Start the Database Vault Administration Web interface by pointing your Web browser to "http://<hostname>:<port>/dva" and log in as the owner of Database Vault:
Click on "Label Security Integration":
Click on "Create":
Pick your OLS policy from the drop-down list
Select "LII" as the algorithm
Select the lowest level of your policy as the label to be used for initialization errors
Move "Domain" from the "Available Factors" to the "Selected Factors"
Click "OK"
Confirm and click on the "Database Instance: <sid>" breadcrumb:
Click on "Factors":
Select the "Domain" Factor and click on "Edit":
Select "IP Address" from the drop-down list; scroll down:
Under "Identities" click on "Create":
Name the Identity "Local Connection", assign a "Trust Level", move the highest label from "Available OLS Labels" to "Selected OLS Labels" and click on "OK":
Scroll down and click "Create":
Name the Identity "Remote Connection", assign a "Trust Level", move the lowest label from "Available OLS Labels" to "Selected OLS Labels" and click on "OK":
Scroll down, select "Local Connection" and click "Edit":
Under "Map Identity" click "Create":
For "Local Connection", select "Client IP" as the Contributing Factor; select "Is Null" as the Map Condition and enter "local" in "Low Value". (When a database is accessed locally, the request does not go through the Listener, so the query "select sys_context('userenv','ip_address')" returns NULL). Click "OK":
Verify and click "OK":
Scroll down, select "Remote Connection" and click "Edit":
Under "Map Identity" click "Create":
For "Remote Connection", select "Client IP" as the Contributing Factor; select "Is Not Null" as the Map Condition and enter "remote" in "Low Value". (When a database is accessed remotely, the request goes through the Listener, so the query "select sys_context('userenv','ip_address')" is never NULL). Click "OK":
Verify and click "OK":
SKing (who has the "SENS:PII" label) connects remotely, but cannot see the "SALARY" column. His remote connection has the "CONF" label, which does not allow access to the "SALARY" column. The label attached to his IP Address dominates his session label:
When SKing connects locally, his connection has the "SENS:PII" label and access to the SALARY column is granted.
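The outcome above can be checked with a small model of the two identity maps and the "LII" merge (lowest level, intersection of compartments). This is an added example, not Oracle's code or part of the original walkthrough. Assumptions: the highest label given to "Local Connection" is "SENS:PII", the SALARY data requires "SENS:PII", groups are left out, the client IP is a constructed sample, and the session label is modelled as the LII merge of the user's label with the identity's label.

```python
from dataclasses import dataclass

# Constructed ranks for the levels named on this page; only their order matters.
LEVELS = {"CONF": 10, "SENS": 20}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    @classmethod
    def parse(cls, text):
        # "SENS:PII" -> level SENS, compartments {PII}; "CONF" -> level CONF, no compartments
        level, _, comps = text.partition(":")
        return cls(level, frozenset(c for c in comps.split(",") if c))

    def __str__(self):
        comps = ",".join(sorted(self.compartments))
        return f"{self.level}:{comps}" if comps else self.level

def merge_lii(a, b):
    """LII merge: lowest of the two levels, compartments common to both."""
    level = min(a.level, b.level, key=LEVELS.__getitem__)
    return Label(level, a.compartments & b.compartments)

def dominates(a, b):
    """a dominates b: level at least as high and every compartment of b present in a."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments

# Labels attached to the two identities of the "Domain" factor (assumed values, see lead-in).
IDENTITY_LABELS = {"Local Connection": Label.parse("SENS:PII"),
                   "Remote Connection": Label.parse("CONF")}

def resolve_domain(client_ip):
    """The two identity maps: Client IP 'Is Null' -> local, 'Is Not Null' -> remote."""
    return "Local Connection" if client_ip is None else "Remote Connection"

def session_label(user_label, client_ip):
    return merge_lii(Label.parse(user_label), IDENTITY_LABELS[resolve_domain(client_ip)])

def can_read(user_label, client_ip, data_label):
    return dominates(session_label(user_label, client_ip), Label.parse(data_label))

if __name__ == "__main__":
    for ip in (None, "192.0.2.15"):  # None = no Listener involved; 192.0.2.15 is a sample address
        label = session_label("SENS:PII", ip)
        print(resolve_domain(ip), "->", label, "| SALARY visible:",
              can_read("SENS:PII", ip, "SENS:PII"))
```

Because the merge takes the lower level, a user whose own label is only "CONF" stays at "CONF" even on a local connection: the identity label caps a session, it never raises it.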