Enabling Oracle Label Security on 9.2.0.7 database

Similar Messages

• How to install Oracle Label Security in Oracle Database 10g EE

  Hello All
  I just want to know how to install Oracle Label Security in Oracle 10g Database EE.
  I read in Oracle Enterprise Manager Grid Control Installation and Basic Configuration that Label Security must be installed before installing Enterprise Manager Grid Control.
  I have Oracle Database 10g Release 1 (10.1.0.1) on my Windows XP System, and I patch it to 10.1.0.3.
  M.
  Sorry about my English.

  Options is to connect to Oracle Policy Manager or use Oracle Internet Directory (OID)to administer Oracle Label Security.
  Find more ways in the Documentation here:
  http://download-uk.oracle.com/docs/cd/B19306_01/network.102/b14267/toc.htm

• Advance Replication and Oracle Label Security

  Has anyone been able to configure both Advance Replication and Oracle Label Security to work together?

  This is currently not supported in Streams. I have an enhancement request in with Oracle for this functionality. This won't be seen in 11g R2 either.
  Has anyone done Label Security with Advance Replication?

• How to install "Oracle Label Security" on "Oracle Developers Day" VM?

  Hello,
  I downloaded and started the "Oracle Developers Day" pre-built virtual machine using VirtualBox.
  I need to install Oracle Label Security in order to make some tests with it. So:
  1) Do we have the installation folder of Oracle Enterprise Edition somewhere on the VM?
  2) If not, how can I install OLS? Do I have to use shared folder to mount the installation media? How can I mount the installation folder, which I downloaded and stored on the host machine? Could you, please, provide step-by-step example?
  Thank you in advance.
  Beroetz

  Options is to connect to Oracle Policy Manager or use Oracle Internet Directory (OID)to administer Oracle Label Security.
  Find more ways in the Documentation here:
  http://download-uk.oracle.com/docs/cd/B19306_01/network.102/b14267/toc.htm

• Trying to use Oracle Label Security with a XMLType

  Hi everybody.
  I'm trying to apply some of the Oracle Label Security functionalities to a table created from the annotations of a XML Schema
  (Below I show part of this XML Schema:
  <?xml version="1.0" encoding="UTF-8"?>
  <xs:schema xmlns:xdb="http://xmlns.oracle.com/xdb"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  elementFormDefault="qualified"
  attributeFormDefault="unqualified">
  <xs:element name="FILE_INFO" xdb:SQLType="FILE_INFO" xdb:defaultTable="TABLE_FILE_INFO">
  <xs:complexType>
  <xs:choice>
  <xs:element name="FILE_INFO_DICOM"
  type="FILE_INFO_DICOM_TYPE" />
  <xs:element name="FILE_INFO_ANALYZE"
  type="FILE_INFO_ANALYZE_TYPE" />
  </xs:choice>
  </xs:complexType>
  </xs:element>
  <xs:complexType name="FILE_INFO_DICOM_TYPE" xdb:SQLType="FILE_INFO_DICOM_TYPE">
  <xs:sequence>
  <xs:element name="ELEMENT_INFO_DICOM"
  type="ELEMENT_INFO_DICOM_TYPE"
  minOccurs="0"
  maxOccurs="unbounded"
  xdb:defaultTable="TABLE_ELEMENT_INFO_DICOM"
  xdb:SQLInline ="false"/>
  </xs:sequence>
  </xs:complexType>
  <xs:complexType name="ELEMENT_INFO_DICOM_TYPE" xdb:SQLType="ELEMENT_INFO_DICOM_TYPE">
  <xs:all>
  <xs:element name="Description" type="xs:string" minOccurs="0" maxOccurs="1" />
  <xs:element name="GroupTag" type="xs:string" minOccurs="0" maxOccurs="1" />
  <xs:element name="ElementTag" type="xs:string" minOccurs="0" maxOccurs="1" />
  <xs:element name="VR" type="xs:string" minOccurs="0" maxOccurs="1"/>
  <xs:element name="Value" type="xs:string" minOccurs="0" maxOccurs="1"/>
  </xs:all>
  </xs:complexType>
  ................etc
  I've created a security policy that I have tested on relational tables (not based on any object type) and works correctly.
  BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(policy_name => 'policy1',
  schema_name => 'oe',
  table_name => 'TABLE_FILE_INFO',
  table_options => 'LABEL_DEFAULT, READ_CONTROL, WRITE_CONTROL',
  label_function => NULL,
  predicate => NULL);
  END;
  When I try to apply this policy to the XMLSchema-created table (TABLE_FILE_INFO) I get next error messages:
  ORA-22856: cannot add columns to object tables
  ORA-00604 error occurred at recursive SQL level 1
  ORA-12445: cannot change HIDDEN property of column.
  ORA-06512: in "LBACSYS.LBAC_POLICY_ADMIN", line 257
  ORA-06512: in line 2
  I suppose that the main problem is that the apply_plicy procedure is trying to add an extra column to a table created from a defined type.
  So my questions are: It's that true? Is it possible to apply a policy to the content of XML documents, I mean, if I want to restrict that some users see some subset of a XML document based on a specific policy, is there anything similar to Oracle Label security for XML? (as defined with the annotations in the XML Schema, some elements will be mapped to rows of a XMLType-based table when a XML document is inserted into the XMLDB repository (marked to follow the previous XML Schema of course)
  Hope someone can help to solve my doubts...
  Thanks,
  Marcos.

  Have you ever answered this question? If not, have you tried to use the "HIDE" property on your table_options?

• Using non-alphabetical symbols in Oracle Label Security API

  I decide to use Oracle Label Security Release 9.0.1 , but I have some problems in realization . When I try to use function sa_policy_admin.apply_table_policy with
  following parameters:
  sa_policy_admin.apply_table_policy(
  POLICY_NAME => 'policy1',
  SCHEMA_NAME => 'domain1\user1',
  TABLE_NAME => 'table1'
  I receive messages :
  ORA-00604: error occurred at recursive SQL level 1
  ORA-00911: invalid character
  ORA-00911: invalid character
  ORA-06512: at "LBACSYS.LBAC_POLICY_ADMIN", line 251
  ORA-06512: at line 2
  Tell me please , may be there are any limitations on parameter SCHEMA_NAME in function ,
  because this function can't understand symbol "\".
  Note 1: It is obligatory to use symbol "\" in schema_name ,
  because I have to connect to DB as external user (user of Windows 2000 Server).
  Note 2: ORA-00911 invalid character
  Cause: Special characters are valid only in certain places. If special characters other than $, _, and # are used in a name and the name is not enclosed in double quotation marks ("), this message will be issued. One exception to this rule is for database names; in this case, double quotes are stripped out and ignored.
  Action: Remove the invalid character from the statement or encl[i]Long postings are being truncated to ~1 kB at this time.

  Yes I have with 10gr3
  It can be made to work but perhaps not in the way you want (per user?). Your label security will need to have policies based on something.
  I did a proof of concept using Security Group column as the 'label'. Then applied VPD policies based on which network the request came from (1 DB rac node in each network).
  In my case I wanted to show ALL content to a secure network but a subset of content to the lower security network. For this use case it is ideal.
  It worked flawlessly...not supported though
  Apparently OLS is on roadmap or UCM (WCC) so ask Oracle and see if you can find out if it is slated for any particular release yet.
  Tim

• Using Content Manager with OLS - Oracle Label Security

  There are two entries in this forum with OLS - the last one in 2005.
  Has any one successfully deployed UCM with OLS?
  Thanks,
  Paul

  Yes I have with 10gr3
  It can be made to work but perhaps not in the way you want (per user?). Your label security will need to have policies based on something.
  I did a proof of concept using Security Group column as the 'label'. Then applied VPD policies based on which network the request came from (1 DB rac node in each network).
  In my case I wanted to show ALL content to a secure network but a subset of content to the lower security network. For this use case it is ideal.
  It worked flawlessly...not supported though
  Apparently OLS is on roadmap or UCM (WCC) so ask Oracle and see if you can find out if it is slated for any particular release yet.
  Tim

• How to implement Oracle Label Security with Oracle8.1.5 database

  I want some fields in some tables which could not be even viwed by DBA..
  I am working on Oracle Server 8.1.5
  If possible it should be in the same database,same schema but different schema may also work..
  Please help

  I don't think this is going to be possible.
  When you register a crawler, you have to declare it as one of three types: Public, Identity-based or Attribute-based.
  The database crawler is registered as attribute-based, and therefore must be used with a suitable authorization manager.
  I guess in theory you could create a new authorization manager class which queries active directory to get the appropriate security attributes for a user (corresponding to the security attributes crawled from the database), but I suspect it might be easier to figure out a way to copy AD attributes into a database table (perhaps updating the table once a day via a nightly crawl of AD) and then use the standard database authorization manager.

• It is possible to have a dynamic Oracle Label Security procedure/script to configure data label (compartments and data label)  for multiple rows at same time?

  A single script which can be run below mentioned commands...  instead of using multiple manual steps for configuring data labels. Is that possible and how? Having bulk of data where OLS need to be applied.
  exec LBACSYS.SA_COMPONENTS.CREATE_COMPARTMENT
  exec SA_LABEL_ADMIN.CREATE_LABEL
  exec SA_POLICY_ADMIN.APPLY_TABLE_POLICY

  Have you ever answered this question? If not, have you tried to use the "HIDE" property on your table_options?

• Label Security Limitations

  [10.2.2]
  I've inherited a database that has about 500 groups within one policy. I'm told there is a potential for it to continue to grow at a rate of maybe 10 per year.
  Are there any limitations on the maximum number of groups, categories, etc for label security?

  In
  http://download.oracle.com/docs/cd/B19306_01/network.102/b14267/labels.htm#i1006370
  on 2.2.4 Groups session, we find:
  Groups are optional; a label can contain zero or more groups. Oracle Label Security permits defining up to 10,000 groups.

• Can/How does Label Security integrate with Documentum Trusted Content Serv

  How easy wouldit be to use Oracle Label Security to manage all information in the Oracle dabase including Documentum metadata so that a single security policy cn be defined..at least for the information stored in the Oracle database.
  How does the documentum security tag get mapped to an OLS label?
  Customer needs only a high level understanding...
  Steve Flournoy

  I am not familiar with documentum but you can use OLS for:
  Row level security based on labels added to the tables you want to protect. Apply the labels to the documentum metadata tables and you have implemented OLS. The Documentum tags can be mapped to OLS labels in Oracle Policy Manager:
  Set up the OLS labels just like the documentum security tags in Oracle Policy Manager .
  For even more customization use Application Contexts and Virtual Private Database Policies.

• OID-Integrated Label Security with HTMLDB?

  Hi,
  I've followed the how-to document to integrate Oracle Label Security with Oracle Internet Directory.(http://www.oracle.com/technology/deploy/security/database-security/howtos/ols_oid-how-to.html).
  I've successfully created a label security policy for the HR.LOCATIONS table. I would like that same policy to be effective on any query regions in an HTMLDB application.
  I created a test application in HTMLDB, and changed the authentication scheme to be LDAP. It uses Oracle Internet Directory to authenticate the users, and this works successfully.
  However, when I login with an OID user that has been assigned to use the policy, I get no rows returned.
  What is a good way to integrate my label security policy with my htmldb applicaton so that it works within HTMLDB and outside of HTMLDB?
  I saw the technote to use VPD, but when I tried this, it caused my label security policy to stop working. I somehow made it conflict...(http://www.oracle.com/technology/pub/notes/technote_htmldb_vpd.html)
  I guess I'm just not sure what the VPD function should look like after I've already created a Label Security Policy.
  I basically want it to look at the APP_USER and then apply the policy appropriately.
  Thanks,
  Nora

  Scott,
  It still worked in SQLPLUS when I typed 'set role none' first.
  The way I granted PROFILE_ACCESS was through a label security command:
  SQL> exec sa_user_admin.set_user_privs('senspolicy','parse_schema','FULL,PROFILE_ACCESS');
  It seems like this is the only way..
  It just seems strange that it works in SQLPLUS. I'm trying to figure out what other permissions I need for HTMLDB.
  Thanks again,
  Nora
  SQL*Plus: Release 10.2.0.1.0 - Production on Wed May 16 16:38:20 2007
  Copyright (c) 1982, 2005, Oracle. All rights reserved.
  Enter user-name: parse_schema/<password>@testls
  Connected to:
  Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
  With the Partitioning, Oracle Label Security, OLAP and Data Mining options
  SQL> set role none;
  Role set.
  SQL> select count(*) from hr.locations;
  COUNT(*)
  23
  SQL> exec sa_session.set_access_profile('senspolicy','PUB');
  PL/SQL procedure successfully completed.
  SQL> select count(*) from hr.locations;
  COUNT(*)
  17
  SQL>

• Downloading Label Security

  Is Oracle Label Security for 9i (solaris) available for download and if so where?
  Thanks
  Tom

  If the Mcafee is still available, then make sure you use your mother in Laws computer not your own.
  toekneem
  http://www.no2nuisancecalls.net
  (EASBF)

• OLS Label Security: how users can view own level/compartment/group choices?

  I have an application using OLS (Oracle Label Security) Virtual Database (VDB) for security; to allow users to only view rows to which they have access.
  I'm creating a list of values (LOV) to allow the user to change the level or compartment of a database record to a different value for which they still have access. The views that show these values is DBA_SA_USER_LEVELS (and COMPARTMENTS, GROUPS) but this view is only visible to DBA users, not the regular user. We are considering giving regular users access to this view, or granting SELECT_ALL_TABLES as suggested in an article I read. However, this approach seems to loosen security, not maintain it.
  How can I allow a user to get a list of levels, compartments or groups available to them without loosening the security on the DBA_* views?
  thanks,
  Scott

  Bump

• French label security documentation

  Hi,
  I need to get the 9iR2 Label Security administrator guide or some French 9iR2 whitepaper on label security.
  Can someone here please refer me to such document? I do not speak French, so I had an hard time looking for it at the OTN.
  Many thanks,
  Ofir

  It is on a separate CD.
  <BLOCKQUOTE><font size="1" face="Verdana, Arial">quote:</font><HR>Originally posted by Ken Chan ([email protected]):
  Oracle Label Security is available in Oracle 8.1.7. Is the Label Security packaged with the standard edition or does it only come packaged with the enterprise edition?<HR></BLOCKQUOTE>
  null