18 Oracle Database Vault Oracle Label Security APIs

You can use the DBMS_MACADM PL/SQL package to manage Oracle Label Security labels and policies in Oracle Database Vault.

About the DBMS_MACADM Oracle Label Security Procedures

Table 18-1 lists procedures within the DBMS_MACADM package that you can use to configure Oracle Label Security policies for Oracle Database Vault. Only users who have been granted the DV_OWNER or DV_ADMIN role can use these procedures.

Table 18-1 DBMS_MACADM Oracle Label Security Configuration Procedures

Procedure                            Description
CREATE_MAC_POLICY Procedure          Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label
CREATE_POLICY_LABEL Procedure        Labels an identity within an Oracle Label Security policy
DELETE_MAC_POLICY_CASCADE Procedure  Deletes all Oracle Database Vault objects related to an Oracle Label Security policy.
DELETE_POLICY_FACTOR Procedure       Removes the factor from contributing to the Oracle Label Security label
DELETE_POLICY_LABEL Procedure        Removes the label from an identity within an Oracle Label Security policy
UPDATE_MAC_POLICY Procedure          Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label


CREATE_MAC_POLICY Procedure

The CREATE_MAC_POLICY procedure specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label.

Syntax

DBMS_MACADM.CREATE_MAC_POLICY(
  policy_name  IN VARCHAR2,
  algorithm    IN VARCHAR2);

Parameters

Table 18-2 CREATE_MAC_POLICY Parameters

Parameter Description

policy_name

Name of an existing policy.

To find existing policies in the current database instance, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DVSYS.DBA_DV_MAC_POLICY View".

algorithm

Merge algorithm for cases when Oracle Label Security has merged two labels. Enter the code listed in Table 18-3 that corresponds to the merge algorithm you want. For example, enter HUU if you want to select the Maximum Level/Union/Union merge algorithm.

For more information on label-merging algorithms, see Oracle Label Security Administrator's Guide.


Table 18-3 Oracle Label Security Merge Algorithm Codes

Code  Value
HUU   Maximum Level/Union/Union
HIU   Maximum Level/Intersection/Union
HMU   Maximum Level/Minus/Union
HNU   Maximum Level/Null/Union
HUI   Maximum Level/Union/Intersection
HII   Maximum Level/Intersection/Intersection
HMI   Maximum Level/Minus/Intersection
HNI   Maximum Level/Null/Intersection
HUM   Maximum Level/Union/Minus
HIM   Maximum Level/Intersection/Minus
HMM   Maximum Level/Minus/Minus
HNM   Maximum Level/Null/Minus
HUN   Maximum Level/Union/Null
HIN   Maximum Level/Intersection/Null
HMN   Maximum Level/Minus/Null
HNN   Maximum Level/Null/Null
LUU   Minimum Level/Union/Union
LIU   Minimum Level/Intersection/Union
LMU   Minimum Level/Minus/Union
LNU   Minimum Level/Null/Union
LUI   Minimum Level/Union/Intersection
LII   Minimum Level/Intersection/Intersection
LMI   Minimum Level/Minus/Intersection
LNI   Minimum Level/Null/Intersection
LUM   Minimum Level/Union/Minus
LIM   Minimum Level/Intersection/Minus
LMM   Minimum Level/Minus/Minus
LNM   Minimum Level/Null/Minus
LUN   Minimum Level/Union/Null
LIN   Minimum Level/Intersection/Null
LMN   Minimum Level/Minus/Null
LNN   Minimum Level/Null/Null


Example

BEGIN
 DBMS_MACADM.CREATE_MAC_POLICY(
  policy_name  => 'Access Locations',
  algorithm    => 'HUU');
END;
/

CREATE_POLICY_LABEL Procedure

The CREATE_POLICY_LABEL procedure labels an identity within an Oracle Label Security policy.

Syntax

DBMS_MACADM.CREATE_POLICY_LABEL(
  identity_factor_name   IN VARCHAR2, 
  identity_factor_value  IN VARCHAR2, 
  policy_name            IN VARCHAR2, 
  label                  IN VARCHAR2); 

Parameters

Table 18-4 CREATE_POLICY_LABEL Parameters

Parameter Description

identity_factor_name

Name of the factor being labeled.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR view, described in "DVSYS.DBA_DV_FACTOR View".

To find factors that are associated with Oracle Label Security policies, use DVSYS.DBA_DV_MAC_POLICY_FACTOR, described in "DVSYS.DBA_DV_MAC_POLICY_FACTOR View".

identity_factor_value

Value of identity for the factor being labeled.

To find the identities of existing factors in the current database instance, query the DVSYS.DBA_DV_IDENTITY view, described in "DVSYS.DBA_DV_IDENTITY View".

policy_name

Name of an existing policy.

To find existing policies in the current database instance, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DVSYS.DBA_DV_MAC_POLICY View".

label

Oracle Label Security label name.

To find existing policy labels for factor identifiers, query the DVSYS.DBA_DV_POLICY_LABEL view, described in "DVSYS.DBA_DV_POLICY_LABEL View".


Example

BEGIN
 DBMS_MACADM.CREATE_POLICY_LABEL(
  identity_factor_name   => 'App_Host_Name', 
  identity_factor_value  => 'Sect2_Fin_Apps', 
  policy_name            => 'Access Locations', 
  label                  => 'Sensitive'); 
END;
/

DELETE_MAC_POLICY_CASCADE Procedure

The DELETE_MAC_POLICY_CASCADE procedure deletes all Oracle Database Vault objects related to an Oracle Label Security policy.

Syntax

DBMS_MACADM.DELETE_MAC_POLICY_CASCADE(
  policy_name  IN VARCHAR2); 

Parameters

Table 18-5 DELETE_MAC_POLICY_CASCADE Parameter

Parameter Description

policy_name

Name of an existing policy.

To find existing policies in the current database instance, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DVSYS.DBA_DV_MAC_POLICY View".


Example

EXEC DBMS_MACADM.DELETE_MAC_POLICY_CASCADE('Access Locations'); 

DELETE_POLICY_FACTOR Procedure

The DELETE_POLICY_FACTOR procedure removes the factor from contributing to the Oracle Label Security label.

Syntax

DBMS_MACADM.DELETE_POLICY_FACTOR(
  policy_name  IN VARCHAR2, 
  factor_name  IN VARCHAR2); 

Parameters

Table 18-6 DELETE_POLICY_FACTOR Parameters

Parameter Description

policy_name

Name of an existing policy.

To find existing policies in the current database instance, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DVSYS.DBA_DV_MAC_POLICY View".

factor_name

Name of factor associated with the Oracle Label Security label.

To find factors that are associated with Oracle Label Security policies, query DVSYS.DBA_DV_MAC_POLICY_FACTOR, described in "DVSYS.DBA_DV_MAC_POLICY_FACTOR View".


Example

BEGIN
 DBMS_MACADM.DELETE_POLICY_FACTOR(
  policy_name  => 'Access Locations', 
  factor_name  => 'App_Host_Name'); 
END;
/

DELETE_POLICY_LABEL Procedure

The DELETE_POLICY_LABEL procedure removes the label from an identity within an Oracle Label Security policy.

Syntax

DBMS_MACADM.DELETE_POLICY_LABEL(
  identity_factor_name   IN VARCHAR2, 
  identity_factor_value  IN VARCHAR2, 
  policy_name            IN VARCHAR2, 
  label                  IN VARCHAR2); 

Parameters

Table 18-7 DELETE_POLICY_LABEL Parameters

Parameter Description

identity_factor_name

Name of the factor that was labeled.

To find existing factors in the current database instance that are associated with Oracle Label Security policies, query DVSYS.DBA_DV_MAC_POLICY_FACTOR, described in "DVSYS.DBA_DV_MAC_POLICY_FACTOR View".

identity_factor_value

Value of identity for the factor that was labeled.

To find the identities of existing factors in the current database instance, query the DVSYS.DBA_DV_IDENTITY view, described in "DVSYS.DBA_DV_IDENTITY View".

policy_name

Name of an existing policy.

To find existing policies in the current database instance, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DVSYS.DBA_DV_MAC_POLICY View".

label

Oracle Label Security label name.

To find existing policy labels for factor identifiers, query the DVSYS.DBA_DV_POLICY_LABEL view, described in "DVSYS.DBA_DV_POLICY_LABEL View".


Example

BEGIN
 DBMS_MACADM.DELETE_POLICY_LABEL(
  identity_factor_name   => 'App_Host_Name', 
  identity_factor_value  => 'Sect2_Fin_Apps', 
  policy_name            => 'Access Locations', 
  label                  => 'Sensitive'); 
END;
/

UPDATE_MAC_POLICY Procedure

The UPDATE_MAC_POLICY procedure specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label.

Syntax

DBMS_MACADM.UPDATE_MAC_POLICY(
  policy_name  IN VARCHAR2, 
  algorithm    IN VARCHAR2); 

Parameters

Table 18-8 UPDATE_MAC_POLICY

Parameter Description

policy_name

Name of an existing policy.

To find existing policies in the current database instance, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DVSYS.DBA_DV_MAC_POLICY View".

algorithm

Merge algorithm for cases when Oracle Label Security has merged two labels. See Table 18-3 for a listing of the available algorithms.

For more information on label-merging algorithms, see Oracle Label Security Administrator's Guide.


Example

BEGIN
 DBMS_MACADM.UPDATE_MAC_POLICY(
  policy_name  => 'Access Locations',
  algorithm    => 'LUI');
END;
/
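
The CREATE_MAC_POLICY example sets 'Access Locations' to HUU and the UPDATE_MAC_POLICY example changes it to LUI. The following added example (a simplified Python model, not Oracle code and not part of the original documentation) shows what the three-character codes in Table 18-3 do to two labels being merged. Assumptions: labels are written LEVEL:COMPARTMENTS:GROUPS, the level ranking and sample labels are constructed, Minus means the first label's items that are not in the second, and group hierarchies are ignored.

```python
# Simplified model of an Oracle Label Security label merge (added example).
# Assumptions: labels are written LEVEL:COMPARTMENTS:GROUPS, the level
# ranking below is constructed, and group hierarchies are ignored.
LEVEL_RANK = {"PUBLIC": 10, "CONFIDENTIAL": 20, "SENSITIVE": 30}  # constructed

SET_OPS = {
    "U": lambda a, b: a | b,     # Union
    "I": lambda a, b: a & b,     # Intersection
    "M": lambda a, b: a - b,     # Minus: first label's items not in the second
    "N": lambda a, b: set(),     # Null: component is left empty
}

def parse_label(text):
    """Split 'LEVEL:C1,C2:G1,G2' into (level, compartments, groups)."""
    parts = (text.split(":") + ["", ""])[:3]
    level = parts[0].strip().upper()
    if level not in LEVEL_RANK:
        raise ValueError(f"unknown level {level!r}")
    comps, groups = ({x.strip().upper() for x in p.split(",") if x.strip()}
                     for p in parts[1:])
    return level, comps, groups

def format_label(level, comps, groups):
    """Render the components back to text, dropping empty trailing fields."""
    fields = [level, ",".join(sorted(comps)), ",".join(sorted(groups))]
    while fields and not fields[-1]:
        fields.pop()
    return ":".join(fields)

def merge_labels(label1, label2, algorithm):
    """Merge two labels using a three-character code from Table 18-3."""
    code = algorithm.upper()
    if (len(code) != 3 or code[0] not in "HL"
            or code[1] not in SET_OPS or code[2] not in SET_OPS):
        raise ValueError(f"invalid merge algorithm code {algorithm!r}")
    l1, c1, g1 = parse_label(label1)
    l2, c2, g2 = parse_label(label2)
    pick = max if code[0] == "H" else min   # H = Maximum Level, L = Minimum Level
    level = pick(l1, l2, key=LEVEL_RANK.__getitem__)
    return format_label(level, SET_OPS[code[1]](c1, c2), SET_OPS[code[2]](g1, g2))

if __name__ == "__main__":
    a, b = "SENSITIVE:FIN,HR:WEST", "CONFIDENTIAL:FIN:WEST,EAST"  # constructed labels
    for code in ("HUU", "LUI", "HIN", "HMU"):
        print(code, "->", merge_labels(a, b, code))
```

In this model, switching the policy from HUU to LUI lowers the merged level from SENSITIVE to CONFIDENTIAL and narrows the groups from EAST,WEST to WEST, so an algorithm change through UPDATE_MAC_POLICY should be reviewed as a change to the effective label, not as a cosmetic setting.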