Oracle9i Enterprise Edition provides powerful, highly customizable access controls for managing data access with a high degree of granularity. Oracle9i Policy Manager is the new Java-based GUI administration tool for managing Oracle9i virtual private database fine-grained access control policies, Oracle9i application contexts and Oracle9i Label Security policies.
Manage Oracle9i Virtual Private Database FGAC Policies

The Oracle9i Enterprise Edition virtual private database (VPD) technology builds on the technology introduced in Oracle8i. Using VPD you can create fine-grained access control (FGAC) security policies in Oracle9i Enterprise Edition using PL/SQL and assign them to tables and views. Subsequent requests that access those tables or views are bound by the security policies assigned to them. VPD FGAC policies can be oriented toward enforcing row level security or simply enforcing access control on the object itself. For example, a policy could be written in PL/SQL that restricts access to a database table during business hours, or a policy could enforce security at the row level by comparing a department number contained in an individual table row with a department number stored in an application context and assigned to the application user.
Manage Oracle9i Virtual Private Database FGAC Policy Groups

Oracle9i Enterprise Edition introduces VPD FGAC policy groups. A VPD FGAC policy group contains one or more VPD FGAC security policies and is assigned to an individual table or view. Each VPD FGAC policy can have its enforcement tied to one or more DML operations. For example, a VPD FGAC policy could be enforced on SELECT statements and not on INSERT statements. In addition, an optional UPDATE CHECK enforcement option is available which verifies whether data inserted or updated by an application user is still accessible to that user under the enforced VPD FGAC policy. For example, an application user might insert data with a department number outside his or her own department. The VPD FGAC policy assigned to the table prevents the user from accessing data outside his or her department, so the inserted row would no longer be visible to the user who created it; the CHECK_OPTION prevents the user from inserting the data with the alternate department number in the first place. The DML enforcement criteria and CHECK_OPTION are managed from Oracle9i Policy Manager.
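As an added example (not code from the Oracle data sheet), the PL/SQL below creates the department-number VPD policy described above through the DBMS_RLS package, which is the interface Oracle9i Policy Manager drives behind its GUI. The HR.EMP table with its DEPTNO column, the HR_CTX application context and its DEPT_NO attribute are assumptions for the example.

```sql
-- Assumed sample table: HR.EMP with a DEPTNO column (not from the data sheet).
-- Policy function: every VPD policy function takes the object schema and
-- name and returns a predicate string that Oracle appends as a WHERE clause.
CREATE OR REPLACE FUNCTION hr.emp_dept_policy (
  obj_schema IN VARCHAR2,
  obj_name   IN VARCHAR2)
RETURN VARCHAR2
IS
BEGIN
  -- Reference the application context inside the predicate text rather
  -- than concatenating its value: the predicate stays constant (one shared
  -- cursor) and no session value is spliced into SQL. If DEPT_NO was never
  -- initialized, "DEPTNO = NULL" matches no rows, so the policy fails closed.
  RETURN 'DEPTNO = SYS_CONTEXT(''HR_CTX'', ''DEPT_NO'')';
END emp_dept_policy;
/

BEGIN
  -- A policy group on HR.EMP; policies in it are enforced only while the
  -- table's driving application context names this group.
  DBMS_RLS.CREATE_POLICY_GROUP(
    object_schema => 'HR',
    object_name   => 'EMP',
    policy_group  => 'DEPT_GROUP');

  -- Attach the policy to the group. STATEMENT_TYPES limits which DML
  -- operations fire it; UPDATE_CHECK => TRUE is the CHECK OPTION: an
  -- INSERT or UPDATE whose resulting row would fall outside the predicate
  -- (for example DEPTNO set to another department) is rejected instead of
  -- silently creating a row the user can no longer see.
  DBMS_RLS.ADD_GROUPED_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMP',
    policy_group    => 'DEPT_GROUP',
    policy_name     => 'EMP_DEPT_ROWS',
    function_schema => 'HR',
    policy_function => 'EMP_DEPT_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE,
    enable          => TRUE);
END;
/

-- Enforcement can be suspended and resumed per policy without dropping it.
BEGIN
  DBMS_RLS.ENABLE_GROUPED_POLICY('HR', 'EMP', 'DEPT_GROUP', 'EMP_DEPT_ROWS', FALSE);
  DBMS_RLS.ENABLE_GROUPED_POLICY('HR', 'EMP', 'DEPT_GROUP', 'EMP_DEPT_ROWS', TRUE);
END;
/
```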
Oracle9i Application Contexts

The Oracle9i Enterprise Edition virtual private database (VPD) technology gives you the ability to create and manage application contexts. Application contexts are named memory locations and were introduced in Oracle8i. They are very handy for storing key pieces of information which are fairly static and are used to enforce a general security rule or policy. Typically, application contexts are initialized when a user connects to an application or database, using a logon trigger for example, and remain constant while the user is connected to the application. Application contexts can be integrated with an Oracle9i Enterprise Edition fine-grained access control policy; combining the two provides a powerful tool for enforcing your security policy.

Application contexts are associated with a PL/SQL package. That package is designated as the only trusted mechanism for modifying the application context values. Application policy contexts are created within an application context and are associated with a table or view. When multiple VPD FGAC policy groups are assigned to the same table, the application policy context can be used to control which policy group is executed. This provides dynamic runtime policy group enforcement: when an application policy context value is initialized to the name of an existing policy group, the VPD FGAC policies within that group are enforced.
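The following is an added example, not code from the data sheet, of the application context arrangement described above: a context namespace bound to a trusted package, a logon trigger that initializes it, and a policy context that selects which VPD policy group executes. The HR.EMP table (with ENAME and DEPTNO columns) and an existing DEPT_GROUP policy group on it are assumptions.

```sql
-- HR_CTX is bound to one trusted package: only HR.HR_CTX_PKG may call
-- DBMS_SESSION.SET_CONTEXT for this namespace, so a session cannot set
-- its own DEPT_NO from ad hoc SQL.
CREATE OR REPLACE CONTEXT hr_ctx USING hr.hr_ctx_pkg;

CREATE OR REPLACE PACKAGE hr.hr_ctx_pkg AS
  PROCEDURE set_session_dept;
END hr_ctx_pkg;
/

CREATE OR REPLACE PACKAGE BODY hr.hr_ctx_pkg AS
  PROCEDURE set_session_dept IS
    v_dept hr.emp.deptno%TYPE;
  BEGIN
    -- Constructed mapping for this example: the HR.EMP row whose ENAME
    -- equals the authenticated database user supplies the department.
    SELECT deptno INTO v_dept
      FROM hr.emp
     WHERE ename = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('HR_CTX', 'DEPT_NO', TO_CHAR(v_dept));
    -- Driving attribute: naming an existing policy group makes the
    -- VPD FGAC policies in that group fire for this session.
    DBMS_SESSION.SET_CONTEXT('HR_CTX', 'POLICY_GRP', 'DEPT_GROUP');
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown user: leave DEPT_NO unset so a predicate of the form
      -- DEPTNO = SYS_CONTEXT('HR_CTX','DEPT_NO') matches no rows.
      NULL;
  END set_session_dept;
END hr_ctx_pkg;
/

-- Initialize the context once at connect time; values then stay constant.
CREATE OR REPLACE TRIGGER hr.hr_ctx_logon_trg
  AFTER LOGON ON DATABASE
BEGIN
  hr.hr_ctx_pkg.set_session_dept;
END;
/

-- Register HR_CTX.POLICY_GRP as the policy (driving) context for HR.EMP:
-- at run time Oracle reads it to choose which policy group to enforce,
-- in addition to the policies in the SYS_DEFAULT group.
BEGIN
  DBMS_RLS.ADD_POLICY_CONTEXT(
    object_schema => 'HR',
    object_name   => 'EMP',
    namespace     => 'HR_CTX',
    attribute     => 'POLICY_GRP');
END;
/
```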
Manage Oracle9i Label Security Policies

Oracle9i Label Security policies enforce label based access control. Labels are commonly associated with intelligence agencies and military operations. However, labels are also used extensively in commercial organizations. Examples of labels include [internal], [confidential], [sensitive:human resources], and [internal:ACME California]. Oracle9i Label Security policies are applied to individual tables or entire schemas. No coding or PL/SQL software development is required. Oracle9i Label Security uses an Oracle supplied security package to mediate access to data rows by comparing the sensitivity label assigned to each data row with the label authorizations assigned to the user.

Oracle9i Label Security policies are comprised of a policy name, enforcement options, label definitions, user label authorizations and a list of protected objects. Using Oracle9i Policy Manager you can create policies, define label components, create labels, establish user label authorizations, customize enforcement options, apply policies to schemas and tables, drop policies from schemas and tables, disable policies, and configure Oracle9i Label Security specific auditing options. In addition, SQL*Predicates, more commonly known as where clauses, can be added to Oracle9i Label Security policies using Oracle9i Policy Manager.
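As an added example, not from the data sheet, the calls below build an Oracle Label Security policy of the kind described above through the SA_* administration packages that Policy Manager manages: label components, sensitivity labels, a table policy with enforcement options and a SQL*Predicate, and one user's label authorizations. The policy name HR_POL, the table HR.EMP with a STATUS column, and the user names are assumptions; the block is run as the Label Security administrator.

```sql
-- Policy, its hidden label column and default enforcement options.
-- READ_CONTROL/WRITE_CONTROL mediate rows by label; CHECK_CONTROL is the
-- LABEL CHECK (a READ check after label assignment, so a user cannot
-- write a row he or she could not read back); HIDE hides the column.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'HR_POL',
    column_name     => 'HR_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');
END;
/

-- Label components: ordered levels, plus unordered compartments and groups.
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 1000, 'INT',  'INTERNAL');
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 2000, 'CONF', 'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POL', 10, 'HR', 'HUMAN RESOURCES');
  SA_COMPONENTS.CREATE_GROUP('HR_POL', 100, 'CA', 'ACME CALIFORNIA');
END;
/

-- Data labels, e.g. [confidential:human resources:ACME California].
BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POL', 1010, 'INT', TRUE);
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POL', 2010, 'CONF:HR:CA', TRUE);
END;
/

-- Apply to one table with the policy's default options. The SQL*Predicate
-- is appended to the label check (STATUS is an assumed column).
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'HR_POL',
    schema_name => 'HR',
    table_name  => 'EMP',
    predicate   => 'AND STATUS = ''ACTIVE''');
END;
/

-- One user's label authorizations, and a READ privilege for an auditor
-- account, which bypasses row label checks on reads only.
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS(
    policy_name     => 'HR_POL',
    user_name       => 'HR_MANAGER',
    max_read_label  => 'CONF:HR:CA',
    max_write_label => 'CONF:HR:CA',
    def_label       => 'CONF:HR:CA');
  SA_USER_ADMIN.SET_USER_PRIVS('HR_POL', 'HR_AUDITOR', 'READ');
END;
/
```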
KEY FEATURES

Oracle9i VPD FGAC Policy Administration
- Create VPD FGAC policy groups
- Assign a policy group to a table or view
- Add VPD FGAC policies to policy groups
- Enable and disable VPD FGAC policies within policy groups
- Drop policy groups
- Drop VPD FGAC policies from policy groups

Oracle9i VPD FGAC Policy Enforcement Control
- Customize each FGAC policy to fire on certain DML operations:
  - SELECT
  - INSERT
  - UPDATE
  - DELETE
- CHECK OPTION verifies that new and modified data is still accessible under the policy. Data accessibility is checked after insertion and/or modification, which prevents data from becoming inaccessible after an insert or update.

Application Context Management
- Create application contexts
- Designate trusted packages for context management
- Add VPD FGAC policy contexts to application contexts for policy group control
- Specify the application context initialization method

Oracle9i Label Security Administration
- Create Oracle9i Label Security policies
- Assign Oracle9i Label Security policies to tables and schemas
- Enable and disable policies
- Drop policies
- Set the hide policy column option
- Define label components:
  - Levels
  - Compartments
  - Groups
- Create sensitivity labels

Oracle9i Label Security Selective Protection
- Protect entire schemas or individual tables
- Customizable enforcement on a per table basis
- Read and write authorization granularity on individual groups and compartments
- Add SQL*Predicates, or where clauses, to policies

Oracle9i Label Security User Label Authorization Management
- Set the maximum accessible sensitivity level for a user
- Set the minimum accessible sensitivity level for a user
- Set the default sensitivity level for a user after application authentication
- Set the sensitivity level assigned to new data inserted by a user
- Set the list of compartments a user is authorized to read. A user can read a row if he or she has all compartments in its label.
- Set the list of groups a user is authorized to read. A user can read a row if he or she has one of the groups in its label.
- Set the list of compartments a user is authorized to write. A user can write to a row if all compartments in its label are in this list.
- Set the list of groups a user is authorized to write. A user can write to a row if one of the groups in its label is in this list.

Oracle9i Label Security Policy Enforcement Control
- Customize each Label Security policy to fire on certain DML operations:
  - READ/SELECT
  - INSERT
  - UPDATE
  - DELETE
  - LABEL UPDATE - protects modification of the label
  - LABEL CHECK - performs a READ check after label assignment to prevent accidental over-classification. Identical to the VPD FGAC CHECK OPTION.
  - NO CONTROL - disables enforcement

Oracle9i Label Security Special User Privilege Management
- READ - a user with this authorization can perform read/select operations without row level security enforcement. Other Oracle9i Label Security enforcement options are still enforced. Read operations are still restricted by standard Oracle discretionary access controls.
- FULL - a user with this authorization has access to all data and is restricted only by standard Oracle discretionary access controls. No row level security enforcement.
- PROFILE ACCESS - a user with this authorization can assume the Oracle9i Label Security authorizations of another user.

Oracle9i Label Security Trusted Program Units
- Assign Oracle9i Label Security READ and FULL authorizations to Oracle PL/SQL stored procedures, reducing the need to authorize individual users.

Oracle9i Label Security Auditing
- Manage Oracle9i Label Security specific auditing
RELATED PRODUCTS AND SERVICES

Oracle Enterprise Security Manager is available to manage enterprise users and database roles in the Oracle Internet Directory.

GETTING STARTED

Oracle9i Policy Manager is installed by default with Oracle9i Enterprise Edition. Oracle9i Label Security is a separately licensed option for Oracle9i Enterprise Edition.