --polname defense --options "APPLY,PRIVILEGE" -h yippee -D cn=defense_admin -w Easy2rem
```

```
olsadmintool createcompartment --polname <policy name> --tag <tag number> --shortname <short compartment name> --longname <"long compartment name"> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the createcompartment command

Use the createcompartment command to create a new compartment component. Provide the name of the policy, the numeric tag value of the compartment, the short name of the compartment, and the long name of the compartment.

Example of the createcompartment command

```
olsadmintool createcompartment --polname defense --tag 100 --shortname A --longname Alpha -h yippee -D cn=defense_admin -w Easy2rem
```

```
olsadmintool creategroup --polname <policy name> --tag <tag number> --shortname <short group name> --longname <"long group name"> [--parentname <parent group name>] [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the creategroup command

Use the creategroup command to create a new group component. Provide the name of the policy, the numeric tag value of the group, the short name of the group, the long name of the group, and, optionally, the parent group name.

Example of the creategroup command

```
olsadmintool creategroup --polname defense --tag 55 --shortname US --longname "United States" -h yippee -D cn=defense_admin -w Easy2rem
```

```
olsadmintool createlabel --polname <policy name> --tag <tag number> --value <label value> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the createlabel command

Use the createlabel command to create a valid data label. Provide the policy name, the numeric tag of the label to be created, and the character string representation of the label.

Example of the createlabel command

```
olsadmintool createlabel --polname defense --tag 100 --value "TS:A,B:US,CA" -h yippee -D cn=defense_admin -w Easy2rem
```

```
olsadmintool createlevel --polname <policy name> --tag <tag number> --shortname <short level name> --longname <"long level name"> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the createlevel command

Use the createlevel command to create a new level component. Provide the name of the policy, the numeric tag value, the short name of the level, and the long name of the level.

Example of the createlevel command

```
olsadmintool createlevel --polname defense --tag 100 --shortname TS --longname "TOP SECRET" -h yippee -D cn=defense_admin -w Easy2rem
```

```
olsadmintool createprofile --polname <policy name> --profname <profile name> --maxreadlabel <max read label> --maxwritelabel <max write label> --minwritelabel <min write label> --defreadlabel <default read label> --defrowlabel <default row label> --privileges <privileges separated by commas> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the createprofile command

Use the createprofile command to create a new profile. Provide the policy name, the profile name, and either privileges, labels, or both privileges and labels. (A user profile can have either null label information or null privilege information, but not both null at the same time.) For labels, specify the maximum label users in this profile can use to read data, the maximum label users in this profile can use to write data, the minimum label users in this profile can use to write data, the default label for reading, and the default row label for writing. For privileges, enclose in quotation marks the comma-separated list of privileges for members of this profile.

Example of the createprofile command

```
olsadmintool createprofile --polname topsecret --profname topsales --maxreadlabel "TS:A,B:US,CA" --maxwritelabel "TS:A,B:US,CA" --minwritelabel "C" --defreadlabel "TS:A,B:US,CA" --defrowlabel "C:A,B:US,CA" --privileges "READ,COMPACCESS,WRITEACROSS" -b EDS -h ford -p 1890 -D cn=lbacsys -w lbacsyspwrd
```

```
olsadmintool createpolicy --name <policy name> --colname <column name> --options <options separated by commas> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

where <options> can be any comma-separated combination of the following entries: INVERSE_GROUP, HIDE, LABEL_DEFAULT, LABEL_UPDATE, CHECK_CONTROL, READ_CONTROL, WRITE_CONTROL, INSERT_CONTROL, DELETE_CONTROL, UPDATE_CONTROL, ALL_CONTROL, or NO_CONTROL.

Description of the createpolicy command

Use the createpolicy command to create a policy. Provide the name of the policy, the name of its label column, and the options.

Example of the createpolicy command

```
olsadmintool createpolicy --name defense --colname defense_col --options "READ_CONTROL,UPDATE_CONTROL" -h yippee -p 389 -D cn=defense_admin -w Easy2rem
```
```
olsadmintool describeprofile --polname <policy name> --profname <profile name> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the describeprofile command

Use the describeprofile command to see the contents of the specified profile in the specified policy. Provide the policy name and the name of the profile.

Example of the describeprofile command

```
olsadmintool describeprofile --polname defense --profname contractors -h yippee -D cn=defense_admin -w Easy2rem
```

```
olsadmintool dropcompartment --polname <policy name> --shortname <short compartment name> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the dropcompartment command

Use the dropcompartment command to remove a compartment component. Provide the name of the policy and the short name of the compartment.

Example of the dropcompartment command

```
olsadmintool dropcompartment --polname defense --shortname A -h yippee -D cn=defense_admin -w Easy2rem
```

```
olsadmintool dropgroup --polname <policy name> --shortname <short group name> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the dropgroup command

Use the dropgroup command to remove a group component. Provide the policy name and the short group name.

Example of the dropgroup command

```
olsadmintool dropgroup --polname defense --shortname US -h yippee -D cn=defense_admin -w Easy2rem
```

```
olsadmintool droplabel --polname <policy name> --value <label value> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the droplabel command

Use the droplabel command to drop a label from the policy. Provide the policy name and the string representation of the label.

Example of the droplabel command

```
olsadmintool droplabel --polname defense --value "TS:A:US" -h yippee -D cn=defense_admin -w Easy2rem
```

```
olsadmintool droplevel --polname <policy name> --shortname <short level name> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the droplevel command

Use the droplevel command to remove a level component from a specified policy. Provide the name of the policy and the short name of the level.

Example of the droplevel command

```
olsadmintool droplevel --polname defense --shortname TS -h yippee -D cn=defense_admin -w Easy2rem
```

```
olsadmintool droppolicy --name <policy name> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the droppolicy command

Use the droppolicy command to drop a policy. Provide the name of the policy to be dropped. For directory-enabled installations of Oracle Label Security, refer to "Subscribing Policies in Directory-Enabled Label Security".

Example of the droppolicy command

```
olsadmintool droppolicy --name defense -h yippee -D cn=defense_admin -w Easy2rem
```

```
olsadmintool dropprofile --polname <policy name> --profname <profile name> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the dropprofile command

Use the dropprofile command to remove the specified profile. Provide the policy name and the name of the profile to be dropped.

Note: Dropping a profile removes the authorization on that policy for all the users in the dropped profile. Those users will be unable to see data protected by that policy.

Example of the dropprofile command

```
olsadmintool dropprofile --polname defense --profname employees -h yippee -D cn=defense_admin -w Easy2rem
```
```
olsadmintool dropuser --polname <policy name> --profname <profile name> --userdn <enterprise user DN> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the dropuser command

Use the dropuser command to drop a user from the specified profile in the specified policy. Provide the policy name, the name of the profile, and the DN of the user.

Example of the dropuser command

```
olsadmintool dropuser --polname defense --profname contractors --userdn "cn=hanssen,c=us" -h yippee -D cn=defense_admin -w Easy2rem
```

```
olsadmintool dropadmin --polname <policy name> --admindn <admin DN> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the dropadmin command

Use the dropadmin command to remove an enterprise user from the administrative group of a policy, so that the user is no longer able to create, modify, or delete the specified policy's metadata. Provide the policy name and the DN of the administrator to be removed from the administrative group.

Example of the dropadmin command

```
olsadmintool dropadmin --polname defense --admindn "cn=scott,c=us" -h yippee -D cn=lbacsys -w lbacsys
```

```
olsadmintool droppolcreator --userdn <user DN> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the droppolcreator command

Use the droppolcreator command to cancel the ability of the specified user to create policies. Provide the user's DN.

Example of the droppolcreator command

```
olsadmintool droppolcreator --userdn "cn=scott,c=us" -b UA -h yippee -p 1890 -D <bind DN> -w <bind password>
```

Get Help for an olsadmintool Command

```
olsadmintool <command name> --help
```

```
olsadmintool listprofile --polname <policy name> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Description of the listprofile command

Use the listprofile command to see a list of all profiles in a given policy. Provide the policy name.

Example of the listprofile command

```
olsadmintool listprofile --polname defense -b CIA -h yippee -D cn=defense_admin -w Easy2rem
```

```
olsadmintool audit --polname <policy name> --options <audit option name> --type <audit option type> --success <audit success type> [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

where <audit option name> can be any comma-separated combination of APPLY, REMOVE, SET, and PRIVILEGE; <audit option type> can be "session" or "access"; and <audit success type> can be "successful", "not successful", or "both".

Description of the audit command

Use the audit command to set the audit options for a policy. Provide the policy name, the options to be audited, the type of audit, and the type of success to be audited.

Example of the audit command

```
olsadmintool audit --polname defense --options "APPLY,PRIVILEGE" --type session --success successful -h yippee -D cn=defense_admin -w Easy2rem
```
All olsadmintool commands must specify connection parameters: the OID host, the bind DN, the bind password, and optionally, the port through which the connection to Oracle Internet Directory is to be made. (The default port is 389.)

All olsadmintool commands may specify, as needed, the subscriber/administrative context using the -b flag.

The fact that specifying a parameter is optional, such as a port or an administrative context, is shown by enclosing the parameter within brackets. The two most common examples are [ -b <admin context> ] and [-p <port>].

Since every command must specify a host, bind DN, and password, and may, if needed, also specify an administrative context, Table B-3, "Summary: olsadmintool Command Parameters" uses the abbreviation CON to represent all of these connection parameters as a group:

```
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
```

Table B-3, "Summary: olsadmintool Command Parameters" summarizes the commands in the following categories:

- Policies: creating, altering, or dropping policies or their components, that is, levels, groups, and compartments
- Data labels: creating, altering, or dropping them
- Administrators and policy creators: adding or dropping them
- Users: adding or dropping users from a profile
- Auditing options: setting the options for what to audit for a policy
- Profiles: creating, listing, describing, or dropping them
- Default read or row labels: setting them

In Table B-3, "Summary: olsadmintool Command Parameters" and Table B-4, "Summary of Profile and Default Command Parameters", the column headings show only the parameters, not the keywords that must precede them. For example, Table B-3, "Summary: olsadmintool Command Parameters" shows policy name and column-name as parameters for the createpolicy command, without showing the keywords that must precede them (--name and --colname). These keywords are shown as required in each of the individual command descriptions, such as that of olsadmintool createpolicy.

Table B-3, "Summary: olsadmintool Command Parameters" explains the individual parameters that are used as column headings in the summaries of Table B-3, "Summary: olsadmintool Command Parameters" and Table B-4, "Summary of Profile and Default Command Parameters".

In all these tables:

- X means required, and O means unused or omitted.
- OptionsP means policy enforcement options, that is, any comma-separated combination of the following entries: INVERSE_GROUP, HIDE, LABEL_DEFAULT, LABEL_UPDATE, CHECK_CONTROL, READ_CONTROL, WRITE_CONTROL, INSERT_CONTROL, DELETE_CONTROL, UPDATE_CONTROL, ALL_CONTROL, NO_CONTROL.
- OptionsA means audit options, that is, any comma-separated combination of the following entries: SET, APPLY, REMOVE, or PRIVILEGE.
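The parameter rules scattered across the command descriptions above (the OptionsP and OptionsA sets, the "session"/"access" and "successful"/"not successful"/"both" values of audit, the "either --parentname or --clearparent, not both" rule of altergroupparent, and the "labels, privileges, or both" rule of createprofile) are easy to get wrong when commands are assembled by a provisioning script. The following Python module is an added example, not part of this guide or of the olsadmintool tool itself: it checks those rules before the tool is invoked and builds the argv list with the single-dash/double-dash convention this appendix describes. It assumes that type and success are compared case-insensitively, that the five label parameters of createprofile are supplied as a group or not at all, and it never contacts Oracle Internet Directory.

```python
"""Builds and checks olsadmintool argument lists (added example, not Oracle's code)."""
import shlex

# Policy enforcement options (OptionsP) and audit options (OptionsA) as listed in this appendix.
POLICY_OPTIONS = {
    "INVERSE_GROUP", "HIDE", "LABEL_DEFAULT", "LABEL_UPDATE", "CHECK_CONTROL",
    "READ_CONTROL", "WRITE_CONTROL", "INSERT_CONTROL", "DELETE_CONTROL",
    "UPDATE_CONTROL", "ALL_CONTROL", "NO_CONTROL",
}
AUDIT_OPTIONS = {"SET", "APPLY", "REMOVE", "PRIVILEGE"}
AUDIT_TYPES = {"session", "access"}
AUDIT_SUCCESS = {"successful", "not successful", "both"}
# The five label parameters of createprofile (assumed to be given together or not at all).
PROFILE_LABELS = ("maxreadlabel", "maxwritelabel", "minwritelabel",
                  "defreadlabel", "defrowlabel")


def check_option_list(value, allowed, what):
    """Normalize a comma-separated option string to upper case and reject unknown entries."""
    entries = [e.strip().upper() for e in str(value).split(",") if e.strip()]
    if not entries:
        raise ValueError(f"{what}: at least one option is required")
    unknown = [e for e in entries if e not in allowed]
    if unknown:
        raise ValueError(f"{what}: unknown option(s) {unknown}; allowed: {sorted(allowed)}")
    return ",".join(entries)


def validate(command, params):
    """Apply the rules this appendix states for `command`; return normalized parameters."""
    p = dict(params)
    if command in ("createpolicy", "alterpolicy"):
        p["options"] = check_option_list(p.get("options", ""), POLICY_OPTIONS, "--options")
    elif command in ("audit", "noaudit"):
        p["options"] = check_option_list(p.get("options", ""), AUDIT_OPTIONS, "--options")
        if command == "audit":
            # Assumption: type and success are case-insensitive ("SESSION" is accepted).
            p["type"] = str(p.get("type", "")).lower()
            p["success"] = str(p.get("success", "")).lower()
            if p["type"] not in AUDIT_TYPES:
                raise ValueError(f"--type must be one of {sorted(AUDIT_TYPES)}")
            if p["success"] not in AUDIT_SUCCESS:
                raise ValueError(f"--success must be one of {sorted(AUDIT_SUCCESS)}")
    elif command == "altergroupparent":
        # Exactly one of a new parent or --clearparent.
        if bool(p.get("parentname")) == bool(p.get("clearparent")):
            raise ValueError("altergroupparent: give exactly one of --parentname or --clearparent")
    elif command == "createprofile":
        # A profile may omit labels or privileges, but not both.
        given = [k for k in PROFILE_LABELS if p.get(k)]
        if given and len(given) != len(PROFILE_LABELS):
            raise ValueError(f"createprofile: all five label parameters are required, got {given}")
        if not given and not p.get("privileges"):
            raise ValueError("createprofile: supply labels, privileges, or both")
    return p


def build_argv(command, params, host, bind_dn, bind_password, port=None, admin_context=None):
    """Return the argv list: '--' for named parameters, single '-' for b, h, p, D and w."""
    p = validate(command, params)
    argv = ["olsadmintool", command]
    for key, value in p.items():
        if value is True:                      # bare flag such as --clearparent
            argv.append(f"--{key}")
        elif value is None or value is False or value == "":
            continue                           # omitted optional parameter
        else:
            argv += [f"--{key}", str(value)]
    if admin_context:
        argv += ["-b", admin_context]
    argv += ["-h", host]
    if port is not None:
        argv += ["-p", str(port)]
    argv += ["-D", bind_dn, "-w", bind_password]
    return argv


def command_line(command, params, **conn):
    """Render argv as one shell line; shlex.join quotes values that contain spaces."""
    return shlex.join(build_argv(command, params, **conn))


if __name__ == "__main__":
    # Reproduces the altercompartment example from this appendix.
    print(command_line("altercompartment",
                       {"polname": "defense", "shortname": "A", "longname": "Allied Forces"},
                       host="yippee", bind_dn="cn=defense_admin", bind_password="Easy2rem"))
```

Passing the list returned by build_argv() to subprocess.run() without a shell avoids the quoting problems that long names with spaces cause; command_line() is for logging or for pasting into a terminal. Note that, as in every example in this appendix, the bind password is an argument of the process and therefore visible in process listings and shell history on the administrator's host.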
Table B-3 Summary: olsadmintool Command Parameters

Policies

Command | policy name | column-name | optionsP | CON |
---|---|---|---|---|
olsadmintool createpolicy | X | X | X | X |
olsadmintool alterpolicy | X | O | X | X |
olsadmintool droppolicy | X | O | O | X |

Within a Policy: Create, Alter, Drop

Action | Command | policy name | tag | short name | long name | CON | parent name |
---|---|---|---|---|---|---|---|
Create a level | olsadmintool createlevel | X | X | X | X | X | O |
Create a group | olsadmintool creategroup | X | X | X | X | X | [ X ] |
Create a compartment | olsadmintool createcompartment | X | X | X | X | X | O |
Alter a level | olsadmintool alterlevel | X | O | X | X | X | O |
Alter a group | olsadmintool altergroup | X | O | X | X | X | O |
Alter a group parent | olsadmintool altergroupparent | X | O | X | O | X | [ X ] |
Alter a compartment | olsadmintool altercompartment | X | O | X | X | X | O |
Drop a level | olsadmintool droplevel | X | O | X | O | X | O |
Drop a group | olsadmintool dropgroup | X | O | X | O | X | O |
Drop a compartment | olsadmintool dropcompartment | X | O | X | O | X | O |

Data Labels

Action | Command | policy name | tag | value | CON |
---|---|---|---|---|---|
Create label | olsadmintool createlabel | X | X | X | X |
Alter data label | olsadmintool alterlabel | X | X | X | X |
Drop data label | olsadmintool droplabel | X | O | X | X |

Policy Administrators and Policy Creation

Action | Command | policy name | userDN | CON |
---|---|---|---|---|
Add an Admin | olsadmintool addadmin | X | X | X |
Drop an Admin | olsadmintool dropadmin | X | X | X |
Add a policy creator | olsadmintool addpolcreator | O | X | X |
Drop a policy creator | olsadmintool droppolcreator | O | X | X |

Users

Action | Command | policy name | profile name | userDN | CON |
---|---|---|---|---|---|
Add a User | olsadmintool adduser | X | X | X | X |
Drop a User | olsadmintool dropuser | X | X | X | X |

Auditing

Command | policy name | optionsA | type | success | CON |
---|---|---|---|---|---|
olsadmintool audit | X | X | X | X | X |
olsadmintool noaudit | X | X | O | O | X |

Help on olsadmintool

Command | parameters | CON |
---|---|---|
olsadmintool <command name> --help | O | O |
Table B-4 Summary of Profile and Default Command Parameters

Profile Command | Policy Name | Profile Name | Max Read Label | Max Write Label | Min Write Label | Def Read Label | Def Row Label | Priv's | CON |
---|---|---|---|---|---|---|---|---|---|
olsadmintool createprofile | X | X | X (1) | X (1) | X (1) | X (1) | X (1) | X (1) | X |
olsadmintool listprofile | X | O | O | O | O | O | O | O | X |
olsadmintool describeprofile | X | X | O | O | O | O | O | O | X |
olsadmintool dropprofile | X | X | O | O | O | O | O | O | X |

Footnote 1: In createprofile, specifying both privileges and labels is not required: a profile can specify labels, privileges, or both.
The commands that follow illustrate using olsadmintool in the typical tasks needed to set up Oracle Label Security in an Oracle Internet Directory environment. Each command is entered on the command line as a single long string, even where this listing wraps it across several lines. The summarized results of carrying out all these commands appear in Results of These Examples, which follows the last example.

```
# Add a policy creator
$ORACLE_HOME/bin/olsadmintool addpolcreator --userdn "cn=snamudur,c=us" -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=lbacsys,c=us" -w lbacsys

# Create policies
$ORACLE_HOME/bin/olsadmintool createpolicy --name Policy1 --colname pol1 --options READ_CONTROL,WRITE_CONTROL -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=snamudur,c=us" -w snamudur
$ORACLE_HOME/bin/olsadmintool createpolicy --name Policy2 --colname pol2 --options READ_CONTROL -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=lbacsys,c=us" -w lbacsys

# Add policy administrators
$ORACLE_HOME/bin/olsadmintool addadmin --polname Policy1 --admindn "cn=shwong,c=us" -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=snamudur,c=us" -w snamudur
$ORACLE_HOME/bin/olsadmintool addadmin --polname Policy2 --admindn "cn=shwong,c=us" -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=lbacsys,c=us" -w lbacsys

# Create levels
$ORACLE_HOME/bin/olsadmintool createlevel --polname Policy1 --tag 100 --shortname TS --longname "TOP SECRET" -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong
$ORACLE_HOME/bin/olsadmintool createlevel --polname Policy1 --tag 99 --shortname S --longname SECRET -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong
$ORACLE_HOME/bin/olsadmintool createlevel --polname Policy1 --tag 98 --shortname U --longname UNCLASSIFIED -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong

# Create compartments
$ORACLE_HOME/bin/olsadmintool createcompartment --polname Policy1 --tag 100 --shortname A --longname ALPHA -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong
$ORACLE_HOME/bin/olsadmintool createcompartment --polname Policy1 --tag 99 --shortname B --longname BETA -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong

# Create groups
$ORACLE_HOME/bin/olsadmintool creategroup --polname Policy1 --tag 100 --shortname G1 --longname GROUP1 -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong
$ORACLE_HOME/bin/olsadmintool creategroup --polname Policy1 --tag 99 --shortname G2 --longname GROUP2 -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong
$ORACLE_HOME/bin/olsadmintool creategroup --polname Policy1 --tag 98 --shortname G3 --longname GROUP3 -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong

# Create data labels
$ORACLE_HOME/bin/olsadmintool createlabel --polname Policy1 --tag 100 --value TS:A:G1 -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong
$ORACLE_HOME/bin/olsadmintool createlabel --polname Policy1 --tag 101 --value TS:A,B:G2 -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong

# Create a profile
$ORACLE_HOME/bin/olsadmintool createprofile --polname Policy1 --profname Profile1 --maxreadlabel TS:A:G1 --maxwritelabel TS:A:G1 --minwritelabel U:: --defreadlabel U:A:G1 --defrowlabel U:A:G1 --privileges WRITEUP,READ -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong

# Add users to the profile
$ORACLE_HOME/bin/olsadmintool adduser --polname Policy1 --profname Profile1 --userdn cn=nina,ou=Asia,o=microsoft,l=seattle,st=WA,c=US -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong
$ORACLE_HOME/bin/olsadmintool adduser --polname Policy1 --profname Profile1 --userdn cn=daniel,ou=France,o=oracle,l=madison,st=WI,c=US -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong

# Set audit options
$ORACLE_HOME/bin/olsadmintool audit --polname Policy1 --options "SET,APPLY" --type SESSION --success BOTH -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong
```
As a result of running the sets of olsadmintool commands outlined, this sample Oracle Label Security site has the following structure:

- Policy creators: User snamudur
- Policies: Policy1 and Policy2
- Policy Administrators: User shwong
- Levels, Compartments, and Groups: Refer to Table B-5, "Label Component Definitions from Using olsadmintool Commands".

Table B-5 Label Component Definitions from Using olsadmintool Commands

Label Component | Tag | Short Name | Long Name |
---|---|---|---|
Level | 100 | TS | TOP SECRET |
Level | 99 | S | SECRET |
Level | 98 | U | UNCLASSIFIED |
Compartment | 100 | A | ALPHA |
Compartment | 99 | B | BETA |
Group | 100 | G1 | GROUP1 |
Group | 99 | G2 | GROUP2 |
Group | 98 | G3 | GROUP3 |

- Data labels: Tag 100 for TS:A:G1 and tag 101 for TS:A,B:G2
- Users: Nina, from the Asia group of Microsoft, based in Seattle, Washington, managed under the Americas organization of the US Oracle organization, and Daniel, from the France group of Oracle in Madison, Wisconsin, managed under the same organization.
- Profiles: Refer to Table B-6, "Contents of Profile1 from Using olsadmintool Commands".
Table B-6 Contents of Profile1 from Using olsadmintool Commands

Profile Element | Contents | Long-name Expansion or Meaning |
---|---|---|
MaxReadLabel | TS:A:G1 | TOP SECRET:ALPHA:GROUP1 |
MaxWriteLabel | TS:A:G1 | TOP SECRET:ALPHA:GROUP1 |
MinWriteLabel | U:: | UNCLASSIFIED (not restricted to any compartments or groups) |
DefReadLabel | U:A:G1 | UNCLASSIFIED:ALPHA:GROUP1 |
DefRowLabel | U:A:G1 | UNCLASSIFIED:ALPHA:GROUP1 |
Privileges | WRITEUP, READ | User can read any row and raise the level of rows the user writes. |

- Auditing options: SET, APPLY, SESSION, and BOTH
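Table B-5 and Table B-6 show the two forms that a label string takes in the commands of this appendix: level:compartments:groups, where either list may be empty (U::), and a bare level (as in the createprofile example with --minwritelabel "C"). The following Python module is an added example, not part of this guide or of the olsadmintool tool: it parses such strings against a set of component definitions, rejects short names that no createlevel, createcompartment or creategroup command defined, and expands a profile's labels to the long-name form shown in Table B-6. The component tables are the ones from Table B-5, embedded here as constructed data; in a real deployment they live in the directory. Expanding U:: yields UNCLASSIFIED:: here, which is the literal form of what Table B-6 describes in words.

```python
"""Parses Oracle Label Security label strings (added example, not Oracle's code)."""

# Component definitions copied from Table B-5 (constructed data): short name -> (long name, tag).
LEVELS = {"TS": ("TOP SECRET", 100), "S": ("SECRET", 99), "U": ("UNCLASSIFIED", 98)}
COMPARTMENTS = {"A": ("ALPHA", 100), "B": ("BETA", 99)}
GROUPS = {"G1": ("GROUP1", 100), "G2": ("GROUP2", 99), "G3": ("GROUP3", 98)}


def _split_list(text, table, what):
    """Split a comma-separated list of short names and check each against `table`."""
    names = [n.strip() for n in text.split(",") if n.strip()]
    unknown = [n for n in names if n not in table]
    if unknown:
        raise ValueError(f"unknown {what} short name(s): {unknown}")
    if len(set(names)) != len(names):
        raise ValueError(f"duplicate {what} short name in {names}")
    return names


def parse_label(text):
    """Return {'level', 'compartments', 'groups'} for 'L:C1,C2:G1' or a bare level 'L'."""
    parts = [s.strip() for s in text.split(":")]
    if len(parts) > 3:
        raise ValueError(f"label {text!r} has more than three components")
    parts += [""] * (3 - len(parts))          # 'U' and 'U::' both mean no compartments, no groups
    level, comps, groups = parts
    if level not in LEVELS:
        raise ValueError(f"unknown level short name {level!r}")
    return {
        "level": level,
        "compartments": _split_list(comps, COMPARTMENTS, "compartment"),
        "groups": _split_list(groups, GROUPS, "group"),
    }


def expand_label(text):
    """Render a label with long names, as in the third column of Table B-6."""
    lab = parse_label(text)
    return ":".join([
        LEVELS[lab["level"]][0],
        ",".join(COMPARTMENTS[c][0] for c in lab["compartments"]),
        ",".join(GROUPS[g][0] for g in lab["groups"]),
    ])


def describe_profile(labels):
    """Expand every label of a profile; raises ValueError on the first undefined component."""
    return {name: expand_label(value) for name, value in labels.items()}


if __name__ == "__main__":
    # The five labels given to createprofile for Profile1 in the examples above.
    profile1 = {
        "MaxReadLabel": "TS:A:G1", "MaxWriteLabel": "TS:A:G1", "MinWriteLabel": "U::",
        "DefReadLabel": "U:A:G1", "DefRowLabel": "U:A:G1",
    }
    for element, expansion in describe_profile(profile1).items():
        print(f"{element:<14} {profile1[element]:<10} {expansion}")
```

Running parse_label() over the labels of a createprofile or createlabel command before issuing it catches the typing errors that the directory would otherwise reject one command at a time; describe_profile() applied to a profile's five labels reproduces Table B-6 for Profile1.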
Footnote Legend

Footnote 1 (Command Footnote): Every command must include the directory host name, the bind DN, and the bind password. Any command may, as needed, also supply the subscriber administrative context (optional), the directory port number (also optional), or both. See also Table B-3, "Summary: olsadmintool Command Parameters" for additional details on these parameters.