Oracle
Label Security

Oracle Label Security User Clearances as Factors in Oracle Database Vault

Start Oracle Database Vault and log in as LBACSYS (the owner of the OLS schema) to create a Label Security policy that stores the user clearance labels. These will later be used as Factors in Oracle Database Vault:
 

$ sqlplus LBACSYS/password
SQL> execute sa_sysdba.create_policy('PRIVACY','PRIVACY_COLUMN','NO_CONTROL');

The following commands create the two levels used in the OLS policy:

SQL> execute sa_components.create_level('PRIVACY',1000,'C','CONFIDENTIAL');
SQL> execute sa_components.create_level('PRIVACY',2000,'S','SENSITIVE');


The next command creates the 'PII' compartment:

SQL> execute sa_components.create_compartment('PRIVACY',100,'PII','PERS_INFO');


The user JSmith is granted the less sensitive label:

SQL> execute sa_user_admin.set_user_labels('PRIVACY','JSmith','C');


The user MDale is granted the more sensitive label, which also includes the PII compartment:

SQL> execute sa_user_admin.set_user_labels('PRIVACY','MDale','S:PII');


In order to use the OLS labels as factors in Database Vault, you need to create a 'Rule Set' first:

SQL> connect dbv_owner/password;
SQL> execute dvsys.dbms_macadm.create_rule_set('PII Rule Set','Protect PII
         data from privileged users','Y',1,0,2,NULL,NULL,0,NULL);


Rule Sets contain one or more Rule; this Rule contains the syntax to evaluate the OLS labels:

SQL> execute dvsys.dbms_macadm.create_rule('Check OLS Factor',
         'dominates(sa_utl.numeric_label(''PRIVACY''),
         char_to_label(''PRIVACY'',''S:PII'')) = ''1''');
SQL> execute dvsys.dbms_macadm.sync_rules;
SQL> commit;


Add the Rule to the Rule Set:

SQL> execute dvsys.dbms_macadm.add_rule_to_rule_set
         ('PII Rule Set','Check OLS Factor');
SQL> commit;