Oracle Technology Network
Database
Security
Database
Security
 | Oracle Label Security |
OLS user clearances as Factors in Oracle Database Vault
Start Oracle Database Vault and log in as LBACSYS (the owner of the OLS schema) to create a Label Security policy that stores the user clearance labels. These will later be used as Factors in Oracle Database Vault:
$ sqlplus LBACSYS/password SQL> execute sa_sysdba.create_policy('PRIVACY','PRIVACY_COLUMN','NO_CONTROL');
The following commands create the two levels used in the OLS policy:
SQL> execute sa_components.create_level('PRIVACY',1000,'C','CONFIDENTIAL'); SQL> execute sa_components.create_level('PRIVACY',2000,'S','SENSITIVE');
The next command creates the 'PII' compartment:
SQL> execute sa_components.create_compartment('PRIVACY',100,'PII','PERS_INFO');
The user JSmith is granted the less sensitive label:
SQL> execute sa_user_admin.set_user_labels('PRIVACY','JSmith','C');
The user MDale is granted the more sensitive label, which also includes the PII compartment:
SQL> execute sa_user_admin.set_user_labels('PRIVACY','MDale','S:PII');
In order to use the OLS labels as factors in Database Vault, you need to create a 'Rule Set' first:
SQL> connect dbv_owner/password; SQL> execute dvsys.dbms_macadm.create_rule_set('PII Rule Set','Protect PII data from privileged users','Y',1,0,2,NULL,NULL,0,NULL);
Rule Sets contain one or more Rule; this Rule contains the syntax to evaluate the OLS labels:
SQL> execute dvsys.dbms_macadm.create_rule('Check OLS Factor', 'dominates(sa_utl.numeric_label(''PRIVACY''), char_to_label(''PRIVACY'',''S:PII'')) = ''1'''); SQL> execute dvsys.dbms_macadm.sync_rules; SQL> commit;
Add the Rule to the Rule Set:
SQL> execute dvsys.dbms_macadm.add_rule_to_rule_set ('PII Rule Set','Check OLS Factor'); SQL> commit;
 | Popular Downloads |  |
|
| ||
|
More Database Downloads
|
|
Printer View