Oracle® Label Security Administrator's Guide 11g Release 1 (11.1) Part Number B28529-01 |
|
|
View PDF |
This appendix provides the following reference information:
Oracle Label Security does not in any way label the Oracle data dictionary tables. Access is controlled by standard Oracle Database system and object privileges. For a description of all data dictionary tables and views, refe to the Oracle Database Reference.
Oracle Label Security maintains an independent set of data dictionary tables. These tables are exempt from any policy enforcement. This section lists the views that can display information related to Oracle Label Security.
Note that access to the DBA views is granted by default to the SELECT_CATALOG_ROLE, a standard Oracle Database role that lets you examine the Oracle Database data dictionary.
Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
USER_NAME | NOT NULL | VARCHAR2(30) |
APY | VARCHAR2(3) | |
REM | VARCHAR2(3) | |
SET_ | VARCHAR2(3) | |
PRV | VARCHAR2(3) |
Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
COMP_NUM | NOT NULL | NUMBER(4) |
SHORT_NAME | NOT NULL | VARCHAR2(30) |
LONG_NAME | NOT NULL | VARCHAR2(80) |
Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
LABEL | VARCHAR2(4000) | |
LABEL_TAG | NUMBER |
Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
GROUP_NUM | NOT NULL | NUMBER(4) |
SHORT_NAME | NOT NULL | VARCHAR2(30) |
LONG_NAME | NOT NULL | VARCHAR2(80) |
PARENT_NUM | NUMBER(4) | |
PARENT_NAME | VARCHAR2(30) |
Access to ALL_SA_LABELS is PUBLIC. However only the labels authorized for read access by the session are visible.
Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
LABEL | VARCHAR2(4000) | |
LABEL_TAG | NUMBER | |
LABEL_TYPE | VARCHAR2(15) |
Name | Null? | Type |
---|---|---|
POLICY_NAME | VARCHAR2(30) | |
LEVEL_NUM | NUMBER(4) | |
SHORT_NAME | VARCHAR2(30) | |
LONG_NAME | VARCHAR2(80) |
Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
COLUMN_NAME | NOT NULL | VARCHAR2(30) |
STATUS | VARCHAR2(8) | |
POLICY_OPTIONS | VARCHAR2(4000) |
Name | Null? | Type |
---|---|---|
SCHEMA_NAME | NOT NULL | VARCHAR2(30) |
PROGRAM_NAME | NOT NULL | VARCHAR(30) |
POLICY_NAME | NOT NULL | VARCHAR2(30) |
PROGRAM_PRIVILEGES | VARCHAR2(4000) |
Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
SCHEMA_NAME | NOT NULL | VARCHAR2(30) |
STATUS | VARCHAR2(8) | |
SCHEMA_OPTIONS | VARCHAR2(4000) |
Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
SCHEMA_NAME | NOT NULL | VARCHAR2(30) |
TABLE_NAME | NOT NULL | VARCHAR2(30) |
STATUS | VARCHAR2(8) | |
TABLE_OPTIONS | VARCHAR2(4000) | |
FUNCTION | VARCHAR2(1024) | |
PREDICATE | VARCHAR2(256) |
Name | Null? | Type |
---|---|---|
USER_NAME | NOT NULL | VARCHAR2(30) |
POLICY_NAME | NOT NULL | VARCHAR2(30) |
USER_PRIVILEGES | VARCHAR2(4000) | |
MAX_READ_LABEL | VARCHAR2(4000) | |
MAX_WRITE_LABEL | VARCHAR2(4000) | |
MIN_WRITE_LABEL | VARCHAR2(4000) | |
DEFAULT_READ_LABEL | VARCHAR2(4000) | |
DEFAULT_WRITE_LABEL | VARCHAR2(4000) | |
DEFAULT_ROW_LABEL | VARCHAR2(4000) | |
USER_LABELS | VARCHAR2(4000) |
Name | Null? | Type |
---|---|---|
USER_NAME | NOT NULL | VARCHAR2(30) |
POLICY_NAME | NOT NULL | VARCHAR2(30) |
MAX_READ_LABEL | NOT NULL | VARCHAR2(4000) |
MAX_WRITE_LABEL | VARCHAR2(4000) | |
MIN_WRITE_LABEL | VARCHAR2(4000) | |
DEFAULT_READ_LABEL | VARCHAR2(4000) | |
DEFAULT_WRITE_LABEL | VARCHAR2(4000) | |
DEFAULT_ROW_LABEL | VARCHAR2(4000) | |
LABELS | VARCHAR2(4000) |
Note:
The field USER_LABELS in ALL_SA_USERS and the field LABELS in ALL_SA_USER_LABELS are retained solely for backward compatibility and will be removed in the next release.Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
USER_NAME | NOT NULL | VARCHAR2(30) |
MAX_LEVEL | NOT NULL | VARCHAR2(30) |
MIN_LEVEL | NOT NULL | VARCHAR2(30) |
DEF_LEVEL | NOT NULL | VARCHAR2(30) |
ROW_LEVEL | NOT NULL | VARCHAR2(30) |
Name | Null? | Type |
---|---|---|
USER_NAME | NOT NULL | VARCHAR2(30) |
POLICY_NAME | NOT NULL | VARCHAR2(30) |
USER_PRIVILEGES | VARCHAR2(4000) |
Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
USER_NAME | NOT NULL | VARCHAR2(30) |
APY | VARCHAR2(3) | |
REM | VARCHAR2(3) | |
SET_ | VARCHAR2(3) | |
PRV | VARCHAR2(3) |
Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
COMP_NUM | NOT NULL | NUMBER(4) |
SHORT_NAME | NOT NULL | VARCHAR2(30) |
LONG_NAME | NOT NULL | VARCHAR2(80) |
Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
LABEL | VARCHAR2(4000) | |
LABEL_TAG | NUMBER |
Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
GROUP_NUM | NOT NULL | NUMBER(4) |
SHORT_NAME | NOT NULL | VARCHAR2(30) |
LONG_NAME | NOT NULL | VARCHAR2(80) |
PARENT_NUM | NUMBER(4) | |
PARENT_NAME | VARCHAR2(30) |
Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
HIERARCHY_LEVEL | NUMBER | |
GROUP_NAME | VARCHAR2(4000) |
Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
LABEL | VARCHAR2(4000) | |
LABEL_TAG | NUMBER | |
LABEL_TYPE | VARCHAR2(15) |
Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
LEVEL_NUM | NOT NULL | NUMBER(4) |
SHORT_NAME | NOT NULL | VARCHAR2(30) |
LONG_NAME | NOT NULL | VARCHAR2(80) |
Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
COLUMN_NAME | NOT NULL | VARCHAR2(30) |
STATUS | VARCHAR2(8) | |
POLICY_OPTIONS | VARCHAR2(4000) |
Name | Null? | Type |
---|---|---|
SCHEMA_NAME | NOT NULL | VARCHAR2(30) |
PROGRAM_NAME | NOT NULL | VARCHAR2(30) |
POLICY_NAME | NOT NULL | VARCHAR2(30) |
PROGRAM_PRIVILEGES | VARCHAR2(4000) |
Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
SCHEMA_NAME | NOT NULL | VARCHAR2(30) |
STATUS | VARCHAR2(8) | |
SCHEMA_OPTIONS | VARCHAR2(4000) |
Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
SCHEMA_NAME | NOT NULL | VARCHAR2(30) |
TABLE_NAME | NOT NULL | VARCHAR2(30) |
STATUS | VARCHAR2(8) | |
TABLE_OPTIONS | VARCHAR2(4000) | |
FUNCTION | VARCHAR2(1024) | |
PREDICATE | VARCHAR2(256) |
Name | Null? | Type |
---|---|---|
USER_NAME | NOT NULL | VARCHAR2(30) |
POLICY_NAME | NOT NULL | VARCHAR2(30) |
USER_PRIVILEGES | VARCHAR2(4000) | |
MAX_READ_LABEL | VARCHAR2(4000) | |
MAX_WRITE_LABEL | VARCHAR2(4000) | |
MIN_WRITE_LABEL | VARCHAR2(4000) | |
DEFAULT_READ_LABEL | VARCHAR2(4000) | |
DEFAULT_WRITE_LABEL | VARCHAR2(4000) | |
DEFAULT_ROW_LABEL | VARCHAR2(4000) | |
USER_LABELS | VARCHAR2(4000) |
Note:
The field USER_LABELS in DBA_SA_USERS is retained solely for backward compatibility and will be removed in the next release.Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
USER_NAME | NOT NULL | VARCHAR2(30) |
COMP | NOT NULL | VARCHAR2(30) |
RW_ACCESS | VARCHAR2(5) | |
DEF_COMP | NOT NULL | VARCHAR2(1) |
ROW_COMP | NOT NULL | VARCHAR2(1) |
Name | Null? | Type |
---|---|---|
POLICY_NAME | NOT NULL | VARCHAR2(30) |
USER_NAME | NOT NULL | VARCHAR2(30) |
GRP | NOT NULL | VARCHAR2(30) |
RW_ACCESS | VARCHAR2(5) | |
DEF_GROUP | NOT NULL | VARCHAR2(1) |
ROW_GROUP | NOT NULL | VARCHAR2(1) |
Name | Null? | Type |
---|---|---|
USER_NAME | NOT NULL | VARCHAR2(30) |
POLICY_NAME | NOT NULL | VARCHAR2(30) |
MAX_READ_LABEL | NOT NULL | VARCHAR2(4000) |
MAX_WRITE_LABEL | VARCHAR2(4000) | |
MIN_WRITE_LABEL | VARCHAR2(4000) | |
DEFAULT_READ_LABEL | VARCHAR2(4000) | |
DEFAULT_WRITE_LABEL | VARCHAR2(4000) | |
DEFAULT_ROW_LABEL | VARCHAR2(4000) | |
LABELS | VARCHAR2(4000) |
Note:
The field LABELS in DBA_SA_USER_LABELS is retained solely for backward compatibility and will be removed in the next release.Using the SA_AUDIT_ADMIN.CREATE_VIEW procedure, you can create an audit trail view for a specific policy. By default, this view is named DBA_policyname_AUDIT_TRAIL.
The DBA_SA_AUDIT_OPTIONS view contains the columns POLICY_NAME, USER_NAME, APY, SET_, and PRV.
The following restrictions exist in this Oracle Label Security release:
If you attempt to perform CREATE TABLE AS SELECT in a schema that is protected by an Oracle Label Security policy, then the statement will fail.
Label tags must be unique across the policies in the database. When you use multiple policies in a database, you cannot use the same numeric label tag in different policies.
The LBACSYS schema cannot be exported due to the use of opaque types in Oracle Label Security. An export of the entire database (parameter FULL=Y) with Oracle Label Security installed can be done, except that the LBACSYS schema would not be exported.
Do not perform a DROP USER CASCADE on the LBACSYS account.
Connect to the database as user SYS, using the AS SYSDBA syntax, and run the file $ORACLE_HOME/rdbms/admin/catnools.sql
to remove Oracle Label Security.
See Also:
Your platform-specific Oracle installation documentationUser accounts defined in the Oracle Internet Directory cannot be given individual Oracle Label Security authorizations. However, authorizations can be given to the shared schema to which the directory users are mapped.
The Oracle Label Security function SET_ACCESS_PROFILE can be used programmatically to set the label authorization profile to use after a user has been authenticated and mapped to a shared schema. Oracle Label Security does not enforce a mapping between users who are given label authorizations in Oracle Label Security and actual database users.
The person intending to install Oracle Label Security first selects the Custom installation choice. Oracle Label Security is listed as one of the options in the custom installation screen. After copying the Oracle Label Security files and relinking Oracle, the installer software automatically launches the Database Configuration Assistant (DBCA) during the database registration process, to configure options for the database to be created.
In DBCA, if Oracle Internet Directory is to be enabled for Oracle Label Security use, an additional option enables the installer users to configure the password for the Oracle Directory Integration and Provisioning (DIP) user. A DIP user with default password DIP has been created by catproc.sql. If the password is set during this configuration step, then the DIP provisioning profile will be created with the new DIP password.
Behind the scenes, DBCA does the following:
Runs catolsd.sql (as supposed to running catols.sql for a standalone Oracle Label Security configuration)
Creates the DIP provisioning profile with the given database DN for this database
Runs the bootstrap utility to refresh the database with policy information from Oracle Internet Directory
adds database DN to the cn=DBServers group
Note:
If this password is ever changed, Oracle Internet Directory must be updated with this information, using the provisioning tool oidprovtool.Installing Oracle Label Security automatically moves the AUD$ table out of SYS and into SYSTEM, and into a different tablespace.
Having the AUD$ table in the SYSTEM schema is supported when Oracle Label Security is being used.
When Oracle Label Security is not installed, moving the SYS.AUD$ table out of the SYSTEM tablespace is not supported because the Oracle code makes implicit assumptions about the data dictionary tables, such as SYS.AUD$, in support of upgrades and backup/recovery scenarios. Moving SYS.AUD$ is not supported unless done by Oracle when Oracle Label Security is installed.
Perform the following steps to remove Oracle Label Security. Do not perform a DROP USER CASCADE on the LBACSYS account to remove Oracle Label Security.
Connect AS SYSDBA.
Run the $ORACLE_HOME/rdbms/admin/catnools.sql script to delete the LBACSYS account.
Use the Oracle Universal Installer to remove Oracle Label Security.
See Also:
Your platform-specific Oracle installation documentation