What is Oracle9i Label Security?
Oracle9i Label
Security leverages the Oracle9i Enterprise Edition virtual private database
(VPD) security features to provide a comprehensive, highly customizable,
out-of-the-box solution for row level security. Oracle9i Label Security
is a security option for the Oracle9i Enterprise Edition and dramatically
reduces the need to isolate information, build complex application code,
and rely on manual or physical controls to protect your data. Oracle9i
Label Security mediates access using sensitivity labels assigned to individual
table rows combined with user label authorizations.
What's new in Release 2 of Oracle9i Label Security?
Release 2 of Oracle9i
Label Security adds support for releasabilities. Releasabilities have
historically been used in government organizations to control the dissemination
of data. When you add a releasability to a data label,
the data becomes less classified. For example, a user with inverse
groups UK, US cannot access data which only has inverse group UK.
Adding US to that data makes it accessible to all users with the inverse
groups UK, US. When you assign releasabilities to a user, you mark
the communication channel to the user. For data to flow across the communication
channel, the data releasabilities must dominate the releasabilities assigned
to the user. In other words, releasabilities assigned to a data record
must contain all the releasabilities assigned to a user. The advantage
of releasabilities lies in their power to broadly control the dissemination of information.
Releasing data to the entire marketing organization becomes as simple as
adding the Marketing releasability to the data record. Release 2
of Oracle9i Label Security makes this technology available to commercial
and government organizations on widely used, commercial operating systems.
Historically, this technology has only been available on highly specialized
operating systems.
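The containment rule above can be modeled in a few lines. This is an added example, not Oracle code: the level ordering, the user names and the `newly_cleared` helper are assumptions made for illustration, and the level check is included only so the releasability test runs alongside a sensitivity level.

```python
from dataclasses import dataclass, replace

# Constructed level ordering (higher number = more sensitive); an assumption.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Top Secret": 2}

@dataclass(frozen=True)
class User:
    name: str
    max_level: str
    releasabilities: frozenset  # marks the communication channel to this user

@dataclass(frozen=True)
class Row:
    doc: str
    level: str
    releasabilities: frozenset  # audiences the row has been released to

def can_read(user, row):
    """Level check, then the rule from the text: the row's releasabilities
    must contain every releasability assigned to the user."""
    if LEVELS[user.max_level] < LEVELS[row.level]:
        return False
    return user.releasabilities <= row.releasabilities

def audience(row, users):
    return sorted(u.name for u in users if can_read(u, row))

def release_to(row, *extra):
    """Adding a releasability can only widen the audience, never narrow it."""
    return replace(row, releasabilities=row.releasabilities | frozenset(extra))

def newly_cleared(row, users, *extra):
    """Users who gain access if `extra` is added; review before relabeling."""
    before = set(audience(row, users))
    return sorted(set(audience(release_to(row, *extra), users)) - before)

# Constructed sample data following the UK/US case in the text.
USERS = [
    User("alice", "Confidential", frozenset({"UK"})),
    User("bob", "Confidential", frozenset({"UK", "US"})),
    User("carol", "Unclassified", frozenset({"UK", "US"})),  # level too low
    User("dave", "Top Secret", frozenset()),  # empty set is contained in any set
]
ROW = Row("trade-report", "Confidential", frozenset({"UK"}))

if __name__ == "__main__":
    print(audience(ROW, USERS))             # readers before the change
    print(newly_cleared(ROW, USERS, "US"))  # readers gained by adding US
```

Under the containment rule as stated, a user with no releasabilities passes the check for every row, so in this model the level is the only control left for that user.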
Who should consider Oracle9i Label Security?
Sensitivity
labels are used in some form in virtually every industry. These industries
include healthcare, law enforcement, energy, retail, national security
and defense industries. Examples of sensitivity labels include [Internal],
[Confidential], [Physician Only], [Highly Sensitive], [Widget Corporation],
[Confidential : Chicago Operation], [Sensitive : Finance : Europe], [Top
Secret], and [Unclassified]. Application providers can
integrate Oracle9i Label Security functionality to enhance their product
offering and gain competitive advantage.
What can Oracle9i Label Security do for my security needs?
High-speed
Internet access allows data to be consolidated in large central repositories
and made accessible to a larger number of users. Oracle9i Label Security
can be used to label data and restrict access with a high degree of granularity.
A very similar problem is created when multiple organizations or companies
share a single application. Sensitivity labels can be used to restrict
application users to an organization or subset of data within an organization.
Data privacy is important to consumers and regulatory measures continue
to be announced. Oracle9i Label Security can be used to implement
privacy policies on data, restricting access to only those who have a need-to-know.
What is the difference between Oracle9i VPD and Oracle9i Label Security?
Oracle9i VPD
is provided at no cost with the Oracle9i Enterprise Edition. Oracle9i
Label Security is an add-on security option for the Oracle9i Enterprise
Edition. Oracle VPD is a term used for several powerful Oracle9i
Enterprise Edition security features - fine grained access control (FGAC),
application context and global application context. FGAC refers to
policies written using PL/SQL. FGAC policies can be assigned to an
individual table or view. Information requests which reference tables
and views protected by FGAC are modified according to the FGAC policy assigned
to the table or view. FGAC policies can be as simple as enforcing
access during business hours. FGAC policies can be written which
restrict access by comparing the value of an attribute in an individual
row with a VPD application context value. Global application context
allows an application context to be accessed across multiple database sessions,
reducing or eliminating the need to create a separate application context
for each user session.
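The FGAC behaviour described above, where a request against a protected table is modified by the policy assigned to it, can be modeled with SQLite. This is an added example and not Oracle's API: the `orders` table, the policy functions, the 09:00 to 17:00 window and the context dictionary are all assumptions standing in for a PL/SQL policy function and an application context.

```python
import sqlite3
from datetime import time

# Constructed model of FGAC, not Oracle's API: each protected table has policy
# functions that return a predicate plus bind values, and every request against
# the table is rewritten to include those predicates.

def business_hours_policy(ctx):
    # Simple policy from the text: access only during business hours (assumed 09:00-17:00).
    return ("1=1", {}) if time(9) <= ctx["now"] < time(17) else ("1=0", {})

def org_policy(ctx):
    # Compare a row attribute with an application context value. The value is
    # bound as a parameter, never concatenated into the predicate text.
    return ("org = :ctx_org", {"ctx_org": ctx["org"]})

POLICIES = {"orders": [business_hours_policy, org_policy]}  # hypothetical table

def rewrite(table, ctx):
    """Return (sql, binds) for a SELECT on `table` with its policies ANDed in."""
    if table not in POLICIES:  # fail closed; also limits `table` to known names
        raise KeyError(f"no policy registered for {table!r}")
    preds, binds = [], {}
    for policy in POLICIES[table]:
        pred, values = policy(ctx)
        preds.append(f"({pred})")
        binds.update(values)
    return f"SELECT * FROM {table} WHERE {' AND '.join(preds)} ORDER BY id", binds

def protected_query(conn, table, ctx):
    sql, binds = rewrite(table, ctx)
    return conn.execute(sql, binds).fetchall()

def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, org TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",  # constructed rows
                     [(1, "ACME", 100), (2, "GLOBEX", 250), (3, "ACME", 900)])
    return conn

if __name__ == "__main__":
    db = demo_db()
    print(protected_query(db, "orders", {"now": time(10, 30), "org": "ACME"}))
    print(protected_query(db, "orders", {"now": time(22, 0), "org": "ACME"}))
```

The caller never supplies the predicate; it comes only from the policy functions and the session context, which is what keeps the restriction outside application code.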
Oracle9i Label
Security is an out-of-the-box solution for row level security. No
coding or software development is required, allowing the administrator
to focus completely on the policy. Oracle9i Label Security provides
an interface for creating policies, specifying enforcement options, defining
data sensitivity labels, establishing user label authorizations, and protecting
individual tables or schemas. Data sensitivity labels provide a powerful
and flexible method of restricting access to data. For example, data
belonging to different organizations or companies can be separated using
data sensitivity labels and selectively shared between companies by changing
the data sensitivity label.
Depending on
the complexity of the security policy, Oracle9i virtual private database
may be the preferred method for implementing your security policy.
In addition, Oracle9i Label Security is best suited for situations where
access control decisions need to be based on the sensitivity of the information.
Are there any guidelines for using Oracle9i Label Security and defining sensitivity labels?
Yes, a comprehensive
administrator's guide is provided with the Oracle9i Enterprise Edition.
In addition, a comprehensive on-demand training class is available on the
Oracle Learning Channel. The on-demand training class walks through
a list of recommended implementation guidelines. In most cases, the
security mechanisms provided at no-cost with the Oracle9i Enterprise Edition
will be sufficient to address security requirements. Oracle9i Label
Security should be considered when security is required at the individual
row level.
Are there any administrative tools available for Oracle9i Label Security?
Yes, Oracle9i
Policy Manager is the new Java GUI for managing Oracle Label Security policies
as well as user-defined VPD FGAC policies. Using Oracle9i Policy
Manager, administrators can create policies, define label components, create
labels, establish user label authorizations, customize enforcement options,
apply policies to schemas and tables, drop policies from schemas and tables,
disable policies, define an application context, and create VPD policy
groups. Oracle9i Policy Manager is the administration tool for managing
policies to protect information at the row level.
Can I use Oracle9i Label Security with Oracle Applications?
Oracle Applications
are using Oracle VPD to provide new functionality and security protections.
Due to the complexity of identifying which tables a policy should be applied
to, it's not recommended that customers attempt to apply an Oracle9i Label
Security policy to an existing Oracle Application table. The Oracle
Applications group is incorporating new Oracle security technologies on
an on-going basis.
Should I use Oracle9i Label Security to protect all my tables?
Definitely
not. The traditional Oracle discretionary access control (DAC) object privileges
SELECT, INSERT, UPDATE, and DELETE combined with database roles and stored
procedures are sufficient in most cases. The on-demand Oracle9i Label
Security training class, available on the Oracle Learning Channel, provides
implementation guidelines for Oracle9i Label Security.
Will Oracle9i Label Security be evaluated?
Oracle9i Label
Security will be evaluated under the ISO/IEC 15408 Common Criteria.
Security evaluations provide an independent security assessment of the
security protection mechanisms provided with Oracle9i Label Security.
Where can I find Oracle9i Label Security?
Release 2 of Oracle9i
Label Security ships on the Oracle9i Enterprise Edition CD. The Oracle9i
Enterprise Edition can be downloaded from the Oracle Technology Network
at . Oracle9i Label Security is not installed
as part of the typical/default Oracle9i installation. Choose the
custom installation option and check the box beside Oracle9i Label Security.