Oracle Label Security Administrator's Guide
Release 2 (9.2)

Part Number A96578-01

Index

A  B  C  D  E  F  G  H  I  L  M  N  O  P  R  S  T  U  V  W 


A

access control
discretionary, 1-4, 1-5, 3-23
fine-grained, 1-4, 1-6
label-based, 1-5, 1-7, 1-12
policies, 1-3
understanding, 3-1
access mediation
and views, 3-23
enforcement options, 3-25
introduction, 3-2
label evaluation, 3-10
program units, 3-24
ADD_COMPARTMENTS function, 6-8
ADD_GROUPS procedure, 6-9
inverse groups, 13-22
ALL_CONTROL option, 7-7
ALL_SA_AUDIT_OPTIONS view, B-2
ALL_SA_COMPARTMENTS view, B-3
ALL_SA_DATA_LABELS view, B-3
ALL_SA_GROUPS view, B-3
ALL_SA_LABELS view, B-4
ALL_SA_LEVELS view, B-4
ALL_SA_POLICIES view, B-4
ALL_SA_PROG_PRIVS view, B-5
ALL_SA_SCHEMA_POLICIES view, B-5
ALL_SA_TABLE_POLICIES view, B-5
ALL_SA_USER_LABELS view, B-6
ALL_SA_USER_LEVELS view, B-7
ALL_SA_USER_PRIVS view, B-8
ALL_SA_USERS view, B-6
ALTER_COMPARTMENT procedure, 5-17
ALTER_COMPARTMENTS procedure, 6-7
ALTER_GROUP procedure, 5-20
ALTER_GROUP_PARENT
inverse groups, 13-25
ALTER_GROUP_PARENT procedure, 5-21
ALTER_GROUPS function, 6-10
ALTER_GROUPS procedure
inverse groups, 13-23
ALTER_LABEL function, 5-24
ALTER_LEVEL procedure, 5-13, 5-15
ALTER_POLICY procedure, 5-10
inverse groups, 13-21
ALTER_SCHEMA_POLICY procedure, 8-3, 8-9
ANALYZE command, 12-8
APPLY_SCHEMA_POLICY procedure, 8-3, 8-8
with inverse groups, 13-4
APPLY_TABLE_POLICY procedure, 8-3, 8-4
with inverse groups, 13-4
architecture, Oracle Label Security, 1-8
AS SYSDBA clause, 12-13
AUDIT procedure, 10-5
AUDIT_LABEL procedure, 10-10
AUDIT_LABEL_ENABLED function, 10-10
AUDIT_TRAIL parameter, 10-3
auditing
audit trails, 1-12, 10-2, 10-3, 10-11
options for Oracle Label Security, 10-4
Oracle Label Security, 1-12, 10-1, 10-2
security and, 10-5
strategy, 10-12
systemwide, 10-3
types of, 5-4
views, 10-11

B

B-tree indexes, 12-8

C

CHAR_TO_LABEL function, 4-7, 4-16, 4-18
characters, valid, 2-3, 5-9
CHECK_CONTROL option
and label update, 7-15, 7-16
and labeling functions, 7-13
and READ_CONTROL, 7-5
definition, 7-3
with other options, 7-8
child rows
deleting, 7-17
inserting, 7-14
updating, 7-16
COMP_READ function, 4-24
COMP_WRITE function, 4-24
COMPACCESS privilege, 3-18, 3-20
inverse groups, 13-8, 13-13
compartments
definition, 2-6
example, 2-7
setting authorizations, 3-7
COMPATIBLE parameter, 12-13
components. See label components
CREATE FUNCTION statement, 9-5
CREATE PACKAGE BODY statement, 9-5
CREATE PACKAGE statement, 9-5
Create Policy icon, 5-2, 5-8
CREATE PROCEDURE statement, 9-5
CREATE TABLE AS SELECT statement, B-15
CREATE_COMPARTMENT procedure, 5-16
CREATE_GROUP procedure, 5-19
inverse groups, 13-25
CREATE_LABEL procedure, 5-23
CREATE_LEVEL procedure, 5-14
CREATE_POLICY procedure, 5-2, 5-9
inverse groups, 13-21
CREATE_VIEW procedure, 10-11, B-15
creating databases, 12-13

D

DAC. See discretionary access control (DAC)
data
access rules, 1-9
label-based access, 2-2
restricting access, 1-4
sensitivity, 1-10, 5-24
data dictionary tables, 6-2, 6-18, 12-8, 12-13, B-2
DATA_LABEL function, 9-7
database links, 11-4
databases, creating additional, 12-13
DBA_policyname_AUDIT_TRAIL view, B-15
DBA_SA_AUDIT_OPTIONS view, 10-9, B-8, B-15
DBA_SA_COMPARTMENTS view, 12-4, B-8
DBA_SA_DATA_LABELS view, B-9
DBA_SA_GROUP_HIERARCHY view, B-9
DBA_SA_GROUPS view, 12-4, B-9
DBA_SA_LABELS view, 12-4, B-10
DBA_SA_LEVELS view, 12-4, B-10
DBA_SA_POLICIES view, B-10
DBA_SA_PROG_PRIVS view, B-11
DBA_SA_SCHEMA_POLICIES view, 7-10, B-11
DBA_SA_TABLE_POLICIES view, 7-10, B-11
DBA_SA_USER_COMPARTMENTS view, 6-18, B-12
DBA_SA_USER_GROUPS view, 6-18, B-13
DBA_SA_USER_LABELS view, B-13
DBA_SA_USER_LEVELS view, 6-18, B-14
DBA_SA_USER_PRIVS view, B-14
DBA_SA_USERS view, 6-17, B-12
DELETE_CONTROL option, 7-3, 7-17
DELETE_RESTRICT option, 7-17
deleting labeled data, 7-17
demobld.sql file, 5-6
DISABLE_POLICY procedure, 5-10
DISABLE_SCHEMA_POLICY procedure, 8-3, 8-10
DISABLE_TABLE_POLICY procedure, 8-3, 8-6
discretionary access control (DAC), 1-4, 3-23
distributed databases
connecting to, 11-4
multiple policies, 3-26
Oracle Label Security configuration, 11-2
remote session label, 11-5
dominance
definition, 3-13, 3-14
functions, A-3
greatest lower bound, 4-13
inverse groups, 13-27
least upper bound, 4-12
overview, A-2
DOMINATED_BY function, A-3, A-4, A-5
DOMINATES function, A-2, A-3, A-4, A-5
DROP USER CASCADE restriction, B-16
DROP_ALL_COMPARTMENTS procedure, 6-9
DROP_ALL_GROUPS procedure, 6-11
DROP_COMPARTMENT procedure, 5-18
DROP_COMPARTMENTS function, 6-8
DROP_GROUP procedure, 5-22
DROP_GROUPS procedure, 6-10
DROP_LABEL function, 5-25
DROP_LEVEL procedure, 5-16
DROP_POLICY procedure, 5-11
DROP_USER_ACCESS procedure, 6-15
DROP_VIEW procedure, 10-11
duties, of security administrators, 5-5

E

ENABLE_POLICY procedure, 5-11
ENABLE_SCHEMA_POLICY procedure, 8-3, 8-11
ENABLE_TABLE_POLICY procedure, 8-3, 8-7
enforcement options
and UPDATE, 7-14
combinations of, 7-8
exemptions, 7-9
guidelines, 7-8
INVERSE_GROUP, 13-4
list of, 7-3
overview, 7-2
viewing, 7-10
EXEMPT ACCESS POLICY privilege, 7-9
Export utility
LBACSYS restriction, B-15
policy enforcement, 7-9
row labels, 3-19, 12-2, 12-4

F

FULL privilege, 3-18, 3-19, 3-21

G

GLBD function, 4-13
granularity, data access, 3-15
GREATEST_LBOUND function, 4-13, 9-9
inverse groups, 13-26
GROUP_READ function, 4-24
GROUP_WRITE function, 4-24
groups
definition, 2-8
example, 2-8
hierarchical, 2-8, 2-13, B-9
inverse, 13-2
parent, 2-8, 3-11, 5-19, 5-21, 13-8
read/write access, 3-11
setting authorizations, 3-8

H

HIDE option
default, 5-9
discussion of, 7-4
example, 4-3
importing hidden column, 12-5
inserting data, 4-17
introduction, 4-2
not exported, 12-2
per-table basis, 4-9
PL/SQL restriction, B-16
schema level, 7-2

I

Import utility
importing labeled data, 12-3, 12-4
importing policies, 12-2
importing unlabeled data, 12-5
with Oracle Label Security, 12-2
indexes, 12-8
INITIAL_LABEL variable, A-7
INITIAL_ROW_LABEL variable, A-7
initialization parameters
AUDIT_TRAIL, 10-3
COMPATIBLE, 12-13
INSERT_CONTROL option, 7-3, 7-13
inserting labeled data, 4-16, 7-13
INTO TABLE clause, 12-6
inverse groups
and label components, 13-4
COMPACCESS privilege, 13-8, 13-13
computed labels, 13-5
dominance, 13-27
implementation of, 13-4
introduction, 13-2
Max Read Groups, 13-7
Max Write Groups, 13-7
parent-child unsupported, 13-8
read algorithm, 13-9
session labels, 13-16
SET_DEFAULT_LABEL, 13-16
SET_LABEL, 13-17
SET_ROW_LABEL, 13-16, 13-17
user privileges, 13-8
write algorithm, 13-11
INVERSE_GROUP enforcement option
behavior of procedures, 13-20
implementation, 13-4

L

label components
defining, 5-2, 5-12
in distributed environment, 11-6
industry examples, 2-10
interrelation, 2-13
valid characters, 2-3, 5-9
label evaluation process
COMPACCESS read, 3-20
COMPACCESS write, 3-21
inverse groups, COMPACCESS, 13-13
LABEL_UPDATE, 7-15
read access, 3-13
read access, inverse groups, 13-9
write access, 3-15
write access, inverse groups, 13-11
LABEL function, 4-24
label tags
converting from string, 4-7
converting to string, 4-8
distributed environment, 11-6
example, 4-5
inserting data, 4-16
introduction, 2-11
manually defined, 4-4, 4-5
strategy, 12-10
using in WHERE clauses, 4-10
LABEL_DEFAULT option
and labeling functions, 7-5, 7-10, 7-11
authorizing compartments, 3-7
authorizing groups, 3-8
definition, 7-3
importing unlabeled data, 12-5
inserting labeled data, 4-16, 4-17
with enforcement options, 7-8
with SET_ROW_LABEL, 4-21
LABEL_TO_CHAR function, 4-8, 4-9, 4-11
LABEL_UPDATE option
and labeling functions, 7-5, 7-11
and privileges, 7-5
and WRITE_CONTROL, 7-6
and WRITEACROSS, 3-18
and WRITEDOWN, 3-18, 3-22
and WRITEUP, 3-18, 3-22
definition, 7-3
evaluation process, 7-15
with enforcement options, 7-8
label-based security, 2-2
labeling functions
ALL_CONTROL and NO_CONTROL, 7-7
and CHECK_CONTROL, 7-13
and LABEL_DEFAULT, 7-5, 7-11
and LABEL_UPDATE, 7-5
and LBACSYS, 7-11
creating, 7-12
example, 7-10
how they work, 7-11
importing unlabeled data, 12-5
inserting data, 4-17
introduction, 3-25
override manual insert, 7-13
specifying, 7-12
testing, 7-11
UPDATE, 7-16
using, 7-10
with enforcement options, 7-8
labels
administering, 2-14
and performance, 3-19
data and user, 2-12
merging, 4-14
non-comparable, A-3
relationships between, A-2
syntax, 2-11
valid, 2-11, 4-4
with inverse groups, 13-5
Labels property sheet, 5-2, 5-3
LBAC_DBA role, 5-8
LBAC_LABEL datatype, 7-11
LBACSYS schema
and labeling functions, 7-11
creating additional databases, 12-13
data dictionary tables, 12-8
export restriction, 12-2, B-15
LEAST_UBOUND function, 4-12, 4-15, 9-9
inverse groups, 13-26
levels
definition, 2-4
example, 2-5
setting authorizations, 3-6
LUBD function, 4-12

M

materialized views, 11-9, 11-13
Max Read Groups, 13-7
Max Write Groups, 13-7
MAX_LEVEL function, 4-24
MERGE_LABEL function, 4-14, 4-15
MIN_LEVEL function, 4-24

N

NO_CONTROL option, 7-3, 7-7
NOAUDIT procedure, 10-4, 10-7, 10-10
NUMBER datatype, 4-2
NUMERIC_LABEL function, 9-7
NUMERIC_ROW_LABEL function, 9-7

O

object privileges
and Oracle Label Security privileges, 3-23
and trusted stored program units, 3-24, 9-3
discretionary access control, 1-5
OCI example, A-9
OCI interface, A-7
OCI_ATTR_APPCTX_LIST, A-7
OCI_ATTR_APPCTX_SIZE, A-7
OCIAttrGet, A-7
OCIAttrSet, A-7, A-8
OCIParamGet, A-8
Oracle Policy Manager
administering labels, 2-14
applying policies, 5-3, 8-3
authorizing trusted program units, 5-4
authorizing users, 5-3, 6-2
configuring auditing, 5-4
creating policies, 5-2, 5-8
defining label components, 5-2
identifying valid labels, 5-3
introduction, 5-7
ORDER BY clause, 4-10, 4-11

P

packages
Oracle Label Security, 5-6
trusted stored program units, 9-2
partitioning, 4-5, 12-12
performance, Oracle Label Security
ANALYZE command, 12-8
indexes, 12-8
label tag strategy, 12-10
partitioning, 12-12
READ privilege, 3-19
PL/SQL
creating VPD policies, 1-6
overloaded procedures, 5-13
recreating labels for import, 12-4
SA_UTL package, 9-7
trusted stored program units, 9-2
policies
creating, 5-2
enforcement guidelines, 7-8
enforcement options, 1-11, 3-25, 4-1, 7-2, 7-3, 7-8
managing, 5-8
multiple, 3-26, 4-4, 6-2, B-15
privileges, 1-5, 1-11, 3-23, 6-15
terminology, 8-2
virtual private database (VPD), 1-7
policy label column
indexing, 12-8
inserting data when hidden, 4-17
introduction, 2-2, 4-2
retrieving, 4-8
retrieving hidden, 4-9
storing label tag, 2-11
policy_DBA role, 5-5, 5-8, 5-22, 6-2, 6-15, 8-4, 8-8
predicates
access mediation, 3-25
errors, 7-19
label tag performance strategy, 12-10
multiple, 7-19
used with policy, 7-18
virtual private database, 1-4
privileges
COMPACCESS, 3-18, 3-20
FULL, 3-18, 3-19, 3-21
Oracle Label Security, 3-18
PROFILE_ACCESS, 3-18, 3-21
program units, 3-24
READ, 3-18, 3-19
row label, 3-22
trusted stored program units, 9-6
WRITEACROSS, 3-18, 3-22
WRITEDOWN, 3-18, 3-22, 3-24
WRITEUP, 3-18, 3-22
PRIVS function, 4-24
procedures, overloaded, 5-13
PROFILE_ACCESS privilege, 3-18, 3-21

R

read access
algorithm, 3-13, 3-19
introduction, 3-10
read label, 3-9
READ privilege, 3-18, 3-19
READ_CONTROL option
about, 7-6
algorithm, 3-13
and CHECK_CONTROL, 7-5
and child rows, 7-14
definition, 7-3
referential integrity, 7-16
with other options, 7-8
with predicates, 7-18
READ_ONLY function, 6-7, 6-8, 6-9, 6-10
READ_WRITE function, 6-7, 6-8, 6-9, 6-10
reading down, 3-14
referential integrity, 7-14, 7-16, 7-17
releasability, 13-2
remote users, 11-4
REMOVE_SCHEMA_POLICY procedure, 8-3, 8-10
REMOVE_TABLE_POLICY procedure, 8-3, 8-5
REPADMIN account, 11-9, 11-13, 11-14
replication
materialized views (snapshots), 11-9, 11-13, 11-15
with Oracle Label Security, 11-9, 11-10
RESTORE_DEFAULT_LABELS procedure, 4-19, 4-22
restrictions, Oracle Label Security, B-15
row labels
changing compartments, 6-7
default, 3-7, 3-8, 3-9, 4-19, 9-8
example, 3-4
in distributed environment, 11-5
inserting, 4-16
LABEL_DEFAULT option, 7-5
privileges, 3-22
restoring, 4-22
saving defaults, 4-22
setting, 4-21, 9-8
setting compartments, 6-5
setting groups, 6-6
setting levels, 6-4
understanding, 3-3
updating, 3-22
viewing, 9-7
ROW_LABEL function, 4-24
row-level security, 1-4

S

SA_COMPONENTS package, 5-12
SA_POLICY_ADMIN package, 8-1
SA_SESSION functions
defined, 4-19
viewing security attributes, 4-24
SA_SYSDBA package, 5-8
SA_USER_ADMIN package
administering stored program units, 9-4
overview, 6-2
SA_USER_NAME function, 4-24, 6-16
SA_UTL package
dominance functions, A-5
overview, 9-7
SAVE_DEFAULT_LABELS procedure, 4-19, 4-22
schemas
applying policies to, 5-3, 5-10, 7-2, 7-8
default policy options, 5-9
restrictions on shared, B-16
security
introduction, 1-2
standards, 1-3
security policies
introduction, 1-3
Oracle Label Security, 1-7
VPD, 1-7
session labels
changing, 4-20
computed, 3-9
distributed database, 11-5
example, 3-4
OCI interface, A-7
restoring, 4-22
SA_UTL.SET_LABEL, 9-8
saving defaults, 4-22
setting compartments, 6-5
setting groups, 6-6
setting levels, 6-4
understanding, 3-3
viewing, 9-7
SET_ACCESS_PROFILE function, B-16
SET_ACCESS_PROFILE procedure, 6-16
SET_COMPARTMENTS procedure, 6-5
SET_DEFAULT_LABEL function, 6-13
inverse groups, 13-16
SET_DEFAULT_LABEL procedure
inverse groups, 13-25
SET_GROUPS procedure, 6-6
inverse groups, 13-23
SET_LABEL function
and RESTORE_DEFAULT_LABELS, 4-22
definition, 4-19
inverse groups, 13-17
on remote database, 11-5
SA_UTL.SET_LABEL, 9-8
using, 4-20
SET_LABEL procedure
inverse groups, 13-25
SET_LEVELS procedure, 6-4
SET_PROG_PRIVS function, 9-4
SET_ROW_LABEL function
inverse groups, 13-16, 13-17
SET_ROW_LABEL procedure, 4-19, 4-21, 6-14, 9-8, 13-17
inverse groups, 13-25, 13-26
SET_USER_LABELS procedure, 6-12
inverse groups, 13-24
SET_USER_PRIVS function, 6-15
shared schema restrictions, B-16
SQL*Loader, 12-6
STRICTLY_DOMINATED_BY function, A-3, A-5, A-6
STRICTLY_DOMINATES function, A-3, A-4, A-5
SYS account
policy enforcement, 7-9
SYS_CONTEXT
and labeling functions, 7-11
variables, A-7
SYSDBA privilege, 10-3
system privileges, 1-5, 3-23, 3-24

T

tasks, overview, 5-2
TO_DATA_LABEL function, 4-18, 5-3, 5-23
TO_LBAC_DATA_LABEL function, 7-11
triggers, 7-11
trusted stored program units
creating, 9-5
error handling, 9-6
example, 9-3
executing, 9-6
introduction, 9-2
privileges, 3-24, 9-6
re-compiling, 9-5
replacing, 9-5

U

UPDATE_CONTROL option, 7-3, 7-14
updating labeled data, 7-14
user authorizations
compartments, 3-7
groups, 3-8
levels, 3-6
understanding, 3-5
USER_SA_SESSION view, 4-23

V

views
access mediation, 3-23
ALL_SA_COMPARTMENTS, B-3
ALL_SA_GROUPS, B-3
ALL_SA_LABELS, B-3, B-4
ALL_SA_LEVELS, B-4
ALL_SA_POLICIES, B-4
ALL_SA_PROG_PRIVS, B-5
ALL_SA_SCHEMA_POLICIES, B-5
ALL_SA_TABLE_POLICIES, B-5
ALL_SA_USER_LABELS, B-6
ALL_SA_USER_LEVELS, B-7
ALL_SA_USER_PRIVS, B-8
ALL_SA_USERS, B-6
auditing, B-15
DBA_policyname_AUDIT_TRAIL, B-15
DBA_SA_AUDIT_OPTIONS, 10-9, B-8, B-15
DBA_SA_COMPARTMENTS, B-8
DBA_SA_DATA_LABELS, B-9
DBA_SA_GROUP_HIERARCHY, B-9
DBA_SA_GROUPS, B-9
DBA_SA_LABELS, B-10
DBA_SA_LEVELS, B-10
DBA_SA_POLICIES, B-10
DBA_SA_PROG_PRIVS, B-11
DBA_SA_SCHEMA_POLICIES, 7-10, B-11
DBA_SA_TABLE_POLICIES, 7-10, B-11
DBA_SA_USER_COMPARTMENTS, B-12
DBA_SA_USER_GROUPS, B-13
DBA_SA_USER_LABELS, B-13
DBA_SA_USER_LEVELS, B-14
DBA_SA_USER_PRIVS, B-14
DBA_SA_USERS, B-12
USER_SA_SESSION, 4-23
virtual private database (VPD)
introduction, 1-4
Oracle Label Security policies, 1-7
policies, 1-6

W

write access
algorithm, 3-16, 3-19
introduction, 3-10
write label, 3-9
WRITE_CONTROL option
algorithm, 3-15
definition, 7-3
introduction, 7-6
LABEL_UPDATE, 7-6
with INSERT, UPDATE, DELETE, 7-6
with other options, 7-8
WRITEACROSS privilege, 3-18, 3-22, 7-3, 7-5, 7-15
WRITEDOWN privilege, 3-18, 3-22, 3-24, 7-3, 7-5, 7-15
WRITEUP privilege, 3-18, 3-22

Copyright © 2000, 2002 Oracle Corporation.

All Rights Reserved.