Adv Replication AND Label Security

Has anybody implemented Adv Replication AND Label Security?
I am looking for any advice and warnings.

Your replication administrator accounts (REPADMIN,etc) will need to have the OLS READ (or FULL) privilege for the policy on the replicated tables so that the predicate is not added. These users will see and replicate everything, there is no way (in Adv. Rep) to replicate data based on the OLS label (say, to only replicate things that are S instead of TS).
As long as your replication admins have full privilege (or potentially the system privilege EXEMPT ACCESS POLICY, but this bypasses all policies/vpds and shouldn't be used unless you need to and understand the impacts), everything will work out just fine.
Likely you are aware but if you intend to have the data protected on the target(s), it will need a copy of the policy and the policy applied to the tables as well. You can use database managed OLS and manage the policy in both (or all) places, or evaluate central management of the policy in OID. As much as the OID method has its advanages, I would stick to managing the policy in the database (and automating distributing the changes to different environments) unless you have another good reason to use OID.

Similar Messages

Workspace Mgr and Label Security?

I noticed in the 10g Workspace manager that it now works with VPD's. Will it work therefor with Label Security?

Hi,
the answer to your question is no. Label Security is built on top of VPD and must be seperately licensed.

Advance Replication and Oracle Label Security

Has anyone been able to configure both Advance Replication and Oracle Label Security to work together?

This is currently not supported in Streams. I have an enhancement request in with Oracle for this functionality. This won't be seen in 11g R2 either.
Has anyone done Label Security with Advance Replication?

How to install Oracle Label Security in Oracle Database 10g EE

Hello All
I just want to know how to install Oracle Label Security in Oracle 10g Database EE.
I read in Oracle Enterprise Manager Grid Control Installation and Basic Configuration that Label Security must be installed before installing Enterprise Manager Grid Control.
I have Oracle Database 10g Release 1 (10.1.0.1) on my Windows XP System, and I patch it to 10.1.0.3.
M.
Sorry about my English.

Options is to connect to Oracle Policy Manager or use Oracle Internet Directory (OID)to administer Oracle Label Security.
Find more ways in the Documentation here:
http://download-uk.oracle.com/docs/cd/B19306_01/network.102/b14267/toc.htm

Oracle 9.0.1.1 Spatial and Label

-- Author: Shawn Bisgrove
-- Oracle Version: 9.0.1.1 Personal
-- Operating System Windows 2000
-- I have just started evaluating Oracle for use on a future
project and have decided to recommend
-- using both the Label and Spatial components.
-- Sorry about the length of this post. I did make sure that
the example was simple but complete.
-- I have run into what I believe is a pretty severe bug. It
may not be, but if it is it hinders
-- the use of Oracle Spatial and Oracle Label Security with R-
TREE and Q-TREE indexing together.
-- Please tell me that I am doing something wrong. I will
cross post in the Spatial section.
-- Variations on this example can be derived from the base
example and will probably exhibit the
-- same behavior.
-- This example requires a database DARS configured with Label
Security
-- User: system Password: system
-- remove any residual policy information
connect admin/admin@dars;
execute sa_sysdba.drop_policy('DARS_RESOURCES');
connect system/system@dars;
drop user shawn cascade;
drop user dars cascade;
drop user admin cascade;
create user admin identified by admin;
grant connect, resource, select_catalog_role to admin;
grant connect to shawn identified by shawn;
grant connect to dars identified by dars;
grant resource to dars;
connect dars/dars@dars;
CREATE TABLE DATASET (COVERAGE MDSYS.SDO_GEOMETRY,
          INTERNALIDENTIFIER NUMBER(6) PRIMARY KEY);
create sequence DATASET_INTERNALIDENTIFIER_SEQ;
delete from USER_SDO_GEOM_METADATA;
INSERT INTO USER_SDO_GEOM_METADATA values
('dataset', 'coverage', mdsys.SDO_dim_array
(MDSYS.SDO_DIM_ELEMENT('X',-90,90,.001) ,
     MDSYS.SDO_DIM_ELEMENT('Y',-180,180,.001)), null);
-- OCCURS IN BOTH R-TREE and Q-TREE (for example using R-TREE)
CREATE INDEX DATASET_SPATIAL_IDX ON dars.DATASET(COVERAGE)
INDEXTYPE IS MDSYS.SPATIAL_INDEX;
--SELECT SDO_TUNE.QUALITY_DEGRADATION
('DARS', 'DATASET_SPATIAL_IDX') FROM DUAL;
--SELECT SDO_TUNE.RTREE_QUALITY('DARS', 'DATASET_SPATIAL_IDX')
FROM DUAL;
-- UNCOMMENT FOR Q-TREE EXAMPLE
--CREATE INDEX DATASET_SPATIAL_IDX ON dars.DATASET(COVERAGE)
INDEXTYPE IS MDSYS.SPATIAL_INDEX PARAMETERS('SDO_LEVEL = 8');
--SELECT SDO_TUNE.ESTIMATE_TILING_LEVEL
('dars.dataset', 'coverage', 8) from dual;
grant select, insert, update, delete on DATASET to public;
grant select, alter on DATASET_INTERNALIDENTIFIER_SEQ to public;
connect lbacsys/lbacsys@dars
GRANT EXECUTE ON SA_COMPONENTS TO admin WITH GRANT OPTION;
GRANT EXECUTE ON SA_USER_ADMIN TO admin WITH GRANT OPTION;
GRANT EXECUTE ON sa_user_admin TO admin WITH GRANT OPTION;
GRANT EXECUTE ON sa_label_admin TO admin WITH GRANT OPTION;
GRANT EXECUTE ON sa_policy_admin TO admin WITH GRANT OPTION;
GRANT EXECUTE ON sa_audit_admin TO admin WITH GRANT OPTION;
GRANT LBAC_DBA TO admin;
GRANT EXECUTE ON SA_SYSDBA TO admin;
GRANT EXECUTE ON to_lbac_data_label TO admin;
connect admin/admin@dars;
execute SA_SYSDBA.CREATE_POLICY('DARS_RESOURCES', 'ACL');
execute SA_COMPONENTS.CREATE_LEVEL('DARS_RESOURCES',
5000, 'EMP', 'Employee');
execute SA_COMPONENTS.CREATE_GROUP('DARS_RESOURCES',
500, 'MGR', 'Manager', NULL);
execute SA_COMPONENTS.CREATE_GROUP('DARS_RESOURCES',
600, 'WKR1', 'Worker', 'MGR');
execute SA_COMPONENTS.CREATE_GROUP('DARS_RESOURCES',
700, 'WKR2', 'Worker 2', 'MGR');
execute SA_LABEL_ADMIN.CREATE_LABEL('DARS_RESOURCES',
3000, 'EMP::MGR');
execute SA_LABEL_ADMIN.CREATE_LABEL('DARS_RESOURCES',
3100, 'EMP::WKR1');
execute SA_LABEL_ADMIN.CREATE_LABEL('DARS_RESOURCES',
3200, 'EMP::WKR2');
execute SA_POLICY_ADMIN.APPLY_TABLE_POLICY
('DARS_RESOURCES', 'DARS', 'DATASET', 'HIDE, READ_CONTROL,
LABEL_DEFAULT', NULL, NULL);
--execute SA_POLICY_ADMIN.REMOVE_TABLE_POLICY
('DARS_RESOURCES', 'DARS', 'DATASET');
-- also occurs if given more than one label and then a default
label such as 'EMP::WKR1 ,WKR2', 'EMP::WKR1');
execute SA_USER_ADMIN.SET_USER_LABELS
('DARS_RESOURCES', 'SHAWN', 'EMP::WKR1');
execute SA_USER_ADMIN.SET_USER_LABELS
('DARS_RESOURCES', 'DARS', 'EMP::MGR');
connect shawn/shawn@dars;
insert into dars.dataset values (MDSYS.SDO_GEOMETRY(2003,
NULL, NULL, MDSYS.SDO_ELEM_INFO_ARRAY(1,1003,3),
MDSYS.SDO_ORDINATE_ARRAY(33.422, -113.4822, 33.5601, -
113.2995) ), dars.DATASET_INTERNALIDENTIFIER_SEQ.nextval );
commit;
select count(*) from dars.dataset;
connect dars/dars@dars;
insert into dars.dataset values (MDSYS.SDO_GEOMETRY(2003,
NULL, NULL, MDSYS.SDO_ELEM_INFO_ARRAY(1,1003,3),
MDSYS.SDO_ORDINATE_ARRAY(33.422, -113.4822, 33.5601, -
113.2995) ), dars.DATASET_INTERNALIDENTIFIER_SEQ.nextval );
commit;
select count(*) from dars.dataset;
prompt first execute as user dars
connect dars/dars@dars
-- causes a bug, first hint is label access control and rtree
screwing up??
select internalidentifier from dars.dataset where
mdsys.sdo_relate(coverage,
     mdsys.SDO_GEOMETRY(2003, NULL, NULL,
mdsys.SDO_ELEM_INFO_ARRAY(1, 1003, 3),
     mdsys.SDO_ORDINATE_ARRAY(33, -114, 34, -112)),
     'mask = INSIDE querytype = WINDOW')= 'TRUE' order by
internalidentifier;
connect dars/dars@dars
-- does not cause same problem because we are not using the
index
select internalidentifier from dars.dataset where
sdo_geom.relate( coverage, 'INSIDE',
     mdsys.SDO_GEOMETRY(2003, NULL, NULL,
mdsys.SDO_ELEM_INFO_ARRAY(1, 1003, 3),
     mdsys.SDO_ORDINATE_ARRAY(33, -114, 34, -112)),
.005 ) = 'INSIDE';
prompt first execute as user shawn
connect shawn/shawn@dars
-- causes a bug, first hint is label access control and rtree
screwing up??
-- ERROR at line 1:
-- ORA-03113: end-of-file on communication channel
-- if q-tree is being used:
select internalidentifier from dars.dataset where
mdsys.sdo_relate(coverage,
     mdsys.SDO_GEOMETRY(2003, NULL, NULL,
mdsys.SDO_ELEM_INFO_ARRAY(1, 1003, 3),
     mdsys.SDO_ORDINATE_ARRAY(33, -114, 34, -112)),
     'mask = INSIDE querytype = WINDOW')= 'TRUE' order by
internalidentifier;
connect shawn/shawn@dars
-- does not cause same problem because we are not using the
index
select internalidentifier from dars.dataset where
sdo_geom.relate( coverage, 'INSIDE',
     mdsys.SDO_GEOMETRY(2003, NULL, NULL,
mdsys.SDO_ELEM_INFO_ARRAY(1, 1003, 3),
     mdsys.SDO_ORDINATE_ARRAY(33, -114, 34, -112)),
.005 ) = 'INSIDE';
connect dars/dars@dars
prompt break the index at this point
-- causes the index to be broken:
-- ERROR at line 1:
-- ORA-29858: error occurred in the execution of ODCIINDEXALTER
routine
-- ORA-29400: data cartridge error
-- ORA-01031: insufficient privileges
-- ORA-13249: internal error in Spatial index: [mdidxrbd]
-- ORA-13249: Error in Spatial index: index build failed
-- ORA-13249: Stmt-Execute Failure: SELECT count(*) from
DARS.DATASET
-- ORA-29400: data cartridge error
-- ORA-01031: insufficient privileges
-- ORA-06512: at "MDSYS.SDO_INDEX_METHOD_9I", line 232
-- ORA-06512: at line 1
alter index dars.dataset_spatial_idx rebuild;

Here is the last entry in the darsCORE.LOG file:
Oracle9i Enterprise Edition Release 9.0.1.1.1 - Production
Process Id: 0x000002e4 Thread Id : 0x00000674 Time : Mon Dec
17 06:27:19
Excp. Code: 0xc0000005 Excp. Type: ACCESS_VIO Flags:
0x00000000
------------------- Memory Map of process ----------------
Start Addr-End Addr Type Size ModuleName
0x00400000-0x01b5cfff Image 0024498176 C:\ORACLE\ORA90
\BIN\ORACLE.EXE
0x05790000-0x05882fff Image 0000995328 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9ORACLE_AURORA_RDBMS.DLL
0x05890000-0x05978fff Image 0000954368 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9JAVA_LANG.DLL
0x05980000-0x05b59fff Image 0001941504 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9JAVA_UTIL.DLL
0x05b60000-0x05bb4fff Image 0000348160 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9ORACLE_AURORA_VM.DLL
0x05bc0000-0x05c6ffff Image 0000720896 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9JAVA_SECURITY.DLL
0x05c70000-0x05c83fff Image 0000081920 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9JAVA_LANG_REFLECT.DLL
0x05c90000-0x06035fff Image 0003825664 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9ORACLE_GSS_UTIL.DLL
0x06040000-0x0619cfff Image 0001429504 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9JAVA_IO.DLL
0x061a0000-0x066bdfff Image 0005365760 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9SUN_IO.DLL
0x066c0000-0x066d4fff Image 0000086016 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9JAVA_LANG_REF.DLL
0x066e0000-0x066e6fff Image 0000028672 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9SUN_SECURITY_ACTION.DLL
0x06700000-0x0670afff Image 0000045056 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9ORACLE_AURORA_MEMORYMANAGER.DLL
0x06710000-0x067b0fff Image 0000659456 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9SUN_MISC.DLL
0x067c0000-0x06a47fff Image 0002654208 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9ORACLE_SQL.DLL
0x06a50000-0x06a87fff Image 0000229376 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9JAVA_SQL.DLL
0x06a90000-0x06b70fff Image 0000921600 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9SUN_SECURITY_PROVIDER.DLL
0x06b80000-0x06d72fff Image 0002043904 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9ORACLE_JDBC_DRIVER.DLL
0x06d80000-0x06d89fff Image 0000040960 C:\ORACLE\ORA90
\BIN\COREJAVA.DLL
0x06d90000-0x06da1fff Image 0000073728 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9JAVA_MATH.DLL
0x06db0000-0x06e3ffff Image 0000589824 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9ORACLE_AURORA_RDBMS_SECURITY.DLL
0x06e40000-0x06e54fff Image 0000086016 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9ORACLE_AURORA_REALM.DLL
0x06e60000-0x06ea0fff Image 0000266240 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9ORACLE_JDBC_KPRB.DLL
0x06eb0000-0x06f13fff Image 0000409600 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9ORACLE_JDBC_DBACCESS.DLL
0x070d0000-0x0712bfff Image 0000376832 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9ORACLE_AURORA_NET.DLL
0x07150000-0x071e7fff Image 0000622592 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9JAVA_NET.DLL
0x07200000-0x07204fff Image 0000020480 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9ORACLE_AURORA_SECURITY.DLL
0x07240000-0x07245fff Image 0000024576 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9JAVA_SECURITY_ACL.DLL
0x07280000-0x072acfff Image 0000184320 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9JAVAX_NAMING_DIRECTORY.DLL
0x072c0000-0x07316fff Image 0000356352 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9JAVAX_NAMING.DLL
0x07320000-0x07498fff Image 0001544192 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9ORACLE_AURORA_UTIL.DLL
0x074b0000-0x074d5fff Image 0000155648 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9COM_SUN_NAMING_INTERNAL.DLL
0x074e0000-0x07557fff Image 0000491520 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9SUN_SECURITY_UTIL.DLL
0x07560000-0x07576fff Image 0000094208 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9ORACLE_AURORA_RDBMS_URL_JSERVER.DLL
0x07580000-0x075acfff Image 0000184320 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9JAVAX_NAMING_SPI.DLL
0x07a90000-0x07be1fff Image 0001384448 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9JAVA_TEXT.DLL
0x08140000-0x081a1fff Image 0000401408 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9SQLJ_RUNTIME_REF.DLL
0x081d0000-0x081fffff Image 0000196608 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9SQLJ_RUNTIME.DLL
0x08200000-0x08206fff Image 0000028672 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9SQLJ_FRAMEWORK_IDE_AURORA_RDBMS.DLL
0x08210000-0x08244fff Image 0000217088 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9ORACLE_JDBC.DLL
0x08250000-0x08255fff Image 0000024576 C:\ORACLE\ORA90
\JAVAVM\ADMIN\ORAJOX9ORACLE_JDBC_INTERNAL.DLL
0x10000000-0x1028efff Image 0002682880 C:\ORACLE\ORA90
\BIN\ORAJOX9.DLL
0x60000000-0x60031fff Image 0000204800 C:\ORACLE\ORA90
\BIN\ORAWWG9.DLL
0x60300000-0x60492fff Image 0001650688 C:\ORACLE\ORA90
\BIN\ORAGENERIC9.DLL
0x60500000-0x6057dfff Image 0000516096 C:\ORACLE\ORA90
\BIN\ORACOMMON9.DLL
0x60600000-0x60753fff Image 0001392640 C:\ORACLE\ORA90
\BIN\ORACLIENT9.DLL
0x60800000-0x60805fff Image 0000024576 C:\ORACLE\ORA90
\BIN\ORAVSN9.DLL
0x60810000-0x60815fff Image 0000024576 C:\ORACLE\ORA90
\BIN\ORAWTC9.DLL
0x60820000-0x60825fff Image 0000024576 C:\ORACLE\ORA90
\BIN\ORAODM9.DLL
0x60a00000-0x60c03fff Image 0002113536 C:\ORACLE\ORA90
\BIN\ORAPLS9.DLL
0x60e00000-0x60ed8fff Image 0000888832 C:\ORACLE\ORA90
\BIN\ORAPLP9.DLL
0x610a0000-0x61136fff Image 0000618496 C:\ORACLE\ORA90
\BIN\ORACORE9.DLL
0x612a0000-0x61307fff Image 0000425984 C:\ORACLE\ORA90
\BIN\ORANLS9.DLL
0x61350000-0x6135ffff Image 0000065536 C:\ORACLE\ORA90
\BIN\ORASNLS9.DLL
0x613a0000-0x613aefff Image 0000061440 C:\ORACLE\ORA90
\BIN\ORAUNLS9.DLL
0x61400000-0x6142bfff Image 0000180224 C:\ORACLE\ORA90
\BIN\ORANL9.DLL
0x61480000-0x61538fff Image 0000757760 C:\ORACLE\ORA90
\BIN\ORAN9.DLL
0x615a0000-0x61627fff Image 0000557056 C:\ORACLE\ORA90
\BIN\ORANNZSBB9.DLL
0x616a0000-0x616a5fff Image 0000024576 C:\ORACLE\ORA90
\BIN\ORANCDS9.DLL
0x616b0000-0x616c2fff Image 0000077824 C:\ORACLE\ORA90
\BIN\ORANCRYPT9.DLL
0x61730000-0x61766fff Image 0000225280 C:\ORACLE\ORA90
\BIN\ORANRO9.DLL
0x617c0000-0x617c5fff Image 0000024576 C:\ORACLE\ORA90
\BIN\ORANHOST9.DLL
0x617d0000-0x617d5fff Image 0000024576 C:\ORACLE\ORA90
\BIN\ORANONAME9.DLL
0x61820000-0x61825fff Image 0000024576 C:\ORACLE\ORA90
\BIN\ORANTNS9.DLL
0x61850000-0x61857fff Image 0000032768 C:\ORACLE\ORA90
\BIN\ORANBEQ9.DLL
0x61890000-0x6189dfff Image 0000057344 C:\ORACLE\ORA90
\BIN\ORANNTS9.DLL
0x61910000-0x6191bfff Image 0000049152 C:\ORACLE\ORA90
\BIN\ORANTCP9.DLL
0x61960000-0x6196efff Image 0000061440 C:\ORACLE\ORA90
\BIN\ORANLDAP9.DLL
0x61af0000-0x61af9fff Image 0000040960 C:\ORACLE\ORA90
\BIN\ORANSGR9.DLL
0x62000000-0x62020fff Image 0000135168 C:\ORACLE\ORA90
\BIN\ORALDAPCLNT9.DLL
0x62300000-0x6233ffff Image 0000262144 C:\ORACLE\ORA90
\BIN\ORATRACE9.DLL
0x62500000-0x62506fff Image 0000028672 C:\ORACLE\ORA90
\BIN\ORASLAX9.DLL
0x62600000-0x62673fff Image 0000475136 C:\ORACLE\ORA90
\BIN\ORASQL9.DLL
0x62fc0000-0x63040fff Image 0000528384 C:\ORACLE\ORA90
\BIN\ORAXML9.DLL
0x64000000-0x64006fff Image 0000028672 C:\ORACLE\ORA90
\BIN\ORANMS.DLL
0x64020000-0x6402ffff Image 0000065536 C:\ORACLE\ORA90
\BIN\ORANMSP.DLL
0x74fd0000-0x74fe0fff Image 0000069632 C:\WINDOWS\SYSTEM32
\MSAFD.DLL
0x75010000-0x75016fff Image 0000028672 C:\WINDOWS\SYSTEM32
\WSHTCPIP.DLL
0x75020000-0x75027fff Image 0000032768 C:\WINDOWS\SYSTEM32
\WS2HELP.DLL
0x75030000-0x75043fff Image 0000081920 C:\WINDOWS\SYSTEM32
\WS2_32.DLL
0x75050000-0x75057fff Image 0000032768 C:\WINDOWS\SYSTEM32
\WSOCK32.DLL
0x75150000-0x7515efff Image 0000061440 C:\WINDOWS\SYSTEM32
\SAMLIB.DLL
0x75170000-0x751befff Image 0000323584 C:\WINDOWS\SYSTEM32
\NETAPI32.DLL
0x751c0000-0x751c5fff Image 0000024576 C:\WINDOWS\SYSTEM32
\NETRAP.DLL
0x75500000-0x75503fff Image 0000016384 C:\WINDOWS\SYSTEM32
\SECURITY.DLL
0x77570000-0x7759ffff Image 0000196608 C:\WINDOWS\SYSTEM32
\WINMM.DLL
0x777e0000-0x777e7fff Image 0000032768 C:\WINDOWS\SYSTEM32
\WINRNR.DLL
0x777f0000-0x777f4fff Image 0000020480 C:\WINDOWS\SYSTEM32
\RASADHLP.DLL
0x77830000-0x7783dfff Image 0000057344 C:\WINDOWS\SYSTEM32
\RTUTILS.DLL
0x77840000-0x7784bfff Image 0000049152 C:\WINDOWS\SYSTEM32
\RNR20.DLL
0x77950000-0x77978fff Image 0000167936 C:\WINDOWS\SYSTEM32
\WLDAP32.DLL
0x77980000-0x779a3fff Image 0000147456 C:\WINDOWS\SYSTEM32
\DNSAPI.DLL
0x779b0000-0x77a44fff Image 0000610304 C:\WINDOWS\SYSTEM32
\OLEAUT32.DLL
0x77a50000-0x77b44fff Image 0001003520 C:\WINDOWS\SYSTEM32
\OLE32.DLL
0x77be0000-0x77beefff Image 0000061440 C:\WINDOWS\SYSTEM32
\SECUR32.DLL
0x77d40000-0x77daefff Image 0000454656 C:\WINDOWS\SYSTEM32
\RPCRT4.DLL
0x77db0000-0x77e09fff Image 0000368640 C:\WINDOWS\SYSTEM32
\ADVAPI32.DLL
0x77e10000-0x77e74fff Image 0000413696 C:\WINDOWS\SYSTEM32
\USER32.DLL
0x77e80000-0x77f35fff Image 0000745472 C:\WINDOWS\SYSTEM32
\KERNEL32.DLL
0x77f40000-0x77f7bfff Image 0000245760 C:\WINDOWS\SYSTEM32
\GDI32.DLL
0x77f80000-0x77ff8fff Image 0000495616 C:\WINDOWS\SYSTEM32
\NTDLL.DLL
0x78000000-0x78045fff Image 0000286720 C:\WINDOWS\SYSTEM32
\MSVCRT.DLL
0x780a0000-0x780b1fff Image 0000073728 C:\WINDOWS\SYSTEM32
\MSVCIRT.DLL
0x78140000-0x78159fff Image 0000106496 C:\WINDOWS\SYSTEM32
\MSV1_0.DLL
------------------- End of memory map --------------------
------------------- Registers ----------------------------
eip = 012362cf esp = 097fb024 ebp = 097fbc00 edi = 0996a910 esi
= 0996c258
eax = 00000000 ebx = 098bca34 ecx = 098b3d44 edx = 098b3d44
ecs = 0000001b eds = 00000023 ees = 00000023 ess = 00000023
egs = 00000000 efs = 0000003b
eflags = 00210206
------------------- End of Registers ---------------------
------------------- Instruction Disassembly --------------
------------------- End of Disassembly -------------------
------------------- Call Stack Trace ---------------------
Frameptr RetAddr Param#1 Param#2 Param#3 Param#4 Function
Name
0x097fbc00 011dc4f0 098b3d44 098bc990 098bca34 0996a910
_mdqtgmadt+16f
0x097fbc40 011ed2eb 098b3d44 098bc990 098bca34 098fccb0
_mdidxrel+c0
0x097fbc94 011ee035 0996a810 09980ad0 09890f44 097fbd4c
_mdrtrel+1cb
0x097fbd50 011ec071 00000000 000007d0 0996bc00 097fbfdc
_mdrtpq+7d5
0x097fbfe8 011e5824 098fccb0 098b3d44 098bc990 098bca34
_mdrtft+f1
0x097fc0fc 00e90c29 098fccb0 09979774 09979730 7a2bb7b8
_mdidxf+254
0x097fc1d8 00646246 792691b4 097fc534 79269296 79269290
_qeroifcf+1b9
0x097fc4a8 00e91417 7adb9634 00000179 097fc530 00000002
_rpiswu2+226
0x097fc568 00e8f846 79269290 00e90a70 792691b4 0990cd30
_qeroifcsu+a7
0x097fd9a4 010edd17 792691b4 00000000 097fdd24 00000001
_qeroiFetch+1b6
0x097fdd10 010f99ac 792690dc 010fa040 7926908c 00007fff
_qertbFetchByRowID+5
0x097fdd44 00fc0202 7926908c 00fa6320 097fdf04 00000001
_qersoFetch+9c
0x097fdf68 00fc5d03 00000089 00000005 097fdfc0 00000001
_opifch2+10d2
0x097fe15c 00ede1cb 0000005e 00000022 097fe1a4 00000000
_opiall0+d03
0x097fe2b4 00648369 0000005e 00000014 017ff6fc 00e5a8fc
_kpoal8+58b
0x097fe424 605352c6 0000005e 00000014 097ff6fc 00000000
_opiodr+549
0x097fe894 0064974a 01207104 0000005e 097ff6fc 00000000
_ttcpip+1066
0x097ff874 00b6c934 00000000 00000000 014e76d0 0000003c
_opitsk+74a
0x097ff958 00648369 0000003c 00000004 097ffbd8 00207104
_opiino+554
0x097ffac8 004156cb 0000003c 00000004 097ffbd8 00000000
_opiodr+549
0x097ffb58 0040920e 0000003c 00000004 097ffbd8 00000000
_opidrv+24b
0x097ffb70 00401120 097ffbf4 0000003c 00000004 097ffbd8
_sou2o+1e
0x097ffc08 00401c34 00000002 097ffe74 010373f4 77d4a1bb
_opimai+120
0x097fffb4 77e92ca8 01037d94 010373f4 77d4a1bb 01037d94
_OracleThreadStart@4
0x097fffec 00000000 004018d0 01037d94 00000000 00000000
0x77e92ca8
------------------- End of Stack Trace -------------------
------------------- Raw Stack Dump -----------------------
Address Dump of bytes
0x097fb024 c9 a3 6e 01 d3 a8 96 09 - 10 a8 96 09 53 45 4c
45 ..n.........SELE
0x097fb034 43 54 20 61 2e 22 43 4f - 56 45 52 41 47 45 22 20 CT
a."COVERAGE"
0x097fb044 46 52 4f 4d 20 44 41 52 - 53 2e 44 41 54 41 53 45
FROM DARS.DATASE
0x097fb054 54 20 61 20 77 68 65 72 - 65 20 61 2e 72 6f 77 69 T a
where a.rowi
0x097fb064 64 3d 3a 72 69 64 20 00 - a8 2f 20 00 70 2e 20 00
d=:rid ../ .p. .
0x097fb074 00 00 00 00 b0 b0 7f 09 - 46 ac 37 60 a8 2f 20
00 ........F.7`./ .
0x097fb084 00 00 00 00 00 20 00 00 - 28 10 00 00 3c 21 00
00 ..... ..(...<!..
0x097fb094 00 00 00 00 00 00 00 00 - 70 2e 20 00 00 00 00
00 ........p. .....
0x097fb0a4 0c 00 00 00 a8 2f 20 00 - 1c b1 7f 09 e1 9e 37
60 ...../ .......7`
0x097fb0b4 a8 2f 20 00 70 2e 20 00 - 9c 91 96 09 01 00 00
00 ./ .p. .........
0x097fb0c4 14 10 00 00 00 20 00 00 - 80 63 8d 09 7c 63 8d
09 ..... ...c..|c..
0x097fb0d4 58 63 8d 09 ff 2f 07 00 - 00 00 00 00 74 7b 38 60
Xc.../......t{8`
0x097fb0e4 00 00 00 00 00 00 00 00 - 01 00 00 00 00 00 00
00 ................
0x097fb0f4 00 00 00 00 58 63 8d 09 - a4 91 96 09 9c 91 96
09 ....Xc..........
0x097fb104 01 00 00 00 d8 80 37 60 - 58 63 8d 09 00 00 00
00 ......7`Xc......
0x097fb114 a4 91 96 09 0c 10 00 00 - 00 00 00 00 58 63 8d
09 ............Xc..
0x097fb124 9c 91 96 09 00 00 00 00 - 01 00 00 00 0c 10 00
00 ................
0x097fb134 00 00 00 00 4e a8 37 60 - a8 2f 20 00 00 00 00
00 ....N.7`./ .....
0x097fb144 00 00 00 00 0c 10 00 00 - 0c 10 00 00 58 63 8d
09 ............Xc..
0x097fb154 00 00 00 00 94 b1 7f 09 - a0 be 37 60 00 00 00
00 ..........7`....
0x097fb164 ff ff ff ff 00 00 00 00 - 24 8c 8b 09 14 10 00
00 ........$.......
0x097fb174 44 3d 8b 09 48 a8 96 09 - 00 10 00 00 48 63 8d 09
D=..H.......Hc..
0x097fb184 9c 63 8d 09 00 10 00 00 - d8 63 8d 09 00 00 00
00 .c.......c......
0x097fb194 bc b1 7f 09 5e 92 38 60 - a8 2f 20 00 58 63 8d
09 ....^.8`./ .Xc..
0x097fb1a4 0c 10 00 00 00 00 00 00 - a8 2f 20 00 02 00 00
00 ........./ .....
0x097fb1b4 01 00 00 00 01 00 00 00 - e4 9d 96 09 d8 11 8b
09 ................
0x097fb1c4 01 b2 7f 09 00 02 8c 09 - 90 c9 8b 09 bc 93 8d
09 ................
0x097fb1d4 3c 00 00 00 01 00 00 00 - d8 11 8b 09 a8 2f 20 00
<............/ .
0x097fb1e4 3c 00 00 00 7c 60 90 09 - 3c 00 00 00 14 b2 7f 09
<...|`..<.......
0x097fb1f4 d3 bc 3d 60 02 00 00 00 - 48 63 8d 09 49 4e 53
49 ..=`....Hc..INSI
0x097fb204 44 45 00 00 48 63 8d 09 - 38 b2 7f 09 74 7b 38 60
DE..Hc..8...t{8`
0x097fb214 a8 2f 20 00 08 00 00 00 - e0 9e 96 09 f4 63 8d
09 ./ ..........c..
0x097fb224 d8 11 8b 09 7c 60 90 09 - 3c 00 00 00 c0 69 45
60 ....|`..<....iE`
0x097fb234 d8 11 8b 09 7c 60 90 09 - 3c 00 00 00 64 b2 7f
09 ....|`..<...d...
0x097fb244 d3 bc 3d 60 a8 2f 20 00 - 48 63 8d 09 ec 9e 96
09 ..=`./ .Hc......
0x097fb254 a8 2f 20 00 3f 00 00 00 - 40 a1 96 09 64 d2 8a
09 ./ [email protected]...
0x097fb264 e8 b2 7f 09 6b bb 3d 60 - a8 2f 20 00 ec 9e 96
09 ....k.=`./ .....
0x097fb274 3c 00 00 00 00 00 00 00 - d0 50 47 60 00 00 00 00
<........PG`....
0x097fb284 00 00 00 00 a8 2f 20 00 - a8 2f 20 00 3c 00 00
00 ...../ ../ .<...
0x097fb294 44 d1 8a 09 70 2e 20 00 - d8 11 8b 09 18 b3 7f 09
D...p. .........
0x097fb2a4 89 85 3d 60 a8 2f 20 00 - ec 12 8b 09 3c 00 00
00 ..=`./ .....<...
0x097fb2b4 01 00 00 00 d8 11 8b 09 - a8 2f 20 00 3c 00 00
00 ........./ .<...
0x097fb2c4 dc b2 7f 09 88 79 3e 60 - fc 10 8b 09 88 b2 7f
09 .....y>`........
0x097fb2d4 9c de 95 09 88 c2 7f 09 - fb ff ff ff 40 00 00
00 ............@...
0x097fb2e4 48 63 8d 09 14 b3 7f 09 - 74 7b 38 60 a8 2f 20 00
Hc......t{8`./ .
0x097fb2f4 04 00 00 00 d0 9d 96 09 - f4 63 8d 09 d8 11 8b
09 .........c......
0x097fb304 7c 60 90 09 3c 00 00 00 - c0 69 45 60 d8 11 8b 09
|`..<....iE`....
0x097fb314 7c 60 90 09 3c 00 00 00 - 40 b3 7f 09 d3 bc 3d 60
|`..<...@.....=`
0x097fb324 a8 2f 20 00 48 63 8d 09 - dc 9d 96 09 a8 2f 20
00 ./ .Hc......./ .
0x097fb334 c0 39 8b 09 0c 8a 8b 09 - 64 d2 8a 09 c4 b3 7f
09 .9......d.......
0x097fb344 6b bb 3d 60 a8 2f 20 00 - dc 9d 96 09 3c 00 00 00
k.=`./ .....<...
0x097fb354 00 00 00 00 7c f4 bd 60 - 00 00 00 00 00 00 00
00 ....|..`........
0x097fb364 24 bb 7f 09 c0 39 8b 09 - 0c 8a 8b 09 96 ef d6 34
$....9.........4
0x097fb374 9c 19 8b 09 44 d1 8a 09 - 0c 00 00 00 9c 19 8b
09 ....D...........
0x097fb384 9c 19 8b 09 b0 b3 7f 09 - 84 08 3d 60 a8 2f 20
00 ..........=`./ .
0x097fb394 8c 0b 8b 09 0c 00 00 00 - a8 2f 20 00 0c 00 00
00 ........./ .....
0x097fb3a4 40 89 92 09 fc 10 8b 09 - 64 b3 7f 09 a4 9d 8a 09
@.......d.......
0x097fb3b4 bc b7 7f 09 c0 69 45 60 - 88 86 45 60 ff ff ff
ff .....iE`..E`....
0x097fb3c4 f0 b3 7f 09 1f f4 ac 60 - a8 2f 20 00 2c 00 00
00 .......`./ .,...
0x097fb3d4 3c 00 00 00 00 00 00 00 - 7c f4 bd 60 00 00 00 00
<.......|..`....
0x097fb3e4 00 00 00 00 3c 00 00 00 - 24 8c 8b 09 60 04 00
00 ....<...$...`...
0x097fb3f4 11 00 00 00 00 00 00 00 - 4c b4 7f 09 4f 6a ad
60 ........L...Oj.`
0x097fb404 24 bb 7f 09 a0 ba 7f 09 - 68 b9 7f 09 00 00 00 00
$.......h.......
0x097fb414 00 00 00 00 a8 2f 20 00 - a8 2f 20 00 3f 00 00
00 ...../ ../ .?...
0x097fb424 44 d1 8a 09 70 2e 20 00 - d8 11 8b 09 a8 b4 7f 09
D...p. .........
0x097fb434 89 85 3d 60 a8 2f 20 00 - ec 12 8b 09 3f 00 00
00 ..=`./ .....?...
0x097fb444 01 00 00 00 d8 11 8b 09 - a8 2f 20 00 3f 00 00
00 ........./ .?...
0x097fb454 24 bb 7f 09 a0 ba 7f 09 - 68 b9 7f 09 80 8b 8b 09
$.......h.......
0x097fb464 ec 8a 8b 09 00 00 00 00 - 7f ff ff ff 90 00 00
00 ................
0x097fb474 04 ed 95 09 a0 b4 7f 09 - a0 b4 7f 09 fc eb 23
01 ..............#.
0x097fb484 ac b8 7f 09 03 00 00 00 - ac b8 7f 09 ac b8 7f
09 ................
0x097fb494 00 00 00 00 20 a4 96 09 - 00 00 00 00 cc b4 7f
09 .... ...........
0x097fb4a4 39 ec 23 01 60 a4 96 09 - 02 00 00 00 03 00 00 00
9.#.`...........
0x097fb4b4 00 00 00 00 00 00 00 00 - 00 00 41 40 7c b6 7f
09 ..........A@|...
0x097fb4c4 ac b8 7f 09 ac b8 7f 09 - 58 b5 7f 09 44 e4 23
01 ........X...D.#.
0x097fb4d4 04 00 00 00 02 00 00 00 - 03 00 00 00 00 00 00
00 ................
0x097fb4e4 00 00 41 40 00 00 00 00 - f8 b4 7f 09 28 b7 7f
09 ..A@........(...
0x097fb4f4 01 00 00 00 00 00 00 00 - 00 00 41 40 00 00 00
00 ..........A@....
0x097fb504 00 00 5c c0 00 00 00 00 - 00 00 00 00 00 00 00
00 ..\.............
0x097fb514 00 00 00 00 00 00 00 00 - 00 e0 40 40 00 00 00
00 ..........@@....
------------------- End of Raw Stack Dump ----------------

Enabling Oracle Label Security on 9.2.0.7 database

Hi there,
I have installed the option Oracle Label Security and patched it to 9.2.0.7. I have then run the script $ORAHOME\rdbms\admin\catols.sql . Which re-starts the database.
But when I run the below example I get the below error.
SQL> CONNECT lbacsys/lbacsys
Connected.
SQL> EXECUTE SA_SYSDBA.CREATE_POLICY( -
'FACILITY','FACLAB','READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');
BEGIN SA_SYSDBA.CREATE_POLICY( 'FACILITY','FACLAB','READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE'); END;
ERROR at line 1:
ORA-00439: feature not enabled: Oracle Label Security
ORA-06512: at "LBACSYS.LBAC_SYSDBA", line 107
ORA-06512: at "LBACSYS.SA_SYSDBA", line 43
ORA-06512: at line 1
I have also noticed that in the v$option view shows the
PARAMETER VALUE
Oracle Label Security FALSE
I have compared the number of objects to metalink article 171155.1 How to Install / Deinstall Oracle Label Security and all the objects seem to be in the schema.
Also I check the version and saw below.
SQL> conn dba/
Connected.
SQL> COL comp_name FORMAT A32
SQL> COL version FORMAT A16
SQL> SELECT
2 comp_id
3 ,comp_name
4 ,version
5 FROM dba_registry
6 where comp_id='OLS';
COMP_ID COMP_NAME VERSION
OLS Oracle Label Security 9.2.0.7.0
1 rows selected.
SQL>
Anyone know how I can enable Oracle Label Security is that it works?
TIA
Ed

I still have some old 9.2.0.8 databases running on both HP-UX and AIX and have clients on 10.2g which doesn't manifest any problem .

Can/How does Label Security integrate with Documentum Trusted Content Serv

How easy wouldit be to use Oracle Label Security to manage all information in the Oracle dabase including Documentum metadata so that a single security policy cn be defined..at least for the information stored in the Oracle database.
How does the documentum security tag get mapped to an OLS label?
Customer needs only a high level understanding...
Steve Flournoy

I am not familiar with documentum but you can use OLS for:
Row level security based on labels added to the tables you want to protect. Apply the labels to the documentum metadata tables and you have implemented OLS. The Documentum tags can be mapped to OLS labels in Oracle Policy Manager:
Set up the OLS labels just like the documentum security tags in Oracle Policy Manager .
For even more customization use Application Contexts and Virtual Private Database Policies.

OID-Integrated Label Security with HTMLDB?

Hi,
I've followed the how-to document to integrate Oracle Label Security with Oracle Internet Directory.(http://www.oracle.com/technology/deploy/security/database-security/howtos/ols_oid-how-to.html).
I've successfully created a label security policy for the HR.LOCATIONS table. I would like that same policy to be effective on any query regions in an HTMLDB application.
I created a test application in HTMLDB, and changed the authentication scheme to be LDAP. It uses Oracle Internet Directory to authenticate the users, and this works successfully.
However, when I login with an OID user that has been assigned to use the policy, I get no rows returned.
What is a good way to integrate my label security policy with my htmldb applicaton so that it works within HTMLDB and outside of HTMLDB?
I saw the technote to use VPD, but when I tried this, it caused my label security policy to stop working. I somehow made it conflict...(http://www.oracle.com/technology/pub/notes/technote_htmldb_vpd.html)
I guess I'm just not sure what the VPD function should look like after I've already created a Label Security Policy.
I basically want it to look at the APP_USER and then apply the policy appropriately.
Thanks,
Nora

Scott,
It still worked in SQLPLUS when I typed 'set role none' first.
The way I granted PROFILE_ACCESS was through a label security command:
SQL> exec sa_user_admin.set_user_privs('senspolicy','parse_schema','FULL,PROFILE_ACCESS');
It seems like this is the only way..
It just seems strange that it works in SQLPLUS. I'm trying to figure out what other permissions I need for HTMLDB.
Thanks again,
Nora
SQL*Plus: Release 10.2.0.1.0 - Production on Wed May 16 16:38:20 2007
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Enter user-name: parse_schema/<password>@testls
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, Oracle Label Security, OLAP and Data Mining options
SQL> set role none;
Role set.
SQL> select count(*) from hr.locations;
COUNT(*)
23
SQL> exec sa_session.set_access_profile('senspolicy','PUB');
PL/SQL procedure successfully completed.
SQL> select count(*) from hr.locations;
COUNT(*)
17
SQL>

Using Content Manager with OLS - Oracle Label Security

There are two entries in this forum with OLS - the last one in 2005.
Has any one successfully deployed UCM with OLS?
Thanks,
Paul

Yes I have with 10gr3
It can be made to work but perhaps not in the way you want (per user?). Your label security will need to have policies based on something.
I did a proof of concept using Security Group column as the 'label'. Then applied VPD policies based on which network the request came from (1 DB rac node in each network).
In my case I wanted to show ALL content to a secure network but a subset of content to the lower security network. For this use case it is ideal.
It worked flawlessly...not supported though
Apparently OLS is on roadmap or UCM (WCC) so ask Oracle and see if you can find out if it is slated for any particular release yet.
Tim

How to install "Oracle Label Security" on "Oracle Developers Day" VM?

Hello,
I downloaded and started the "Oracle Developers Day" pre-built virtual machine using VirtualBox.
I need to install Oracle Label Security in order to make some tests with it. So:
1) Do we have the installation folder of Oracle Enterprise Edition somewhere on the VM?
2) If not, how can I install OLS? Do I have to use shared folder to mount the installation media? How can I mount the installation folder, which I downloaded and stored on the host machine? Could you, please, provide step-by-step example?
Thank you in advance.
Beroetz

Options is to connect to Oracle Policy Manager or use Oracle Internet Directory (OID)to administer Oracle Label Security.
Find more ways in the Documentation here:
http://download-uk.oracle.com/docs/cd/B19306_01/network.102/b14267/toc.htm

Downloading Label Security

Is Oracle Label Security for 9i (solaris) available for download and if so where?
Thanks
Tom

If the Mcafee is still available, then make sure you use your mother in Laws computer not your own.
toekneem
http://www.no2nuisancecalls.net
(EASBF)

OLS Label Security: how users can view own level/compartment/group choices?

I have an application using OLS (Oracle Label Security) Virtual Database (VDB) for security; to allow users to only view rows to which they have access.
I'm creating a list of values (LOV) to allow the user to change the level or compartment of a database record to a different value for which they still have access. The views that show these values is DBA_SA_USER_LEVELS (and COMPARTMENTS, GROUPS) but this view is only visible to DBA users, not the regular user. We are considering giving regular users access to this view, or granting SELECT_ALL_TABLES as suggested in an article I read. However, this approach seems to loosen security, not maintain it.
How can I allow a user to get a list of levels, compartments or groups available to them without loosening the security on the DBA_* views?
thanks,
Scott

Bump

Label security on VPD?

I have a question on label security.(i am new in Oracle security area)
The 9i Label Security is built on VPD(virtual private database). Does this means you have to set up VPD before you use the Label Security?
I am trying to run the Label Security demo/sample(in ALlSchema.zip), and I saw the tables has DN field which is used in VPD demo. I guess if i want to use Lable security i have to use VPD too, but it is not metioned in the demo/sample that the VPD is required.
Thanks in advance for any help.
Tim

label security automatically sets up VPD. you should not need to worry about how label security is implemented.
<BLOCKQUOTE><font size="1" face="Verdana, Arial">quote:</font><HR>Originally posted by [email protected]:
I have a question on label security.(i am new in Oracle security area)
The 9i Label Security is built on VPD(virtual private database). Does this means you have to set up VPD before you use the Label Security?
I am trying to run the Label Security demo/sample(in ALlSchema.zip), and I saw the tables has DN field which is used in VPD demo. I guess if i want to use Lable security i have to use VPD too, but it is not metioned in the demo/sample that the VPD is required.
Thanks in advance for any help.
Tim<HR></BLOCKQUOTE>
null

Trying to use Oracle Label Security with a XMLType

Hi everybody.
I'm trying to apply some of the Oracle Label Security functionalities to a table created from the annotations of a XML Schema
(Below I show part of this XML Schema:
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xdb="http://xmlns.oracle.com/xdb"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified"
attributeFormDefault="unqualified">
<xs:element name="FILE_INFO" xdb:SQLType="FILE_INFO" xdb:defaultTable="TABLE_FILE_INFO">
<xs:complexType>
<xs:choice>
<xs:element name="FILE_INFO_DICOM"
type="FILE_INFO_DICOM_TYPE" />
<xs:element name="FILE_INFO_ANALYZE"
type="FILE_INFO_ANALYZE_TYPE" />
</xs:choice>
</xs:complexType>
</xs:element>
<xs:complexType name="FILE_INFO_DICOM_TYPE" xdb:SQLType="FILE_INFO_DICOM_TYPE">
<xs:sequence>
<xs:element name="ELEMENT_INFO_DICOM"
type="ELEMENT_INFO_DICOM_TYPE"
minOccurs="0"
maxOccurs="unbounded"
xdb:defaultTable="TABLE_ELEMENT_INFO_DICOM"
xdb:SQLInline ="false"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="ELEMENT_INFO_DICOM_TYPE" xdb:SQLType="ELEMENT_INFO_DICOM_TYPE">
<xs:all>
<xs:element name="Description" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="GroupTag" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="ElementTag" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="VR" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Value" type="xs:string" minOccurs="0" maxOccurs="1"/>
</xs:all>
</xs:complexType>
................etc
I've created a security policy that I have tested on relational tables (not based on any object type) and works correctly.
BEGIN
SA_POLICY_ADMIN.APPLY_TABLE_POLICY(policy_name => 'policy1',
schema_name => 'oe',
table_name => 'TABLE_FILE_INFO',
table_options => 'LABEL_DEFAULT, READ_CONTROL, WRITE_CONTROL',
label_function => NULL,
predicate => NULL);
END;
When I try to apply this policy to the XMLSchema-created table (TABLE_FILE_INFO) I get next error messages:
ORA-22856: cannot add columns to object tables
ORA-00604 error occurred at recursive SQL level 1
ORA-12445: cannot change HIDDEN property of column.
ORA-06512: in "LBACSYS.LBAC_POLICY_ADMIN", line 257
ORA-06512: in line 2
I suppose that the main problem is that the apply_plicy procedure is trying to add an extra column to a table created from a defined type.
So my questions are: It's that true? Is it possible to apply a policy to the content of XML documents, I mean, if I want to restrict that some users see some subset of a XML document based on a specific policy, is there anything similar to Oracle Label security for XML? (as defined with the annotations in the XML Schema, some elements will be mapped to rows of a XMLType-based table when a XML document is inserted into the XMLDB repository (marked to follow the previous XML Schema of course)
Hope someone can help to solve my doubts...
Thanks,
Marcos.

Have you ever answered this question? If not, have you tried to use the "HIDE" property on your table_options?

Label Security - Can see all rows as LBACSYS but none as table owner

Question: I've inherited a 10.2.2 database that contains a copy of a database that was upgraded from 8i.
All of the tables that were managed within Secure Access are now managed by OLS. The new tables now have two columns, one for SECMGR and one for OLS. The label was copied from SECMGR to OLS. The labels were recreated in the OLS container.
When I connect as the table owner and query a row count; I get zero. When I connect as lbacsys and query a rowcount, I get all rows.
Just for test purposes; I've gone into Policy manager and granted full access, profile_access, all compartments and groups and still the table owner cannot see any rows on the table. I've also disabled the policy for that table and still no rows.
Does anyone have any idea why the table owner cannot see the data?
Thanks in advance!

[URGENT]
I'm beginning to get closer to the problem; yet still no solution. To narrow down the problem I decided to create a new container/policy and a subset of the compartments, groups, and labels. (The existing container has over 500 groups).
After creating them and applying them to a test table. I've noticed that when I set a label in the table using the char_to_label function: example
update test_label_table
set sec_label = char_to_label('LO:COMP1')
where name = 'Low';
I then queried the row as lbacsys and retrieved a different level and compartment and a group that I didn't create: results
select name,label_to_char(sec_label)
from test_label_table
where name = 'Low'';
NAME LABEL_TO_CHAR
Low TS:REG:US
How is this possible? What could I possibly have done wrong to get this output?
Thanks in advance!

Adv Replication AND Label Security

Similar Messages

Maybe you are looking for