4 Getting Started with Oracle Label Security

Before using Oracle Label Security, you must register it with the database and then enable the LBACSYS Oracle Label Security account. Then you can log in to Cloud Control or SQL*Plus to start using OLS.

Registering Oracle Label Security with an Oracle Database

You must register Oracle Label Security with the database in which you plan to use it.

About Registering Oracle Label Security

When you install Oracle Database, by default Oracle Label Security is not enabled. You must register it with the database. Afterwards, you must enable the default Oracle Label Security user account, LBACSYS.

After you register Oracle Label Security, you can disable and re-enable it when necessary.

If you are using a multitenant environment, then only register Oracle Label Security in the pluggable databases (PDBs) in which you plan to create Oracle Label Security policies. Because Oracle Label Security is not designed to protect data dictionary objects, you cannot create policies in the root.

Checking if Oracle Label Security Has Been Registered and Enabled

You can query the DBA_OLS_STATUS data dictionary view to find if Oracle Label Security has already been registered and enabled.

  1. Log into the database instance as user SYS with the SYSDBA administrative privilege.
    sqlplus sys as sysdba
    Enter password: password
    
  2. If you are using a multitenant environment, then connect to the appropriate PDB.

    For example, to connect to the PDB hrpdb:

    CONNECT SYS@hrpdb AS SYSDBA
    Enter password: password
    

    To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.

  3. Run the following query to find if Oracle Label Security has been registered:
    SELECT STATUS FROM DBA_OLS_STATUS WHERE NAME = 'OLS_CONFIGURE_STATUS';
    

    If the output is TRUE, then Oracle Label Security is registered. If the output is FALSE, then you must register Oracle Label Security.

  4. If Oracle Label Security has been registered, then check if it is enabled. The PARAMETER column is case sensitive, so use the case shown here.
    SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Label Security';
    

    If it returns TRUE, then Oracle Label Security is enabled. Go to "Enabling the LBACSYS Oracle Label Security User Account". If the output is FALSE, then you must enable Oracle Label Security.

Note:

If Oracle Label Security is registered, it may or may not be enabled. You can query the V$OPTION dynamic view to find if it is enabled. See "Checking if Oracle Label Security Is Enabled or Disabled" for more information.

Registering and Enabling Oracle Label Security from SQL*Plus

You can both register and enable Oracle Label Security from SQL*Plus.

  1. Log into the database instance as user SYS with the SYSDBA administrative privilege.

    For example:

    sqlplus sys as sysdba
    Enter password: password 
    
  2. If you are using a multitenant environment, then connect to the appropriate PDB.

    For example, to connect to the PDB hrpdb:

    CONNECT SYS@hrpdb AS SYSDBA
    Enter password: password
    

    To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.

  3. Register and enable Oracle Label Security as follows.
    -- This procedure registers Oracle Label Security.
    EXEC LBACSYS.CONFIGURE_OLS;
    -- This procedure enables it.
    EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;
    
  4. Connect as user SYS with the SYSOPER privilege.
    -- Or, for the PDB hrpdb: CONNECT SYS@hrpdb AS SYSOPER
    CONNECT SYS AS SYSOPER
    Enter password: password
    
  5. Restart the database.

    For example:

    SHUTDOWN IMMEDIATE
    STARTUP
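
The status checks and the two procedure calls from the steps above can be combined so that each call runs only when its check returns FALSE. This is an added example, not Oracle's own script; it assumes you are connected as SYS AS SYSDBA in the intended database or PDB, and the variable names are illustrative.

```sql
SET SERVEROUTPUT ON
DECLARE
  v_registered VARCHAR2(64);
  v_enabled    VARCHAR2(64);
  v_changed    BOOLEAN := FALSE;
BEGIN
  -- Registration state, read the same way as in the manual check.
  SELECT status INTO v_registered
    FROM dba_ols_status
   WHERE name = 'OLS_CONFIGURE_STATUS';

  IF v_registered = 'FALSE' THEN
    LBACSYS.CONFIGURE_OLS;
    v_changed := TRUE;
    DBMS_OUTPUT.PUT_LINE('Registered Oracle Label Security.');
  END IF;

  -- Enablement state. PARAMETER is case sensitive, so keep this exact case.
  SELECT value INTO v_enabled
    FROM v$option
   WHERE parameter = 'Oracle Label Security';

  IF v_enabled = 'FALSE' THEN
    LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;
    v_changed := TRUE;
    DBMS_OUTPUT.PUT_LINE('Enabled Oracle Label Security.');
  END IF;

  IF v_changed THEN
    -- The restart is a separate step: connect with SYSOPER as described above.
    DBMS_OUTPUT.PUT_LINE('Restart required: SHUTDOWN IMMEDIATE, then STARTUP.');
  ELSE
    DBMS_OUTPUT.PUT_LINE('Already registered and enabled; nothing to do.');
  END IF;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    -- A missing status row usually means the session is in the wrong container.
    DBMS_OUTPUT.PUT_LINE('Status row not found; run show con_name and retry.');
    RAISE;
END;
/
```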
    

Registering and Enabling Oracle Label Security Using DBCA

You can both register and enable Oracle Label Security using Database Configuration Assistant.

  1. Start Database Configuration Assistant (DBCA).
    • UNIX: Run the following command:

      $ORACLE_HOME/bin/dbca
      
    • Windows: From the Start menu, click All Programs. Then click Oracle - ORACLE_HOME, then Configuration and Migration Tools, and then Database Configuration Assistant.

    The Welcome screen appears.

  2. Click Next.

    The Operations screen appears.

  3. Select Configure Database Options. Click Next.

    The Database screen appears.

  4. From the list, select the database where you need to configure and enable OLS. Click Next.

    The Database Content screen appears.

  5. Select Oracle Label Security. Click Next.

    The Connection Mode screen appears.

  6. Select either Dedicated Server Mode or Shared Server Mode. Click Finish.

    A dialog box is displayed informing you that the operation will require the database to be restarted.

  7. Click OK.

    A confirmation dialog box is displayed.

  8. Click OK.

    The DBCA progress screen is displayed.

  9. After the operation is complete, you are prompted to perform another operation. Click No to exit DBCA.

Enabling the LBACSYS Oracle Label Security User Account

After you complete the registration process, the default user account, LBACSYS, is granted the LBAC_DBA database role, which provides the privileges necessary to manage Oracle Label Security. LBACSYS is created as a locked account with its password expired.

  1. Log into the database instance as a user who has been granted the ALTER USER system privilege (for example, the SYSTEM user).

    For example (for the hrpdb pluggable database (PDB), use sqlplus system@hrpdb instead):

    sqlplus system
    Enter password: password
    

    If Oracle Database Vault is enabled, then log in as a user who has been granted the DV_ACCTMGR role.

  2. Enter this statement:
    ALTER USER LBACSYS ACCOUNT UNLOCK IDENTIFIED BY password;
    

    Replace password with a password that is secure. See Oracle Database Security Guide for the minimum requirements for creating passwords.

After you unlock user LBACSYS and provide a password, as a good practice, you may want to reserve this account as a back-up user account. For day-to-day use, consider granting the LBAC_DBA database role to trusted users who you want to administer Oracle Label Security.

If you plan to use Enterprise Manager Cloud Control to administer Oracle Label Security, then ensure that any users to whom you have granted the LBAC_DBA role also have the SELECT ANY DICTIONARY privilege. By default, the LBACSYS user already has this privilege.

Logging into Cloud Control or SQL*Plus for Oracle Label Security

After you complete the Oracle Label Security registration and enablement process, you can begin using it.

Logging into Oracle Label Security from Enterprise Manager Cloud Control

From Enterprise Manager Cloud Control, you use the Oracle Label Security pages to create and manage Oracle Label Security policies.

  1. Ensure that you have configured the Cloud Control target databases that you plan to use with Oracle Label Security.

    See the Oracle Enterprise Manager online help and Oracle Enterprise Manager Advanced Configuration for more information about configuring target databases.

  2. Point your browser to the Cloud Control login page.

    For example:

    https://myserver.example.com:7799/em
    
  3. Log into Cloud Control as user SYSMAN.
  4. In the Cloud Control home page, from the Targets menu, select Databases.
  5. In the Databases page, select the link for the database to which you want to connect.

    The Database home page appears.

  6. From the Security menu, select Label Security.

    The Database Login page appears.

  7. Enter the following information:
    • Username: Enter the user name of a user who has been granted the LBAC_DBA database role, or enter LBACSYS.

    • Password: Enter the password.

    • Role: Select NORMAL from the list.

    • Save As: Select this check box if you want these credentials to be automatically filled in for you the next time that this page appears. The credentials are stored in Enterprise Manager in a secured manner. Access to these credentials depends on the user who is currently logged in.

Logging in to Oracle Label Security from SQL*Plus

You can log in to Oracle Label Security from SQL*Plus if you have been granted the LBAC_DBA database role.

  • To use Oracle Label Security from SQL*Plus, connect as user LBACSYS or as a user who has been granted the LBAC_DBA database role. To find if a user has been granted this role, query the GRANTEE and GRANTED_ROLE columns of the DBA_ROLE_PRIVS data dictionary view.

    For example (for a PDB named hrpdb, use sqlplus psmith_ols@hrpdb instead):

    sqlplus psmith_ols
    Enter password: password

To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.
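
To review the account setup described in "Enabling the LBACSYS Oracle Label Security User Account" together with the DBA_ROLE_PRIVS check above, the following queries report the state of LBACSYS and list every LBAC_DBA grantee. This is an added example, not part of the Oracle documentation; it assumes a session that can read the DBA_ views, and the column alias is illustrative.

```sql
-- State of the default account. It is created locked with an expired password,
-- so ACCOUNT_STATUS shows whether the unlock step has been performed.
SELECT username, account_status, lock_date, expiry_date
  FROM dba_users
 WHERE username = 'LBACSYS';

-- Every grantee of LBAC_DBA, whether the grant can be passed on (ADMIN_OPTION),
-- and whether the grantee also holds SELECT ANY DICTIONARY, which Cloud Control
-- administration requires. Only direct grants of the privilege are checked here;
-- a privilege received through another role is not detected by this query.
SELECT r.grantee,
       r.admin_option,
       u.account_status,
       CASE
         WHEN EXISTS (SELECT 1
                        FROM dba_sys_privs p
                       WHERE p.grantee   = r.grantee
                         AND p.privilege = 'SELECT ANY DICTIONARY')
         THEN 'YES'
         ELSE 'NO'
       END AS direct_select_any_dictionary
  FROM dba_role_privs r
  LEFT JOIN dba_users u
    ON u.username = r.grantee      -- NULL status means the grantee is a role
 WHERE r.granted_role = 'LBAC_DBA'
 ORDER BY r.grantee;
```

Unexpected grantees, or grantees with ADMIN_OPTION set to YES, are the rows to review first, because they widen the set of accounts that can administer Oracle Label Security policies.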