1/29

Contents

Title and Copyright Information

Preface

• Audience
• Related Documentation
• Conventions

Changes in This Release for Oracle Label Security Administrator's Guide

• Changes in Oracle Database 12c Release 1 (12.1.0.2)
  • New Features
  • Deprecated Features
• Changes in Oracle Database 12c Release 1 (12.1.0.1)
  • New Features
  • Deprecated Features
  • Other Changes

Part I Getting Started with Oracle Label Security

1 Introduction to Oracle Label Security

• About Oracle Label Security
• Benefits of Oracle Label Security
• Who Has Privileges to Use Oracle Label Security?
• Duties of Oracle Label Security Administrators
• Components of Oracle Label Security
• Oracle Label Security Architecture
• Oracle Label Security Administrative Interfaces
  • Oracle Label Security Packages
  • Oracle Enterprise Manager Cloud Control
• How Oracle Label Security Works with Other Oracle Products
  • Oracle Label Security Integration with Oracle Internet Directory
  • Oracle Label Security Integration in a Multitenant Environment

2 Understanding Data Labels and User Labels

• About Label-Based Security
• About User Label and Privilege Management
• Label Components
  • Label Component Definitions and Valid Characters
  • Level Sensitivity Components
  • Compartment Components
  • Group Components
  • Industry Examples of Levels, Compartments, and Groups
• Label Syntax and Type
• How Data Labels and User Labels Work Together
• Administration of Labels

3 Access Controls and Privileges

• Access Mediation
• How the Session Label and Row Label Work
  • The Session Label
  • The Row Label
  • Session Label Example
• How User Authorizations Work
  • Authorizations Set by the Administrator
  • Computed Session Labels
• Evaluation of Labels for Access Mediation
  • About Read and Write Access
  • How Oracle Label Security Algorithm for Read Access Works
  • How the Oracle Label Security Algorithm for Write Access Works
• Oracle Label Security Privileges
  • Privileges Defined by Oracle Label Security Policies
  • Special Access Privileges
  • Special Row Label Privileges
  • System Privileges, Object Privileges, and Policy Privileges
  • Access Mediation and Views
  • Access Mediation and Program Unit Execution
  • Access Mediation and Policy Enforcement Options
• Working with Multiple Oracle Label Security Policies
  • Multiple Oracle Label Security Policies in a Single Database
  • Multiple Oracle Label Security Policies in a Distributed Environment

Part II Using Oracle Label Security Functionality

4 Getting Started with Oracle Label Security

• Registering Oracle Label Security with an Oracle Database
  • About Registering Oracle Label Security
  • Checking if Oracle Label Security Has Been Registered and Enabled
  • Registering and Enabling Oracle Label Security from SQL*Plus
  • Registering and Enabling Oracle Label Security Using DBCA
• Enabling the LBACSYS Oracle Label Security . User Account 12.2.9 ... for about you and me used to be together
• Logging into Cloud Control or SQL*Plus for Oracle Label Security
  • Logging into Oracle Label Security from Enterprise Manager Cloud Control
  • Logging in to Oracle Label Security from SQL*Plus

5 Creating an Oracle Label Security Policy

• About Creating Oracle Label Security Policies
• Step 1: Create the Label Security Policy Container
  • About the Label Security Policy Container
  • Creating a Label Policy Container
• Step 2: Create Data Labels for the Label Security Policy
  • About Data Labels
  • About Policy Level Sensitivity Components
  • Creating a Policy Level Component
  • About Policy Compartment Components
  • Creating a Policy Compartment Component
  • About Policy Group Components
  • Creating a Policy Data Label Group
  • About Associating the Policy Components with a Named Data Label
  • Associating the Policy Components with a Named Data Label
• Step 3: Authorize Users for the Label Security Policy
  • About Authorizing Users for Label Security Policies
  • About Authorizing Levels
  • Authorizing a Level
  • About Authorizing Compartments
  • Authorizing a Compartment
  • About Authorizing Groups
  • Authorizing a Group
• Step 4: Grant Privileges to Users and Trusted Stored Program Units
  • About Granting Privileges to Users and Trusted Program Units for the Policy
  • Granting Privileges to a User
  • Granting Privileges to a Trusted Program Unit
• Step 5: Apply the Policy to a Database Table or Schema
  • About Applying the Policy to a Database Table or Schema
  • Applying a Policy to a Schema
• Step 6: Add Policy Labels to Table Rows
  • About Adding Policy Labels to Table Rows
  • Adding a Policy Label to a Table Row
• Step 7: (Optional) Configure Auditing
  • About Configuring Auditing
  • Configuring Auditing
• Using Enterprise Manager Cloud Control to Create an OLS Policy
  • Creating the Label Security Policy Container Using Cloud Control
  • Creating Policy Components Using Cloud Control
  • Creating Data Labels for the Policy Using Cloud Control
  • Authorizing, Granting Privileges, and Auditing Users for a Policy Using Cloud Control
  • Granting Privileges to Trusted Program Units Using Cloud Control
  • Applying a Policy to a Database Table with Cloud Control
  • Applying Policy Labels to Table Rows Using Cloud Control
  • Auditing Oracle Label Security Policies Using Cloud Control

6 Working with Labeled Data

• How Policy Label Column and Label Tags Work
  • The Policy Label Column
  • Label Tags
• Assignments of Labels to Data Rows
• Presenting the Label
  • Converting a Character String to a Label Tag with CHAR_TO_LABEL
  • Conversion of a Label Tag to a Character String, with LABEL_TO_CHAR
• Filtration of Data Using Labels
  • Use of Numeric Label Tags in WHERE Clauses
  • Ordering Labeled Data Rows
  • Ordering by Character Representation of Label
  • Determination of the Upper and Lower Bounds of Labels
  • Merging Labels with the MERGE_LABEL Function
• Inserting Labeled Data
  • About Inserting Labeled Data
  • Inserting Labels Using CHAR_TO_LABEL
  • Inserting Labels Using Numeric Label Tag Values
  • Inserting Data Without Specifying a Label
  • Inserting Data When the Policy Label Column Is Hidden
  • Inserting Labels Using TO_DATA_LABEL
• Changing Session and Row Labels

7 Oracle Label Security Using Oracle Internet Directory

• About Label Management on Oracle Internet Directory
• Configuring Oracle Internet Directory-Enabled Label Security
  • About Configuring Oracle Internet Directory-Enabled Label Security
  • Granting Permissions for Configuring OID-Enabled Oracle Label Security
  • Registering a Database and Configuring OID-Enabled Oracle Label Security
  • Unregisteration of a Database with Oracle Internet Directory Enabled Oracle Label Security
• Removing Directory-Enabled Oracle Label Security from Database
• Oracle Label Security Profiles
• Integrated Capabilities When Label Security Uses the Directory
• Oracle Label Security Policy Attributes in Oracle Internet Directory
• Subscription of Policies in Directory-Enabled Label Security
• Restrictions on New Data Label Creation
• Administrator Duties for Oracle Internet Directory and Oracle Label Security
• Bootstrapping Databases
• Synchronizing the Database and Oracle Internet Directory
  • About Synchronizing the Database and Oracle Internet Directory
  • Oracle Directory Integration and Provisioning (DIP) Provisioning Profiles
  • Modifying a Provisioning Profile
  • Changing the Database Connection Information for a Provisioning Profile
  • Configuring Oracle Directory-Enabled Oracle Label Security with Oracle Data Guard
• Security Roles and Permitted Actions
  • Permitted Tasks and Access Levels for Oracle Internet Directory
  • Restriction on Policy Creators for Directory-enabled Oracle Label Security
• Superseded PL/SQL Statements When OID Is Enabled with OLS
• Oracle Label Security Procedures for Policy Administrators Only

Part III Administering an Oracle Label Security Application

8 Implementing Policy Enforcement Options and Labeling Functions

• Oracle Label Security Policy Enforcement Options
  • About Policy Enforcement Options
  • Levels of Policy Enforcement Options
  • Categories of Policy Enforcement Options
  • Relationships of Policy Enforcement Options
  • How the HIDE Policy Column Option Works
  • How the Label Management Enforcement Options Work
  • How the Access Control Enforcement Options Work
  • How the Overriding Enforcement Options Work
  • Guidelines for Using the Policy Enforcement Options
  • Exemptions from Oracle Label Security Policy Enforcement
  • Data Dictionary Views for Viewing Policy Options on Tables and Schemas
• Labeling Functions
  • Labeling Data Rows under Oracle Label Security
  • How Labeling Functions in Oracle Label Security Policies Works
  • Creating a Labeling Function for a Policy
  • Specifying a Labeling Function in a Policy
• Inserting Labeled Data Using Policy Options and Labeling Functions
  • Outcome of Insert or Updates Operations on Data Based on Authorizations
  • The Insertion of Labels When a Labeling Function Is Specified
  • The Insertion Child Rows into Tables with Declarative Referential Integrity Enabled
• Updating Labeled Data Using Policy Options and Labeling Functions
  • Updating Labels Using CHAR_TO_LABEL
  • Evaluation of Enforcement Control Options and UPDATE
  • Updates to Labels When a Labeling Function Is Specified
  • Updates to Child Rows in Tables with Declarative Referential Integrity Enabled
• Deletion of Labeled Data Using Policy Options and Labeling Functions
• SQL Predicates with an Oracle Label Security Policy
  • Modifications to an Oracle Label Security Policy with a SQL Predicate
  • How Multiple SQL Predicates Affect Oracle Label Security Policies

9 Administering and Using Trusted Stored Program Units

• About Trusted Stored Program Units
• How a Trusted Stored Program Unit Runs
• Example of a Trusted Stored Program Unit
• Creating and Compiling Trusted Stored Program Units
  • Creation of Trusted Stored Program Units
  • Privileges for Trusted Stored Program Units
  • Recompiling of Trusted Stored Program Units
  • Re-creation of Trusted Stored Program Units
  • Execution of Trusted Stored Program Units
• How Setting and Returning Label Information Works

10 Auditing Under Oracle Label Security

• About Oracle Label Security Auditing
• Systemwide Auditing: AUDIT_TRAIL Initialization Parameter
• How Oracle Label Security Auditing Is Enabled or Disabled
• Oracle Label Security and Unified Auditing
• Oracle Label Security Auditing Tips
  • Strategy for Setting SA_AUDIT_ADMIN Options
  • Auditing of Privileged Operations

11 Using Oracle Label Security with a Distributed Database

• About the Oracle Label Security Distributed Configuration
• How Connections to a Remote Database Under Oracle Label Security Work
• Session Labels and Row Labels in Remote Sessions
• Labels in a Distributed Environment
  • Label Tags in a Distributed Environment
  • Numeric Form of Label Components in a Distributed Environment
• Oracle Label Security Policies in a Distributed Environment
• Replication with Oracle Label Security
  • About Replication Under Oracle Label Security
  • Contents of a Materialized View
  • Requirements for Creating Materialized Views Under Oracle Label Security
  • How to Refresh Materialized Views

12 Performing DBA Functions Under Oracle Label Security

• Oracle Data Pump Export Use with Oracle Label Security
  • Full Database Export
  • Schema and Table-Level Export
• Data Pump Import Use with Oracle Label Security
  • Full Database Import for the LBACSYS Schema Metadata
  • Schema and Table Level Import
• SQL*Loader Use with Oracle Label Security
  • Requirements for Using SQL*Loader Under Oracle Label Security
  • Oracle Label Security Input to SQL*Loader
• Performance Tips for Oracle Label Security
  • Use of ANALYZE to Improve Oracle Label Security Performance
  • Creation of Indexes on the Policy Label Column
  • Label Tag Strategy Plan to Enhance Performance
  • Partitioned Data Based on Numeric Label Tags
• Creation of Additional Databases After Installation
  • About the Creation of Additional Databases After Installation
  • Creating Additional Databases When the Label Security Schema Is in the Seed
  • Creating Additional Databases with the Custom Installation Option
• Oracle Label Security Upgrades and Downgrades
  • About Oracle Label Security Upgrades and Downgrades
  • Oracle Label Security Release 12.1 Upgrades
  • Oracle Label Security Downgrades

13 Releasability Using Inverse Groups

• About Inverse Groups and Releasability
• Comparison of Standard Groups and Inverse Groups
• How Inverse Groups Work
  • Implementation of Inverse Groups with the INVERSE_GROUP Enforcement Option
  • Inverse Groups and Label Components
  • Computed Labels with Inverse Groups
  • Inverse Groups and Hierarchical Structure
  • Inverse Groups and User Privileges
• Algorithm for Read Access with Inverse Groups
• Algorithm for Write Access with Inverse Groups
• Algorithms for COMPACCESS Privilege with Inverse Groups
• Session Labels and Inverse Groups
  • Initial Session and Row Labels for Standard or Inverse Groups
  • Setting Current Session or Row Labels for Standard or Inverse Groups
  • Examples of Session Labels and Inverse Groups
• Changes in Behavior of Procedures with Inverse Groups
  • SA_SYSDBA.CREATE_POLICY with Inverse Groups
  • SA_SYSDBA.ALTER_POLICY with Inverse Groups
  • SA_USER_ADMIN.ADD_GROUPS with Inverse Groups
  • SA_USER_ADMIN.ALTER_GROUPS with Inverse Groups
  • SA_USER_ADMIN.SET_GROUPS with Inverse Groups
  • SA_USER_ADMIN.SET_USER_LABELS with Inverse Groups
  • SA_USER_ADMIN.SET_DEFAULT_LABEL with Inverse Groups
  • SA_USER_ADMIN.SET_ROW_LABEL with Inverse Groups
  • SA_COMPONENTS.CREATE_GROUP with Inverse Groups
  • SA_COMPONENTS.ALTER_GROUP_PARENT with Inverse Groups
  • SA_SESSION.SET_LABEL with Inverse Groups
  • SA_SESSION.SET_ROW_LABEL with Inverse Groups
  • LEAST_UBOUND with Inverse Groups
  • GREATEST_LBOUND with Inverse Groups
• Dominance Rules for Labels with Inverse Groups

Part IV Appendixes

A Disabling and Enabling Oracle Label Security

• When You Must Disable Oracle Label Security
• Checking if Oracle Label Security Is Enabled or Disabled
• Disabling Oracle Label Security
• Enabling Oracle Label Security

B Advanced Topics in Oracle Label Security

• Analyzing the Relationships Between Labels
  • About Dominant and Dominated Labels
  • Non-Comparable Labels
  • Using Dominance Functions
• Queries for Audited Oracle Label Security Session Labels
  • About Queries for Auditing Oracle Label Security Session Labels
  • LBACSYS.ORA_GET_AUDITED_LABEL Function
• Oracle Call Interface for Setting Session Labels
  • About Using the Oracle Call Interface to Set Session Labels
  • Using the Oracle Call Interface to Set Session Labels
  • Example: Using Oracle Call Interface with the SYS_CONTEXT Function

C Command-line Tools for Label Security Using Oracle Internet Directory

• About the Command-line Oracle Label Security Tools
• Oracle Label Security Commands in Categories
• olsadmintool Command Reference
  • About the olsadmintool Commands
  • olsadmintool addadmin
  • olsadmintool addpolcreator
  • olsadmintool adduser
  • olsadmintool altercompartent
  • olsadmintool altergroup
  • olsadmintool altergroupparent
  • olsadmintool alterlabel
  • olsadmintool alterlevel
  • olsadmintool alterpolicy
  • olsadmintool audit
  • olsadmintool createcompartment
  • olsadmintool creategroup
  • olsadmintool createlabel
  • olsadmintool createlevel
  • olsadmintool createprofile
  • olsadmintool createpolicy
  • olsamindtool describeprofile
  • olsadmintool dropadmin
  • olsadmintool dropcompartment
  • olsadmintool dropgroup
  • olsadmintool droplabel
  • olsadmintool droplevel
  • olsadmintool droppolicy
  • olsadmintool dropprofile
  • olsadmintool droppolcreator
  • olsadmintool dropuser
  • olsadmintool --help
  • olsadmintool noaudit
  • olsadmintool listprofile
• Relating Parameters to Commands for olsadmintool
  • About Relating Parameters to Commands for olsadmintool
  • Summaries of olsadmintool Parameters
• Examples of Using the olsadmintool Utility
  • Example: Making Other Users Policy Creators
  • Example: Creating Policies with Valid Options
  • Example: Creating Policy Administrators
  • Example: Creating Levels
  • Example: Creating Compartments
  • Example: Creating Groups
  • Example: Creating Labels
  • Example: Creating a Profile
  • Example: Adding a User to a Profile
  • Example: Adding Another User to a Profile
  • Example: Setting Audit Options
  • Results of These Examples

D Oracle Label Security in an Oracle RAC Environment

• Oracle Label Security Policy Functions in an Oracle RAC Environment
• Transparent Application Failover in Oracle Label Security

E Oracle Label Security PL/SQL Packages

• SA_AUDIT_ADMIN Oracle Label Security Auditing PL/SQL Package
  • SA_AUDIT_ADMIN.AUDIT
  • SA_AUDIT_ADMIN.AUDIT_LABEL
  • SA_AUDIT_ADMIN.AUDIT_LABEL_ENABLED Function
  • SA_AUDIT_ADMIN.CREATE_VIEW
  • SA_AUDIT_ADMIN.DROP_VIEW
  • SA_AUDIT_ADMIN.NOAUDIT
  • SA_AUDIT_ADMIN.NOAUDIT_LABEL
• SA_COMPONENTS Label Components PL/SQL Package
  • SA_COMPONENTS.ALTER_COMPARTMENT
  • SA_COMPONENTS.ALTER_GROUP
  • SA_COMPONENTS.ALTER_GROUP_PARENT
  • SA_COMPONENTS.ALTER_LEVEL
  • SA_COMPONENTS.CREATE_COMPARTMENT
  • SA_COMPONENTS.CREATE_GROUP
  • SA_COMPONENTS.CREATE_LEVEL
  • SA_COMPONENTS.DROP_COMPARTMENT
  • SA_COMPONENTS.DROP_GROUP
  • SA_COMPONENTS.DROP_LEVEL
• SA_LABEL_ADMIN Label Management PL/SQL Package
  • SA_LABEL_ADMIN.ALTER_LABEL
  • SA_LABEL_ADMIN.CREATE_LABEL
  • SA_LABEL_ADMIN.DROP_LABEL
• SA_POLICY_ADMIN Policy Administration PL/SQL Package
  • SA_POLICY_ADMIN.ALTER_SCHEMA_POLICY
  • SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY
  • SA_POLICY_ADMIN.APPLY_TABLE_POLICY
  • SA_POLICY_ADMIN.DISABLE_SCHEMA_POLICY
  • SA_POLICY_ADMIN.DISABLE_TABLE_POLICY
  • SA_POLICY_ADMIN.ENABLE_SCHEMA_POLICY
  • SA_POLICY_ADMIN.ENABLE_TABLE_POLICY
  • SA_POLICY_ADMIN.POLICY_SUBSCRIBE
  • SA_POLICY_ADMIN.POLICY_UNSUBSCRIBE
  • SA_POLICY_ADMIN.REMOVE_SCHEMA_POLICY
  • SA_POLICY_ADMIN.REMOVE_TABLE_POLICY
• SA_SESSION Session Management PL/SQL Package
  • SA_SESSION.COMP_READ
  • SA_SESSION.COMP_WRITE
  • SA_SESSION.GROUP_READ
  • SA_SESSION.GROUP_WRITE
  • SA_SESSION.LABEL
  • SA_SESSION.MAX_LEVEL
  • SA_SESSION.MAX_READ_LABEL
  • SA_SESSION.MAX_WRITE_LABEL
  • SA_SESSION.MIN_LEVEL
  • SA_SESSION.MIN_WRITE_LABEL
  • SA_SESSION.PRIVS
  • SA_SESSION.RESTORE_DEFAULT_LABELS
  • SA_SESSION.ROW_LABEL
  • SA_SESSION.SET_LABEL
  • SA_SESSION.SA_USER_NAME
  • SA_SESSION.SAVE_DEFAULT_LABELS
  • SA_SESSION.SET_ACCESS_PROFILE
  • SA_SESSION.SET_ROW_LABEL
• SA_SYSDBA Policy Management PL/SQL Package
  • SA_SYSDBA.ALTER_POLICY
  • SA_SYSDBA.CREATE_POLICY
  • SA_SYSDBA.DISABLE_POLICY
  • SA_SYSDBA.DROP_POLICY
  • SA_SYSDBA.ENABLE_POLICY
• SA_USER_ADMIN User, Levels, Groups, and Compartments PL/SQL Package
  • SA_USER_ADMIN.ADD_COMPARTMENTS
  • SA_USER_ADMIN.ADD_GROUPS
  • SA_USER_ADMIN.ALTER_COMPARTMENTS
  • SA_USER_ADMIN.ALTER_GROUPS
  • SA_USER_ADMIN.DROP_ALL_COMPARTMENTS
  • SA_USER_ADMIN.DROP_ALL_GROUPS
  • SA_USER_ADMIN.DROP_COMPARTMENTS
  • SA_USER_ADMIN.DROP_GROUPS
  • SA_USER_ADMIN.DROP_USER_ACCESS
  • SA_USER_ADMIN.SET_COMPARTMENTS
  • SA_USER_ADMIN.SET_DEFAULT_LABEL
  • SA_USER_ADMIN.SET_GROUPS
  • SA_USER_ADMIN.SET_LEVELS
  • SA_USER_ADMIN.SET_PROG_PRIVS
  • SA_USER_ADMIN.SET_ROW_LABEL
  • SA_USER_ADMIN.SET_USER_LABELS
  • SA_USER_ADMIN.SET_USER_PRIVS
• SA_UTL PL/SQL Utility Functions and Procedures
  • SA_UTL.CHECK_LABEL_CHANGE
  • SA_UTL.CHECK_READ
  • SA_UTL.CHECK_WRITE
  • SA_UTL.DATA_LABEL
  • SA_UTL.GREATEST_LBOUND
  • SA_UTL.LEAST_UBOUND
  • SA_UTL.NUMERIC_LABEL
  • SA_UTL.NUMERIC_ROW_LABEL
  • SA_UTL.SET_LABEL
  • SA_UTL.SET_ROW_LABEL

F Oracle Label Security Reference

• Oracle Label Security Data Dictionary Tables and Views
  • Oracle Database Data Dictionary Tables
  • Oracle Label Security Data Dictionary Views
  • Oracle Label Security User-Created Auditing View
• Restrictions in Oracle Label Security

G Frequently Asked Questions about Oracle Label Security

• Who Uses Oracle Label Security?
• How Can Oracle Label Security Address My Security Needs?
• Should I Use Oracle Label Security to Protect All My Tables?
• What Is the Difference Between Oracle Virtual Private Database and Oracle Label Security?
• Can I Combine Oracle Virtual Private Database and Oracle Label Security?
• Can I Use Oracle Label Security with Oracle E-Business Suite?
• Can I Use Oracle Label Security with Oracle Database Vault?
• Does Oracle Label Security Provide Column-Level Access Control?
• Can I Base Secure Application Roles on Oracle Label Security?
• What Are Trusted Stored Program Units?
• Does VPD or OLS Add an Additional Column to the Protected Table?
• Why Should the Additional OLS Row Label Column Be Hidden?

Index