Skip Headers
Oracle® Label Security Administrator's Guide
10
g
Release 2 (10.2)
Part Number B14267-02
Home
Book List
Index
Master Index
Contact Us
Next
View PDF
Contents
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documentation
Conventions
Part I
1
Introduction to Oracle Label Security
1.1
Computer Security and Data Access Controls
1.1.1
Oracle Label Security and Security Standards
1.1.2
Security Policies
1.1.3
Access Control
1.1.3.1
Discretionary Access Control
1.1.3.2
Oracle Label Security
1.1.3.3
How Oracle Label Security Works with Discretionary Access Control
1.2
Oracle Label Security Architecture
1.3
Features of Oracle Label Security
1.3.1
Overview of Oracle Label Security Policy Functionality
1.3.2
Oracle Enterprise Edition: VPD Technology
1.3.3
Oracle Label Security: An Out-of-the-Box VPD
1.3.4
Label Policy Features
1.3.4.1
Data Labels
1.3.4.2
Label Authorizations
1.3.4.3
Policy Privileges
1.3.4.4
Policy Enforcement Options
1.3.4.5
Summary: Four Aspects of Label-Based Row Access
1.4
Oracle Label Security Integration with Oracle Internet Directory
2
Understanding Data Labels and User Labels
2.1
Introduction to Label-Based Security
2.2
Label Components
2.2.1
Label Component Definitions and Valid Characters
2.2.2
Levels
2.2.3
Compartments
2.2.4
Groups
2.2.5
Industry Examples of Levels, Compartments, and Groups
2.3
Label Syntax and Type
2.4
How Data Labels and User Labels Work Together
2.5
Administering Labels
3
Understanding Access Controls and Privileges
3.1
Introducing Access Mediation
3.2
Understanding Session Label and Row Label
3.2.1
The Session Label
3.2.2
The Row Label
3.2.3
Session Label Example
3.3
Understanding User Authorizations
3.3.1
Authorizations Set by the Administrator
3.3.1.1
Authorized Levels
3.3.1.2
Authorized Compartments
3.3.1.3
Authorized Groups
3.3.2
Computed Session Labels
3.4
Evaluating Labels for Access Mediation
3.4.1
Introducing Read/Write Access
3.4.1.1
Difference Between Read and Write Operations
3.4.1.2
Propagation of Read/Write Authorizations on Groups
3.4.2
The Oracle Label Security Algorithm for Read Access
3.4.3
The Oracle Label Security Algorithm for Write Access
3.5
Using Oracle Label Security Privileges
3.5.1
Privileges Defined by Oracle Label Security Policies
3.5.2
Special Access Privileges
3.5.2.1
READ
3.5.2.2
FULL
3.5.2.3
COMPACCESS
3.5.2.4
PROFILE_ACCESS
3.5.3
Special Row Label Privileges
3.5.3.1
WRITEUP
3.5.3.2
WRITEDOWN
3.5.3.3
WRITEACROSS
3.5.4
System Privileges, Object Privileges, and Policy Privileges
3.5.5
Access Mediation and Views
3.5.6
Access Mediation and Program Unit Execution
3.5.7
Access Mediation and Policy Enforcement Options
3.6
Working with Multiple Oracle Label Security Policies
3.6.1
Multiple Oracle Label Security Policies in a Single Database
3.6.2
Multiple Oracle Label Security Policies in a Distributed Environment
Part II Using Oracle Label Security Functionality
4
Working with Labeled Data
4.1
The Policy Label Column and Label Tags
4.1.1
The Policy Label Column
4.1.1.1
Hiding the Policy Label Column
4.1.1.2
Example 1: Numeric Column Data Type (NUMBER)
4.1.1.3
Example 2: Numeric Column Data Type with Hidden Column
4.1.2
Label Tags
4.1.2.1
Manually Defining Label Tags to Order Labels
4.1.2.2
Manually Defining Label Tags to Manipulate Data
4.1.2.3
Automatically Generated Label Tags
4.2
Assigning Labels to Data Rows
4.3
Presenting the Label
4.3.1
Converting a Character String to a Label Tag, with CHAR_TO_LABEL
4.3.2
Converting a Label Tag to a Character String, with LABEL_TO_CHAR
4.3.2.1
LABEL_TO_CHAR Examples
4.3.2.2
Retrieving All Columns from a Table When the Policy Label Column Is Hidden
4.4
Filtering Data Using Labels
4.4.1
Using Numeric Label Tags in WHERE Clauses
4.4.2
Ordering Labeled Data Rows
4.4.3
Ordering by Character Representation of Label
4.4.4
Determining Upper and Lower Bounds of Labels
4.4.4.1
Finding Least Upper Bound with LEAST_UBOUND
4.4.4.2
Finding Greatest Lower Bound with GREATEST_LBOUND
4.4.5
Merging Labels with the MERGE_LABEL Function
4.5
Inserting Labeled Data
4.5.1
Inserting Labels Using CHAR_TO_LABEL
4.5.2
Inserting Labels Using Numeric Label Tag Values
4.5.3
Inserting Data Without Specifying a Label
4.5.4
Inserting Data When the Policy Label Column Is Hidden
4.5.5
Inserting Labels Using TO_DATA_LABEL
4.6
Changing Your Session and Row Labels with SA_SESSION
4.6.1
SA_SESSION Functions to Change Session and Row Labels
4.6.2
Changing the Session Label with SA_SESSION.SET_LABEL
4.6.3
Changing the Row Label with SA_SESSION.SET_ROW_LABEL
4.6.4
Restoring Label Defaults with SA_SESSION.RESTORE_DEFAULT_LABELS
4.6.5
Saving Label Defaults with SA_SESSION.SAVE_DEFAULT_LABELS
4.6.6
Viewing Session Attributes with SA_SESSION Functions
4.6.6.1
USER_SA_SESSION View to Return All Security Attributes
4.6.6.2
Functions to Return Individual Security Attributes
5
Oracle Label Security Using Oracle Internet Directory
5.1
Introducing Label Management on Oracle Internet Directory
5.2
Configuring Oracle Internet Directory-Enabled Label Security
5.2.1
Granting Permissions for Configuring Oracle Internet Directory enabled Oracle Label Security
5.2.2
Registering a Database and Configuring Oracle Internet Directory enabled Oracle Label Security
5.2.2.1
Task 1 Configure Your Oracle Home for Directory Usage.
5.2.2.2
Task 2 Configure the Database for Oracle Internet Directory enabled Oracle Label Security
5.2.2.3
Alternate Method for Task 2, Configuring Database for Oracle Internet Directory enabled Oracle Label Security
5.2.2.4
Task3: Set the DIP Password and Connect Data
5.2.3
Unregistering a Database with Oracle Internet Directory enabled OLS
5.3
Removing Directory-enabled Oracle Label Security from Database
5.4
Oracle Label Security Profiles
5.5
Integrated Capabilities When Label Security Uses the Directory
5.6
Oracle Label Security Policy Attributes in Oracle Internet Directory
5.7
Restrictions on New Data Label Creation
5.8
Two Types of Administrators
5.9
Bootstrapping Databases
5.10
Synchronizing the Database and Oracle Internet Directory
5.10.1
Oracle Directory Integration and Provisioning (DIP) Provisioning Profiles
5.10.2
Disabling, Changing, and Enabling a Provisioning Profile
5.11
Security Roles and Permitted Actions
5.11.1
Restriction on Policy Creators for Directory-enabled Oracle Label Security
5.12
Superseded PL/SQL Statements
5.13
Procedures for Policy Administrators Only
Part III Administering an Oracle Label Security Application
6
Creating an Oracle Label Security Policy
6.1
Oracle Label Security Administrative Task Overview
6.1.1
Step 1: Create the Policy
6.1.2
Step 2: Define the Components of the Labels
6.1.3
Step 3: Identify the Set of Valid Data Labels
6.1.4
Step 4: Apply the Policy to Tables and Schemas
6.1.5
Step 5: Authorize Users
6.1.6
Step 6: Create and Authorize Trusted Program Units (Optional)
6.1.7
Step 7: Configure Auditing (Optional)
6.2
Organizing the Duties of Oracle Label Security Administrators
6.3
Choosing an Oracle Label Security Administrative Interface
6.3.1
Oracle Label Security Packages
6.3.1.1
Oracle Label Security Demonstration File
6.3.2
Oracle Policy Manager
6.4
Using the SA_SYSDBA Package to Manage Security Policies
6.4.1
Who Can Use the SA_SYSDBA Package
6.4.2
Who Can Administer a Policy
6.4.3
Valid Characters for Policy Specifications
6.4.4
Creating a Policy with SA_SYSDBA.CREATE_POLICY
6.4.5
Modifying Policy Options with SA_SYSDBA.ALTER_POLICY
6.4.6
Disabling a Policy with SA_SYSDBA.DISABLE_POLICY
6.4.7
Enabling a Policy with SA_SYSDBA.ENABLE_POLICY
6.4.8
Removing a Policy with SA_SYSDBA.DROP_POLICY
6.5
Using the SA_COMPONENTS Package to Define Label Components
6.5.1
Using Overloaded Procedures
6.5.2
Creating a Level with SA_COMPONENTS.CREATE_LEVEL
6.5.3
Modifying a Level with SA_COMPONENTS.ALTER_LEVEL
6.5.4
Removing a Level with SA_COMPONENTS.DROP_LEVEL
6.5.5
Creating a Compartment with SA_COMPONENTS.CREATE_COMPARTMENT
6.5.6
Modifying a Compartment with SA_COMPONENTS.ALTER_COMPARTMENT
6.5.7
Removing a Compartment with SA_COMPONENTS.DROP_COMPARTMENT
6.5.8
Creating a Group with SA_COMPONENTS.CREATE_GROUP
6.5.9
Modifying a Group with SA_COMPONENTS.ALTER_GROUP
6.5.10
Modifying a Group Parent with SA_COMPONENTS.ALTER_GROUP_PARENT
6.5.11
Removing a Group with SA_COMPONENTS.DROP_GROUP
6.6
Using the SA_LABEL_ADMIN Package to Specify Valid Labels
6.6.1
Creating a Valid Data Label with SA_LABEL_ADMIN.CREATE_LABEL
6.6.2
Modifying a Label with SA_LABEL_ADMIN.ALTER_LABEL
6.6.3
Deleting a Label with SA_LABEL_ADMIN.DROP_LABEL
7
Administering User Labels and Privileges
7.1
Introduction to User Label and Privilege Management
7.2
Managing User Labels by Component, with SA_USER_ADMIN
7.2.1
SA_USER_ADMIN.SET_LEVELS
7.2.2
SA_USER_ADMIN.SET_COMPARTMENTS
7.2.3
SA_USER_ADMIN.SET_GROUPS
7.2.4
SA_USER_ADMIN.ALTER_COMPARTMENTS
7.2.5
SA_USER_ADMIN.ADD_COMPARTMENTS
7.2.6
SA_USER_ADMIN.DROP_COMPARTMENTS
7.2.7
SA_USER_ADMIN.DROP_ALL_COMPARTMENTS
7.2.8
SA_USER_ADMIN.ADD_GROUPS
7.2.9
SA_USER_ADMIN.ALTER_GROUPS
7.2.10
SA_USER_ADMIN.DROP_GROUPS
7.2.11
SA_USER_ADMIN.DROP_ALL_GROUPS
7.3
Managing User Labels by Label String, with SA_USER_ADMIN
7.3.1
SA_USER_ADMIN.SET_USER_LABELS
7.3.2
SA_USER_ADMIN.SET_DEFAULT_LABEL
7.3.3
SA_USER_ADMIN.SET_ROW_LABEL
7.3.4
SA_USER_ADMIN.DROP_USER_ACCESS
7.4
Managing User Privileges with SA_USER_ADMIN.SET_USER_PRIVS
7.5
Setting Labels & Privileges with SA_SESSION.SET_ACCESS_PROFILE
7.6
Returning User Name with SA_SESSION.SA_USER_NAME
7.7
Using Oracle Label Security Views
7.7.1
View to Display All User Security Attributes: DBA_SA_USERS
7.7.2
Views to Display User Authorizations by Component
8
Implementing Policy Enforcement Options and Labeling Functions
8.1
Choosing Policy Options
8.1.1
Overview of Policy Enforcement Options
8.1.2
The HIDE Policy Column Option
8.1.3
The Label Management Enforcement Options
8.1.3.1
LABEL_DEFAULT: Using the Session's Default Row Label
8.1.3.2
LABEL_UPDATE: Changing Data Labels
8.1.3.3
CHECK_CONTROL: Checking Data Labels
8.1.4
The Access Control Enforcement Options
8.1.4.1
READ_CONTROL: Reading Data
8.1.4.2
WRITE_CONTROL: Writing Data
8.1.4.3
INSERT_CONTROL, UPDATE_CONTROL, and DELETE_CONTROL
8.1.5
The Overriding Enforcement Options
8.1.6
Guidelines for Using the Policy Enforcement Options
8.1.7
Exemptions from Oracle Label Security Policy Enforcement
8.1.8
Viewing Policy Options on Tables and Schemas
8.2
Using a Labeling Function
8.2.1
Labeling Data Rows under Oracle Label Security
8.2.2
Understanding Labeling Functions in Oracle Label Security Policies
8.2.3
Creating a Labeling Function for a Policy
8.2.4
Specifying a Labeling Function in a Policy
8.3
Inserting Labeled Data Using Policy Options and Labeling Functions
8.3.1
Evaluating Enforcement Control Options and INSERT
8.3.2
Inserting Labels When a Labeling Function Is Specified
8.3.3
Inserting Child Rows into Tables with Declarative Referential Integrity Enabled
8.4
Updating Labeled Data Using Policy Options and Labeling Functions
8.4.1
Updating Labels Using CHAR_TO_LABEL
8.4.2
Evaluating Enforcement Control Options and UPDATE
8.4.3
Updating Labels When a Labeling Function Is Specified
8.4.4
Updating Child Rows in Tables with Declarative Referential Integrity Enabled
8.5
Deleting Labeled Data Using Policy Options and Labeling Functions
8.6
Using a SQL Predicate with an Oracle Label Security Policy
8.6.1
Modifying an Oracle Label Security Policy with a SQL Predicate
8.6.2
Affecting Oracle Label Security Policies with Multiple SQL Predicates
9
Applying Policies to Tables and Schemas
9.1
Policy Administration Terminology
9.2
Subscribing Policies in Directory-Enabled Label Security
9.2.1
Subscribing to a Policy with SA_POLICY_ADMIN.POLICY_SUBSCRIBE
9.2.1.1
Syntax
9.2.2
Unsubscribing to a Policy with SA_POLICY_ADMIN.POLICY_UNSUBSCRIBE
9.2.2.1
Syntax
9.3
Policy Administration Functions for Tables and Schemas
9.4
Administering Policies on Tables Using SA_POLICY_ADMIN
9.4.1
Applying a Policy with SA_POLICY_ADMIN.APPLY_TABLE_POLICY
9.4.1.1
Syntax
9.4.2
Removing a Policy with SA_POLICY_ADMIN.REMOVE_TABLE_POLICY
9.4.2.1
Syntax
9.4.3
Disabling a Policy with SA_POLICY_ADMIN.DISABLE_TABLE_POLICY
9.4.3.1
Syntax
9.4.4
Reenabling a Policy with SA_POLICY_ADMIN.ENABLE_TABLE_POLICY
9.4.4.1
Syntax
9.5
Administering Policies on Schemas with SA_POLICY_ADMIN
9.5.1
Applying a Policy with SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY
9.5.1.1
Syntax
9.5.2
Altering Enforcement Options: SA_POLICY_ADMIN.ALTER_SCHEMA_POLICY
9.5.2.1
Syntax
9.5.3
Removing a Policy with SA_POLICY_ADMIN.REMOVE_SCHEMA_POLICY
9.5.3.1
Syntax
9.5.4
Disabling a Policy with SA_POLICY_ADMIN.DISABLE_SCHEMA_POLICY
9.5.4.1
Syntax
9.5.5
Reenabling a Policy with SA_POLICY_ADMIN.ENABLE_SCHEMA_POLICY
9.5.5.1
Syntax
9.5.6
Policy Issues for Schemas
10
Administering and Using Trusted Stored Program Units
10.1
Introduction to Trusted Stored Program Units
10.1.1
How a Trusted Stored Program Unit Runs
10.1.2
Trusted Stored Program Unit Example
10.2
Managing Program Unit Privileges with SET_PROG_PRIVS
10.3
Creating and Compiling Trusted Stored Program Units
10.3.1
Creating Trusted Stored Program Units
10.3.2
Setting Privileges for Trusted Stored Program Units
10.3.3
Recompiling Trusted Stored Program Units
10.3.4
Re-creating Trusted Stored Program Units
10.3.5
Running Trusted Stored Program Units
10.4
Using SA_UTL Functions to Set and Return Label Information
10.4.1
Viewing Session Label and Row Label Using SA_UTL
10.4.1.1
SA_UTL.NUMERIC_LABEL
10.4.1.2
SA_UTL.NUMERIC_ROW_LABEL
10.4.1.3
SA_UTL.DATA_LABEL
10.4.2
Setting the Session Label and Row Label Using SA_UTL
10.4.2.1
SA_UTL.SET_LABEL
10.4.2.2
SA_UTL.SET_ROW_LABEL
10.4.3
Returning Greatest Lower Bound and Least Upper Bound
10.4.3.1
GREATEST_LBOUND
10.4.3.2
LEAST_UBOUND
11
Auditing Under Oracle Label Security
11.1
Overview of Oracle Label Security Auditing
11.2
Enabling Systemwide Auditing: AUDIT_TRAIL Initialization Parameter
11.3
Enabling Oracle Label Security Auditing with SA_AUDIT_ADMIN
11.3.1
Auditing Options for Oracle Label Security
11.3.2
Enabling Oracle Label Security Auditing with SA_AUDIT_ADMIN.AUDIT
11.3.3
Disabling Oracle Label Security Auditing with SA_AUDIT_ADMIN.NOAUDIT
11.3.4
Examining Audit Options with the DBA_SA_AUDIT_OPTIONS View
11.4
Managing Policy Label Auditing
11.4.1
Policy Label Auditing with SA_AUDIT_ADMIN.AUDIT_LABEL
11.4.2
Disabling Policy Label Auditing with SA_AUDIT_ADMIN.NOAUDIT_LABEL
11.4.3
Finding Label Audit Status with AUDIT_LABEL_ENABLED
11.5
Creating and Dropping an Audit Trail View for Oracle Label Security
11.5.1
Creating a View with SA_AUDIT_ADMIN.CREATE_VIEW
11.5.2
Dropping a View with SA_AUDIT_ADMIN.DROP_VIEW
11.6
Oracle Label Security Auditing Tips
11.6.1
Strategy for Setting SA_AUDIT_ADMIN Options
11.6.2
Auditing Privileged Operations
12
Using Oracle Label Security with a Distributed Database
12.1
An Oracle Label Security Distributed Configuration
12.2
Connecting to a Remote Database Under Oracle Label Security
12.3
Establishing Session Label and Row Label for a Remote Session
12.4
Setting Up Labels in a Distributed Environment
12.4.1
Setting Label Tags in a Distributed Environment
12.4.2
Setting Numeric Form of Label Components in a Distributed Environment
12.5
Using Oracle Label Security Policies in a Distributed Environment
12.6
Using Replication with Oracle Label Security
12.6.1
Introduction to Replication Under Oracle Label Security
12.6.1.1
Replication Functionality Supported by Oracle Label Security
12.6.1.2
Row-Level Security Restriction on Replication Under Oracle Label Security
12.6.2
Contents of a Materialized View
12.6.2.1
How Materialized View Contents Are Determined
12.6.2.2
Complete Materialized Views
12.6.2.3
Partial Materialized Views
12.6.3
Requirements for Creating Materialized Views Under Oracle Label Security
12.6.3.1
Requirements for the REPADMIN Account
12.6.3.2
Requirements for the Owner of the Materialized View
12.6.3.3
Requirements for Creating Partial Multilevel Materialized Views
12.6.3.4
Requirements for Creating Complete Multilevel Materialized Views
12.6.4
How to Refresh Materialized Views
13
Performing DBA Functions Under Oracle Label Security
13.1
Using the Export Utility with Oracle Label Security
13.1.1
Using Datapump Export Utility with Oracle Label Security
13.2
Using the Import Utility with Oracle Label Security
13.2.1
Requirements for Import Under Oracle Label Security
13.2.1.1
Preparing the Import Database
13.2.1.2
Verifying Import User Authorizations
13.2.2
Defining Data Labels for Import
13.2.3
Importing Labeled Data Without Installing Oracle Label Security
13.2.4
Importing Unlabeled Data
13.2.5
Importing Tables with Hidden Columns
13.3
Using SQL*Loader with Oracle Label Security
13.3.1
Requirements for Using SQL*Loader Under Oracle Label Security
13.3.2
Oracle Label Security Input to SQL*Loader
13.4
Performance Tips for Oracle Label Security
13.4.1
Using ANALYZE to Improve Oracle Label Security Performance
13.4.2
Creating Indexes on the Policy Label Column
13.4.3
Planning a Label Tag Strategy to Enhance Performance
13.4.4
Partitioning Data Based on Numeric Label Tags
13.5
Creating Additional Databases After Installation
14
Releasability Using Inverse Groups
14.1
Introduction to Inverse Groups and Releasability
14.2
Comparing Standard Groups and Inverse Groups
14.3
How Inverse Groups Work
14.3.1
Implementing Inverse Groups with the INVERSE_GROUP Enforcement Option
14.3.2
Inverse Groups and Label Components
14.3.3
Computed Labels with Inverse Groups
14.3.3.1
Computed Session Labels with Inverse Groups
14.3.3.2
Inverse Groups and Computed Max Read Groups and Max Write Groups
14.3.4
Inverse Groups and Hierarchical Structure
14.3.5
Inverse Groups and User Privileges
14.4
Algorithm for Read Access with Inverse Groups
14.5
Algorithm for Write Access with Inverse Groups
14.6
Algorithms for COMPACCESS Privilege with Inverse Groups
14.7
Session Labels and Inverse Groups
14.7.1
Setting Initial Session/Row Labels for Standard or Inverse Groups
14.7.1.1
Standard Groups: Rules for Changing Initial Session/Row Labels
14.7.1.2
Inverse Groups: Rules for Changing Initial Session/Row Labels
14.7.2
Setting Current Session/Row Labels for Standard or Inverse Groups
14.7.2.1
Standard Groups: Rules for Changing Current Session/Row Labels
14.7.2.2
Inverse Groups: Rules for Changing Current Session/Row Labels
14.7.3
Examples of Session Labels and Inverse Groups
14.7.3.1
Inverse Groups Example 1
14.7.3.2
Inverse Groups Example 2
14.8
Changes in Behavior of Procedures with Inverse Groups
14.8.1
SYSDBA.CREATE_POLICY with Inverse Groups
14.8.2
SYSDBA.ALTER_POLICY with Inverse Groups
14.8.3
SA_USER_ADMIN.ADD_GROUPS with Inverse Groups
14.8.4
SA_USER_ADMIN.ALTER_GROUPS with Inverse Groups
14.8.5
SA_USER_ADMIN.SET_GROUPS with Inverse Groups
14.8.6
SA_USER_ADMIN.SET_USER_LABELS with Inverse Groups
14.8.7
SA_USER_ADMIN.SET_DEFAULT_LABEL with Inverse Groups
14.8.8
SA_USER_ADMIN.SET_ROW_LABEL with Inverse Groups
14.8.9
SA_COMPONENTS.CREATE_GROUP with Inverse Groups
14.8.10
SA_COMPONENTS.ALTER_GROUP_PARENT with Inverse Groups
14.8.11
SA_SESSION.SET_LABEL with Inverse Groups
14.8.12
SA_SESSION.SET_ROW_LABEL with Inverse Groups
14.8.13
LEAST_UBOUND with Inverse Groups
14.8.14
GREATEST_LBOUND with Inverse Groups
14.9
Dominance Rules for Labels with Inverse Groups
Part IV Appendixes
A
Advanced Topics in Oracle Label Security
A.1
Analyzing the Relationships Between Labels
A.1.1
Dominant and Dominated Labels
A.1.2
Non-Comparable Labels
A.1.3
Using Dominance Functions
A.1.3.1
The DOMINATES Standalone Function
A.1.3.2
The STRICTLY_DOMINATES Standalone Function
A.1.3.3
The DOMINATED_BY Standalone Function
A.1.3.4
The STRICTLY_DOMINATED_BY Standalone Function
A.1.3.5
SA_UTL.DOMINATES
A.1.3.6
SA_UTL.STRICTLY_DOMINATES
A.1.3.7
SA_UTL.DOMINATED_BY
A.1.3.8
SA_UTL.STRICTLY_DOMINATED_BY
A.2
OCI Interface for Setting Session Labels
A.2.1
OCIAttrSet
A.2.2
OCIAttrGet
A.2.3
OCIParamGet
A.2.4
OCIAttrSet
A.2.5
OCI Example
B
Command-line Tools for Label Security Using Oracle Internet Directory
B.1
Command Explanations
B.2
Relating Parameters to Commands for olsadmintool
B.2.1
Summaries
B.3
Examples of Using olsadmintool
B.3.1
Make Other Users Policy Creators
B.3.2
Create Policies with Valid Options
B.3.3
Create Policy Administrators
B.3.4
Create Some Levels
B.3.5
Create Some Compartments
B.3.6
Create Some Groups
B.3.7
Create Some Labels
B.3.8
Create a Profile
B.3.9
Add a User to the Profile
B.3.10
Add Another User to the Profile
B.3.11
Set Some Audit Options
B.3.12
Results of These Examples
C
Reference
C.1
Oracle Label Security Data Dictionary Tables and Views
C.1.1
Oracle Database
Data Dictionary Tables
C.1.2
Oracle Label Security Data Dictionary Views
C.1.2.1
ALL_SA_AUDIT_OPTIONS
C.1.2.2
ALL_SA_COMPARTMENTS
C.1.2.3
ALL_SA_DATA_LABELS
C.1.2.4
ALL_SA_GROUPS
C.1.2.5
ALL_SA_LABELS
C.1.2.6
ALL_SA_LEVELS
C.1.2.7
ALL_SA_POLICIES
C.1.2.8
ALL_SA_PROG_PRIVS
C.1.2.9
ALL_SA_SCHEMA_POLICIES
C.1.2.10
ALL_SA_TABLE_POLICIES
C.1.2.11
ALL_SA_USERS
C.1.2.12
ALL_SA_USER_LABELS
C.1.2.13
ALL_SA_USER_LEVELS
C.1.2.14
ALL_SA_USER_PRIVS
C.1.2.15
DBA_SA_AUDIT_OPTIONS
C.1.2.16
DBA_SA_COMPARTMENTS
C.1.2.17
DBA_SA_DATA_LABELS
C.1.2.18
DBA_SA_GROUPS
C.1.2.19
DBA_SA_GROUP_HIERARCHY
C.1.2.20
DBA_SA_LABELS
C.1.2.21
DBA_SA_LEVELS
C.1.2.22
DBA_SA_POLICIES
C.1.2.23
DBA_SA_PROG_PRIVS
C.1.2.24
DBA_SA_SCHEMA_POLICIES
C.1.2.25
DBA_SA_TABLE_POLICIES
C.1.2.26
DBA_SA_USERS
C.1.2.27
DBA_SA_USER_COMPARTMENTS
C.1.2.28
DBA_SA_USER_GROUPS
C.1.2.29
DBA_SA_USER_LABELS
C.1.2.30
DBA_SA_USER_LEVELS
C.1.2.31
DBA_SA_USER_PRIVS
C.1.3
Oracle Label Security Auditing Views
C.2
Restrictions in Oracle Label Security
C.2.1
CREATE TABLE AS SELECT Restriction in Oracle Label Security
C.2.2
Label Tag Restriction
C.2.3
Export Restriction in Oracle Label Security
C.2.4
Oracle Label Security Removal Restriction
C.2.5
Shared Schema Support
C.2.6
Hidden Columns Restriction
C.3
Installing Oracle Label Security
C.3.1
Oracle Label Security and the SYS.AUD$ Table
C.4
Removing Oracle Label Security
D
Oracle Label Security in an RAC Environment
D.1
Using Oracle Label Security Policy Functions in an RAC Environment
D.2
Using Transparent Application Failover in Oracle Label Security
Index