How to use Oracle Label Security User Clearances in Oracle Database Vault

Date: 12-Sep-2006

Prerequisites:

  1. Install Oracle Database 10g R2
  2. Install Oracle Label Security
  3. Install upgrade to Oracle Database 10g R2 10.2.0.2.
  4. Install Oracle Database Vault
  5. Download and run this script, which uses Oracle Label Security labels in a VPD policy with column filtering to protect PII, as documented here:


  1. Start the Database Vault Administration Web interface by pointing your Web browser to "http://<hostname>:<port>/dva" and log in as the owner of Database Vault:

  2. Click on "Label Security Integration":

  3. Click on "Create":

    1. Pick your OLS policy from the drop-down-list
    2. Select "LII" as the algorithm
    3. Select the lowest level of your policy as the label to be used for initialization errors
    4. Move "Domain" from the "Available Factors" to the "Selected Factors"
    5. Click "OK"

  4. Confirm and click on the "Database Instance: <sid>" breadcrumb:

  5. Click on "Factors":

  6. Select the "Domain" Factor and click on "Edit":

  7. Select "IP Address" from the drop-down list; scroll down:

  8. Under "Identities" click on "Create":

  9. Name the Identity "Local Connection", assign a "Trust Level", move the highest label from "Available OLS Labels" to "Selected OLS Labels" and click on "OK":

  10. Scroll down and click "Create":

  11. Name the Identity "Remote Connection", assign a "Trust Level", move the lowest label from "Available OLS Labels" to "Selected OLS Labels" and click on "OK":

  12. Scroll down, select "Local Connection" and click "Edit":

  13. Under "Map Identity" click "Create":

  14. For "Local Connection", select "Client IP" as the Contributing Factor; select "Is Null" as the Map Condition and enter "local" in "Low Value". (When a database is accessed locally, the request does not go through the Listener, so the query "select sys_context('userenv','ip_address')" returns NULL). Click "OK":

  15. Verify and click "OK":

  16. Scroll down, select "Remote Connection" and click "Edit":

  17. Under "Map Identity" click "Create":

  18. For "Remote Connection", select "Client IP" as the Contributing Factor; select "Is Not Null" as the Map Condition and enter "remote" in "Low Value". (When a database is accessed remotely, the request goes through the Listener, so the query "select sys_context('userenv','ip_address')" is never NULL). Click "OK":

  19. Verify and click "OK":

  20. SKing (who has the "SENS:PII" label) connects remotely, but cannot see the "SALARY" column. His remote connection has the "CONF" label, which does not allow access to the "SALARY" column. The label attached to his IP Address dominates his session label:

  21. When SKing connects locally, his connection has the "SENS:PII" label and access to the SALARY column is granted.
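To check that the Domain factor and the OLS session label really change between a local and a remote connection, the following verification query can be run from SKing's session in both cases. It is an added example and is not part of the original page or of the Oracle Database Vault or Label Security distributions. It assumes the OLS policy is named HR_POLICY and that the protected table is HR.EMPLOYEES with a SALARY column (both hypothetical placeholders; substitute your own), and that the session can execute the DVF factor functions that Database Vault creates for its default factors.

```sql
-- Added verification query; not from the original page. Run once over a
-- local (bequeath) connection and once over a remote (listener) connection.
-- Assumptions (hypothetical placeholders): OLS policy HR_POLICY, protected
-- table HR.EMPLOYEES with a SALARY column.

-- 1. How Database Vault sees this session. Client IP is NULL for a local
--    connection, so the Domain factor should resolve to the 'local' identity;
--    over the listener it is non-NULL and should resolve to 'remote'.
SELECT SYS_CONTEXT('USERENV', 'IP_ADDRESS')  AS client_ip,
       DVF.F$CLIENT_IP                       AS dbv_client_ip_factor,
       DVF.F$DOMAIN                          AS dbv_domain_identity,
       SA_SESSION.LABEL('HR_POLICY')         AS ols_session_label
  FROM dual;

-- Expected per the identity mapping above: local connection -> client_ip NULL,
-- dbv_domain_identity 'local', session label = highest label of the policy
-- (SENS:PII in the walkthrough); remote connection -> non-NULL client_ip,
-- 'remote', session label = lowest label (CONF in the walkthrough).

-- 2. Effect on the protected column. With the VPD column-filtering policy from
--    prerequisite 5, a session whose label does not permit SALARY gets the
--    column filtered (NULL) instead of the real value, so the same query
--    returns salaries locally and blanks remotely.
SELECT employee_id, last_name, salary
  FROM hr.employees
 WHERE ROWNUM <= 5;
```

Running the first query before touching any application data is the quickest way to confirm the factor mapping, because a mistake in the "Is Null" / "Is Not Null" map condition shows up there as the wrong Domain identity long before the SALARY filtering is tested.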
