oracle-db12c-logo

Oracle Label Security


OLS user clearances as Factors in Oracle Database Vault

Start Oracle Database Vault and log in as LBACSYS (the owner of the OLS schema) to create a Label Security policy that stores the user clearance labels. These will later be used as Factors in Oracle Database Vault:

  $ sqlplus LBACSYS/password
  SQL> execute sa_sysdba.create_policy('PRIVACY','PRIVACY_COLUMN','NO_CONTROL');

 

The following commands create the two levels used in the OLS policy:

  SQL> execute sa_components.create_level('PRIVACY',1000,'C','CONFIDENTIAL');
  SQL> execute sa_components.create_level('PRIVACY',2000,'S','SENSITIVE');

 

The next command creates the 'PII' compartment:

  SQL> execute sa_components.create_compartment('PRIVACY',100,'PII','PERS_INFO');

 

The user JSmith is granted the less sensitive label:

  SQL> execute sa_user_admin.set_user_labels('PRIVACY','JSmith','C');

 

The user MDale is granted the more sensitive label, which also includes the PII compartment:

  SQL> execute sa_user_admin.set_user_labels('PRIVACY','MDale','S:PII');

 

In order to use the OLS labels as factors in Database Vault, you need to create a 'Rule Set' first:

  SQL> connect dbv_owner/password;
  SQL> execute dvsys.dbms_macadm.create_rule_set('PII Rule Set','Protect PII
       data from privileged users','Y',1,0,2,NULL,NULL,0,NULL);

 

Rule Sets contain one or more Rule; this Rule contains the syntax to evaluate the OLS labels:

  SQL> execute dvsys.dbms_macadm.create_rule('Check OLS Factor',
       'dominates(sa_utl.numeric_label(''PRIVACY''),
        char_to_label(''PRIVACY'',''S:PII'')) = ''1''');
  SQL> execute dvsys.dbms_macadm.sync_rules;
  SQL> commit;

 

Add the Rule to the Rule Set:

  SQL> execute dvsys.dbms_macadm.add_rule_to_rule_set
       ('PII Rule Set','Check OLS Factor');
  SQL> commit;

 



Hands-On


 Using OLS user authorizations to create powerful Command Rules in Oracle Database Vault
 OLS user authorizations in VPD policies: Determine access to application table columns based on user authorizations
 Six steps towards a successful multi level security implementation

Security Features


Strong Authentication
Network Encryption
Real Application Security
Unified Auditing
Secure External Password Store
Virtual Private Database
Traditional Database Auditing
Proxy Authentication
Enterprise User Security
Secure Application Roles
Fine Grained Auditing

Discussion Forums


 Security
 Oracle Audit Vault and Database Firewall
 Database

Technical Information


 Datasheet
 Overview White Paper
 Government and Defense Environments White Paper
 Technical White Paper
 Best Practices
 Frequently Asked Questions
 Oracle Label Security with Oracle E-Business Suite: Best Practices

Security Solutions


 Oracle Database Vault
 Oracle Advanced Security
 Oracle Label Security
Oracle Audit Vault and Database Firewall
Data Masking
KScope 14 RHS Banner

Database Cloud Service Banner