Oracle® Label Security Administrator's Guide
11g Release 1 (11.1)
Part Number B28529-01
Contents
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documentation
Conventions
Part I
1 Introduction to Oracle Label Security
1.1 Computer Security and Data Access Controls
1.1.1 Oracle Label Security and Security Standards
1.1.2 Security Policies
1.1.3 Access Control
1.1.3.1 Discretionary Access Control
1.1.3.2 Oracle Label Security
1.1.3.3 How Oracle Label Security Works with Discretionary Access Control
1.2 Oracle Label Security Architecture
1.3 Features of Oracle Label Security
1.3.1 Overview of Oracle Label Security Policy Functionality
1.3.2 Oracle Enterprise Edition: VPD Technology
1.3.3 Oracle Label Security: An Out-of-the-Box VPD
1.3.4 Label Policy Features
1.3.4.1 Data Labels
1.3.4.2 Label Authorizations
1.3.4.3 Policy Privileges
1.3.4.4 Policy Enforcement Options
1.3.4.5 Summary: Four Aspects of Label-Based Row Access
1.4 Oracle Label Security Integration with Oracle Internet Directory
2 Understanding Data Labels and User Labels
2.1 Introduction to Label-Based Security
2.2 Label Components
2.2.1 Label Component Definitions and Valid Characters
2.2.2 Levels
2.2.3 Compartments
2.2.4 Groups
2.2.5 Industry Examples of Levels, Compartments, and Groups
2.3 Label Syntax and Type
2.4 How Data Labels and User Labels Work Together
2.5 Administering Labels
3 Understanding Access Controls and Privileges
3.1 Introducing Access Mediation
3.2 Understanding Session Label and Row Label
3.2.1 The Session Label
3.2.2 The Row Label
3.2.3 Session Label Example
3.3 Understanding User Authorizations
3.3.1 Authorizations Set by the Administrator
3.3.1.1 Authorized Levels
3.3.1.2 Authorized Compartments
3.3.1.3 Authorized Groups
3.3.2 Computed Session Labels
3.4 Evaluating Labels for Access Mediation
3.4.1 Introducing Read/Write Access
3.4.1.1 Difference Between Read and Write Operations
3.4.1.2 Propagation of Read/Write Authorizations on Groups
3.4.2 The Oracle Label Security Algorithm for Read Access
3.4.3 The Oracle Label Security Algorithm for Write Access
3.5 Using Oracle Label Security Privileges
3.5.1 Privileges Defined by Oracle Label Security Policies
3.5.2 Special Access Privileges
3.5.2.1 READ
3.5.2.2 FULL
3.5.2.3 COMPACCESS
3.5.2.4 PROFILE_ACCESS
3.5.3 Special Row Label Privileges
3.5.3.1 WRITEUP
3.5.3.2 WRITEDOWN
3.5.3.3 WRITEACROSS
3.5.4 System Privileges, Object Privileges, and Policy Privileges
3.5.5 Access Mediation and Views
3.5.6 Access Mediation and Program Unit Execution
3.5.7 Access Mediation and Policy Enforcement Options
3.6 Working with Multiple Oracle Label Security Policies
3.6.1 Multiple Oracle Label Security Policies in a Single Database
3.6.2 Multiple Oracle Label Security Policies in a Distributed Environment
Part II Using Oracle Label Security Functionality
4 Getting Started with Oracle Label Security
4.1 Installing OLS and Enabling the LBACSYS User
4.2 Creating an OLS Policy
4.2.1 Step 1: Creating the Policy
4.2.2 Step 2: Creating Label Components for the Policy
4.2.3 Step 3: Creating Data Labels for the Policy
4.2.4 Step 4: Authorizing Users for the Policy
4.2.5 Step 5: Applying the Policy to a Database Table
4.2.6 Step 6: Adding Policy Labels to Table Rows
4.3 Creating a Sample OLS Policy
4.3.1 Step 1: Creating Users for the Oracle Label Security Example
4.3.2 Step 2: Creating the ACCESS_LOCATIONS Policy
4.3.3 Step 3: Defining the ACCESS_LOCATIONS Policy-Level Components
4.3.4 Step 4: Creating the ACCESS_LOCATIONS Policy Data Labels
4.3.5 Step 5: Creating the ACCESS_LOCATIONS Policy User Authorizations
4.3.6 Step 6: Applying the ACCESS_LOCATIONS Policy to the HR.LOCATIONS Table
4.3.7 Step 7: Adding Policy Labels to Table Data
4.3.8 Step 8: Testing the ACCESS_LOCATIONS Policy
4.3.9 Step 9: Removing the Components for This Example (Optional)
5 Working with Labeled Data
5.1 The Policy Label Column and Label Tags
5.1.1 The Policy Label Column
5.1.1.1 Hiding the Policy Label Column
5.1.1.2 Example 1: Numeric Column Data Type (NUMBER)
5.1.1.3 Example 2: Numeric Column Data Type with Hidden Column
5.1.2 Label Tags
5.1.2.1 Manually Defining Label Tags to Order Labels
5.1.2.2 Manually Defining Label Tags to Manipulate Data
5.1.2.3 Automatically Generated Label Tags
5.2 Assigning Labels to Data Rows
5.3 Presenting the Label
5.3.1 Converting a Character String to a Label Tag, with CHAR_TO_LABEL
5.3.2 Converting a Label Tag to a Character String, with LABEL_TO_CHAR
5.3.2.1 LABEL_TO_CHAR Examples
5.3.2.2 Retrieving All Columns from a Table When the Policy Label Column Is Hidden
5.4 Filtering Data Using Labels
5.4.1 Using Numeric Label Tags in WHERE Clauses
5.4.2 Ordering Labeled Data Rows
5.4.3 Ordering by Character Representation of Label
5.4.4 Determining Upper and Lower Bounds of Labels
5.4.4.1 Finding Least Upper Bound with LEAST_UBOUND
5.4.4.2 Finding Greatest Lower Bound with GREATEST_LBOUND
5.4.5 Merging Labels with the MERGE_LABEL Function
5.5 Inserting Labeled Data
5.5.1 Inserting Labels Using CHAR_TO_LABEL
5.5.2 Inserting Labels Using Numeric Label Tag Values
5.5.3 Inserting Data Without Specifying a Label
5.5.4 Inserting Data When the Policy Label Column Is Hidden
5.5.5 Inserting Labels Using TO_DATA_LABEL
5.6 Changing Your Session and Row Labels with SA_SESSION
5.6.1 SA_SESSION Functions to Change Session and Row Labels
5.6.2 Changing the Session Label with SA_SESSION.SET_LABEL
5.6.3 Changing the Row Label with SA_SESSION.SET_ROW_LABEL
5.6.4 Restoring Label Defaults with SA_SESSION.RESTORE_DEFAULT_LABELS
5.6.5 Saving Label Defaults with SA_SESSION.SAVE_DEFAULT_LABELS
5.6.6 Viewing Session Attributes with SA_SESSION Functions
5.6.6.1 USER_SA_SESSION View to Return All Security Attributes
5.6.6.2 Functions to Return Individual Security Attributes
6 Oracle Label Security Using Oracle Internet Directory
6.1 Introducing Label Management on Oracle Internet Directory
6.2 Configuring Oracle Internet Directory-Enabled Label Security
6.2.1 Granting Permissions for Configuring Oracle Internet Directory enabled Oracle Label Security
6.2.2 Registering a Database and Configuring Oracle Internet Directory enabled Oracle Label Security
6.2.2.1 Task 1 Configure Your Oracle Home for Directory Usage.
6.2.2.2 Task 2 Configure the Database for Oracle Internet Directory enabled Oracle Label Security
6.2.2.3 Alternate Method for Task 2, Configuring Database for Oracle Internet Directory enabled Oracle Label Security
6.2.2.4 Task 3: Set the DIP Password and Connect Data
6.2.3 Unregistering a Database with Oracle Internet Directory enabled OLS
6.3 Removing Directory-enabled Oracle Label Security from Database
6.4 Oracle Label Security Profiles
6.5 Integrated Capabilities When Label Security Uses the Directory
6.6 Oracle Label Security Policy Attributes in Oracle Internet Directory
6.7 Restrictions on New Data Label Creation
6.8 Two Types of Administrators
6.9 Bootstrapping Databases
6.10 Synchronizing the Database and Oracle Internet Directory
6.10.1 Oracle Directory Integration and Provisioning (DIP) Provisioning Profiles
6.10.2 Disabling, Changing, and Enabling a Provisioning Profile
6.11 Security Roles and Permitted Actions
6.11.1 Restriction on Policy Creators for Directory-enabled Oracle Label Security
6.12 Superseded PL/SQL Statements
6.13 Procedures for Policy Administrators Only
Part III Administering an Oracle Label Security Application
7 Creating an Oracle Label Security Policy
7.1 Oracle Label Security Administrative Task Overview
7.1.1 Step 1: Create the Policy
7.1.2 Step 2: Define the Components of the Labels
7.1.3 Step 3: Identify the Set of Valid Data Labels
7.1.4 Step 4: Apply the Policy to Tables and Schemas
7.1.5 Step 5: Authorize Users
7.1.6 Step 6: Create and Authorize Trusted Program Units (Optional)
7.1.7 Step 7: Configure Auditing (Optional)
7.2 Organizing the Duties of Oracle Label Security Administrators
7.3 Choosing an Oracle Label Security Administrative Interface
7.3.1 Oracle Label Security Packages
7.3.1.1 Oracle Label Security Demonstration File
7.3.2 Oracle Enterprise Manager
7.4 Using the SA_SYSDBA Package to Manage Security Policies
7.4.1 Who Can Use the SA_SYSDBA Package
7.4.2 Who Can Administer a Policy
7.4.3 Valid Characters for Policy Specifications
7.4.4 Creating a Policy with SA_SYSDBA.CREATE_POLICY
7.4.5 Modifying Policy Options with SA_SYSDBA.ALTER_POLICY
7.4.6 Disabling a Policy with SA_SYSDBA.DISABLE_POLICY
7.4.7 Enabling a Policy with SA_SYSDBA.ENABLE_POLICY
7.4.8 Removing a Policy with SA_SYSDBA.DROP_POLICY
7.5 Using the SA_COMPONENTS Package to Define Label Components
7.5.1 Using Overloaded Procedures
7.5.2 Creating a Level with SA_COMPONENTS.CREATE_LEVEL
7.5.3 Modifying a Level with SA_COMPONENTS.ALTER_LEVEL
7.5.4 Removing a Level with SA_COMPONENTS.DROP_LEVEL
7.5.5 Creating a Compartment with SA_COMPONENTS.CREATE_COMPARTMENT
7.5.6 Modifying a Compartment with SA_COMPONENTS.ALTER_COMPARTMENT
7.5.7 Removing a Compartment with SA_COMPONENTS.DROP_COMPARTMENT
7.5.8 Creating a Group with SA_COMPONENTS.CREATE_GROUP
7.5.9 Modifying a Group with SA_COMPONENTS.ALTER_GROUP
7.5.10 Modifying a Group Parent with SA_COMPONENTS.ALTER_GROUP_PARENT
7.5.11 Removing a Group with SA_COMPONENTS.DROP_GROUP
7.6 Using the SA_LABEL_ADMIN Package to Specify Valid Labels
7.6.1 Creating a Valid Data Label with SA_LABEL_ADMIN.CREATE_LABEL
7.6.2 Modifying a Label with SA_LABEL_ADMIN.ALTER_LABEL
7.6.3 Deleting a Label with SA_LABEL_ADMIN.DROP_LABEL
8 Administering User Labels and Privileges
8.1 Introduction to User Label and Privilege Management
8.2 Managing User Labels by Component, with SA_USER_ADMIN
8.2.1 SA_USER_ADMIN.SET_LEVELS
8.2.2 SA_USER_ADMIN.SET_COMPARTMENTS
8.2.3 SA_USER_ADMIN.SET_GROUPS
8.2.4 SA_USER_ADMIN.ALTER_COMPARTMENTS
8.2.5 SA_USER_ADMIN.ADD_COMPARTMENTS
8.2.6 SA_USER_ADMIN.DROP_COMPARTMENTS
8.2.7 SA_USER_ADMIN.DROP_ALL_COMPARTMENTS
8.2.8 SA_USER_ADMIN.ADD_GROUPS
8.2.9 SA_USER_ADMIN.ALTER_GROUPS
8.2.10 SA_USER_ADMIN.DROP_GROUPS
8.2.11 SA_USER_ADMIN.DROP_ALL_GROUPS
8.3 Managing User Labels by Label String, with SA_USER_ADMIN
8.3.1 SA_USER_ADMIN.SET_USER_LABELS
8.3.2 SA_USER_ADMIN.SET_DEFAULT_LABEL
8.3.3 SA_USER_ADMIN.SET_ROW_LABEL
8.3.4 SA_USER_ADMIN.DROP_USER_ACCESS
8.4 Managing User Privileges with SA_USER_ADMIN.SET_USER_PRIVS
8.5 Setting Labels & Privileges with SA_SESSION.SET_ACCESS_PROFILE
8.6 Returning User Name with SA_SESSION.SA_USER_NAME
8.7 Using Oracle Label Security Views
8.7.1 View to Display All User Security Attributes: DBA_SA_USERS
8.7.2 Views to Display User Authorizations by Component
9 Implementing Policy Enforcement Options and Labeling Functions
9.1 Choosing Policy Options
9.1.1 Overview of Policy Enforcement Options
9.1.2 The HIDE Policy Column Option
9.1.3 The Label Management Enforcement Options
9.1.3.1 LABEL_DEFAULT: Using the Session's Default Row Label
9.1.3.2 LABEL_UPDATE: Changing Data Labels
9.1.3.3 CHECK_CONTROL: Checking Data Labels
9.1.4 The Access Control Enforcement Options
9.1.4.1 READ_CONTROL: Reading Data
9.1.4.2 WRITE_CONTROL: Writing Data
9.1.4.3 INSERT_CONTROL, UPDATE_CONTROL, and DELETE_CONTROL
9.1.5 The Overriding Enforcement Options
9.1.6 Guidelines for Using the Policy Enforcement Options
9.1.7 Exemptions from Oracle Label Security Policy Enforcement
9.1.8 Viewing Policy Options on Tables and Schemas
9.2 Using a Labeling Function
9.2.1 Labeling Data Rows under Oracle Label Security
9.2.2 Understanding Labeling Functions in Oracle Label Security Policies
9.2.3 Creating a Labeling Function for a Policy
9.2.4 Specifying a Labeling Function in a Policy
9.3 Inserting Labeled Data Using Policy Options and Labeling Functions
9.3.1 Evaluating Enforcement Control Options and INSERT
9.3.2 Inserting Labels When a Labeling Function Is Specified
9.3.3 Inserting Child Rows into Tables with Declarative Referential Integrity Enabled
9.4 Updating Labeled Data Using Policy Options and Labeling Functions
9.4.1 Updating Labels Using CHAR_TO_LABEL
9.4.2 Evaluating Enforcement Control Options and UPDATE
9.4.3 Updating Labels When a Labeling Function Is Specified
9.4.4 Updating Child Rows in Tables with Declarative Referential Integrity Enabled
9.5 Deleting Labeled Data Using Policy Options and Labeling Functions
9.6 Using a SQL Predicate with an Oracle Label Security Policy
9.6.1 Modifying an Oracle Label Security Policy with a SQL Predicate
9.6.2 Affecting Oracle Label Security Policies with Multiple SQL Predicates
10 Applying Policies to Tables and Schemas
10.1 Policy Administration Terminology
10.2 Subscribing Policies in Directory-Enabled Label Security
10.2.1 Subscribing to a Policy with SA_POLICY_ADMIN.POLICY_SUBSCRIBE
10.2.1.1 Syntax
10.2.2 Unsubscribing to a Policy with SA_POLICY_ADMIN.POLICY_UNSUBSCRIBE
10.2.2.1 Syntax
10.3 Policy Administration Functions for Tables and Schemas
10.4 Administering Policies on Tables Using SA_POLICY_ADMIN
10.4.1 Applying a Policy with SA_POLICY_ADMIN.APPLY_TABLE_POLICY
10.4.1.1 Syntax
10.4.2 Removing a Policy with SA_POLICY_ADMIN.REMOVE_TABLE_POLICY
10.4.2.1 Syntax
10.4.3 Disabling a Policy with SA_POLICY_ADMIN.DISABLE_TABLE_POLICY
10.4.3.1 Syntax
10.4.4 Reenabling a Policy with SA_POLICY_ADMIN.ENABLE_TABLE_POLICY
10.4.4.1 Syntax
10.5 Administering Policies on Schemas with SA_POLICY_ADMIN
10.5.1 Applying a Policy with SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY
10.5.1.1 Syntax
10.5.2 Altering Enforcement Options: SA_POLICY_ADMIN.ALTER_SCHEMA_POLICY
10.5.2.1 Syntax
10.5.3 Removing a Policy with SA_POLICY_ADMIN.REMOVE_SCHEMA_POLICY
10.5.3.1 Syntax
10.5.4 Disabling a Policy with SA_POLICY_ADMIN.DISABLE_SCHEMA_POLICY
10.5.4.1 Syntax
10.5.5 Reenabling a Policy with SA_POLICY_ADMIN.ENABLE_SCHEMA_POLICY
10.5.5.1 Syntax
10.5.6 Policy Issues for Schemas
11 Administering and Using Trusted Stored Program Units
11.1 Introduction to Trusted Stored Program Units
11.1.1 How a Trusted Stored Program Unit Runs
11.1.2 Trusted Stored Program Unit Example
11.2 Managing Program Unit Privileges with SET_PROG_PRIVS
11.3 Creating and Compiling Trusted Stored Program Units
11.3.1 Creating Trusted Stored Program Units
11.3.2 Setting Privileges for Trusted Stored Program Units
11.3.3 Recompiling Trusted Stored Program Units
11.3.4 Re-creating Trusted Stored Program Units
11.3.5 Running Trusted Stored Program Units
11.4 Using SA_UTL Functions to Set and Return Label Information
11.4.1 Viewing Session Label and Row Label Using SA_UTL
11.4.1.1 SA_UTL.NUMERIC_LABEL
11.4.1.2 SA_UTL.NUMERIC_ROW_LABEL
11.4.1.3 SA_UTL.DATA_LABEL
11.4.2 Checking Rights to Read and Update Table Row Data
11.4.2.1 SA_UTL.CHECK_READ
11.4.2.2 SA_UTL.CHECK_WRITE
11.4.2.3 SA_UTL.CHECK_LABEL_CHANGE
11.4.3 Setting the Session Label and Row Label Using SA_UTL
11.4.3.1 SA_UTL.SET_LABEL
11.4.3.2 SA_UTL.SET_ROW_LABEL
11.4.4 Returning Greatest Lower Bound and Least Upper Bound
11.4.4.1 GREATEST_LBOUND
11.4.4.2 LEAST_UBOUND
12 Auditing Under Oracle Label Security
12.1 Overview of Oracle Label Security Auditing
12.2 Enabling Systemwide Auditing: AUDIT_TRAIL Initialization Parameter
12.3 Enabling Oracle Label Security Auditing with SA_AUDIT_ADMIN
12.3.1 Auditing Options for Oracle Label Security
12.3.2 Enabling Oracle Label Security Auditing with SA_AUDIT_ADMIN.AUDIT
12.3.3 Disabling Oracle Label Security Auditing with SA_AUDIT_ADMIN.NOAUDIT
12.3.4 Examining Audit Options with the DBA_SA_AUDIT_OPTIONS View
12.4 Managing Policy Label Auditing
12.4.1 Policy Label Auditing with SA_AUDIT_ADMIN.AUDIT_LABEL
12.4.2 Disabling Policy Label Auditing with SA_AUDIT_ADMIN.NOAUDIT_LABEL
12.4.3 Finding Label Audit Status with AUDIT_LABEL_ENABLED
12.5 Creating and Dropping an Audit Trail View for Oracle Label Security
12.5.1 Creating a View with SA_AUDIT_ADMIN.CREATE_VIEW
12.5.2 Dropping a View with SA_AUDIT_ADMIN.DROP_VIEW
12.6 Oracle Label Security Auditing Tips
12.6.1 Strategy for Setting SA_AUDIT_ADMIN Options
12.6.2 Auditing Privileged Operations
13 Using Oracle Label Security with a Distributed Database
13.1 An Oracle Label Security Distributed Configuration
13.2 Connecting to a Remote Database Under Oracle Label Security
13.3 Establishing Session Label and Row Label for a Remote Session
13.4 Setting Up Labels in a Distributed Environment
13.4.1 Setting Label Tags in a Distributed Environment
13.4.2 Setting Numeric Form of Label Components in a Distributed Environment
13.5 Using Oracle Label Security Policies in a Distributed Environment
13.6 Using Replication with Oracle Label Security
13.6.1 Introduction to Replication Under Oracle Label Security
13.6.1.1 Replication Functionality Supported by Oracle Label Security
13.6.1.2 Row-Level Security Restriction on Replication Under Oracle Label Security
13.6.2 Contents of a Materialized View
13.6.2.1 How Materialized View Contents Are Determined
13.6.2.2 Complete Materialized Views
13.6.2.3 Partial Materialized Views
13.6.3 Requirements for Creating Materialized Views Under Oracle Label Security
13.6.3.1 Requirements for the REPADMIN Account
13.6.3.2 Requirements for the Owner of the Materialized View
13.6.3.3 Requirements for Creating Partial Multilevel Materialized Views
13.6.3.4 Requirements for Creating Complete Multilevel Materialized Views
13.6.4 How to Refresh Materialized Views
14 Performing DBA Functions Under Oracle Label Security
14.1 Using the Export Utility with Oracle Label Security
14.1.1 Using Datapump Export Utility with Oracle Label Security
14.2 Using the Import Utility with Oracle Label Security
14.2.1 Requirements for Import Under Oracle Label Security
14.2.1.1 Preparing the Import Database
14.2.1.2 Verifying Import User Authorizations
14.2.2 Defining Data Labels for Import
14.2.3 Importing Labeled Data Without Installing Oracle Label Security
14.2.4 Importing Unlabeled Data
14.2.5 Importing Tables with Hidden Columns
14.3 Using SQL*Loader with Oracle Label Security
14.3.1 Requirements for Using SQL*Loader Under Oracle Label Security
14.3.2 Oracle Label Security Input to SQL*Loader
14.4 Performance Tips for Oracle Label Security
14.4.1 Using ANALYZE to Improve Oracle Label Security Performance
14.4.2 Creating Indexes on the Policy Label Column
14.4.3 Planning a Label Tag Strategy to Enhance Performance
14.4.4 Partitioning Data Based on Numeric Label Tags
14.5 Creating Additional Databases After Installation
15 Releasability Using Inverse Groups
15.1 Introduction to Inverse Groups and Releasability
15.2 Comparing Standard Groups and Inverse Groups
15.3 How Inverse Groups Work
15.3.1 Implementing Inverse Groups with the INVERSE_GROUP Enforcement Option
15.3.2 Inverse Groups and Label Components
15.3.3 Computed Labels with Inverse Groups
15.3.3.1 Computed Session Labels with Inverse Groups
15.3.3.2 Inverse Groups and Computed Max Read Groups and Max Write Groups
15.3.4 Inverse Groups and Hierarchical Structure
15.3.5 Inverse Groups and User Privileges
15.4 Algorithm for Read Access with Inverse Groups
15.5 Algorithm for Write Access with Inverse Groups
15.6 Algorithms for COMPACCESS Privilege with Inverse Groups
15.7 Session Labels and Inverse Groups
15.7.1 Setting Initial Session/Row Labels for Standard or Inverse Groups
15.7.1.1 Standard Groups: Rules for Changing Initial Session/Row Labels
15.7.1.2 Inverse Groups: Rules for Changing Initial Session/Row Labels
15.7.2 Setting Current Session/Row Labels for Standard or Inverse Groups
15.7.2.1 Standard Groups: Rules for Changing Current Session/Row Labels
15.7.2.2 Inverse Groups: Rules for Changing Current Session/Row Labels
15.7.3 Examples of Session Labels and Inverse Groups
15.7.3.1 Inverse Groups Example 1
15.7.3.2 Inverse Groups Example 2
15.8 Changes in Behavior of Procedures with Inverse Groups
15.8.1 SYSDBA.CREATE_POLICY with Inverse Groups
15.8.2 SYSDBA.ALTER_POLICY with Inverse Groups
15.8.3 SA_USER_ADMIN.ADD_GROUPS with Inverse Groups
15.8.4 SA_USER_ADMIN.ALTER_GROUPS with Inverse Groups
15.8.5 SA_USER_ADMIN.SET_GROUPS with Inverse Groups
15.8.6 SA_USER_ADMIN.SET_USER_LABELS with Inverse Groups
15.8.7 SA_USER_ADMIN.SET_DEFAULT_LABEL with Inverse Groups
15.8.8 SA_USER_ADMIN.SET_ROW_LABEL with Inverse Groups
15.8.9 SA_COMPONENTS.CREATE_GROUP with Inverse Groups
15.8.10 SA_COMPONENTS.ALTER_GROUP_PARENT with Inverse Groups
15.8.11 SA_SESSION.SET_LABEL with Inverse Groups
15.8.12 SA_SESSION.SET_ROW_LABEL with Inverse Groups
15.8.13 LEAST_UBOUND with Inverse Groups
15.8.14 GREATEST_LBOUND with Inverse Groups
15.9 Dominance Rules for Labels with Inverse Groups
Part IV Appendixes
A Advanced Topics in Oracle Label Security
A.1 Analyzing the Relationships Between Labels
A.1.1 Dominant and Dominated Labels
A.1.2 Non-Comparable Labels
A.1.3 Using Dominance Functions
A.1.3.1 The DOMINATES Standalone Function
A.1.3.2 The STRICTLY_DOMINATES Standalone Function
A.1.3.3 The DOMINATED_BY Standalone Function
A.1.3.4 The STRICTLY_DOMINATED_BY Standalone Function
A.1.3.5 SA_UTL.DOMINATES
A.1.3.6 SA_UTL.STRICTLY_DOMINATES
A.1.3.7 SA_UTL.DOMINATED_BY
A.1.3.8 SA_UTL.STRICTLY_DOMINATED_BY
A.2 OCI Interface for Setting Session Labels
A.2.1 OCIAttrSet
A.2.2 OCIAttrGet
A.2.3 OCIParamGet
A.2.4 OCIAttrSet
A.2.5 OCI Example
B Command-line Tools for Label Security Using Oracle Internet Directory
B.1 Command Explanations
B.2 Relating Parameters to Commands for olsadmintool
B.2.1 Summaries
B.3 Examples of Using olsadmintool
B.3.1 Make Other Users Policy Creators
B.3.2 Create Policies with Valid Options
B.3.3 Create Policy Administrators
B.3.4 Create Some Levels
B.3.5 Create Some Compartments
B.3.6 Create Some Groups
B.3.7 Create Some Labels
B.3.8 Create a Profile
B.3.9 Add a User to the Profile
B.3.10 Add Another User to the Profile
B.3.11 Set Some Audit Options
B.3.12 Results of These Examples
C Oracle Label Security in an RAC Environment
C.1 Using Oracle Label Security Policy Functions in an RAC Environment
C.2 Using Transparent Application Failover in Oracle Label Security
D Frequently Asked Questions on Oracle Label Security
E Reference
E.1 Oracle Label Security Data Dictionary Tables and Views
E.1.1 Oracle Database Data Dictionary Tables
E.1.2 Oracle Label Security Data Dictionary Views
E.1.2.1 ALL_SA_AUDIT_OPTIONS
E.1.2.2 ALL_SA_COMPARTMENTS
E.1.2.3 ALL_SA_DATA_LABELS
E.1.2.4 ALL_SA_GROUPS
E.1.2.5 ALL_SA_LABELS
E.1.2.6 ALL_SA_LEVELS
E.1.2.7 ALL_SA_POLICIES
E.1.2.8 ALL_SA_PROG_PRIVS
E.1.2.9 ALL_SA_SCHEMA_POLICIES
E.1.2.10 ALL_SA_TABLE_POLICIES
E.1.2.11 ALL_SA_USERS
E.1.2.12 ALL_SA_USER_LABELS
E.1.2.13 ALL_SA_USER_LEVELS
E.1.2.14 ALL_SA_USER_PRIVS
E.1.2.15 DBA_SA_AUDIT_OPTIONS
E.1.2.16 DBA_SA_COMPARTMENTS
E.1.2.17 DBA_SA_DATA_LABELS
E.1.2.18 DBA_SA_GROUPS
E.1.2.19 DBA_SA_GROUP_HIERARCHY
E.1.2.20 DBA_SA_LABELS
E.1.2.21 DBA_SA_LEVELS
E.1.2.22 DBA_SA_POLICIES
E.1.2.23 DBA_SA_PROG_PRIVS
E.1.2.24 DBA_SA_SCHEMA_POLICIES
E.1.2.25 DBA_SA_TABLE_POLICIES
E.1.2.26 DBA_SA_USERS
E.1.2.27 DBA_SA_USER_COMPARTMENTS
E.1.2.28 DBA_SA_USER_GROUPS
E.1.2.29 DBA_SA_USER_LABELS
E.1.2.30 DBA_SA_USER_LEVELS
E.1.2.31 DBA_SA_USER_PRIVS
E.1.3 Oracle Label Security Auditing Views
E.2 Restrictions in Oracle Label Security
E.2.1 CREATE TABLE AS SELECT Restriction in Oracle Label Security
E.2.2 Label Tag Restriction
E.2.3 Export Restriction in Oracle Label Security
E.2.4 Oracle Label Security Removal Restriction
E.2.5 Shared Schema Support
E.2.6 Hidden Columns Restriction
E.3 Installing Oracle Label Security
E.3.1 Oracle Label Security and the SYS.AUD$ Table
E.4 Removing Oracle Label Security
Index