Contents

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documentation
• Conventions

Part I

1 Introduction to Oracle Label Security

• 1.1 Computer Security and Data Access Controls
  • 1.1.1 Oracle Label Security and Security Standards
  • 1.1.2 Security Policies
  • 1.1.3 Access Control
    • 1.1.3.1 Discretionary Access Control
    • 1.1.3.2 Oracle Label Security
    • 1.1.3.3 How Oracle Label Security Works with Discretionary Access Control
• 1.2 Oracle Label Security Architecture
• 1.3 Features of Oracle Label Security
  • 1.3.1 Overview of Oracle Label Security Policy Functionality
  • 1.3.2 Oracle Enterprise Edition: VPD Technology
  • 1.3.3 Oracle Label Security: An Out-of-the-Box VPD
  • 1.3.4 Label Policy Features
    • 1.3.4.1 Data Labels
    • 1.3.4.2 Label Authorizations
    • 1.3.4.3 Policy Privileges
    • 1.3.4.4 Policy Enforcement Options
    • 1.3.4.5 Summary: Four Aspects of Label-Based Row Access
• 1.4 Oracle Label Security Integration with Oracle Internet Directory

2 Understanding Data Labels and User Labels

• 2.1 Introduction to Label-Based Security
• 2.2 Label Components
  • 2.2.1 Label Component Definitions and Valid Characters
  • 2.2.2 Levels
  • 2.2.3 Compartments
  • 2.2.4 Groups
  • 2.2.5 Industry Examples of Levels, Compartments, and Groups
• 2.3 Label Syntax and Type
• 2.4 How Data Labels and User Labels Work Together
• 2.5 Administering Labels

3 Understanding Access Controls and Privileges

• 3.1 Introducing Access Mediation
• 3.2 Understanding Session Label and Row Label
  • 3.2.1 The Session Label
  • 3.2.2 The Row Label
  • 3.2.3 Session Label Example
• 3.3 Understanding User Authorizations
  • 3.3.1 Authorizations Set by the Administrator
    • 3.3.1.1 Authorized Levels
    • 3.3.1.2 Authorized Compartments
    • 3.3.1.3 Authorized Groups
  • 3.3.2 Computed Session Labels
• 3.4 Evaluating Labels for Access Mediation
  • 3.4.1 Introducing Read/Write Access
    • 3.4.1.1 Difference Between Read and Write Operations
    • 3.4.1.2 Propagation of Read/Write Authorizations on Groups
  • 3.4.2 The Oracle Label Security Algorithm for Read Access
  • 3.4.3 The Oracle Label Security Algorithm for Write Access
• 3.5 Using Oracle Label Security Privileges
  • 3.5.1 Privileges Defined by Oracle Label Security Policies
  • 3.5.2 Special Access Privileges
    • 3.5.2.1 READ
    • 3.5.2.2 FULL
    • 3.5.2.3 COMPACCESS
    • 3.5.2.4 PROFILE_ACCESS
  • 3.5.3 Special Row Label Privileges
    • 3.5.3.1 WRITEUP
    • 3.5.3.2 WRITEDOWN
    • 3.5.3.3 WRITEACROSS
  • 3.5.4 System Privileges, Object Privileges, and Policy Privileges
  • 3.5.5 Access Mediation and Views
  • 3.5.6 Access Mediation and Program Unit Execution
  • 3.5.7 Access Mediation and Policy Enforcement Options
• 3.6 Working with Multiple Oracle Label Security Policies
  • 3.6.1 Multiple Oracle Label Security Policies in a Single Database
  • 3.6.2 Multiple Oracle Label Security Policies in a Distributed Environment

Part II Using Oracle Label Security Functionality

4 Getting Started with Oracle Label Security

• 4.1 Installing OLS and Enabling the LBACSYS User
• 4.2 Creating an OLS Policy
  • 4.2.1 Step 1: Creating the Policy
  • 4.2.2 Step 2: Creating Label Components for the Policy
  • 4.2.3 Step 3: Creating Data Labels for the Policy
  • 4.2.4 Step 4: Authorizing Users for the Policy
  • 4.2.5 Step 5: Applying the Policy to a Database Table
  • 4.2.6 Step 6: Adding Policy Labels to Table Rows
• 4.3 Creating a Sample OLS Policy
  • 4.3.1 Step 1: Creating Users for the Oracle Label Security Example
  • 4.3.2 Step 2: Creating the ACCESS_LOCATIONS Policy
  • 4.3.3 Step 3: Defining the ACCESS_LOCATIONS Policy-Level Components
  • 4.3.4 Step 4: Creating the ACCESS_LOCATIONS Policy Data Labels
  • 4.3.5 Step 5: Creating the ACCESS_LOCATIONS Policy User Authorizations
  • 4.3.6 Step 6: Applying the ACCESS_LOCATIONS Policy to the HR.LOCATIONS Table
  • 4.3.7 Step 7: Adding Policy Labels to Table Data
  • 4.3.8 Step 8: Testing the ACCESS_LOCATIONS Policy
  • 4.3.9 Step 9: Removing the Components for This Example (Optional)

5 Working with Labeled Data

• 5.1 The Policy Label Column and Label Tags
  • 5.1.1 The Policy Label Column
    • 5.1.1.1 Hiding the Policy Label Column
    • 5.1.1.2 Example 1: Numeric Column Data Type (NUMBER)
    • 5.1.1.3 Example 2: Numeric Column Data Type with Hidden Column
  • 5.1.2 Label Tags
    • 5.1.2.1 Manually Defining Label Tags to Order Labels
    • 5.1.2.2 Manually Defining Label Tags to Manipulate Data
    • 5.1.2.3 Automatically Generated Label Tags
• 5.2 Assigning Labels to Data Rows
• 5.3 Presenting the Label
  • 5.3.1 Converting a Character String to a Label Tag, with CHAR_TO_LABEL
  • 5.3.2 Converting a Label Tag to a Character String, with LABEL_TO_CHAR
    • 5.3.2.1 LABEL_TO_CHAR Examples
    • 5.3.2.2 Retrieving All Columns from a Table When the Policy Label Column Is Hidden
• 5.4 Filtering Data Using Labels
  • 5.4.1 Using Numeric Label Tags in WHERE Clauses
  • 5.4.2 Ordering Labeled Data Rows
  • 5.4.3 Ordering by Character Representation of Label
  • 5.4.4 Determining Upper and Lower Bounds of Labels
    • 5.4.4.1 Finding Least Upper Bound with LEAST_UBOUND
    • 5.4.4.2 Finding Greatest Lower Bound with GREATEST_LBOUND
  • 5.4.5 Merging Labels with the MERGE_LABEL Function
• 5.5 Inserting Labeled Data
  • 5.5.1 Inserting Labels Using CHAR_TO_LABEL
  • 5.5.2 Inserting Labels Using Numeric Label Tag Values
  • 5.5.3 Inserting Data Without Specifying a Label
  • 5.5.4 Inserting Data When the Policy Label Column Is Hidden
  • 5.5.5 Inserting Labels Using TO_DATA_LABEL
• 5.6 Changing Your Session and Row Labels with SA_SESSION
  • 5.6.1 SA_SESSION Functions to Change Session and Row Labels
  • 5.6.2 Changing the Session Label with SA_SESSION.SET_LABEL
  • 5.6.3 Changing the Row Label with SA_SESSION.SET_ROW_LABEL
  • 5.6.4 Restoring Label Defaults with SA_SESSION.RESTORE_DEFAULT_LABELS
  • 5.6.5 Saving Label Defaults with SA_SESSION.SAVE_DEFAULT_LABELS
  • 5.6.6 Viewing Session Attributes with SA_SESSION Functions
    • 5.6.6.1 USER_SA_SESSION View to Return All Security Attributes
    • 5.6.6.2 Functions to Return Individual Security Attributes

6 Oracle Label Security Using Oracle Internet Directory

• 6.1 Introducing Label Management on Oracle Internet Directory
• 6.2 Configuring Oracle Internet Directory-Enabled Label Security
  • 6.2.1 Granting Permissions for Configuring Oracle Internet Directory enabled Oracle Label Security
  • 6.2.2 Registering a Database and Configuring Oracle Internet Directory enabled Oracle Label Security
    • 6.2.2.1 Task 1 Configure Your Oracle Home for Directory Usage.
    • 6.2.2.2 Task 2 Configure the Database for Oracle Internet Directory enabled Oracle Label Security
    • 6.2.2.3 Alternate Method for Task 2, Configuring Database for Oracle Internet Directory enabled Oracle Label Security
    • 6.2.2.4 Task3: Set the DIP Password and Connect Data
  • 6.2.3 Unregistering a Database with Oracle Internet Directory enabled OLS
• 6.3 Removing Directory-enabled Oracle Label Security from Database
• 6.4 Oracle Label Security Profiles
• 6.5 Integrated Capabilities When Label Security Uses the Directory
• 6.6 Oracle Label Security Policy Attributes in Oracle Internet Directory
• 6.7 Restrictions on New Data Label Creation
• 6.8 Two Types of Administrators
• 6.9 Bootstrapping Databases
• 6.10 Synchronizing the Database and Oracle Internet Directory
  • 6.10.1 Oracle Directory Integration and Provisioning (DIP) Provisioning Profiles
  • 6.10.2 Disabling, Changing, and Enabling a Provisioning Profile
• 6.11 Security Roles and Permitted Actions
  • 6.11.1 Restriction on Policy Creators for Directory-enabled Oracle Label Security
• 6.12 Superseded PL/SQL Statements
• 6.13 Procedures for Policy Administrators Only

Part III Administering an Oracle Label Security Application

7 Creating an Oracle Label Security Policy

• 7.1 Oracle Label Security Administrative Task Overview
  • 7.1.1 Step 1: Create the Policy
  • 7.1.2 Step 2: Define the Components of the Labels
  • 7.1.3 Step 3: Identify the Set of Valid Data Labels
  • 7.1.4 Step 4: Apply the Policy to Tables and Schemas
  • 7.1.5 Step 5: Authorize Users
  • 7.1.6 Step 6: Create and Authorize Trusted Program Units (Optional)
  • 7.1.7 Step 7: Configure Auditing (Optional)
• 7.2 Organizing the Duties of Oracle Label Security Administrators
• 7.3 Choosing an Oracle Label Security Administrative Interface
  • 7.3.1 Oracle Label Security Packages
    • 7.3.1.1 Oracle Label Security Demonstration File
  • 7.3.2 Oracle Enterprise Manager
• 7.4 Using the SA_SYSDBA Package to Manage Security Policies
  • 7.4.1 Who Can Use the SA_SYSDBA Package
  • 7.4.2 Who Can Administer a Policy
  • 7.4.3 Valid Characters for Policy Specifications
  • 7.4.4 Creating a Policy with SA_SYSDBA.CREATE_POLICY
  • 7.4.5 Modifying Policy Options with SA_SYSDBA.ALTER_POLICY
  • 7.4.6 Disabling a Policy with SA_SYSDBA.DISABLE_POLICY
  • 7.4.7 Enabling a Policy with SA_SYSDBA.ENABLE_POLICY
  • 7.4.8 Removing a Policy with SA_SYSDBA.DROP_POLICY
• 7.5 Using the SA_COMPONENTS Package to Define Label Components
  • 7.5.1 Using Overloaded Procedures
  • 7.5.2 Creating a Level with SA_COMPONENTS.CREATE_LEVEL
  • 7.5.3 Modifying a Level with SA_COMPONENTS.ALTER_LEVEL
  • 7.5.4 Removing a Level with SA_COMPONENTS.DROP_LEVEL
  • 7.5.5 Creating a Compartment with SA_COMPONENTS.CREATE_COMPARTMENT
  • 7.5.6 Modifying a Compartment with SA_COMPONENTS.ALTER_COMPARTMENT
  • 7.5.7 Removing a Compartment with SA_COMPONENTS.DROP_COMPARTMENT
  • 7.5.8 Creating a Group with SA_COMPONENTS.CREATE_GROUP
  • 7.5.9 Modifying a Group with SA_COMPONENTS.ALTER_GROUP
  • 7.5.10 Modifying a Group Parent with SA_COMPONENTS.ALTER_GROUP_PARENT
  • 7.5.11 Removing a Group with SA_COMPONENTS.DROP_GROUP
• 7.6 Using the SA_LABEL_ADMIN Package to Specify Valid Labels
  • 7.6.1 Creating a Valid Data Label with SA_LABEL_ADMIN.CREATE_LABEL
  • 7.6.2 Modifying a Label with SA_LABEL_ADMIN.ALTER_LABEL
  • 7.6.3 Deleting a Label with SA_LABEL_ADMIN.DROP_LABEL

8 Administering User Labels and Privileges

• 8.1 Introduction to User Label and Privilege Management
• 8.2 Managing User Labels by Component, with SA_USER_ADMIN
  • 8.2.1 SA_USER_ADMIN.SET_LEVELS
  • 8.2.2 SA_USER_ADMIN.SET_COMPARTMENTS
  • 8.2.3 SA_USER_ADMIN.SET_GROUPS
  • 8.2.4 SA_USER_ADMIN.ALTER_COMPARTMENTS
  • 8.2.5 SA_USER_ADMIN.ADD_COMPARTMENTS
  • 8.2.6 SA_USER_ADMIN.DROP_COMPARTMENTS
  • 8.2.7 SA_USER_ADMIN.DROP_ALL_COMPARTMENTS
  • 8.2.8 SA_USER_ADMIN.ADD_GROUPS
  • 8.2.9 SA_USER_ADMIN.ALTER_GROUPS
  • 8.2.10 SA_USER_ADMIN.DROP_GROUPS
  • 8.2.11 SA_USER_ADMIN.DROP_ALL_GROUPS
• 8.3 Managing User Labels by Label String, with SA_USER_ADMIN
  • 8.3.1 SA_USER_ADMIN.SET_USER_LABELS
  • 8.3.2 SA_USER_ADMIN.SET_DEFAULT_LABEL
  • 8.3.3 SA_USER_ADMIN.SET_ROW_LABEL
  • 8.3.4 SA_USER_ADMIN.DROP_USER_ACCESS
• 8.4 Managing User Privileges with SA_USER_ADMIN.SET_USER_PRIVS
• 8.5 Setting Labels & Privileges with SA_SESSION.SET_ACCESS_PROFILE
• 8.6 Returning User Name with SA_SESSION.SA_USER_NAME
• 8.7 Using Oracle Label Security Views
  • 8.7.1 View to Display All User Security Attributes: DBA_SA_USERS
  • 8.7.2 Views to Display User Authorizations by Component

9 Implementing Policy Enforcement Options and Labeling Functions

• 9.1 Choosing Policy Options
  • 9.1.1 Overview of Policy Enforcement Options
  • 9.1.2 The HIDE Policy Column Option
  • 9.1.3 The Label Management Enforcement Options
    • 9.1.3.1 LABEL_DEFAULT: Using the Session's Default Row Label
    • 9.1.3.2 LABEL_UPDATE: Changing Data Labels
    • 9.1.3.3 CHECK_CONTROL: Checking Data Labels
  • 9.1.4 The Access Control Enforcement Options
    • 9.1.4.1 READ_CONTROL: Reading Data
    • 9.1.4.2 WRITE_CONTROL: Writing Data
    • 9.1.4.3 INSERT_CONTROL, UPDATE_CONTROL, and DELETE_CONTROL
  • 9.1.5 The Overriding Enforcement Options
  • 9.1.6 Guidelines for Using the Policy Enforcement Options
  • 9.1.7 Exemptions from Oracle Label Security Policy Enforcement
  • 9.1.8 Viewing Policy Options on Tables and Schemas
• 9.2 Using a Labeling Function
  • 9.2.1 Labeling Data Rows under Oracle Label Security
  • 9.2.2 Understanding Labeling Functions in Oracle Label Security Policies
  • 9.2.3 Creating a Labeling Function for a Policy
  • 9.2.4 Specifying a Labeling Function in a Policy
• 9.3 Inserting Labeled Data Using Policy Options and Labeling Functions
  • 9.3.1 Evaluating Enforcement Control Options and INSERT
  • 9.3.2 Inserting Labels When a Labeling Function Is Specified
  • 9.3.3 Inserting Child Rows into Tables with Declarative Referential Integrity Enabled
• 9.4 Updating Labeled Data Using Policy Options and Labeling Functions
  • 9.4.1 Updating Labels Using CHAR_TO_LABEL
  • 9.4.2 Evaluating Enforcement Control Options and UPDATE
  • 9.4.3 Updating Labels When a Labeling Function Is Specified
  • 9.4.4 Updating Child Rows in Tables with Declarative Referential Integrity Enabled
• 9.5 Deleting Labeled Data Using Policy Options and Labeling Functions
• 9.6 Using a SQL Predicate with an Oracle Label Security Policy
  • 9.6.1 Modifying an Oracle Label Security Policy with a SQL Predicate
  • 9.6.2 Affecting Oracle Label Security Policies with Multiple SQL Predicates

10 Applying Policies to Tables and Schemas

• 10.1 Policy Administration Terminology
• 10.2 Subscribing Policies in Directory-Enabled Label Security
  • 10.2.1 Subscribing to a Policy with SA_POLICY_ADMIN.POLICY_SUBSCRIBE
    • 10.2.1.1 Syntax
  • 10.2.2 Unsubscribing to a Policy with SA_POLICY_ADMIN.POLICY_UNSUBSCRIBE
    • 10.2.2.1 Syntax
• 10.3 Policy Administration Functions for Tables and Schemas
• 10.4 Administering Policies on Tables Using SA_POLICY_ADMIN
  • 10.4.1 Applying a Policy with SA_POLICY_ADMIN.APPLY_TABLE_POLICY
    • 10.4.1.1 Syntax
  • 10.4.2 Removing a Policy with SA_POLICY_ADMIN.REMOVE_TABLE_POLICY
    • 10.4.2.1 Syntax
  • 10.4.3 Disabling a Policy with SA_POLICY_ADMIN.DISABLE_TABLE_POLICY
    • 10.4.3.1 Syntax
  • 10.4.4 Reenabling a Policy with SA_POLICY_ADMIN.ENABLE_TABLE_POLICY
    • 10.4.4.1 Syntax
• 10.5 Administering Policies on Schemas with SA_POLICY_ADMIN
  • 10.5.1 Applying a Policy with SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY
    • 10.5.1.1 Syntax
  • 10.5.2 Altering Enforcement Options: SA_POLICY_ADMIN.ALTER_SCHEMA_POLICY
    • 10.5.2.1 Syntax
  • 10.5.3 Removing a Policy with SA_POLICY_ADMIN.REMOVE_SCHEMA_POLICY
    • 10.5.3.1 Syntax
  • 10.5.4 Disabling a Policy with SA_POLICY_ADMIN.DISABLE_SCHEMA_POLICY
    • 10.5.4.1 Syntax
  • 10.5.5 Reenabling a Policy with SA_POLICY_ADMIN.ENABLE_SCHEMA_POLICY
    • 10.5.5.1 Syntax
  • 10.5.6 Policy Issues for Schemas

11 Administering and Using Trusted Stored Program Units

• 11.1 Introduction to Trusted Stored Program Units
  • 11.1.1 How a Trusted Stored Program Unit Runs
  • 11.1.2 Trusted Stored Program Unit Example
• 11.2 Managing Program Unit Privileges with SET_PROG_PRIVS
• 11.3 Creating and Compiling Trusted Stored Program Units
  • 11.3.1 Creating Trusted Stored Program Units
  • 11.3.2 Setting Privileges for Trusted Stored Program Units
  • 11.3.3 Recompiling Trusted Stored Program Units
  • 11.3.4 Re-creating Trusted Stored Program Units
  • 11.3.5 Running Trusted Stored Program Units
• 11.4 Using SA_UTL Functions to Set and Return Label Information
  • 11.4.1 Viewing Session Label and Row Label Using SA_UTL
    • 11.4.1.1 SA_UTL.NUMERIC_LABEL
    • 11.4.1.2 SA_UTL.NUMERIC_ROW_LABEL
    • 11.4.1.3 SA_UTL.DATA_LABEL
  • 11.4.2 Checking Rights to Read and Update Table Row Data
    • 11.4.2.1 SA_UTL.CHECK_READ
    • 11.4.2.2 SA_UTL.CHECK_WRITE
    • 11.4.2.3 SA_UTL.CHECK_LABEL_CHANGE
  • 11.4.3 Setting the Session Label and Row Label Using SA_UTL
    • 11.4.3.1 SA_UTL.SET_LABEL
    • 11.4.3.2 SA_UTL.SET_ROW_LABEL
  • 11.4.4 Returning Greatest Lower Bound and Least Upper Bound
    • 11.4.4.1 GREATEST_LBOUND
    • 11.4.4.2 LEAST_UBOUND

12 Auditing Under Oracle Label Security

• 12.1 Overview of Oracle Label Security Auditing
• 12.2 Enabling Systemwide Auditing: AUDIT_TRAIL Initialization Parameter
• 12.3 Enabling Oracle Label Security Auditing with SA_AUDIT_ADMIN
  • 12.3.1 Auditing Options for Oracle Label Security
  • 12.3.2 Enabling Oracle Label Security Auditing with SA_AUDIT_ADMIN.AUDIT
  • 12.3.3 Disabling Oracle Label Security Auditing with SA_AUDIT_ADMIN.NOAUDIT
  • 12.3.4 Examining Audit Options with the DBA_SA_AUDIT_OPTIONS View
• 12.4 Managing Policy Label Auditing
  • 12.4.1 Policy Label Auditing with SA_AUDIT_ADMIN.AUDIT_LABEL
  • 12.4.2 Disabling Policy Label Auditing with SA_AUDIT_ADMIN.NOAUDIT_LABEL
  • 12.4.3 Finding Label Audit Status with AUDIT_LABEL_ENABLED
• 12.5 Creating and Dropping an Audit Trail View for Oracle Label Security
  • 12.5.1 Creating a View with SA_AUDIT_ADMIN.CREATE_VIEW
  • 12.5.2 Dropping a View with SA_AUDIT_ADMIN.DROP_VIEW
• 12.6 Oracle Label Security Auditing Tips
  • 12.6.1 Strategy for Setting SA_AUDIT_ADMIN Options
  • 12.6.2 Auditing Privileged Operations

13 Using Oracle Label Security with a Distributed Database

• 13.1 An Oracle Label Security Distributed Configuration
• 13.2 Connecting to a Remote Database Under Oracle Label Security
• 13.3 Establishing Session Label and Row Label for a Remote Session
• 13.4 Setting Up Labels in a Distributed Environment
  • 13.4.1 Setting Label Tags in a Distributed Environment
  • 13.4.2 Setting Numeric Form of Label Components in a Distributed Environment
• 13.5 Using Oracle Label Security Policies in a Distributed Environment
• 13.6 Using Replication with Oracle Label Security
  • 13.6.1 Introduction to Replication Under Oracle Label Security
    • 13.6.1.1 Replication Functionality Supported by Oracle Label Security
    • 13.6.1.2 Row-Level Security Restriction on Replication Under Oracle Label Security
  • 13.6.2 Contents of a Materialized View
    • 13.6.2.1 How Materialized View Contents Are Determined
    • 13.6.2.2 Complete Materialized Views
    • 13.6.2.3 Partial Materialized Views
  • 13.6.3 Requirements for Creating Materialized Views Under Oracle Label Security
    • 13.6.3.1 Requirements for the REPADMIN Account
    • 13.6.3.2 Requirements for the Owner of the Materialized View
    • 13.6.3.3 Requirements for Creating Partial Multilevel Materialized Views
    • 13.6.3.4 Requirements for Creating Complete Multilevel Materialized Views
  • 13.6.4 How to Refresh Materialized Views

14 Performing DBA Functions Under Oracle Label Security

• 14.1 Using the Export Utility with Oracle Label Security
  • 14.1.1 Using Datapump Export Utility with Oracle Label Security
• 14.2 Using the Import Utility with Oracle Label Security
  • 14.2.1 Requirements for Import Under Oracle Label Security
    • 14.2.1.1 Preparing the Import Database
    • 14.2.1.2 Verifying Import User Authorizations
  • 14.2.2 Defining Data Labels for Import
  • 14.2.3 Importing Labeled Data Without Installing Oracle Label Security
  • 14.2.4 Importing Unlabeled Data
  • 14.2.5 Importing Tables with Hidden Columns
• 14.3 Using SQL*Loader with Oracle Label Security
  • 14.3.1 Requirements for Using SQL*Loader Under Oracle Label Security
  • 14.3.2 Oracle Label Security Input to SQL*Loader
• 14.4 Performance Tips for Oracle Label Security
  • 14.4.1 Using ANALYZE to Improve Oracle Label Security Performance
  • 14.4.2 Creating Indexes on the Policy Label Column
  • 14.4.3 Planning a Label Tag Strategy to Enhance Performance
  • 14.4.4 Partitioning Data Based on Numeric Label Tags
• 14.5 Creating Additional Databases After Installation

15 Releasability Using Inverse Groups

• 15.1 Introduction to Inverse Groups and Releasability
• 15.2 Comparing Standard Groups and Inverse Groups
• 15.3 How Inverse Groups Work
  • 15.3.1 Implementing Inverse Groups with the INVERSE_GROUP Enforcement Option
  • 15.3.2 Inverse Groups and Label Components
  • 15.3.3 Computed Labels with Inverse Groups
    • 15.3.3.1 Computed Session Labels with Inverse Groups
    • 15.3.3.2 Inverse Groups and Computed Max Read Groups and Max Write Groups
  • 15.3.4 Inverse Groups and Hierarchical Structure
  • 15.3.5 Inverse Groups and User Privileges
• 15.4 Algorithm for Read Access with Inverse Groups
• 15.5 Algorithm for Write Access with Inverse Groups
• 15.6 Algorithms for COMPACCESS Privilege with Inverse Groups
• 15.7 Session Labels and Inverse Groups
  • 15.7.1 Setting Initial Session/Row Labels for Standard or Inverse Groups
    • 15.7.1.1 Standard Groups: Rules for Changing Initial Session/Row Labels
    • 15.7.1.2 Inverse Groups: Rules for Changing Initial Session/Row Labels
  • 15.7.2 Setting Current Session/Row Labels for Standard or Inverse Groups
    • 15.7.2.1 Standard Groups: Rules for Changing Current Session/Row Labels
    • 15.7.2.2 Inverse Groups: Rules for Changing Current Session/Row Labels
  • 15.7.3 Examples of Session Labels and Inverse Groups
    • 15.7.3.1 Inverse Groups Example 1
    • 15.7.3.2 Inverse Groups Example 2
• 15.8 Changes in Behavior of Procedures with Inverse Groups
  • 15.8.1 SA_SYSDBA.CREATE_POLICY with Inverse Groups
  • 15.8.2 SA_SYSDBA.ALTER_POLICY with Inverse Groups
  • 15.8.3 SA_USER_ADMIN.ADD_GROUPS with Inverse Groups
  • 15.8.4 SA_USER_ADMIN.ALTER_GROUPS with Inverse Groups
  • 15.8.5 SA_USER_ADMIN.SET_GROUPS with Inverse Groups
  • 15.8.6 SA_USER_ADMIN.SET_USER_LABELS with Inverse Groups
  • 15.8.7 SA_USER_ADMIN.SET_DEFAULT_LABEL with Inverse Groups
  • 15.8.8 SA_USER_ADMIN.SET_ROW_LABEL with Inverse Groups
  • 15.8.9 SA_COMPONENTS.CREATE_GROUP with Inverse Groups
  • 15.8.10 SA_COMPONENTS.ALTER_GROUP_PARENT with Inverse Groups
  • 15.8.11 SA_SESSION.SET_LABEL with Inverse Groups
  • 15.8.12 SA_SESSION.SET_ROW_LABEL with Inverse Groups
  • 15.8.13 LEAST_UBOUND with Inverse Groups
  • 15.8.14 GREATEST_LBOUND with Inverse Groups
• 15.9 Dominance Rules for Labels with Inverse Groups

Part IV Appendixes

A Advanced Topics in Oracle Label Security

• A.1 Analyzing the Relationships Between Labels
  • A.1.1 Dominant and Dominated Labels
  • A.1.2 Non-Comparable Labels
  • A.1.3 Using Dominance Functions
    • A.1.3.1 The DOMINATES Standalone Function
    • A.1.3.2 The STRICTLY_DOMINATES Standalone Function
    • A.1.3.3 The DOMINATED_BY Standalone Function
    • A.1.3.4 The STRICTLY_DOMINATED_BY Standalone Function
    • A.1.3.5 SA_UTL.DOMINATES
    • A.1.3.6 SA_UTL.STRICTLY_DOMINATES
    • A.1.3.7 SA_UTL.DOMINATED_BY
    • A.1.3.8 SA_UTL.STRICTLY_DOMINATED_BY
• A.2 OCI Interface for Setting Session Labels
  • A.2.1 OCIAttrSet
  • A.2.2 OCIAttrGet
  • A.2.3 OCIParamGet
  • A.2.4 OCIAttrSet
  • A.2.5 OCI Example

B Command-line Tools for Label Security Using Oracle Internet Directory

• B.1 Command Explanations
• B.2 Relating Parameters to Commands for olsadmintool
  • B.2.1 Summaries
• B.3 Examples of Using olsadmintool
  • B.3.1 Make Other Users Policy Creators
  • B.3.2 Create Policies with Valid Options
  • B.3.3 Create Policy Administrators
  • B.3.4 Create Some Levels
  • B.3.5 Create Some Compartments
  • B.3.6 Create Some Groups
  • B.3.7 Create Some Labels
  • B.3.8 Create a Profile
  • B.3.9 Add a User to the Profile
  • B.3.10 Add Another User to the Profile
  • B.3.11 Set Some Audit Options
  • B.3.12 Results of These Examples

C Oracle Label Security in an Oracle RAC Environment

• C.1 Using Oracle Label Security Policy Functions in an Oracle RAC Environment
• C.2 Using Transparent Application Failover in Oracle Label Security

D Frequently Asked Questions on Oracle Label Security

E Reference

• E.1 Oracle Label Security Data Dictionary Tables and Views
  • E.1.1 Oracle Database Data Dictionary Tables
  • E.1.2 Oracle Label Security Data Dictionary Views
    • E.1.2.1 ALL_SA_AUDIT_OPTIONS
    • E.1.2.2 ALL_SA_COMPARTMENTS
    • E.1.2.3 ALL_SA_DATA_LABELS
    • E.1.2.4 ALL_SA_GROUPS
    • E.1.2.5 ALL_SA_LABELS
    • E.1.2.6 ALL_SA_LEVELS
    • E.1.2.7 ALL_SA_POLICIES
    • E.1.2.8 ALL_SA_PROG_PRIVS
    • E.1.2.9 ALL_SA_SCHEMA_POLICIES
    • E.1.2.10 ALL_SA_TABLE_POLICIES
    • E.1.2.11 ALL_SA_USERS
    • E.1.2.12 ALL_SA_USER_LABELS
    • E.1.2.13 ALL_SA_USER_LEVELS
    • E.1.2.14 ALL_SA_USER_PRIVS
    • E.1.2.15 DBA_SA_AUDIT_OPTIONS
    • E.1.2.16 DBA_SA_COMPARTMENTS
    • E.1.2.17 DBA_SA_DATA_LABELS
    • E.1.2.18 DBA_SA_GROUPS
    • E.1.2.19 DBA_SA_GROUP_HIERARCHY
    • E.1.2.20 DBA_SA_LABELS
    • E.1.2.21 DBA_SA_LEVELS
    • E.1.2.22 DBA_SA_POLICIES
    • E.1.2.23 DBA_SA_PROG_PRIVS
    • E.1.2.24 DBA_SA_SCHEMA_POLICIES
    • E.1.2.25 DBA_SA_TABLE_POLICIES
    • E.1.2.26 DBA_SA_USERS
    • E.1.2.27 DBA_SA_USER_COMPARTMENTS
    • E.1.2.28 DBA_SA_USER_GROUPS
    • E.1.2.29 DBA_SA_USER_LABELS
    • E.1.2.30 DBA_SA_USER_LEVELS
    • E.1.2.31 DBA_SA_USER_PRIVS
  • E.1.3 Oracle Label Security Auditing Views
• E.2 Restrictions in Oracle Label Security
  • E.2.1 CREATE TABLE AS SELECT Restriction in Oracle Label Security
  • E.2.2 Label Tag Restriction
  • E.2.3 Export Restriction in Oracle Label Security
  • E.2.4 Oracle Label Security Removal Restriction
  • E.2.5 Shared Schema Support
  • E.2.6 Hidden Columns Restriction
• E.3 Installing Oracle Label Security
  • E.3.1 Oracle Label Security and the SYS.AUD$ Table
• E.4 Removing Oracle Label Security

Index