You can use the DBMS_MACADM PL/SQL package to manage Oracle Label Security labels and policies in Oracle Database Vault.
Table 18-1 lists procedures within the DBMS_MACADM package that you can use to configure Oracle Label Security policies for Oracle Database Vault. Only users who have been granted the DV_OWNER or DV_ADMIN role can use these procedures.
Table 18-1 DBMS_MACADM Oracle Label Security Configuration Procedures
Procedure | Description |
---|---|
CREATE_MAC_POLICY | Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label |
CREATE_POLICY_LABEL | Labels an identity within an Oracle Label Security policy |
DELETE_MAC_POLICY_CASCADE | Deletes all Oracle Database Vault objects related to an Oracle Label Security policy. |
DELETE_POLICY_FACTOR | Removes the factor from contributing to the Oracle Label Security label |
DELETE_POLICY_LABEL | Removes the label from an identity within an Oracle Label Security policy |
UPDATE_MAC_POLICY | Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label |
See Also:
Chapter 10, "Integrating Oracle Database Vault with Other Oracle Products," for detailed information about factors
"CREATE_RULE Procedure" for an example of how to create a rule expression that uses the OLS_LABEL_DOMINATES function to check the dominance of the current session label
Chapter 19, "Oracle Database Vault Utility APIs," for a set of general-purpose utility procedures that you can use with Oracle Label Security policy procedures
The CREATE_MAC_POLICY procedure specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label.
```sql
DBMS_MACADM.CREATE_MAC_POLICY(
  policy_name  IN VARCHAR2,
  algorithm    IN VARCHAR2);
```
Table 18-2 CREATE_MAC_POLICY Parameters
Parameter | Description |
---|---|
policy_name | Name of an existing policy. To find existing policies in the current database instance, query the |
algorithm | Merge algorithm for cases when Oracle Label Security has merged two labels. Enter the code listed in Table 18-3 that corresponds to the merge algorithm you want. For example, enter For more information on label-merging algorithms, see Oracle Label Security Administrator's Guide. |
Table 18-3 Oracle Label Security Merge Algorithm Codes
Code | Value |
---|---|
| | Maximum Level/Union/Union |
| | Maximum Level/Intersection/Union |
| | Maximum Level/Minus/Union |
| | Maximum Level/Null/Union |
| | Maximum Level/Union/Intersection |
| | Maximum Level/Intersection/Intersection |
| | Maximum Level/Minus/Intersection |
| | Maximum Level/Null/Intersection |
| | Maximum Level/Union/Minus |
| | Maximum Level/Intersection/Minus |
| | Maximum Level/Minus/Minus |
| | Maximum Level/Null/Minus |
| | Maximum Level/Union/Null |
| | Maximum Level/Intersection/Null |
| | Maximum Level/Minus/Null |
| | Maximum Level/Null/Null |
| | Minimum Level/Union/Union |
| | Minimum Level/Intersection/Union |
| | Minimum Level/Minus/Union |
| | Minimum Level/Null/Union |
| | Minimum Level/Union/Intersection |
| | Minimum Level/Intersection/Intersection |
| | Minimum Level/Minus/Intersection |
| | Minimum Level/Null/Intersection |
| | Minimum Level/Union/Minus |
| | Minimum Level/Intersection/Minus |
| | Minimum Level/Minus/Minus |
| | Minimum Level/Null/Minus |
| | Minimum Level/Union/Null |
| | Minimum Level/Intersection/Null |
| | Minimum Level/Minus/Null |
| | Minimum Level/Null/Null |
```sql
BEGIN
  DBMS_MACADM.CREATE_MAC_POLICY(
    policy_name => 'Access Locations',
    algorithm   => 'HUU');
END;
/
```
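To see what the choice of merge algorithm changes, the following added example (a simplified Python model, not Oracle code and not part of the original documentation) merges two labels under a three-letter code. It assumes that the letters select, in order, the level rule (H maximum, L minimum), the compartment rule and the group rule (U union, I intersection, M minus, N null), matching the values in Table 18-3; the `Label` type, the sample labels and the numeric levels are constructed, and group hierarchy is ignored.

```python
# Simplified model of label merging (added example, not Oracle's code).
# Assumptions: a label is (level, compartments, groups), a higher number
# is a more sensitive level, and group parent/child hierarchy is ignored.
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    level: int
    compartments: frozenset
    groups: frozenset


LEVEL_OPS = {"H": max, "L": min}            # Maximum Level / Minimum Level
SET_OPS = {
    "U": lambda a, b: a | b,                # Union
    "I": lambda a, b: a & b,                # Intersection
    "M": lambda a, b: a - b,                # Minus: in the first label only
    "N": lambda a, b: frozenset(),          # Null: always empty
}


def merge_labels(a: Label, b: Label, code: str) -> Label:
    """Merge two labels under a three-character code such as 'HUU'."""
    if (len(code) != 3 or code[0] not in LEVEL_OPS
            or code[1] not in SET_OPS or code[2] not in SET_OPS):
        raise ValueError(f"not a valid merge algorithm code: {code!r}")
    return Label(
        level=LEVEL_OPS[code[0]](a.level, b.level),
        compartments=SET_OPS[code[1]](a.compartments, b.compartments),
        groups=SET_OPS[code[2]](a.groups, b.groups),
    )


# Constructed sample labels, e.g. one contributed by a host factor and
# one by a network factor.
HOST = Label(30, frozenset({"FIN"}), frozenset({"US", "EU"}))
NETWORK = Label(20, frozenset({"FIN", "HR"}), frozenset({"EU"}))


def demo() -> dict:
    """Merge the two sample labels under three different algorithms."""
    return {c: merge_labels(HOST, NETWORK, c) for c in ("HUU", "LUI", "HMN")}


if __name__ == "__main__":
    for code, label in demo().items():
        print(code, label.level, sorted(label.compartments), sorted(label.groups))
```

In this model a minimum-level or intersection rule never yields a component broader than either input, while maximum-level and union rules can, so the algorithm you pass directly affects how permissive the computed label is.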
The CREATE_POLICY_LABEL procedure labels an identity within an Oracle Label Security policy.
```sql
DBMS_MACADM.CREATE_POLICY_LABEL(
  identity_factor_name   IN VARCHAR2,
  identity_factor_value  IN VARCHAR2,
  policy_name            IN VARCHAR2,
  label                  IN VARCHAR2);
```
Table 18-4 CREATE_POLICY_LABEL Parameters
Parameter | Description |
---|---|
identity_factor_name | Name of the factor being labeled. To find existing factors in the current database instance, query the To find factors that are associated with Oracle Label Security policies, use |
identity_factor_value | Value of identity for the factor being labeled. To find the identities of existing factors in the current database instance, query the |
policy_name | Name of an existing policy. To find existing policies in the current database instance, query the |
label | Oracle Label Security label name. To find existing policy labels for factor identifiers, query the |
```sql
BEGIN
  DBMS_MACADM.CREATE_POLICY_LABEL(
    identity_factor_name  => 'App_Host_Name',
    identity_factor_value => 'Sect2_Fin_Apps',
    policy_name           => 'Access Locations',
    label                 => 'Sensitive');
END;
/
```
The DELETE_MAC_POLICY_CASCADE procedure deletes all Oracle Database Vault objects related to an Oracle Label Security policy.
```sql
DBMS_MACADM.DELETE_MAC_POLICY_CASCADE(
  policy_name  IN VARCHAR2);
```
Table 18-5 DELETE_MAC_POLICY_CASCADE Parameter
Parameter | Description |
---|---|
policy_name | Name of an existing policy. To find existing policies in the current database instance, query the |
```sql
EXEC DBMS_MACADM.DELETE_MAC_POLICY_CASCADE('Access Locations');
```
The DELETE_POLICY_FACTOR procedure removes the factor from contributing to the Oracle Label Security label.
```sql
DBMS_MACADM.DELETE_POLICY_FACTOR(
  policy_name  IN VARCHAR2,
  factor_name  IN VARCHAR2);
```
Table 18-6 DELETE_POLICY_FACTOR Parameters
Parameter | Description |
---|---|
policy_name | Name of an existing policy. To find existing policies in the current database instance, query the |
factor_name | Name of factor associated with the Oracle Label Security label. To find factors that are associated with Oracle Label Security policies, query |
```sql
BEGIN
  DBMS_MACADM.DELETE_POLICY_FACTOR(
    policy_name => 'Access Locations',
    factor_name => 'App_Host_Name');
END;
/
```
The DELETE_POLICY_LABEL procedure removes the label from an identity within an Oracle Label Security policy.
```sql
DBMS_MACADM.DELETE_POLICY_LABEL(
  identity_factor_name   IN VARCHAR2,
  identity_factor_value  IN VARCHAR2,
  policy_name            IN VARCHAR2,
  label                  IN VARCHAR2);
```
Table 18-7 DELETE_POLICY_LABEL Parameters
Parameter | Description |
---|---|
identity_factor_name | Name of the factor that was labeled. To find existing factors in the current database instance that are associated with Oracle Label Security policies, query |
identity_factor_value | Value of identity for the factor that was labeled. To find the identities of existing factors in the current database instance, query the |
policy_name | Name of an existing policy. To find existing policies in the current database instance, query the |
label | Oracle Label Security label name. To find existing policy labels for factor identifiers, query the |
```sql
BEGIN
  DBMS_MACADM.DELETE_POLICY_LABEL(
    identity_factor_name  => 'App_Host_Name',
    identity_factor_value => 'Sect2_Fin_Apps',
    policy_name           => 'Access Locations',
    label                 => 'Sensitive');
END;
/
```
The UPDATE_MAC_POLICY procedure specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label.
```sql
DBMS_MACADM.UPDATE_MAC_POLICY(
  policy_name  IN VARCHAR2,
  algorithm    IN VARCHAR2);
```
Parameter | Description |
---|---|
policy_name | Name of an existing policy. To find existing policies in the current database instance, query the |
algorithm | Merge algorithm for cases when Oracle Label Security has merged two labels. See Table 18-3 for a listing of the available algorithms. For more information on label-merging algorithms, see Oracle Label Security Administrator's Guide. |
```sql
BEGIN
  DBMS_MACADM.UPDATE_MAC_POLICY(
    policy_name => 'Access Locations',
    algorithm   => 'LUI');
END;
/
```