Oracle Label Security

Protect PII from unauthorized access

Create Label Security policy	Define label components	Authorize users	Create and apply VPD policy

The VPD policy will do the following:

1. Get the numerical label tag from the user's current label
2. Get the numerical label tag from the 'S:PII' label
3. User label ≥ 'S:PII' → access to all rows in sensitive columns
4. User label < 'S:PII' → access to all rows, but sensitive PII column is blank

In this example, the VPD policy will be applied to the hr.EMPLOYEES table:

BEGIN
  DBMS_RLS.ADD_POLICY(
   object_schema => 'HR',
   object_name => 'EMPLOYEES',
   policy_name => 'vpd_protect_pii',
   function_schema => 'LBACSYS',
   policy_function => 'f_protect_pii',
   statement_types => 'select',
   sec_relevant_cols => 'SALARY',
   sec_relevant_cols_opt => dbms_rls.ALL_ROWS,
   policy_type => dbms_rls.CONTEXT_SENSITIVE);
END;
/

Download the entire demo script from here.

Hands-On Using OLS user authorizations to create powerful Command Rules in Oracle Database Vault OLS user authorizations in VPD policies: Determine access to application table columns based on user authorizations Six steps towards a successful multi level security implementation Oracle Magazine: Now Securing Every Row Related Technologies Database Firewall Audit Vault Data Masking (pdf) Secure Backup Configuration Management Identity Management Discussion Forums Security Audit Vault Database

Technical Information Datasheet Overview Whitepaper Oracle Label Security in Government and Defense Environments Technical White Paper Best practices Frequently Asked Questions Oracle Label Security with Oracle E-Business Suite: Best Practices Security Options Oracle Database Vault Oracle Advanced Security Oracle Label Security Security Features Data Encryption Virtual Private Database Database Auditing Backup Encryption Export file encryption Proxy Authentication Enterprise User Security Secure Application Roles Fine Grained Auditing